{"id":161460,"date":"2024-09-03T10:02:45","date_gmt":"2024-09-03T09:02:45","guid":{"rendered":"https:\/\/www.avanet.com\/kb\/sophos-firewall-sd-wan-routing-reply-packet-system-traffic\/"},"modified":"2024-09-03T10:07:59","modified_gmt":"2024-09-03T09:07:59","slug":"sophos-firewall-sd-wan-routing-reply-packet-system-traffic","status":"publish","type":"kb","link":"https:\/\/www.avanet.com\/en\/kb\/sophos-firewall-sd-wan-routing-reply-packet-system-traffic\/","title":{"rendered":"Sophos Firewall – SD-WAN Routing Reply-Packet & System Traffic"},"content":{"rendered":"\n

There are various options for managing Sophos Firewalls in order to efficiently control and route data traffic.\nAn important component here is the Software-Defined WAN (SD-WAN).\nSD-WAN makes it possible to make network infrastructures more intelligent through an additional software layer, especially when controlling traffic between different networks and across different WAN connections. <\/p>\n\n

For optimal functionality, it may be necessary to manually enable SD-WAN settings via the command line (CLI), as some of these settings may be disabled.\nThis post provides an overview of two specific SD-WAN settings that can be customized via SSH: reply-packet<\/strong> and system-generate-traffic<\/strong>.\nThese settings are particularly relevant if you notice that certain traffic routings are not working as expected. <\/p>\n\n

Activate Reply-Packet<\/h2>\n\n

Reply packets<\/strong> refer to the reply packets that belong to an outgoing data traffic.\nBy default, Sophos Firewall enforces symmetric routing for reply packets over WAN interfaces.\nHowever, there may be situations where asymmetric routing is required, e.g. for traffic between LAN and DMZ. <\/p>\n\n

How to check the current setting<\/strong><\/p>\n\n

show routing sd-wan-policy-route reply-packet<\/code><\/pre>\n\n
To activate the reply packet option<\/strong><\/p>\n\n
set routing sd-wan-policy-route reply-packet enable<\/code><\/pre>\n\n
If this option is activated, response packets can be sent via a different interface than the one originally used, which can be helpful in certain network scenarios.<\/p>\n\n
Activate system-generated traffic<\/h2>\n\n
System-generated traffic<\/strong> refers to traffic that is generated by the Sophos Firewall itself, for example for management services or monitoring protocols.\nIn certain scenarios, it may be necessary to route this traffic via a specific route instead of using the default route. <\/p>\n\n
How to check the current setting<\/strong><\/p>\n\n
show routing sd-wan-policy-route system-generate-traffic <\/code><\/pre>\n\n
To activate the System Generate Traffic option<\/strong><\/p>\n\n
set routing sd-wan-policy-route system-generate-traffic enable<\/code><\/pre>\n\n
Activating this option ensures that the system-generated traffic is routed correctly via the SD-WAN policies, which is particularly advantageous for complex network infrastructures.<\/p>\n\n
When are these adjustments necessary?<\/h2>\n\n
It may happen that certain network requirements are no longer met if the default route settings of the firewall are not sufficient.\nThis can occur, for example, if: <\/p>\n\n