Hi, a quick one today.
We have a customer with a Sophos XG 230, a lot of site-to-site VPNs and several policy-based routes, mainly for the 3 different ISPs they have.
The default “route precedence” the Sophos XG uses is as follows:
- Static routes
- SD-WAN policy routes
- VPN routes
This caused issues with the VPN traffic because, for a few destinations, the firewall followed the SD-WAN policy routes instead of sending the traffic into the VPN tunnels. I don’t remember the exact problem, but I do remember that I needed to change the priority.
Here is how to change it. SSH into the device and select option 4, “Device Console”.
```
fedora-kde :: ~ » ssh admin@172.16.16.16
Sophos Firmware Version SFOS 18.0.5 MR-5-Build586

Main Menu

    AA. Device Activation
    1. Network Configuration
    2. System Configuration
    3. Route Configuration
    4. Device Console
    5. Device Management
    6. VPN Management
    7. Shutdown/Reboot Device
    0. Exit

Select Menu Number [0-7]: 4
```
Show the current precedence:
```
console> system route_precedence show
Routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes
```
Change the priority. The arguments are listed in the order you want them evaluated, so this puts VPN routes ahead of the SD-WAN policy routes:
```
console> system route_precedence set static vpn sdwan_policyroute
```
Check again:
```
console> system route_precedence show
Routing Precedence:
1. Static routes
2. VPN routes
3. SD-WAN policy routes
```
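Because a setting like this is easy to forget and easy to lose track of across firmware upgrades or a second admin's changes, it is worth checking it mechanically rather than by eye. The script below is an added example, not Sophos code: it parses the text that `system route_precedence show` prints (the format is assumed from the captures above), compares it with the order you expect, and prints the `set` command that would restore it. The keyword-to-display-name mapping is taken from the commands and output shown on this page; the two sample captures are constructed from them.

```python
"""Check Sophos XG route precedence output against an expected order.

Added example, not Sophos code. It parses the text that
`system route_precedence show` prints (format assumed from the captures
on this page) and compares it with the order an operator expects, so a
change-control or post-upgrade check can flag drift instead of relying
on someone reading the console output.
"""
import re

# Constructed sample: the output shown on this page before the change.
SAMPLE_BEFORE = """console> system route_precedence show
Routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes
"""

# Constructed sample: the output after `set static vpn sdwan_policyroute`.
SAMPLE_AFTER = """console> system route_precedence show
Routing Precedence:
1. Static routes
2. VPN routes
3. SD-WAN policy routes
"""

# Display names from the `show` output mapped to the keywords the `set`
# command takes; both sides come from the commands on this page.
DISPLAY_TO_KEYWORD = {
    "Static routes": "static",
    "SD-WAN policy routes": "sdwan_policyroute",
    "VPN routes": "vpn",
}

# Matches the numbered entries ("1. Static routes"); prompt and header lines do not match.
_ENTRY = re.compile(r"^\s*(\d+)\.\s+(.+?)\s*$")


def parse_route_precedence(output: str) -> list[str]:
    """Return the keywords in precedence order, e.g. ['static', 'vpn', 'sdwan_policyroute'].

    Raises ValueError on an unknown entry, a gap in the numbering or a
    missing entry, so a changed output format fails loudly instead of
    silently passing the check.
    """
    order: list[str] = []
    for line in output.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        index, name = int(m.group(1)), m.group(2)
        if index != len(order) + 1:
            raise ValueError(f"unexpected numbering in line: {line!r}")
        if name not in DISPLAY_TO_KEYWORD:
            raise ValueError(f"unknown route type: {name!r}")
        order.append(DISPLAY_TO_KEYWORD[name])
    if len(order) != len(DISPLAY_TO_KEYWORD):
        raise ValueError(f"expected {len(DISPLAY_TO_KEYWORD)} entries, got {len(order)}")
    return order


def precedence_matches(output: str, expected: list[str]) -> bool:
    """True when the captured output lists the route types in `expected` order."""
    return parse_route_precedence(output) == list(expected)


def set_command_for(expected: list[str]) -> str:
    """Build the console command that establishes `expected` (syntax from this page)."""
    unknown = set(expected) - set(DISPLAY_TO_KEYWORD.values())
    if unknown or len(expected) != len(DISPLAY_TO_KEYWORD):
        raise ValueError(f"expected order must name each route type once: {expected!r}")
    return "system route_precedence set " + " ".join(expected)


if __name__ == "__main__":
    wanted = ["static", "vpn", "sdwan_policyroute"]
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ok = precedence_matches(sample, wanted)
        print(f"{label}: {parse_route_precedence(sample)} -> {'OK' if ok else 'DRIFT'}")
        if not ok:
            print("  restore with:", set_command_for(wanted))
```

In practice you would feed it the text captured from the console (for example, pasted from a change ticket or pulled by whatever tooling you use for the device) instead of the embedded samples; the parser rejects anything that does not look exactly like the three-line numbered list, so a different firmware that prints the list differently shows up as an error rather than a false "OK".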
Short one today.
Till next time.