Sophos Firewall V19: Instructions on how to route the server’s internet traffic through the specified IP WAN Alias using SD-WAN

1.The purpose of the article

In this article techbast will show you how to configure the server’s internet traffic routing through the fixed IP WAN Alias.



The internet connection is connected at port 2 of the Sophos XG Firewall device called ISP – Viettel IDC and has an IP of 171.x.x.195.

Also on port 2 we will have 4 more IP WAN Alias as follows:

  • Port 2 – WAN 1 (Alias IP): 171.x.x.200.
  • Port 2 – WAN 2 (Alias IP): 171.x.x.199.
  • Port 2 – WAN 3 (Alias IP): 171.x.x.198.
  • Port 2 – WAN 3 (Alias IP): 171.x.x.197.

The LAN subnet is configured at port 1 of the Sophos XG Firewall device with IP and configured with a DHCP Server to allocate IPs to connected devices.

Finally, the server device running the database with IP is connected to port 1 and named IMBX3850-DB-NEW.


Techbast will configure the Internet traffic routing of the IBMX3850-DB-NEW server through Port 2 – WAN 1 with IP 171.x.x.200.

4.What to do

  • Create Host profile.
  • Create SD-WAN Policy.
  • Create Firewall Rule và NAT Rule.
  • Result.


5.1.Create Host profile.

Go to Hosts and Services > IP Host and click Add to define a server with the following parameters:

  • Name*: IBMX3850-DB-NEW.
  • IP version*: IPv4.
  • Type*: IP
  • IP address*:
  • Click Save.

Similarly we also create a host profile for Port 2 – WAN 1 with IP 171.x.x.200

  • Name*: 171.x.x.200.
  • IP version*: IPv4.
  • Type*: IP
  • IP address*: 171.x.x.200.
  • Click Save.

5.2.Create SD-WAN Policy

Go to CONFIGURE > Routing > SD-WAN routes and configure with the following parameters:

  • Name: test.
  • Source networks: select host profile IBMX3580-DB-NEW.
  • Destination networks: Any.
  • Services: Any.
  • Application objects: Any.
  • User or group: Any.
  • Primary gateway: select ISP – Viettel IDC.
  • Click Save.

5.3.Create firewall and NAT rule.

To create, go to PROTECT > Rules and policies > Firewall rules > Add Firewall rule > New firewall rule.

Configure according to the following parameters:

  • Rule status: ON
  • Rule Name: IMBX3850-DB-NEW to WAN.
  • Action: select Accept.
  • Log firewall traffic: select.
  • Source zones: LAN.
  • Source networks and devices: select host profile IBMX3850-DB-NEW.
  • Destination zones: WAN.
  • Destination networks: Any.

Also in the policy configuration section, we click Create linked NAT rule to create a NAT rule with the following information:

  • Translated source (SNAT): select MASQ.
  • Tích chọn Override source translation (SNAT) for specific outbound interfaces.
  • Outbound interface: select Port 2 – WAN 1.
  • Translated source: select host profile 171.x.x.200.
  • Click Save.

1 Comment

  1. Great article but be aware that SDWAN will break internal traffic flow between Zones when you try this. Took me days to figure it out. I have LAN and DMZ but when I tried to route the DMZ to an IP alias, all of a sudden I could not get LAN DMZ to communicate even though the firewall rule was there at the top. It is only when turning off the SDWan route internal traffic flow worked. Then I found this article and it turns out SDWan has higher precedence than static routes and it will try to route EVERYTHING to the gateway interface. This article will tell you how to fix it:

Leave a Reply to Mike Cancel reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.