
Sophos Firewall Networking — Zones, Interfaces & Routing with SD-WAN

Sophos Firewall makes every decision on top of three stacked layers — zones, interfaces and routing — with SD-WAN sitting on top to steer apps onto the healthiest link. This lesson maps each layer (default and custom zones, VLAN/LAG/bridge/RED interfaces, multi-ISP WAN links, static and OSPF/BGP routing) and nails the one thing interviews love: the exact order SFOS uses to pick a route.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live route demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Sophos Firewall (SFOS) networking in 2026: zones as the trust model, every interface type (physical, VLAN, LAG, bridge, alias, RED), the WAN link manager with weighted balancing and failover, static and dynamic routing (OSPF/BGP/RIP), and SD-WAN profiles with SLA-based application failover — including the exact route-lookup order.

Pick where you want to start

1. Zones: the trust model every firewall rule is built on.
2. Interfaces & WAN: physical, VLAN, LAG, bridge, RED, plus multi-ISP links.
3. Routing & order: static, OSPF/BGP/RIP, and the lookup precedence.
4. SD-WAN & SLA: app-aware routing, SLA monitors and failover.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What does a Sophos Firewall rule reference as its source and destination?

Answered in Zones.

2. How do you keep a branch online across two ISPs?

Answered in Interfaces & WAN.

3. Which is evaluated first in an SFOS route lookup?

Answered in Routing & order.

Most engineers think…

Most people treat a firewall as 'an IP and a few allow rules', then get stuck when traffic leaves the wrong link or a rule never matches. That mental model fails you in an interview and on a live branch.

Sophos Firewall is a stack of four layers in a fixed order: zones group interfaces by trust so a rule is written zone-to-zone; interfaces (physical, VLAN, LAG, bridge, alias, RED) are where traffic enters and leaves; the WAN link manager balances and fails over multiple ISPs; and routing picks the path with static and dynamic protocols. On top, SD-WAN steers apps by SLA — and crucially SD-WAN routes are looked up first, before static and dynamic. Knowing that order is what turns 'my static route is ignored' from a mystery into a one-line answer.

① Zones — the trust model everything else hangs off

The first idea to lock in: Sophos Firewall is zone-based, not per-port. A zone groups one or more interfaces by trust level, and every firewall rule is written source-zone to destination-zone. Write one rule from LAN to WAN and it covers every port you placed in LAN — far fewer, clearer rules than per-interface ACLs.

SFOS ships with default system zones: LAN, WAN, DMZ, WiFi and VPN (plus a Local zone for traffic to the firewall itself). When the defaults aren't enough — say you want to isolate a PCI segment or a guest network — you create a custom zone and drop the right interfaces into it.

The interview line: zones decide what a rule even applies to. Get an interface into the wrong zone and a perfectly written rule silently never matches the traffic you meant.

Figure 1 — The four SFOS layers, in order: Zones (trust groups that rules are written between) → Interfaces (physical, VLAN, LAG, bridge, RED) → Routing (static + OSPF / BGP / RIP) → SD-WAN (app-aware, SLA-driven steering).
Sophos Firewall decisions stack in a fixed order — zones, interfaces, routing, then SD-WAN on top.

Check the zone before you debug the rule

When a firewall rule 'isn't working', confirm the interface is in the zone the rule expects first. A rule from LAN to WAN does nothing for a port you accidentally left in DMZ. Zones decide what a rule even applies to.
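To make the "wrong zone" failure concrete, here is an added Python model of zone-based rule matching. It is not Sophos code and does not talk to a firewall: the port names, the interface-to-zone map and the two rules are constructed for the example, and matching on the zone pair alone is a deliberate simplification of a real SFOS rule (which also matches on networks, services, users and schedule). The point it shows is the one above: the same rule that matches when Port1 is in LAN matches nothing when Port1 was left in DMZ.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: interface -> zone assignment (hypothetical port names).
INTERFACE_ZONE: Dict[str, str] = {
    "Port1": "LAN",
    "Port1.10": "LAN",   # VLAN 10 sub-interface, also placed in LAN
    "Port2": "WAN",
    "Port3": "DMZ",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str          # "accept" or "drop"


# Constructed rule table, evaluated top-down; first match wins.
RULES: List[Rule] = [
    Rule("LAN-to-WAN", "LAN", "WAN", "accept"),
    Rule("DMZ-to-WAN", "DMZ", "WAN", "accept"),
]


def zone_of(interface: str, interface_zone: Dict[str, str]) -> str:
    """Every interface lives in exactly one zone; an unassigned port is an error."""
    if interface not in interface_zone:
        raise ValueError(f"{interface} is not assigned to any zone")
    return interface_zone[interface]


def match_rule(in_iface: str, out_iface: str,
               rules: List[Rule] = RULES,
               interface_zone: Dict[str, str] = INTERFACE_ZONE) -> Optional[Rule]:
    """Return the first rule whose (source zone, destination zone) pair matches,
    or None, which in SFOS means the traffic hits the implicit drop."""
    src = zone_of(in_iface, interface_zone)
    dst = zone_of(out_iface, interface_zone)
    for rule in rules:
        if rule.src_zone == src and rule.dst_zone == dst:
            return rule
    return None


def explain_miss(in_iface: str, out_iface: str,
                 rules: List[Rule] = RULES,
                 interface_zone: Dict[str, str] = INTERFACE_ZONE) -> str:
    """First thing to check when 'the rule isn't working': which zone pair the
    traffic actually presents, and whether any rule exists for that pair."""
    src = zone_of(in_iface, interface_zone)
    dst = zone_of(out_iface, interface_zone)
    candidates = [r.name for r in rules if r.src_zone == src and r.dst_zone == dst]
    if candidates:
        return f"{in_iface}->{out_iface} is {src}->{dst}; matches {candidates[0]}"
    return (f"{in_iface}->{out_iface} is {src}->{dst}; no rule for that zone pair "
            f"(implicit drop): check the zone of {in_iface} and {out_iface}")


if __name__ == "__main__":
    print(explain_miss("Port1", "Port2"))               # LAN->WAN, matches LAN-to-WAN
    misplaced = dict(INTERFACE_ZONE, Port1="DMZ")       # same rule, Port1 left in DMZ
    print(explain_miss("Port1", "Port2", [RULES[0]], misplaced))
```

Run it and the second line is the whole lesson of this callout: the rule text never changed, only the zone of the ingress port did, and the traffic now falls through to the implicit drop.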

Quick check · Q1 of 10 · Understand

Why is Sophos Firewall described as 'zone-based'?

Correct: b. A zone groups interfaces by trust, and every firewall rule references a source zone and a destination zone — so one rule covers all ports in that zone. Put an interface in the wrong zone and the rule silently never matches.
👉 So far: Zones group interfaces by trust (LAN/WAN/DMZ/WiFi/VPN/custom) and every firewall rule is written source-zone to destination-zone — so zones decide what a rule applies to.

② Interfaces & WAN links — where traffic enters and leaves

An interface is any port — physical or logical — that carries traffic, and each one is assigned to exactly one zone. SFOS supports physical ports (hardware or virtual NICs), VLAN interfaces (802.1Q tagged sub-interfaces that split one port into many logical networks), LAG / link aggregation (bonding ports with LACP for bandwidth or redundancy), bridge interfaces (transparent mode, so the firewall sits inline without re-addressing the segment), alias IPs (extra IPs on one interface) and RED / SD-RED tunnels (a thin remote box that back-hauls a branch LAN over an encrypted link).

Two ISPs, one branch

For WAN, the WAN link manager lets you run multiple gateways with weighted load balancing and failover. Each gateway gets a health check (a gateway probe), so a dead ISP is detected automatically and traffic moves to the surviving link. Weights bias how much load each link carries. Per-interface services like DHCP and DNS are configured here too, so one box runs addressing, name resolution and routing for the site.
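The weighted balancing plus probe-driven failover described above, as an added Python model (not Sophos code, and not how SFOS implements it internally). Gateway names, weights and probe results are constructed for the example; a flow is hashed onto a slot so the same flow keeps the same link while it is healthy, and a gateway whose probe fails simply owns no slots, which is what makes the failover automatic.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    weight: int            # relative share of new flows while healthy
    healthy: bool = True


def apply_probes(gateways: List[Gateway], probe_results: Dict[str, bool]) -> None:
    """Update each gateway from its health-check probe (constructed results:
    True = probe target answered, False = probe failed / gateway dead)."""
    for gw in gateways:
        gw.healthy = probe_results.get(gw.name, False)


def pick_gateway(gateways: List[Gateway], flow_key: str) -> Optional[Gateway]:
    """Weighted selection among healthy gateways. Each live gateway owns a run
    of slots proportional to its weight; the flow hashes (CRC32, stable for
    the life of the flow) onto one slot. Dead gateways own no slots."""
    live = [gw for gw in gateways if gw.healthy and gw.weight > 0]
    if not live:
        return None                      # every ISP is down: nothing to pick
    total = sum(gw.weight for gw in live)
    slot = zlib.crc32(flow_key.encode()) % total
    for gw in live:
        if slot < gw.weight:
            return gw
        slot -= gw.weight
    return live[-1]                      # not reachable, kept as a safety net


def distribute(gateways: List[Gateway], flow_keys: List[str]) -> Dict[str, int]:
    """How many of the given flows land on each gateway."""
    counts = {gw.name: 0 for gw in gateways}
    for key in flow_keys:
        gw = pick_gateway(gateways, key)
        if gw is not None:
            counts[gw.name] += 1
    return counts


if __name__ == "__main__":
    links = [Gateway("link1-fibre", weight=3), Gateway("link2-broadband", weight=1)]
    # Constructed 5-tuple-style flow keys for 400 client sessions.
    flows = [f"10.10.0.{i % 250}:5{i:04d}->203.0.113.7:443" for i in range(400)]
    print("both up:   ", distribute(links, flows))
    apply_probes(links, {"link1-fibre": False, "link2-broadband": True})
    print("link1 dead:", distribute(links, flows))
```

With both links up the 3:1 weights bias roughly three quarters of the flows onto the fibre link; once the probe marks link1 dead, every flow lands on link2 without any rule change, which is the behaviour you want to confirm before trusting a branch to two ISPs.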

Figure 2 — Interface types, all living in a zone: a zone (trust grouping) contains physical ports, VLANs (802.1Q), LAGs (LACP), bridges, alias IPs and RED / SD-RED tunnels.
Every interface kind in SFOS is assigned to a zone before any rule or route can use it.

Zone
A trust grouping of interfaces (LAN/WAN/DMZ/WiFi/VPN/custom). Every firewall rule is written source-zone to destination-zone.

VLAN / LAG
VLAN = an 802.1Q tagged sub-interface splitting one port into many logical networks. LAG = bonding ports with LACP for bandwidth or redundancy.

WAN link manager
Runs multiple ISP gateways with weighted load balancing, failover and health-check probes so a branch stays online if one link dies.

SD-WAN profile
App/FQDN-aware policy routing with an SLA monitor (latency/jitter/loss). On breach it fails the app over to the backup link automatically.

Quick check · Q2 of 10 · Remember

Which interface type back-hauls a remote branch LAN to the firewall over an encrypted tunnel?

Correct: c. RED (Remote Ethernet Device) / SD-RED is a thin remote box that tunnels a branch LAN back to the firewall. VLANs tag one port, bridges run transparent mode, and alias IPs just add extra IPs to an interface.
👉 So far: Interfaces (physical, VLAN, LAG, bridge, alias, RED) each live in one zone; the WAN link manager runs multiple ISP gateways with weighted balancing, failover and health checks.

③ Routing — static, dynamic, and the lookup order that trips people up

Once an interface and gateway exist, routing decides the egress path. SFOS does first-class static routes, plus a full dynamic routing stack built on FRR: OSPF, BGP and RIP, with multicast (PIM/IGMP) for streaming. It also supports policy-based routing, which in modern SFOS is delivered through SD-WAN routes that match on source, destination, service or application — not just a destination subnet.

The precedence you must memorise

SFOS evaluates routes in a fixed order: (1) SD-WAN policy routes, then (2) static routes, then (3) dynamic routes (OSPF/BGP/RIP). The catch: an SD-WAN route wins even if a more specific static route exists. That single fact explains most 'my static route is being ignored' tickets — an SD-WAN route matched first and steered the traffic somewhere else.

Figure 3 — Route lookup order: SD-WAN policy routes first → static next in line → dynamic (OSPF / BGP / RIP) → egress on the chosen next-hop.
SFOS checks SD-WAN policy routes first, then static, then dynamic — so an SD-WAN route can override a static one.

Figure 4 — Static routes vs SD-WAN routes.
Static route: matches a destination subnet; no health awareness; fixed next-hop / gateway; evaluated after SD-WAN.
SD-WAN route: matches app / FQDN / service; SLA monitor for latency/jitter/loss; auto failover between links; evaluated first in the lookup.
Static routes match a destination subnet; SD-WAN routes match apps and watch an SLA — and they win the lookup.

'My static route is being ignored'

It isn't ignored — it lost the lookup. SFOS checks SD-WAN policy routes before static and dynamic routes, so an SD-WAN route matching the same traffic wins even if your static route is more specific. Check SD-WAN routes first when egress looks wrong.
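The lookup order above, as an added Python model so you can see the "ignored" static route lose. This is not Sophos code and not the SFOS implementation; it reproduces only the precedence the lesson states (SD-WAN policy routes, then static, then dynamic, with longest-prefix match inside the static and dynamic tables). The route tables, link names and the "erp" application label are constructed, and treating the default route as a final fallback after all three tables is an assumption of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    dst: str
    app: str = ""           # application label as the firewall would classify it (constructed)


@dataclass(frozen=True)
class SdwanRoute:
    name: str
    app: Optional[str]      # match on application, None = any
    dst: Optional[str]      # match on destination network, None = any
    gateway: str            # link the attached SD-WAN profile currently prefers


@dataclass(frozen=True)
class PrefixRoute:
    prefix: str
    gateway: str
    source: str             # "static", "ospf", "bgp" or "rip"


def longest_match(dst, routes: List[PrefixRoute]) -> Optional[PrefixRoute]:
    """Classic longest-prefix match within a single table."""
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def lookup(packet: Packet, sdwan: List[SdwanRoute], static: List[PrefixRoute],
           dynamic: List[PrefixRoute], default_gw: str) -> Tuple[str, str]:
    """Return (gateway, reason) in the precedence the lesson describes."""
    dst = ip_address(packet.dst)
    # 1. SD-WAN policy routes: top-down, first match wins, no matter how
    #    specific a static route for the same destination is.
    for r in sdwan:
        if r.app is not None and r.app != packet.app:
            continue
        if r.dst is not None and dst not in ip_network(r.dst):
            continue
        return r.gateway, f"sdwan:{r.name}"
    # 2. Static routes, longest prefix wins.
    hit = longest_match(dst, static)
    if hit:
        return hit.gateway, f"static:{hit.prefix}"
    # 3. Dynamic routes learned via OSPF/BGP/RIP.
    hit = longest_match(dst, dynamic)
    if hit:
        return hit.gateway, f"{hit.source}:{hit.prefix}"
    return default_gw, "default"          # assumption: default route is the last fallback


# Constructed tables for the 'my static route is being ignored' ticket.
SDWAN = [SdwanRoute("ERP-to-link2", app="erp", dst=None, gateway="link2")]
STATIC = [PrefixRoute("10.20.0.0/16", "link1", "static")]
DYNAMIC = [PrefixRoute("10.30.0.0/24", "link1", "ospf")]
DEFAULT = "link1"

if __name__ == "__main__":
    # Same destination, same static route; only the application differs.
    print(lookup(Packet("10.20.0.5", app="erp"), SDWAN, STATIC, DYNAMIC, DEFAULT))
    print(lookup(Packet("10.20.0.5"), SDWAN, STATIC, DYNAMIC, DEFAULT))
```

The two printed lines are the diagnosis in miniature: ERP traffic to 10.20.0.5 leaves on link2 because the SD-WAN route matched first, while any other traffic to the very same address follows the static /16 to link1. Nothing is broken; the static route simply lost the lookup.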

Quick check · Q3 of 10 · Analyze

A specific static route exists for 10.20.0.0/16, yet that traffic leaves a different link. What is the most likely cause?

Correct: a. SFOS evaluates SD-WAN policy routes before static and dynamic routes. An SD-WAN route matching that traffic is chosen first, even though a more specific static route exists — the classic 'my static route is ignored' case.
👉 So far: Routing = static + dynamic (OSPF/BGP/RIP via FRR) + multicast, and the lookup order is SD-WAN routes first, then static, then dynamic — which is why an SD-WAN route can override a static one.

④ SD-WAN — app-aware routing with SLA failover

SD-WAN is where SFOS gets smart about which link an application uses. You build an SD-WAN profile with an SLA monitor — thresholds for latency, jitter and packet loss measured by gateway probes — and pick a primary link plus a backup. You then attach it to an SD-WAN route that matches by application or FQDN, so (for example) your SaaS ERP always rides the fibre link while it is healthy.

Design it so it actually fails over

When the SLA on the primary link is breached, the profile automatically fails the matched traffic over to the backup link, then moves it back when the primary recovers. The failure everyone hits is creating the SD-WAN route but attaching no SLA monitor — SFOS never notices the link degrading and pins the app to a bad link forever. Always pair an app route with an SLA profile and a probe target.

Figure 5 — How an app fails over on an SLA breach: match app (SD-WAN route hits ERP) → probe SLA (latency/jitter/loss) → breach (link1 over threshold) → failover (app moves to link2).
An SD-WAN profile probes the link, detects the SLA breach and moves the app to the backup link automatically.

Priya at Kavin Retail Solutions (Pune) faces this

A branch on two ISPs runs a cloud ERP that goes slow and times out at peak, even though 'the SD-WAN route exists' and both ISPs are up.

Likely cause

The SD-WAN route pins the ERP to link1 but has no SLA monitor or health probe attached, so SFOS never notices link1's latency and packet loss have crossed acceptable limits.

Diagnosis

In Routing ▸ SD-WAN the ERP route matches, but its profile has no SLA thresholds and no gateway probe; in the WAN link manager both gateways show up, so nothing triggers a failover.

Where to look: Routing ▸ SD-WAN ▸ Profiles / Routes, and Network ▸ WAN link manager.

Fix

Build an SD-WAN profile with an SLA monitor (probe target + latency/jitter/loss thresholds), set link1 primary and link2 backup, and attach it to the ERP SD-WAN route.

Verify

Inject loss on link1 (or wait for peak): watch the SLA flip to breached, the ERP sessions move to link2, the route show link2 as active, and the app become responsive again.

Prove failover, don't assume it

Never trust that SD-WAN will fail over because 'a backup link is configured'. Inject loss or drop the primary and watch the SLA monitor flip to breached and the app move links in the SD-WAN status. No SLA monitor means no failover — full stop.
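The SLA monitor and failover logic from this section, as an added Python model you can run before you go near a real branch. It is not Sophos code and does not probe anything: the thresholds, the two links and the probe windows are constructed, and the jitter definition (mean change between consecutive replies) is a simplification chosen for the example. The `sla=None` profile is the classic mistake from the case above, a route with no SLA monitor attached, and the model shows exactly why it never fails over.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sla:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class ProbeSample:
    latency_ms: float        # round-trip to the probe target
    lost: bool = False       # True when the probe got no reply


def evaluate(samples: List[ProbeSample], sla: Sla) -> Tuple[bool, Dict[str, float]]:
    """Reduce one window of probe samples to latency/jitter/loss and compare
    them with the SLA thresholds. An empty window counts as breached."""
    if not samples:
        return True, {"latency_ms": float("inf"), "jitter_ms": 0.0, "loss_pct": 100.0}
    replies = [s.latency_ms for s in samples if not s.lost]
    loss_pct = 100.0 * (len(samples) - len(replies)) / len(samples)
    latency = mean(replies) if replies else float("inf")
    jitter = (mean(abs(a - b) for a, b in zip(replies, replies[1:]))
              if len(replies) > 1 else 0.0)
    metrics = {"latency_ms": latency, "jitter_ms": jitter, "loss_pct": loss_pct}
    breached = (latency > sla.latency_ms or jitter > sla.jitter_ms
                or loss_pct > sla.loss_pct)
    return breached, metrics


@dataclass
class SdwanProfile:
    primary: str
    backup: str
    sla: Optional[Sla]       # None models the mistake: no SLA monitor attached
    active: str = field(init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def tick(self, window: Dict[str, List[ProbeSample]]) -> str:
        """Apply one probe window and return the link the matched app uses now."""
        if self.sla is None:
            return self.active           # nothing is measured, so nothing ever fails over
        primary_bad, _ = evaluate(window[self.primary], self.sla)
        backup_bad, _ = evaluate(window[self.backup], self.sla)
        if self.active == self.primary and primary_bad and not backup_bad:
            self.active = self.backup    # SLA breach: move the app to the backup link
        elif self.active == self.backup and not primary_bad:
            self.active = self.primary   # primary recovered: fail back
        return self.active


def window(latencies: List[float], lost_at: Tuple[int, ...] = ()) -> List[ProbeSample]:
    """Constructed probe window: one sample per interval, some marked lost."""
    return [ProbeSample(lat, lost=(i in lost_at)) for i, lat in enumerate(latencies)]


# Constructed data: SLA of 100 ms / 20 ms jitter / 5 % loss and two probe windows.
SLA = Sla(latency_ms=100, jitter_ms=20, loss_pct=5)
HEALTHY = {"link1": window([20, 22, 21, 23, 20, 22, 21, 22]),
           "link2": window([35, 36, 34, 37, 35, 36, 35, 36])}
DEGRADED = {"link1": window([20, 0, 21, 0, 20, 0, 21, 22], lost_at=(1, 3, 5)),
            "link2": HEALTHY["link2"]}

if __name__ == "__main__":
    prof = SdwanProfile("link1", "link2", SLA)
    for label, w in (("healthy", HEALTHY), ("degraded", DEGRADED), ("recovered", HEALTHY)):
        print(f"{label:9s} -> {prof.tick(w)}  link1 metrics: {evaluate(w['link1'], SLA)[1]}")
    print("no SLA    ->", SdwanProfile("link1", "link2", None).tick(DEGRADED))
```

The degraded window drops three of eight probes (37.5 % loss against a 5 % threshold), so the profile with an SLA moves the app to link2 and brings it back once link1 is clean again. The profile built with no SLA monitor reports link1 on every window, bad or not, which is the "pinned to a bad link forever" case this section warns about.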

▶ Watch a SaaS app ride link1, then fail over to link2

How an SD-WAN route steers an app and fails it over on an SLA breach: first the healthy path, then the classic failure.

① Match app: the branch ERP traffic hits an SD-WAN route that matches the ERP application and prefers link1 (fibre).
② Probe SLA: the SD-WAN profile probes link1; latency, jitter and packet loss are within threshold, so the app stays on link1.
③ SLA breach: link1 starts dropping packets; the probe sees loss cross the threshold and marks the SLA as breached.
④ Failover: the profile automatically moves the ERP sessions to link2 (broadband); the app stays responsive and recovers.

Quick check · Q4 of 10 · Apply

Your SaaS ERP rides link1 but never fails over to link2 when link1 degrades. What is missing?

Correct: b. Without an SLA monitor and gateway probe attached to the SD-WAN profile, SFOS never measures link1's degradation, so it never triggers failover. Add the SLA thresholds and probe target and the app moves to link2 on breach.
👉 So far: An SD-WAN profile steers an app/FQDN onto a link and monitors an SLA (latency/jitter/loss); on breach it auto-fails over — but only if an SLA monitor and probe are actually attached.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

Which of these is NOT a default system zone in Sophos Firewall?

Correct: c. The default system zones are LAN, WAN, DMZ, WiFi and VPN (plus Local for the firewall itself). 'Branch' is not a default zone — you would create that as a custom zone.
Q6 · Understand

What is a LAG (link aggregation) interface used for?

Correct: b. LAG bonds multiple physical ports (LACP/802.3ad) into one logical link for higher throughput or redundancy. VLANs tag a port, RED tunnels a remote site, and alias IPs just add extra addresses.
Q7 · Apply

You need a branch to stay online if its primary ISP fails. Which feature handles this?

Correct: c. The WAN link manager runs multiple WAN gateways with weighted load balancing, failover and health-check probes, so a dead ISP is detected and traffic moves to the live link automatically.
Q8 · Analyze

Egress for a destination looks wrong even though a precise static route exists. Where do you look first?

Correct: b. SFOS evaluates SD-WAN policy routes before static and dynamic routes, so an SD-WAN route can win over a more specific static route. Check the SD-WAN routes first when traffic leaves the wrong link.
Q9 · Evaluate

An SD-WAN profile is configured but an app never fails over to the backup ISP. Best explanation?

Correct: a. Failover is triggered by an SLA breach measured by a probe. With no SLA monitor and probe target attached to the profile, SFOS never measures the link, so nothing breaches and the app stays pinned to the bad link.
Q10 · Evaluate

An interviewer asks for the SFOS route-lookup order. Best answer?

Correct: d. The correct precedence is SD-WAN policy routes first, then static routes, then dynamic routes. That order is exactly why an SD-WAN route can override a static one, and it is the answer interviewers are listening for.

🧠 In your own words

Type one line: in what order does Sophos Firewall pick a route, and why does that explain an 'ignored' static route? Then compare with the expert version.

Expert version: SFOS looks up routes in a fixed order — SD-WAN policy routes first, then static routes, then dynamic routes (OSPF/BGP/RIP). Because SD-WAN routes are evaluated before everything else, an SD-WAN route that matches the traffic is chosen even when a more specific static route exists. So a static route that 'seems ignored' usually lost the lookup to an SD-WAN route matching the same app or destination. Fix it by checking the SD-WAN routes first, then the static table, then the dynamic table — in that order.


📖 Glossary

Zone
A trust grouping of interfaces (LAN, WAN, DMZ, WiFi, VPN or custom) used as the source/destination of firewall rules.
Interface
A physical or logical port (physical, VLAN, LAG, bridge, alias, RED) assigned to one zone, optionally with an IP, DHCP and DNS.
VLAN (802.1Q)
Tagging that lets one physical port carry multiple logical networks as separate VLAN sub-interfaces.
LAG (link aggregation)
Bonding several physical ports (LACP/802.3ad) into one logical link for more bandwidth or redundancy.
Bridge interface
Transparent mode where the firewall sits inline between segments without re-addressing them.
RED / SD-RED
Remote Ethernet Device — a thin remote box that back-hauls a branch LAN to the firewall over an encrypted tunnel.
WAN link manager
The SFOS feature for running multiple WAN gateways with weighted balancing, failover and health-check probes.
OSPF / BGP / RIP
Dynamic routing protocols (FRR-based) SFOS can run to learn and advertise routes, alongside static routes.
SD-WAN profile
Application/FQDN-aware policy routing with an SLA monitor (latency/jitter/loss) and automatic failover.
Route precedence
The SFOS lookup order: SD-WAN policy routes first, then static routes, then dynamic routes.


What's next?

Got the plumbing? Next, learn how Sophos Firewall rules and rule groups actually match traffic — and why NAT lives in its own separated NAT rule table instead of being baked into the firewall rule.