Sophos Sticky Session

Created by Paul Sillars, Modified on Sat, 19 Aug, 2023 at 4:07 PM by Paul Sillars

Sophos XG Firewall: WAN load balancing CLI command 

 

KB-000038813 | Mar 1, 2021 | 3 people found this article helpful 

 

Overview 

Session persistence will send traffic for the same session over a specific interface. Weighted round robin will pass traffic over different interfaces depending on the load that each interface is experiencing. This article describes how to set up the WAN load balancing type on the firewall. 

 

The following sections are covered: 

How to check the current load balancing setting 

How to change the load balancing to Weighted Round Robin 

How to change the load balancing to Session-Persistant 

weighted-round-robin and session-persistant comparison 

When to use Session-Persistant? 

 

Applies to the following Sophos products and versions 

Sophos XG Firewall 

 

How to check the current load balancing setting 

console> show routing wan-load-balancing  

 

sample output: 

IPv4 WAN Link Load Balance method : Weighted Round Robin 

IPv6 WAN Link Load Balance method : Weighted Round Robin 

 

How to change the load balancing to Weighted Round Robin 

console> set routing wan-load-balancing weighted-round-robin ip-family <all/ipv4/ipv6> 

 

How to change the load balancing to Session-Persistant 

console> set routing wan-load-balancing session-persistant <connection-based/destination-only/source-and-destination/source-only> ip-family <all/ipv4/ipv6> 

 

weighted-round-robin vs session-persistant 

weighted-round-robin 

For weighted-round-robin, each link is assigned a weight. Sophos XG Firewall then distributes the traffic among the links in proportion to the weight assigned to them. 

 

Note: You can also choose the IP family for which the load balancing method is to be configured. 

session-persistant 

Based on the parameters defined, the session behaves like a sticky (persistent) session: a new connection that matches an existing or active session follows the same route and uses the same gateway. The match can be based on the destination address, the source address, both, or source and destination together with the protocol and destination port. 

 

  • connection-based - Combination of source and destination IP addresses, protocol, and destination port will be considered for load balancing. 
  • destination-only - Destination IP address will be considered for load balancing. 
  • source-only - Source IP address will be considered for load balancing (default). 
  • source-and-destination - Combination of source and destination IP addresses will be considered for load balancing. 

Note: You can also choose the IP family for which the load balancing method is to be configured. Use ip-family as described below. 

 

ip-family { ipv4 | ipv6 | all } 

  • ipv4 - Choose to apply load balancing method to IPv4 gateway(s). 
  • ipv6 - Choose to apply load balancing method to IPv6 gateway(s). 
  • all - Choose to apply load balancing method to IPv4 and IPv6 gateway(s). 

 

When to use session-persistant? 

Before version 17, the load balancing method was Weighted Round Robin, which caused many issues with connections to secure websites such as banking websites and government portals. Once a user is logged in, the server at the remote end expects subsequent connections to come from the same source address, i.e. the client's public address. When a new session was created it could be sent over a different link, so a different public address became the source, and the server would then reject the connection/session. 

 

Hence, the session-persistant option was introduced for such websites, so users do not need to create an FQDN-based rule that pins traffic to a particular gateway. It is recommended to use session-persistant with source-and-destination or destination-only to overcome such issues. 
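The following Python script is an added illustration of the two behaviours described above; it is not from the Sophos article and is not Sophos XG Firewall's own implementation. It models weighted-round-robin as a weighted cycle over the links and session-persistant as a stable hash over the key each mode uses (source-only, destination-only, source-and-destination, connection-based), then replays a client's repeated HTTPS connections to one site to show which public addresses the remote server sees under each method. Link names, public IPs, weights and the client and server addresses are constructed sample values.

```python
import hashlib
import itertools
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class WanLink:
    name: str
    public_ip: str   # address the remote server sees when traffic leaves via this link
    weight: int


# Constructed sample WAN links (names, addresses and 3:1 weights are illustrative).
LINKS = [
    WanLink("PortB", "203.0.113.10", 3),
    WanLink("PortC", "198.51.100.20", 1),
]


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


class WeightedRoundRobin:
    """Hands links out in proportion to their weights, ignoring who the client is."""

    def __init__(self, links):
        # Expand weights into a cycle such as [PortB, PortB, PortB, PortC] and step through it.
        self._cycle = itertools.cycle([link for link in links for _ in range(link.weight)])

    def select(self, conn):
        return next(self._cycle)


def persistence_key(conn, mode):
    """Return the tuple the article lists for each session-persistant mode."""
    if mode == "source-only":
        return (conn.src_ip,)
    if mode == "destination-only":
        return (conn.dst_ip,)
    if mode == "source-and-destination":
        return (conn.src_ip, conn.dst_ip)
    if mode == "connection-based":
        return (conn.src_ip, conn.dst_ip, conn.protocol, conn.dst_port)
    raise ValueError(f"unknown session-persistant mode {mode!r}")


class SessionPersistent:
    """Maps every connection with the same key to the same link (a sticky session)."""

    def __init__(self, links, mode):
        self.links = links
        self.mode = mode

    def select(self, conn):
        key = "|".join(map(str, persistence_key(conn, self.mode))).encode()
        # A stable digest, not Python's randomised hash(), so the mapping survives restarts.
        digest = hashlib.sha256(key).digest()
        return self.links[int.from_bytes(digest[:4], "big") % len(self.links)]


def client_connections(n, src="10.0.0.5", dst="192.0.2.50"):
    """n successive HTTPS connections from one client to one secure site (constructed traffic)."""
    return [Connection(src, dst, "tcp", 443) for _ in range(n)]


def public_ips_seen(balancer, conns):
    """Set of source addresses the remote server would observe for this traffic."""
    return {balancer.select(c).public_ip for c in conns}


def link_counts(balancer, conns):
    """How many connections each link carried."""
    return Counter(balancer.select(c).name for c in conns)


if __name__ == "__main__":
    conns = client_connections(8)
    print("weighted-round-robin, server sees:", public_ips_seen(WeightedRoundRobin(LINKS), conns))
    for mode in ("source-only", "destination-only", "source-and-destination", "connection-based"):
        print(f"session-persistant {mode}, server sees:",
              public_ips_seen(SessionPersistent(LINKS, mode), conns))
    print("weighted-round-robin split over 400 connections:",
          link_counts(WeightedRoundRobin(LINKS), client_connections(400)))
```

Under weighted-round-robin the same logged-in client shows up at the server from both public addresses within a handful of connections, which is the rejection scenario described above; under any session-persistant mode the eight connections share one key and therefore one gateway, while the 400-connection run shows that weighted-round-robin still honours the 3:1 weights across all traffic.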

 

From <https://support.sophos.com/support/s/article/KB-000038813?language=en_US> 
