Main Menu
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
SonicWall
  • Products
    • Network Security
      • Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
      • Security ServicesComprehensive security for your network security solution
      • Network Security ManagerModern Security Management for today’s security landscape
    • Advanced Threat Protection
      • Capture ATPMulti-engine advanced threat detection
      • Capture Security applianceAdvanced Threat Protection for modern threat landscape
    • Access Security
      • Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
      • Secure Mobile AccessRemote, best-in-class, secure access
      • Wireless Access PointsEasy to manage, fast and secure Wi-FI
      • SwitchesHigh-speed network switching for business connectivity
    • Email Security
      • Email SecurityProtect against today’s advanced email threats
    • Cloud Security
      • Cloud App SecurityVisibility and security for Cloud Apps
      • Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
    • Endpoint Security
      • Capture ClientStop advanced threats and rollback the damage caused by malware
      • Content Filtering ClientControl access to unwanted and unsecure web content
    • Product Widgets
      • Product Menu Right Image
      • Capture Cloud Platform
        Capture Cloud Platform

        A security ecosystem to harness the power of the cloud

    • Button Widgets
      • Products A-Z
        all products A–Z FREE TRIALS
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure WiFi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • English English English en
  • BLOG
  • CONTACT SALES
  • FREE TRIALS
  • English English English en
SonicWall
  • Products
    • Network Security
      • Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
      • Security ServicesComprehensive security for your network security solution
      • Network Security ManagerModern Security Management for today’s security landscape
    • Advanced Threat Protection
      • Capture ATPMulti-engine advanced threat detection
      • Capture Security applianceAdvanced Threat Protection for modern threat landscape
    • Access Security
      • Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
      • Secure Mobile AccessRemote, best-in-class, secure access
      • Wireless Access PointsEasy to manage, fast and secure Wi-FI
      • SwitchesHigh-speed network switching for business connectivity
    • Email Security
      • Email SecurityProtect against today’s advanced email threats
    • Cloud Security
      • Cloud App SecurityVisibility and security for Cloud Apps
      • Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
    • Endpoint Security
      • Capture ClientStop advanced threats and rollback the damage caused by malware
      • Content Filtering ClientControl access to unwanted and unsecure web content
    • Product Widgets
      • Product Menu Right Image
      • Capture Cloud Platform
        Capture Cloud Platform

        A security ecosystem to harness the power of the cloud

    • Button Widgets
      • Products A-Z
        all products A–Z FREE TRIALS
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure WiFi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • Menu

How to route only SMTP traffic through a specific interface (e.g. Secondary WAN)

10/14/2021 49 People found this article helpful 103,373 Views

    Download
    Print
    Share
    • LinkedIn
    • Twitter
    • Facebook
    • Email
    • Copy URL The link has been copied to clipboard

    Description

    This article explains how to route only SMTP traffic through a specific interface (e.g. Secondary WAN). When a SonicWall has two Internet Service Providers, and you want to force only SMTP traffic out through one specific ISP, you must create a policy based route for SMTP traffic originating from the mail server.

    Resolution

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

    This example will show forcing of SMTP to the X2, which is the Secondary WAN.

    Image 

    Background:

    Before the procedure is covered, you must learn about some default address objects in SonicOS, and how they have changed over time.  When a WAN interface is configured, either in static or DHCP or PPPoE or L2TP modes, a gateway IP address is either configured or learned through the dynamic connection with the upstream devices.  That gateway has an address object defined for it and is used in static routes which pertain to traffic being pushed on a specific WAN connection.  Those gateway objects have changed dramatically, as SonicOS has gone from a maximum of two WAN connections, to 4 or more WAN connections in Load Balancing code.

    In SonicOS Enhanced versions 5.4 and earlier, including all Gen4 products, there are two objects named Default Gateway and Secondary Default Gateway

    In SonicOS Enhanced versions 5.5 and later, there are also objects named X1 Default Gateway, X2 Default Gateway or X3 Default Gateway, etc., depending on which interface you use as a secondary WAN.  The previous objects Default Gateway and Secondary Default Gateway also exist in the newer versions of SonicOS, because we must allow upgrades from earlier versions of firmware. 

    It is important to know that,
    In SonicOS Enhanced versions 5.5 and later, the Default Gateway and Secondary Default Gateway objects are frozen in time and should not be used in any static routes or policy-based routes.



    Procedure:

    First we must create an address object for the private IP address of the mail server.

    1. Login to Sonicwall Management Interface
    2. Click Manage in the top navigation menu
    3. Navigate to Objects | Address Objects
    4. Click Add to add an address object

    Image

    Next, we need to create the policy based route.

    1. Navigate to Network | Routing |  Route Policies.
    2. Click Add to create a static route. The source will be the address object of the mail server’s private IP address, the destination will be “Any”, and the service will be “SMTP (Send Email)”. 

      Image

      Probe-Enabled Policy Based Routing Configuration

      When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.

      Step 1: In the Probe pulldown menu select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object.

      Step 2: Typical configurations will not check the Disable route when probe succeeds checkbox, because typically administrators will want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.

      Step 3: Select the Probe default state is UP to have the route consider the probe to be successful (i.e. in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”

       Step 4: Click OK to apply the configuration.

     

    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

    This example will show forcing of SMTP to the X2, which is the Secondary WAN.

    Image 

    Background:

    Before the procedure is covered, you must learn about some default address objects in SonicOS, and how they have changed over time.  When a WAN interface is configured, either in static or DHCP or PPPoE or L2TP modes, a gateway IP address is either configured or learned through the dynamic connection with the upstream devices.  That gateway has an address object defined for it and is used in static routes which pertain to traffic being pushed on a specific WAN connection.  Those gateway objects have changed dramatically, as SonicOS has gone from a maximum of two WAN connections, to 4 or more WAN connections in Load Balancing code.

    In SonicOS Enhanced versions 5.4 and earlier, including all Gen4 products, there are two objects named Default Gateway and Secondary Default Gateway

    In SonicOS Enhanced versions 5.5 and later, there are ALSO objects named X1 Default Gateway, X2 Default Gateway or X3 Default Gateway, etc., depending on which interface you use as a secondary WAN.  The previous objects Default Gateway and Secondary Default Gateway also exist in the newer versions of SonicOS, because we must allow upgrades from earlier versions of firmware. 

    It is important to know that, 
    In SonicOS Enhanced versions 5.5 and later, the Default Gateway and Secondary Default Gateway objects are frozen in time and should not be used in any static routes or policy-based routes.



    Procedure:

    First we must create an address object for the private IP address of the mail server. From the left side menu click Network and the click Address Objects. Scroll to the bottom of the page, and click Add to add a new address object.

    Image

    Next, we need to create the policy based route. From the left side menu click Network and the click Routing. Scroll to the bottom of the page click Add to create a static route. The source will be the address object of the mail server’s private IP address, the destination will be “Any”, and the service will be “SMTP (Send Email)”. 

    NOTE:  the choice of the Gateway: address object depends on which version of SonicOS you are using.  Below you see examples of both:


    In SonicOS Enhanced versions 5.4 and earlier, use Secondary Default Gateway in the route statement
    In SonicOS Enhanced versions 5.5 and later, use X2 Default Gateway in the route statement

    Image


    Probe-Enabled Policy Based Routing Configuration

    When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.

    Step 1: In the Probe pulldown menu select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object.

    Step 2: Typical configurations will not check the Disable route when probe succeeds checkbox, because typically administrators will want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.

    Step 3: Select the Probe default state is UP to have the route consider the probe to be successful (i.e. in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”

    Step 4: Click OK to apply the configuration.

    To determine which Gateway to send SMTP traffic through, you must determine which interface is the Primary WAN.  By default, this is X1.

    On the left side menu bar, click Network, and the click WAN Failover & LB. On this page, the SonicWall will display which interface is the Primary WAN Ethernet Interface, and which interfaces are Alternate WANs.

    Image 

    Related Articles

    • Parserror on Event logs.
    • Switch from the Policy mode to classic mode on Gen 7 appliances
    • Analyzing TCP reset(RST)packets

    Categories

    • Firewalls > TZ Series
    • Firewalls > SonicWall NSA Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall SuperMassive E10000 Series

    Not Finding Your Answers?

    ASK THE COMMUNITY

    Was This Article Helpful?

    YESNO

    Article Helpful Form

    Article Not Helpful Form

    Company
    • Careers
    • News
    • Leadership
    • Awards
    • Press Kit
    • Contact Us
    Popular resources
    • Communities
    • Blog
    • SonicWall Capture Labs

    Stay In Touch

    • By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. You can unsubscribe at any time from the Preference Center.
    • This field is for validation purposes and should be left unchanged.
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
    • Instagram

    © 2022 SonicWall. All Rights Reserved.

    • Legal
    • Privacy
    • English
    Scroll to top
    Trace:dd05288e52973a5809ba22c373a5ba22-70