Configure SD-WAN
Next-Generation Firewall

Configure the SD-WAN interfaces and Link Management Profiles to define how the firewall performs SD-WAN link failovers.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • VM-Series, funded with Software NGFW Credits
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
Configure the physical Ethernet interfaces and SD-WAN interface profile to enable SD-WAN functionality and define the characteristics of the ISP connections the firewall monitors. Additionally, you must create the SD-WAN VPN cluster to determine which branches communicate with which hubs and to create a secure connection between the branch and hub firewalls.
  1. Log in to Strata Cloud Manager.
  2. Layer 3 interfaces are required for SD-WAN functionality. Repeat this step to configure as many Layer 3 Ethernet interfaces on your SD-WAN firewall as needed.
    You can configure up to four IP addresses for an SD-WAN enabled interface. The Auto VPN workflow uses only the first IP address in the configured IPv4 address list to create the VPN tunnel and ignores the remaining IPv4 addresses in the list.
  3. Configure a Logical Router and add the interfaces that you created in the previous step to the logical router.
  4. Configure an SD-WAN interface profile.
    The SD-WAN interface profile defines the characteristics of the ISP connection, specifies the speed of links and how frequently the firewall monitors the link, and specifies the Link Tag. When you specify the same Link Tag on multiple links, you’re grouping (bundling) those physical links into a link bundle or fat pipe.
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > SD-WAN Policy > Profiles > SD-WAN Interface and select the hub or branch folder where you want to create the SD-WAN interface profile.
    2. Add Profile.
    3. Enter a descriptive Name for the profile.
    4. Select the Link Tag the profile assigns to the interface.
    5. Select the Link Type from the predefined list.
    6. Specify the Maximum Download (Mbps) speed from the ISP.
    7. Specify the Maximum Upload (Mbps) speed to the ISP.
    8. Check (enable) Eligible for Error Correction Profile Interface Selection to make the interface eligible for Forward Error Correction (FEC) or packet duplication.
      If enabled, you must enable this setting on both the sending and the receiving firewall.
    9. VPN Data Tunnel Support determines whether the branch-to-hub traffic and its return traffic flows through a VPN tunnel for added security or flows outside of the VPN tunnel to avoid encryption overhead. This setting is enabled by default.
      • Keep it enabled for public links that have direct internet connections or internet breakout capabilities, such as cable modem, ADSL, and other internet connections.
      • Disable it only for private link types, such as MPLS, satellite, or microwave, that don't have internet breakout capability. Before you disable it, confirm that the traffic can't be intercepted on that link, because it will be sent unencrypted, outside of the VPN tunnel.
      • A branch might have DIA traffic that needs to fail over to the private MPLS link connecting to the hub and reach the internet from the hub. The VPN Data Tunnel Support setting determines whether the private data flows through the VPN tunnel or outside it; the failed-over DIA traffic then uses whichever path the private data flow doesn't use. The firewall uses zones to keep DIA failover traffic segmented from private MPLS traffic.
    10. Set the VPN Failover Metric, if DIA AnyPath is enabled on a hub or branch firewall, to prioritize the order in which a particular hub is selected for failover.
      The lower the metric, the higher the priority of the interface to be selected during failover. If multiple hub virtual interfaces have the same metric value, SD-WAN distributes new session traffic to them in round-robin fashion.
    11. Select the Path Monitoring mode.
      • Aggressive—The firewall sends probe packets to the opposite end of the SD-WAN link at a constant frequency. Use this mode if you need fast detection and failover for brownout and blackout conditions. Default for all link types except LTE and Satellite.
      • Relaxed—The firewall waits for a number of seconds (Probe Idle Time) between sending sets of probe packets, making path monitoring less frequent. When the probe idle time expires, the firewall sends probes for 7 seconds at the configured Probe Frequency. Use this mode when you have low-bandwidth links, links that charge by usage (such as LTE), or when fast detection isn't as important as preserving cost and bandwidth. Default for LTE and Satellite link types.
    12. Set the Probe Frequency (per second) to specify the number of times per second the firewall sends a probe packet to the opposite end of the SD-WAN link. The default setting provides subsecond detection of brownout and blackout conditions.
    13. Set the Probe Idle Time (seconds) to specify how long the firewall waits between sets of probe packets (Relaxed mode only).
    14. Set the Failback Hold Time (seconds) to specify how long a recovered link must remain qualified before the firewall reinstates it after a failure.
    15. Save.
  5. Configure a VPN cluster for your hub and branch firewalls.
    1. Select Manage > Configuration > Device Settings > Auto VPN and Add VPN Cluster.
    2. Check (enable) SD-WAN.
    3. Add the hub firewalls to the VPN cluster.
      1. Add Hub Devices to select one or more firewalls to Add as hubs.
        Up to four hubs are supported for a VPN cluster.
      2. Click the firewall in the Hub Devices list.
      3. Set the hub firewall Priority.
        Range is 1 to 4. The lower the priority value, the higher the priority and local preference. A cluster supports a maximum of four hubs. An active/passive HA pair counts as one hub. Multiple hubs can have the same priority; an HA pair must have the same priority.
      4. Select a Logical Router.
      5. (Optional) Check (enable) DIA VPN and select a DIA VPN Link Tag.
      6. Update.
      7. Repeat this step for all hub firewalls that you add to the VPN cluster.
    4. Add the branch firewalls to the VPN cluster.
      1. Add Branch Devices to select one or more firewalls to Add as branches.
      2. Select a Logical Router.
      3. (Optional) Select a BGP Redistribution Profile.
      4. Update.
      5. Repeat this step for all branch firewalls that you add to the VPN cluster.
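The interaction between Path Monitoring mode, Probe Frequency, Probe Idle Time, Failback Hold Time (steps 11 through 14 of the interface profile) and the VPN Failover Metric (step 10) is easier to reason about with a small model. The following Python is an added example for this page; it is not Palo Alto Networks code and does not reproduce the firewall's internal algorithm. It only models what the profile fields describe. The consecutive-loss threshold that marks a link failed, the sample profile values, and the probe timeline are constructed assumptions; the page states none of them.

```python
"""Model of the SD-WAN interface profile's path-monitoring and failback settings.

Added example: not Palo Alto Networks code and not the firewall's implementation.
It models what the profile fields describe: probe volume for Aggressive vs Relaxed
path monitoring, the Failback Hold Time a recovered link must satisfy before it is
reinstated, and VPN Failover Metric hub selection with round-robin for equal metrics.
The consecutive-loss threshold that fails a link is an assumption of this model.
"""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Iterable, List, Optional, Tuple

RELAXED_PROBE_BURST_SECONDS = 7  # Relaxed mode probes for 7 seconds after each idle period


@dataclass
class SdwanInterfaceProfile:
    name: str
    link_tag: str
    path_monitoring: str           # "aggressive" or "relaxed"
    probe_frequency: int           # probes per second
    probe_idle_time: int           # seconds between probe bursts (Relaxed mode only)
    failback_hold_time: int        # seconds a recovered link must stay qualified
    vpn_failover_metric: int = 10  # lower value = preferred hub when DIA AnyPath fails over


def probes_per_hour(profile: SdwanInterfaceProfile) -> int:
    """Approximate probe volume per hour; the figure a metered link (LTE) pays for."""
    if profile.path_monitoring == "aggressive":
        return profile.probe_frequency * 3600
    if profile.path_monitoring == "relaxed":
        cycle_seconds = profile.probe_idle_time + RELAXED_PROBE_BURST_SECONDS
        bursts = 3600 // cycle_seconds  # whole idle+burst cycles in an hour
        return bursts * RELAXED_PROBE_BURST_SECONDS * profile.probe_frequency
    raise ValueError(f"unknown path monitoring mode: {profile.path_monitoring!r}")


@dataclass
class LinkMonitor:
    """Tracks one link's usability from probe results, applying the failback hold time."""
    profile: SdwanInterfaceProfile
    loss_threshold: int = 3  # ASSUMED: consecutive lost probes that fail the link
    usable: bool = True
    consecutive_losses: int = field(default=0, init=False)
    qualified_since: Optional[float] = field(default=None, init=False)

    def observe(self, t: float, probe_ok: bool) -> bool:
        """Feed one probe result at time t (seconds) and return whether the link is usable."""
        self.consecutive_losses = 0 if probe_ok else self.consecutive_losses + 1

        if self.usable:
            if self.consecutive_losses >= self.loss_threshold:
                self.usable = False  # brownout/blackout detected: traffic fails over
                self.qualified_since = None
            return self.usable

        # Failed link: it must stay qualified for the entire hold time before failback.
        if not probe_ok:
            self.qualified_since = None  # any loss restarts the hold timer
        elif self.qualified_since is None:
            self.qualified_since = t  # first healthy probe after the failure
        elif t - self.qualified_since >= self.profile.failback_hold_time:
            self.usable = True  # hold time satisfied: reinstate the link
            self.qualified_since = None
        return self.usable


def run_timeline(monitor: LinkMonitor, results: Iterable[Tuple[float, bool]]) -> List[bool]:
    """Replay (time, probe_ok) results and return the link state after each probe."""
    return [monitor.observe(t, ok) for t, ok in results]


@dataclass(frozen=True)
class HubCandidate:
    name: str
    metric: int  # the hub virtual interface's VPN Failover Metric


class HubSelector:
    """Lowest metric wins; hubs sharing the lowest metric get new sessions round-robin."""

    def __init__(self, hubs: Iterable[HubCandidate]) -> None:
        candidates = list(hubs)
        best = min(h.metric for h in candidates)
        tied = sorted((h for h in candidates if h.metric == best), key=lambda h: h.name)
        self._rotation = cycle(tied)

    def next_session_hub(self) -> str:
        return next(self._rotation).name


if __name__ == "__main__":
    # Constructed sample data, not captured from a firewall.
    cable = SdwanInterfaceProfile("cable-1", "ISP-A", "aggressive", 5, 60, 120)
    lte = SdwanInterfaceProfile("lte-1", "LTE", "relaxed", 5, 60, 120)
    print("probes/hour:", probes_per_hour(cable), "aggressive vs", probes_per_hour(lte), "relaxed")

    # Three lost probes fail the link at t=4; the loss at t=100 restarts the 120 s hold
    # timer, so the link is reinstated only at t=221 (120 s after the healthy probe at t=101).
    timeline = [(0, True), (1, True), (2, False), (3, False), (4, False), (5, True),
                (60, True), (100, False), (101, True), (200, True), (221, True)]
    print("link usable:", run_timeline(LinkMonitor(cable), timeline))

    selector = HubSelector([HubCandidate("hub-a", 10), HubCandidate("hub-b", 20),
                            HubCandidate("hub-c", 10)])
    print("new sessions go to:", [selector.next_session_hub() for _ in range(4)])
```

Two things the model makes visible that the field descriptions alone do not: with the same Probe Frequency, Relaxed mode on a 60-second idle time sends roughly a tenth of the probes Aggressive mode does, which is the cost argument for metered links; and a single lost probe during the Failback Hold Time restarts the timer, so a flapping link stays out of service until it has been clean for the whole hold period rather than returning on its first good probe.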