The firewall attempts to match sessions that arrive at an SD-WAN virtual interface
to an SD-WAN policy rule; the firewall examines the SD-WAN policy rules in order from the top down, just as it does for
Security policy rules.
- If there is an SD-WAN rule match, the firewall executes the path monitoring and
traffic distribution for that SD-WAN policy rule.
- If the session matches none of the SD-WAN policy rules in the list, it matches
an implied SD-WAN policy rule at the end of the list. The implied rule
distributes unmatched sessions round-robin among all of the links of the one
SD-WAN interface that the route lookup selected for the session.
In addition, if no SD-WAN policy rule covers an application, the firewall
doesn't track that application's performance in the SD-WAN-specific visibility tools, such as the logging and reports in the SD-WAN plugin.
To illustrate
the implied policy rule:
- Suppose the firewall has three SD-WAN policy rules: one rule specifies five voice
applications, one rule specifies six video conferencing applications, and one
rule specifies ten SaaS applications.
- A session (for example, a video application session) arrives at the firewall and doesn't match
any of the three SD-WAN policy rules. Because the session didn't match
a rule, the firewall has no path quality profile or traffic distribution profile
to apply to it.
- Therefore, the firewall matches the video application to the implied rule and distributes each video
session round-robin among all of the SD-WAN link tags and their
associated links on the firewall, which could be two broadband links, an MPLS
link, and an LTE link. Session 1 goes to the first member of the broadband interface,
session 2 goes to the second member of the broadband interface, session 3 goes to
MPLS, session 4 goes to LTE, session 5 goes to the first member of the broadband
interface, session 6 goes to the second member of the broadband interface, and
the round-robin distribution continues.
You may not want unmatched sessions to fall through to the implied SD-WAN rule, because you have no control over how the implied rule
distributes them (for example, unclassified traffic could be steered onto a metered LTE link just as readily as onto MPLS). Instead, we recommend that you create a catch-all SD-WAN
policy rule and place it last in the list of SD-WAN policy rules. A
catch-all SD-WAN policy rule lets you:
- Control which links the unmatched sessions
use.
- View all of the applications on the firewall (including unmatched application sessions) in
logging and reports in the SD-WAN plugin.
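The following model of the lookup described above is an added illustration, not PAN-OS code or the SD-WAN plugin's own logic. It reproduces the two behaviors this page explains: top-down first-match evaluation with an implied round-robin fallback over every link of the interface (the session 1 to session 6 walk-through), and the effect of appending an explicit catch-all rule, which confines unmatched sessions to chosen link tags and makes them visible. The link names (`ethernet1/1` and so on), link tags, application names, rule names, and the per-rule round-robin that stands in for a real path quality and traffic distribution profile are all constructed assumptions for the example.

```python
"""Constructed model of SD-WAN policy lookup (not PAN-OS code).

- Rules are evaluated top down; the first match wins.
- No match -> implied rule: round-robin over every link of the interface,
  and the session is NOT recorded in SD-WAN visibility.
- A catch-all rule at the end keeps unmatched sessions on chosen link tags
  and records them.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed SD-WAN interface: link tag -> member links (hypothetical names).
LINKS: Dict[str, List[str]] = {
    "broadband": ["ethernet1/1", "ethernet1/2"],
    "mpls": ["ethernet1/3"],
    "lte": ["ethernet1/4"],
}


@dataclass(frozen=True)
class SdwanRule:
    name: str
    applications: frozenset          # empty frozenset means "any application"
    link_tags: Tuple[str, ...]       # link tags this rule may steer traffic onto

    def matches(self, app: str) -> bool:
        return not self.applications or app in self.applications


class SdwanPolicy:
    def __init__(self, rules: List[SdwanRule], links: Dict[str, List[str]]):
        self.rules = rules
        self.links = links
        # Implied rule: round-robin across every link of the interface, in tag order.
        self._implied: Iterator[str] = cycle(
            [m for tag in links for m in links[tag]])
        # Per-rule round-robin over the rule's own tags. This stands in for the
        # real path quality / traffic distribution profile (assumption).
        self._per_rule: Dict[str, Iterator[str]] = {}
        # What SD-WAN logging/reports would see: (app, rule, link).
        self.visibility: List[Tuple[str, str, str]] = []

    def lookup(self, app: str) -> Optional[SdwanRule]:
        """Top-down, first match wins, like Security policy evaluation."""
        for rule in self.rules:
            if rule.matches(app):
                return rule
        return None

    def steer(self, app: str) -> Tuple[str, str]:
        """Return (rule name or 'implied', link chosen for this session)."""
        rule = self.lookup(app)
        if rule is None:
            # Implied rule: any link of the interface, nothing logged.
            return ("implied", next(self._implied))
        if rule.name not in self._per_rule:
            members = [m for tag in rule.link_tags for m in self.links[tag]]
            self._per_rule[rule.name] = cycle(members)
        link = next(self._per_rule[rule.name])
        self.visibility.append((app, rule.name, link))
        return (rule.name, link)


def base_rules() -> List[SdwanRule]:
    """The three rules from the walk-through (constructed app names)."""
    return [
        SdwanRule("voice", frozenset({"sip", "rtp", "skype", "teams-voice", "h323"}),
                  ("mpls",)),
        SdwanRule("video-conf", frozenset({"zoom", "webex", "teams-video",
                                           "gotomeeting", "bluejeans", "meet"}),
                  ("broadband",)),
        SdwanRule("saas", frozenset({"salesforce", "box", "dropbox", "office365",
                                     "slack", "workday", "servicenow", "github",
                                     "jira", "docusign"}),
                  ("broadband", "lte")),
    ]


def catch_all_rule() -> SdwanRule:
    """Recommended last rule: any application, but only on chosen tags."""
    return SdwanRule("catch-all", frozenset(), ("broadband", "mpls"))


def steer_sessions(apps: List[str], rules: List[SdwanRule]):
    """Run a list of sessions (one app name each) through a fresh policy."""
    policy = SdwanPolicy(rules, LINKS)
    decisions = [policy.steer(app) for app in apps]
    return decisions, list(policy.visibility)


if __name__ == "__main__":
    unmatched = ["unknown-video"] * 6
    for label, rules in (("without catch-all", base_rules()),
                         ("with catch-all", base_rules() + [catch_all_rule()])):
        decisions, seen = steer_sessions(unmatched, rules)
        print(label, decisions, "logged:", len(seen))
```

Run as is and the first line shows the six unmatched sessions cycling through all four links under the implied rule with nothing logged; the second shows them confined to the broadband and MPLS members of the catch-all rule, each one recorded. Sessions for `zoom` or `sip` are unaffected in both runs because their own rules match first.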