The elements of an SD-WAN configuration work together, allowing you to:
Group physical Ethernet interfaces that share a common destination into a logical SD-WAN interface.
Specify link speeds.
Specify the thresholds at which a deteriorating path (or brownout or blackout) to an SD-WAN warrants selecting a new best path.
Specify the method of selecting that new best path.
This view indicates the relationships between elements at a glance.
The goal of an SD-WAN configuration is to control which links your traffic takes
by specifying the VPN tunnels or direct internet access (DIA) that certain applications
or services take from a branch to a hub or from a branch to the internet. You group
paths so that if one path deteriorates, the firewall selects a new best path.
A Tag name of your choice identifies a link; you apply the Tag to the link (interface) by
applying an Interface Profile to the interface, as the red arrow indicates. A link
can have only one Tag. The two yellow arrows indicate that a Tag is referenced in
the Interface Profile and the Traffic Distribution profile. Tags allow you to
control the order in which interfaces are used for traffic distribution. Tags allow
Panorama to systematically configure many firewall interfaces with SD-WAN functionality.
An SD-WAN Interface Profile specifies the Tag that you apply to the
physical interface, and also specifies the type of Link that interface is (ADSL/DSL,
cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, WiFi,
or other). The Interface Profile is also where you specify the maximum upload and
download speeds (in Mbps) of the ISP’s connection. You can also change whether the
firewall monitors the path frequently or not; the firewall monitors link types
appropriately by default.
A Layer3 Ethernet Interface with an IPv4 or IPv6 address (SD-WAN
plugin 3.2.0 and later versions) can support SD-WAN
functionalities. You apply an SD-WAN Interface Profile to this
interface (red arrow) to indicate the characteristics of the interface. The blue
arrow indicates that physical Interfaces are referenced and grouped in a virtual SD-WAN Interface.
A virtual SD-WAN Interface is a VPN tunnel or DIA group of one or more
interfaces that constitute a numbered, virtual SD-WAN Interface to
which you can route traffic. The paths belonging to an SD-WAN
Interface all go to the same destination WAN and are all the same type (either DIA
or VPN tunnel). (Tag A and Tag B indicate that physical interfaces for the virtual
interface can have different tags.)
A Path Quality Profile specifies maximum latency, jitter, and packet loss thresholds.
Exceeding a threshold indicates that the path has deteriorated and the firewall
needs to select a new path to the target. A sensitivity setting of high, medium, or
low lets you indicate to the firewall which path monitoring parameter is more
important for the applications to which the profile applies. The green arrow
indicates that you reference a Path Quality Profile in one or more SD-WAN Policy Rules; thus, you can specify different thresholds for
rules applied to packets having different applications, services, sources,
destinations, zones, and users.
A Traffic Distribution Profile specifies how the firewall
determines a new best path if the current preferred path exceeds
a path quality threshold. You specify which Tags the distribution
method uses to narrow its selection of a new path; hence, the yellow
arrow points from Tags to the Traffic Distribution profile. A Traffic
Distribution profile specifies the distribution method for the rule.
The preceding elements come together in SD-WAN Policy Rules. The purple
arrow indicates that you reference a Path Quality Profile and a Traffic Distribution
profile in a rule, along with packet applications/services, sources, destinations,
and users to specifically indicate when and how the firewall performs
application-based SD-WAN path selection for a packet not belonging to
a session. (You can also reference a SaaS Quality Profile and
an Error Correction Profile in an SD-WAN
policy rule.)
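
The following Python model is an added example, not Palo Alto Networks code and not the firewall's actual algorithm. It shows how the Tag on each link, the Path Quality Profile thresholds, and the Tag list in a Traffic Distribution profile combine when the current path deteriorates. The interface names, Tag names, threshold values, the simple "first healthy link in Tag order" selection, and the None result when nothing qualifies are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PathQualityProfile:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

@dataclass(frozen=True)
class Link:
    name: str          # physical interface (constructed names below)
    tag: str           # a link carries exactly one Tag
    kind: str          # "DIA" or "VPN"
    latency_ms: float  # latest path-monitoring measurements
    jitter_ms: float
    loss_pct: float

def exceeded(link, pqp):
    """Names of the Path Quality Profile thresholds this link exceeds."""
    limits = (("latency", link.latency_ms, pqp.max_latency_ms),
              ("jitter", link.jitter_ms, pqp.max_jitter_ms),
              ("loss", link.loss_pct, pqp.max_loss_pct))
    return [name for name, got, cap in limits if got > cap]

def validate_members(links):
    """Members of one virtual SD-WAN interface must all be DIA or all VPN."""
    kinds = {l.kind for l in links}
    if len(kinds) != 1 or not kinds <= {"DIA", "VPN"}:
        raise ValueError(f"mixed or unknown member types: {sorted(kinds)}")

def select_path(links, current, pqp, tag_order):
    """Keep the current path while healthy; else first healthy link by Tag order."""
    validate_members(links)
    cur = next(l for l in links if l.name == current)
    if not exceeded(cur, pqp):
        return current
    # Tags in the distribution profile both narrow and order the candidates.
    ordered = [l for tag in tag_order for l in links if l.tag == tag]
    return next((l.name for l in ordered if not exceeded(l, pqp)), None)

# Constructed sample data: four DIA links in one virtual SD-WAN interface.
PQP = PathQualityProfile(max_latency_ms=100, max_jitter_ms=30, max_loss_pct=1.0)
LINKS = [
    Link("ethernet1/1", "TagA", "DIA", 180.0, 12.0, 0.2),  # latency over threshold
    Link("ethernet1/2", "TagB", "DIA", 40.0, 45.0, 0.0),   # jitter over threshold
    Link("ethernet1/3", "TagC", "DIA", 60.0, 10.0, 0.5),   # within all thresholds
    Link("ethernet1/4", "TagD", "DIA", 20.0, 5.0, 0.0),    # healthy, Tag not in profile
]
```

With a Tag order of TagA, TagB, TagC, select_path moves traffic from ethernet1/1 to ethernet1/3; ethernet1/4 is never considered because its Tag is not listed in the distribution profile.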