Next-Generation Firewall
Create SD-WAN Link Management Profiles
Create the SD-WAN Link Management Profiles to manage SD-WAN link
failovers.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > NGFW and Prisma Access and, in the Overview, select the branch folder for which you want to create your SD-WAN Link Management profiles. To make the Error Correction profile available to all SD-WAN firewalls regardless of folder association, select All Firewalls.
3. (Optional) Create a custom Path Quality profile.
   Create a custom Path Quality profile for each set of business-critical and latency-sensitive applications, application filters, application groups, services, service objects, and service group objects that has unique network quality (health) requirements based on latency, jitter, and packet loss percentage specific to your business needs. Applications and services can share a Path Quality profile.
   The firewall treats the latency, jitter, and packet loss thresholds as OR conditions: if any one of the thresholds is exceeded, the firewall selects the new best (preferred) path. Any path whose latency, jitter, and packet loss are all less than or equal to the three thresholds is considered qualified, and the firewall selects the path based on the associated Traffic Distribution profile.
   As an alternative to creating a Path Quality profile, you can use any of the predefined Path Quality profiles, such as general-business, voip-video, file-sharing, audio-streaming, photo-video, remote-access, and more. The predefined profiles are set up to optimize the latency, jitter, and packet loss thresholds for the type of applications and services suggested by the name of the profile.
   - Select Security Services > SD-WAN Policy > Profiles > Path Quality and select the branch folder for which you want to create the Path Quality profile.
   - Add Path Quality Profile.
   - Enter a descriptive Name. Up to 31 alphanumeric characters are supported.
   - Configure the Latency settings. The latency settings specify the number of milliseconds allowed for a packet to leave the firewall, arrive at the opposite end of the SD-WAN tunnel, and for a response packet to return to the firewall before the threshold is exceeded.
     - Specify the latency Threshold in milliseconds. Range is 10 to 3000. Default is 100.
     - Specify the latency threshold Sensitivity. You can select Low, Medium (default), or High sensitivity.
   - Configure the Jitter settings. The jitter settings specify the number of milliseconds allowed for packet disruptions to impact data packet arrival. High jitter may cause packets to be received out of order or to be discarded.
     - Specify the jitter Threshold in milliseconds. Range is 10 to 2000. Default is 100.
     - Specify the jitter threshold Sensitivity. You can select Low, Medium (default), or High sensitivity.
   - Configure the Packet Loss settings. The packet loss settings specify the percentage of packets lost on the link before the threshold is exceeded. Range is 1 to 100. Default is 1.
   - Save.
4. Create a SaaS Quality profile.
   The SaaS Quality profile specifies how one or more software-as-a-service applications should be monitored if your branch firewall has a Direct Internet Access (DIA) link to a SaaS application. The SaaS Quality profile is associated with an SD-WAN policy rule to determine how the branch firewall evaluates the path quality thresholds for latency, jitter, and packet loss and selects the preferred path for an outgoing packet.
   - Select Security Services > SD-WAN Policy > Profiles > SaaS Quality.
   - Add Profile.
   - Enter a descriptive Name.
   - Configure the SaaS Quality profile. The following SaaS Monitoring Mode types are supported. Only a single SaaS Monitoring Mode type is supported for a SaaS Quality profile.
     - Adaptive—Passively monitor the SaaS application session for send and receive activity to determine whether the predefined path quality thresholds have been exceeded.
     - Static IP Address—Add up to four static IP addresses to monitor and specify the Probe Interval at which the branch firewall probes the SaaS application path for health information.
     - FQDN—Add one Fully Qualified Domain Name and specify the Probe Interval at which the branch firewall probes the SaaS application path for health information.
     - HTTP/HTTPS—Add a URL and specify the Probe Interval at which the branch firewall probes the SaaS application path for health information.
   - Save.
5. Create a Traffic Distribution profile.
   The Traffic Distribution profile specifies how the firewall selects paths for session load distribution and for path failover when the firewall detects a brownout, blackout, or path deterioration for an application. Before you can configure a Traffic Distribution profile, you must create all your Link Tags so the firewall knows which paths to fail over to.
   - Select Security Services > SD-WAN Policy > Profiles > Traffic Distribution.
   - Add Profile.
   - Enter a descriptive Name.
   - Select the Traffic Distribution method the firewall uses to determine which path to fail over to. Only a single Traffic Distribution method is supported for a Traffic Distribution profile.
     - Best Available Path—Select this method if cost isn’t a factor and you allow applications to use any path out of the branch. The firewall uses the predefined Path Quality metrics to distribute traffic and to fail over to one of the links belonging to a Link Tag in the list, thus providing the best application experience to users.
     - Top Down Priority—Select this method if you have expensive or low-capacity links that you want used only as a last resort or as a backup link. When using this method, order your Link Tags so that the paths you want used as a last resort are at the bottom of the Link Tag list. The firewall uses the top Link Tag in the list first to determine the links on which to load sessions and to which to fail over. If none of the links in the top Link Tag are qualified based on the predefined Path Quality profile, the firewall selects a link from the second Link Tag in the list. If none of the links in the second Link Tag are qualified, the process continues as necessary until the firewall finds a qualified link in the last Link Tag. If all associated links are overloaded and no link meets the quality thresholds, the firewall uses the Best Available Path method to select a link on which to forward traffic. At the start of a failover event, the firewall starts at the top of the Top Down Priority list of Link Tags to find a link to which it fails over.
     - Weighted Session Distribution—Select this method if you want to manually load traffic (that matches the rule) onto your ISP and WAN links and you don’t require failover during brownout conditions. You specify the link load manually by applying a static percentage of new sessions that the interfaces grouped under a single Link Tag will receive. The firewall distributes new sessions round-robin among the links having the specified Link Tags until the link assigned the lowest percentage reaches that percentage of sessions. The firewall then uses the remaining links in the same manner. You might select this method for applications that aren’t sensitive to latency and that require much of the link’s bandwidth capacity, such as large branch backups and large file transfers.
   - Add Link Tags. When adding and ordering your Link Tags, be sure to consider the Traffic Distribution method you selected to ensure the firewall selects the appropriate path.
   - Save.
6. Create an Error Correction profile.
   SD-WAN supports Forward Error Correction (FEC) to correct certain data transmission errors that occur over noisy communication lines, improving data reliability without requiring retransmission, and Packet Duplication to duplicate application sessions from one tunnel to another.
   - Select Security Services > SD-WAN Policy > Profiles > Error Correction.
   - To make the Error Correction profile available to all SD-WAN firewalls regardless of folder association, select All Firewalls.
   - Add Profile.
   - Enter a descriptive Name.
   - Specify the Activation Threshold (Packet Loss %) to set the packet loss percentage that must be exceeded before error correction is activated.
   - Select the error correction Mode. Only a single error correction Mode can be selected for an Error Correction profile.
   - (Forward Error Correction only) Select the Packet Loss Correction Ratio to specify the ratio of parity bits to data packets. The higher the ratio of parity bits to data packets that the sending firewall sends, the higher the probability that the receiving firewall can repair packet loss. However, a higher ratio requires more redundancy and therefore more bandwidth overhead, which is the tradeoff for achieving error correction. The parity ratio applies to the receiving firewall’s outgoing traffic. Also specify the Recovery Duration (ms) to set the maximum number of milliseconds that the receiving firewall can spend performing packet recovery on lost data packets using the parity packets it received.
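The path qualification rule (all three thresholds must hold, exceeding any one disqualifies a path) and the Top Down Priority walk over Link Tags with its Best Available Path fallback, as an added Python illustration that is not part of this documentation or of PAN-OS. The Best Available Path ranking used here (sum of each metric divided by its threshold) is an assumption, since the page does not define that metric, and the path health values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PathQualityProfile:
    latency_ms: int = 100     # allowed range 10-3000, default 100
    jitter_ms: int = 100      # allowed range 10-2000, default 100
    packet_loss_pct: int = 1  # allowed range 1-100, default 1

    def __post_init__(self):  # reject values outside the documented ranges
        if not 10 <= self.latency_ms <= 3000:
            raise ValueError("latency threshold must be 10-3000 ms")
        if not 10 <= self.jitter_ms <= 2000:
            raise ValueError("jitter threshold must be 10-2000 ms")
        if not 1 <= self.packet_loss_pct <= 100:
            raise ValueError("packet loss threshold must be 1-100 %")

@dataclass(frozen=True)
class PathHealth:  # measured health of one SD-WAN path
    name: str
    link_tag: str
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float

def is_qualified(path, profile):
    # Thresholds are OR conditions: exceeding any one disqualifies the path,
    # so it qualifies only when all three metrics are at or below threshold.
    return (path.latency_ms <= profile.latency_ms
            and path.jitter_ms <= profile.jitter_ms
            and path.packet_loss_pct <= profile.packet_loss_pct)

def best_available_path(paths, profile):
    # Assumed ranking (not defined on the page): sum of metric/threshold ratios, lowest wins.
    return min(paths, key=lambda p: p.latency_ms / profile.latency_ms
               + p.jitter_ms / profile.jitter_ms
               + p.packet_loss_pct / profile.packet_loss_pct)

def top_down_priority(paths, profile, link_tags):
    # Use the first Link Tag, in order, that holds a qualified link; if none
    # does, fall back to Best Available Path over every link.
    for tag in link_tags:
        qualified = [p for p in paths if p.link_tag == tag and is_qualified(p, profile)]
        if qualified:
            return best_available_path(qualified, profile)
    return best_available_path(paths, profile)

# Constructed sample: the preferred "mpls" tag has only a lossy link.
SAMPLE_PATHS = [PathHealth("mpls-1", "mpls", 80, 15, 3.0),
                PathHealth("broadband-1", "broadband", 60, 20, 0.5),
                PathHealth("lte-1", "lte", 150, 40, 0.2)]
```

With the default thresholds, `top_down_priority(SAMPLE_PATHS, PathQualityProfile(), ["mpls", "broadband", "lte"])` skips the lossy MPLS link and returns `broadband-1`; raising the packet loss threshold to 5 % makes MPLS qualify again.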