Create a Path Quality Profile
Table of Contents
Expand all | Collapse all
- Create a Link Tag
- Configure an SD-WAN Interface Profile
- Configure a Physical Ethernet Interface for SD-WAN
- Configure a Virtual SD-WAN Interface
- Create a Default Route to the SD-WAN Interface
- Create a Path Quality Profile
- SD-WAN Traffic Distribution Profiles
- Create a Traffic Distribution Profile
- Configure an SD-WAN Policy Rule
- Allow Direct Internet Access Traffic Failover to MPLS Link
- Distribute Unmatched Sessions
- Configure HA Devices for SD-WAN
- Create a VPN Cluster
- Create a Static Route for SD-WAN
Create a Path Quality Profile
Create a path quality profile to control when the firewall replaces a deteriorating path with a new path for packets matching the SD-WAN policy rule.
Create a Path Quality profile for each set of business-critical and latency-sensitive applications, application filters, application groups, services, service objects and service group objects that has unique network quality (health) requirements based on latency, jitter, and packet loss percentage. Applications and services can share a Path Quality profile. Specify the maximum threshold for each parameter, above which the firewall considers the path deteriorated enough to select a better path.
As an alternative to creating a Path Quality profile, you can use any of the predefined Path Quality profiles, such as
remote-access, and more. The predefined profiles are set up to optimize the latency, jitter, and packet loss thresholds for the type of applications and services suggested by the name of the profile.
The predefined Path Quality profiles for a Panorama device group are based on the default
Probe Frequencysettings in the SD-WAN Interface profile for a Panorama template. If you change the default Probe Frequency setting, you must adjust the
Packet Losspercentage threshold in the Path Quality profile for the firewalls in a Device Group that are affected by the Panorama template where you changed the Interface profile.
The firewall treats the latency, jitter, and packet loss thresholds as OR conditions, meaning if any one of the thresholds is exceeded, the firewall selects the new best (preferred) path. Any path that has latency, jitter, and packet loss less than or equal to all three thresholds is considered qualified and the firewall selected the path based on the associated Traffic Distribution profile.
By default, the firewall measures
jitterevery 200ms and takes an average of the last three measurements to measure path quality in a sliding window. You can modify this behavior by selecting aggressive or relaxed path monitoring when you Configure an SD-WAN Interface Profile.
If a path fails over because it exceeded the configured
packet lossthreshold, the firewall still sends probing packets on the failed path and calculates its packet loss percentage as the path recovers. It can take approximately three minutes for the packet loss percentage on a recovered path to fall below the packet loss threshold configured in the Path Quality profile. For example, suppose an SD-WAN policy rule for an application has a Path Quality profile that specifies a packet loss threshold of 1% and a Traffic Distribution profile that specifies Top Down distribution with tag 1 (applied to tunnel.1) first on the list and tag 2 (applied to tunnel.2) next on the list. When tunnel.1 exceeds 1% packet loss, the data packets fail over to tunnel.2. After tunnel.1 recovers to 0% packet loss (based on probing packets), it can take up to three minutes for the monitored packet loss rate for tunnel.1 to drop below 1%, at which time the firewall then selects tunnel.1 as the best path again.
The sensitivity setting indicates which parameter (latency, jitter, or packet loss) is more important (preferred) for the applications to which the profile applies. When the firewall evaluates link quality, it considers a parameter with a
highsetting first. For example, when the firewall compares two links, suppose one link has 100ms latency and 20ms jitter; the other link has 300ms latency and 10 ms jitter. If the sensitivity for latency is high, the firewall chooses the first link. If the sensitivity for jitter is high, the firewall chooses the second link. If the parameters have the same sensitivity (by default the parameters are set to
medium), the firewall evaluates packet loss first, then latency, and jitter last.
As the SD-WAN Traffic Distribution Profiles concept states, the new path selection occurs in less than one second if you leave Path Monitoring and Probe Frequency with default settings; otherwise, new path selection could take more than one second. To achieve subsecond failover based on packet loss, you must set the latency sensitivity to
highand the latency threshold to no more than 250ms.
Reference the Path Quality profile in an SD-WAN policy rule to control the threshold at which the firewall replaces a deteriorating path with a new path for matching application packets.
- Select aDevice Group.
- Select.ObjectsSD-WAN Link ManagementPath Quality Profile
- Adda Path Quality profile byNameusing a maximum of 31 alphanumeric characters.
- ForLatency, double-click theThresholdvalue and enter the number of milliseconds allowed for a packet to leave the firewall, arrive at the opposite end of the SD-WAN tunnel, and a response packet to return to the firewall before the threshold is exceeded (range is 10 to 2,000; default is 100).
- ForLatency, select theSensitivity(low,medium, orhigh). Default ismedium.Click the arrow at the end of the Threshold column to sort thresholds in ascending or descending numerical order.
- ForJitter, double-click theThresholdvalue and enter the number of milliseconds (range is 10 to 1,000; default is 100).
- ForJitter, select theSensitivity(low,medium, orhigh). Default ismedium.
- ForPacket Loss, double-click theThresholdvalue and enter the percentage of packets lost on the link before the threshold is exceeded (range is 1 to 100.0; default is 1).Setting theSensitivityforPacket Losshas no effect, so leave the default setting.If you change theProbe Frequencyin an SD-WAN Interface profile for a Panorama template, you should also adjust the Packet Loss threshold for a Panorama device group.
- CommitandCommit and Pushyour configuration changes.
- Commityour changes.
- Repeat this task for every Device Group.