Create a final SD-WAN catch-all policy rule to distribute
sessions that don’t match any SD-WAN policy rule.
The firewall attempts to match sessions that
arrive at an SD-WAN virtual interface to an SD-WAN policy rule;
the firewall examines the SD-WAN policy rules in order from the
top down, just as it does for Security policy rules.
If there is an SD-WAN rule match, the firewall executes the path monitoring
and traffic distribution for that SD-WAN policy rule.
If there is no match to any SD-WAN policy rule in the list,
the session matches an implied SD-WAN policy rule at the end of
the list. The implied rule uses the round-robin method to distribute unmatched
sessions among all links in one SD-WAN interface, where the SD-WAN interface
is chosen by the route lookup.
Furthermore, if there is no SD-WAN
policy rule for a specific application, the firewall doesn’t track
that application’s performance in the SD-WAN-specific visibility tools
such as logging and reports in the SD-WAN plugin.
The following example shows how the firewall applies the implied policy rule:
Suppose the firewall has three
SD-WAN policy rules: one rule specifies five voice applications,
one rule specifies six video conferencing applications, and one
rule specifies ten SaaS applications.
A session, for example, a video application session, arrives
at the firewall and doesn’t match any of the SD-WAN policy rules.
Because the session didn’t match a rule, the firewall has no path
quality profile or traffic distribution profile to apply to the session.
Therefore, the firewall matches the video application to the implied
rule and distributes each video session among all of the available
SD-WAN link tags and their associated links on the firewall, which
could be two broadband links, an MPLS link, and an LTE link. Session
1 goes to one member of the broadband interface, session 2 goes
to another member of the broadband interface, session 3 goes to
MPLS, session 4 goes to LTE, session 5 goes to the first member
of the broadband interface, session 6 goes to the second member
of the broadband interface, and the round-robin distribution continues.
You may not want to let your unmatched sessions resort to matching the implied
SD-WAN rule because you have no control over that session distribution. Instead,
we recommend you create a catch-all SD-WAN policy rule and place
it last in the list of SD-WAN policy rules. A catch-all SD-WAN policy
rule lets you:
Control which links the unmatched sessions use.
View all of the applications on the firewall (including unmatched
application sessions) in logging and reports in the SD-WAN plugin.
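To make the two behaviors concrete, here is an added simulation (not the firewall's own code or the SD-WAN plugin API) of top-down rule matching with a per-rule round-robin cursor. The link names, tags and application names are constructed; without a catch-all rule an unmatched application cycles through every link including LTE, and with a catch-all rule whose traffic distribution profile omits the LTE tag it never reaches LTE.

```python
"""Simulate SD-WAN rule matching for unmatched sessions (constructed model)."""
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import cycle

# Constructed link tags and their member links (hypothetical names).
LINK_TAGS = {"broadband": ["bb-1", "bb-2"], "mpls": ["mpls-1"], "lte": ["lte-1"]}


@dataclass
class SdwanRule:
    name: str
    applications: frozenset | None   # None means "any": a catch-all rule
    link_tags: list                  # traffic distribution profile: tag order

    def matches(self, app: str) -> bool:
        return self.applications is None or app in self.applications


@dataclass
class SdwanPolicy:
    rules: list
    _cursors: dict = field(default_factory=dict)  # round-robin state per rule

    @staticmethod
    def _links(tags) -> list:
        # Expand tags, in profile order, to the links associated with them.
        return [link for tag in tags for link in LINK_TAGS[tag]]

    def assign(self, app: str) -> tuple:
        """Return (rule name, link) for one new session of `app`."""
        # Rules are evaluated top down; the first match wins.
        rule = next((r for r in self.rules if r.matches(app)), None)
        if rule is None:
            # Implied rule at the end of the list: round-robin over every link.
            name, links = "implied", self._links(LINK_TAGS)
        else:
            name, links = rule.name, self._links(rule.link_tags)
        cursor = self._cursors.setdefault(name, cycle(links))
        return name, next(cursor)


def links_for_sessions(policy: SdwanPolicy, app: str, count: int) -> list:
    return [policy.assign(app)[1] for _ in range(count)]


VOICE_RULE = SdwanRule("voice", frozenset({"sip", "rtp"}), ["mpls", "broadband"])
CATCH_ALL = SdwanRule("catch-all", None, ["broadband", "mpls"])  # lte omitted

if __name__ == "__main__":
    print(links_for_sessions(SdwanPolicy([VOICE_RULE]), "movie-streaming", 6))
    print(links_for_sessions(SdwanPolicy([VOICE_RULE, CATCH_ALL]), "movie-streaming", 6))
```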
Create a Path Quality Profile that sets latency, jitter, and packet loss
thresholds so high that they will never be exceeded, for example,
2,000 ms latency, 1,000 ms jitter, and 99% packet loss.
Create a Traffic Distribution Profile that specifies the
SD-WAN link tags you want to use, in the order in which you want
the links associated with those link tags to be used by unmatched sessions.
If you don’t want unmatched applications to use a
specific path (physical interface) at all, omit the tag that includes
that link from the list of link tags in the traffic distribution
profile. For example, if you don’t want an unmatched application
such as movie streaming to use the expensive LTE link, omit the
link tag for the LTE link from the list of link tags in the traffic