Distribute Unmatched Sessions

Create a final SD-WAN catch-all policy rule to distribute sessions that don’t match any SD-WAN policy rule.
The firewall attempts to match sessions that arrive at an SD-WAN virtual interface to an SD-WAN policy rule; the firewall examines the SD-WAN policy rules in order from the top down, just as it does for Security policy rules.
  • If there is an SD-WAN rule match, the firewall executes the path monitoring and traffic distribution for that SD-WAN policy rule.
  • If there is no match to any SD-WAN policy rule in the list, the session matches an implied SD-WAN policy rule at the end of the list that uses the round-robin method to distribute unmatched sessions among all links in one SD-WAN interface, which is based on the route lookup.
Furthermore, if there is no SD-WAN policy rule for a specific application, the firewall doesn’t track that application’s performance in the SD-WAN-specific visibility tools such as logging and reports in the SD-WAN plugin.
To illustrate the implied policy rule:
  • Suppose the firewall has three SD-WAN policy rules: one rule specifies five voice applications, one rule specifies six video conferencing applications, and one rule specifies ten SaaS applications.
  • A session, for example, a video application session, arrives at the firewall and doesn’t match any of the SD-WAN policy rules. Because the session didn’t match a rule, the firewall has no path quality profile or traffic distribution profile to apply to the session.
  • Therefore, firewall matches the video application to the implied rule and distributes each video session among all of the available SD-WAN link tags and their associated links on the firewall, which could be two broadband links, an MPLS link, and an LTE link. Session 1 goes to one member of the broadband interface, session 2 goes to another member of the broadband interface, session 3 goes to MPLS, session 4 goes to LTE, session 5 goes to the first member of the broadband interface, session 6 goes to the second member of the broadband interface, and the round-robin distribution continues.
You may not want to let your unmatched sessions resort to matching the implied SD-WAN rule because you have no control over that session distribution. Instead, we recommend you create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policy rules. A catch-all SD-WAN policy rule lets you:
  • Control which links the unmatched sessions use.
  • View all of the applications on the firewall (including unmatched application sessions) in logging and reports in the SD-WAN plugin.
  1. Create a Path Quality Profile that sets very high latency, jitter, and packet loss thresholds that will never be exceeded. For example, 2,000ms latency, 1,000ms jitter, and 99% packet loss.
  2. Create a Traffic Distribution Profile that specifies the SD-WAN link tags you want to use, in the order in which you want the links associated with those link tags to be used by unmatched sessions.
    If you don’t want unmatched applications to use a specific path (physical interface) at all, omit the tag that includes that link from the list of link tags in the traffic distribution profile. For example, if you don’t want an unmatched application such as movie streaming to use the expensive LTE link, omit the link tag for the LTE link from the list of link tags in the traffic distribution profile.
  3. Add
    a catch-all SD-WAN policy rule and on the
    tab, specify the
    Path Quality Profile
    that you created.
  4. Select
    for the
  5. On the
    Path Selection
    tab, select the
    Traffic Distribution Profile
    you created.
  6. Move
    the rule down to the last position in the list of SD-WAN policy rules.
  7. Commit
    Commit and Push
    your configuration changes.
  8. Commit
    your changes.

Recommended For You