Distribute Unmatched Sessions
Create a final SD-WAN catch-all policy rule to distribute sessions that don't match any SD-WAN policy rule.

The firewall attempts to match sessions that arrive at an SD-WAN virtual interface to an SD-WAN policy rule; it examines the SD-WAN policy rules in order from the top down, just as it does for Security policy rules. If a session matches an SD-WAN policy rule, the firewall applies that rule's path monitoring and traffic distribution to the session.

If a session matches no SD-WAN policy rule in the list, it matches an implied SD-WAN policy rule at the end of the list. The implied rule uses the round-robin method to distribute unmatched sessions among all links in the one SD-WAN interface selected by the route lookup. Furthermore, if there is no SD-WAN policy rule for an application, the firewall doesn't track that application's performance in the SD-WAN-specific visibility tools, such as the logging and reports in the SD-WAN plugin, so unmatched traffic is invisible there.
To illustrate the implied policy rule, suppose the firewall has three SD-WAN policy rules: one rule specifies five voice applications, one rule specifies six video conferencing applications, and one rule specifies ten SaaS applications. A session, for example a video application session, arrives at the firewall and doesn't match any of the SD-WAN policy rules. Because the session didn't match a rule, the firewall has no Path Quality Profile or Traffic Distribution Profile to apply to it.

Therefore, the firewall matches the video application to the implied rule and distributes each video session among all of the available SD-WAN link tags and their associated links on the firewall, which could be two broadband links, an MPLS link, and an LTE link. Session 1 goes to one member of the broadband interface, session 2 goes to the other member of the broadband interface, session 3 goes to MPLS, session 4 goes to LTE, session 5 goes to the first member of the broadband interface, session 6 goes to the second member of the broadband interface, and the round-robin distribution continues.
You may not want unmatched sessions to fall through to the implied SD-WAN rule, because you have no control over that distribution: every link, including an expensive or metered one, receives its share of the sessions. Instead, we recommend that you create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policy rules. A catch-all SD-WAN policy rule lets you:
Control which links the unmatched sessions use.
View all of the applications on the firewall (including unmatched application sessions) in the logging and reports in the SD-WAN plugin.
Create a Path Quality Profile that sets latency, jitter, and packet loss thresholds so high that they will never be exceeded, for example 2,000 ms latency, 1,000 ms jitter, and 99% packet loss. Because these thresholds are never exceeded, the firewall won't move unmatched sessions off a link for path quality reasons; the Traffic Distribution Profile alone decides which links they use.
Create a Traffic Distribution Profile that specifies the SD-WAN link tags you want unmatched sessions to use, in the order in which you want the links associated with those link tags to be used.
If you don't want unmatched applications to use a specific path (physical interface) at all, omit the tag that includes that link from the list of link tags in the Traffic Distribution Profile. For example, if you don't want an unmatched application such as movie streaming to use the expensive LTE link, omit the link tag for the LTE link from the list of link tags in the profile. Check that the LTE link doesn't also carry a tag you did include, because the profile selects paths by tag and every link in an included tag is eligible.
Add a catch-all SD-WAN policy rule and, on the Application/Service tab, specify the Path Quality Profile that you created. Select Any for the Applications and Service so that every session that reaches this rule matches it. The SD-WAN policy rule only selects the path; whether the session is allowed at all is still decided by Security policy.
On the Path Selection tab, select the Traffic Distribution Profile you created.
Move the rule down to the last position in the list of SD-WAN policy rules. Because the firewall evaluates SD-WAN policy rules from the top down, any rule placed below an Any/Any catch-all rule would never match.
Commit your changes, then Commit and Push them to the firewalls.
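The following model shows, side by side, the two behaviours this page describes: the implied rule's round-robin over every available link (the six-session example above) and a catch-all rule whose Traffic Distribution Profile lists only the broadband and MPLS tags, so the LTE link is never chosen. It is an added illustration written for this page, not PAN-OS code or the SD-WAN plugin's algorithm. The interface names, tag names, per-link health numbers, and the assumption that the profile is evaluated as top-down tag priority with round-robin inside a tag are all constructed for the example.

```python
"""Model of SD-WAN path selection for sessions that match no explicit
SD-WAN policy rule: implied round-robin rule versus an explicit catch-all
rule. Added example, not PAN-OS code; all names and numbers are assumed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    name: str                # assumed interface name, e.g. "ethernet1/1"
    tag: str                 # SD-WAN link tag the interface belongs to
    up: bool = True          # path monitoring result: link reachable
    latency_ms: float = 20.0 # constructed health values
    jitter_ms: float = 2.0
    loss_pct: float = 0.0


@dataclass
class PathQualityProfile:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def within_thresholds(self, link: Link) -> bool:
        """True when none of the link's measurements exceed the profile."""
        return (link.latency_ms <= self.max_latency_ms
                and link.jitter_ms <= self.max_jitter_ms
                and link.loss_pct <= self.max_loss_pct)


@dataclass
class TrafficDistributionProfile:
    link_tags: List[str]     # ordered: the first tag is preferred


def implied_rule(links: List[Link], sessions: int) -> List[Optional[str]]:
    """Implied rule: round-robin every up link, ignoring tags and quality."""
    pool = [link for link in links if link.up]
    if not pool:
        return [None] * sessions
    return [pool[i % len(pool)].name for i in range(sessions)]


def catch_all_rule(links: List[Link], pqp: PathQualityProfile,
                   tdp: TrafficDistributionProfile,
                   sessions: int) -> List[Optional[str]]:
    """Catch-all rule (assumed semantics): each session uses the first tag in
    profile order that has at least one link that is up and within the
    Path Quality Profile thresholds, round-robin among that tag's links.
    Links whose tag is not in the profile are never used. None means no
    eligible path exists for that session."""
    assigned: List[Optional[str]] = []
    next_index = {tag: 0 for tag in tdp.link_tags}
    for _ in range(sessions):
        chosen = None
        for tag in tdp.link_tags:
            usable = [link for link in links
                      if link.tag == tag and link.up
                      and pqp.within_thresholds(link)]
            if usable:
                chosen = usable[next_index[tag] % len(usable)].name
                next_index[tag] += 1
                break
        assigned.append(chosen)
    return assigned


# Constructed sample: two broadband links, one MPLS link, one LTE link.
LINKS = [
    Link("ethernet1/1", "broadband"),
    Link("ethernet1/2", "broadband"),
    Link("ethernet1/3", "mpls"),
    Link("ethernet1/4", "lte"),
]
# Thresholds from the page that are never exceeded in practice.
NEVER_EXCEEDED = PathQualityProfile(2000.0, 1000.0, 99.0)
# Catch-all profile that deliberately omits the "lte" tag.
NO_LTE = TrafficDistributionProfile(["broadband", "mpls"])

if __name__ == "__main__":
    print("implied rule:", implied_rule(LINKS, 6))
    print("catch-all   :", catch_all_rule(LINKS, NEVER_EXCEEDED, NO_LTE, 6))
```

Running the block prints the session-to-link assignment for six sessions under each rule. The implied rule reproduces the page's sequence (broadband, broadband, MPLS, LTE, broadband, broadband); the catch-all rule alternates between the two broadband links, falls back to MPLS only when both broadband links are down, and returns no path rather than using LTE when every link in the profile is unavailable.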