Create a final SD-WAN catch-all policy rule to distribute
sessions that don’t match any SD-WAN policy rule.
The firewall attempts to match sessions that
arrive at an SD-WAN virtual interface to an SD-WAN policy rule;
the firewall examines the SD-WAN policy rules in order from the
top down, just as it does for Security policy rules.
- If the session matches a rule, the firewall applies that rule's path monitoring and traffic distribution. The first matching rule wins, so rule order matters.
- If the session matches no SD-WAN policy rule in the list, it matches an implied SD-WAN policy rule at the end of the list. The implied rule uses the round-robin method to distribute unmatched sessions among all links in the single SD-WAN interface that the route lookup selects.
Furthermore, if there is no SD-WAN policy rule for a specific application, the firewall doesn't track that application's performance in the SD-WAN-specific visibility tools, such as the logs and reports in the SD-WAN plugin.
To illustrate the implied policy rule:
- Suppose the firewall has three SD-WAN policy rules: one rule specifies five voice applications, one rule specifies six video conferencing applications, and one rule specifies ten SaaS applications.
- A session arrives at the firewall for an application that none of the three rules lists, for example a video application that isn't one of the six in the video conferencing rule, so the session matches none of the SD-WAN policy rules. Because no rule matched, the firewall has no path quality profile or traffic distribution profile to apply to the session.
- Therefore, the firewall matches the video application to the implied rule and distributes the video sessions round-robin among all of the SD-WAN link tags and their associated links on that interface, which could be two broadband links, an MPLS link, and an LTE link. Session 1 goes to the first broadband link, session 2 goes to the second broadband link, session 3 goes to MPLS, session 4 goes to LTE, session 5 goes back to the first broadband link, session 6 goes to the second broadband link, and the round-robin distribution continues in that pattern.
You may not want unmatched sessions to fall through to the implied SD-WAN rule, because you have no control over how that rule distributes them. Instead, we recommend you create a catch-all SD-WAN policy rule and place it last in the list of SD-WAN policy rules. Because rules are evaluated top down and the first match wins, a catch-all placed anywhere else would match every session before the rules below it, so verify its position whenever you reorder the rulebase. A catch-all SD-WAN policy rule lets you:
- Control which links the unmatched sessions use.
- View all of the applications on the firewall (including unmatched
application sessions) in logging and reports in the SD-WAN plugin.
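The following Python model is an added illustration of the behavior described above; it is not PAN-OS code and does not use the firewall's API. It models top-down first-match rule evaluation, the implied round-robin rule for unmatched sessions, the loss of SD-WAN visibility for those sessions, and the effect of appending a catch-all rule. It also includes two checks a practitioner would want on a rulebase: whether the last rule is a catch-all, and whether a catch-all placed too high shadows the rules beneath it. All rule, link tag, link, and application names are constructed for the example.

```python
"""Model of SD-WAN policy rule matching: rules are checked top down, the
first match wins, and anything unmatched falls to the implied rule, which
round-robins across every link of the egress SD-WAN interface.
Added illustration, not PAN-OS code; all names below are constructed."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Set


@dataclass
class SdwanRule:
    name: str
    applications: Set[str]      # {"any"} matches every application (a catch-all)
    link_tags: List[str]        # tags whose links the rule may distribute over

    def matches(self, app: str) -> bool:
        return "any" in self.applications or app in self.applications


def first_match(rules: List[SdwanRule], app: str) -> Optional[SdwanRule]:
    """Top-down evaluation; None means the implied rule would apply."""
    for rule in rules:
        if rule.matches(app):
            return rule
    return None


def lacks_catch_all(rules: List[SdwanRule]) -> bool:
    """True when unmatched sessions would fall to the implied round-robin rule."""
    return not rules or "any" not in rules[-1].applications


def shadowed_rules(rules: List[SdwanRule]) -> List[str]:
    """Names of rules that can never match because an any-application rule
    sits above them; a catch-all belongs at the very end of the list."""
    names, seen_catch_all = [], False
    for rule in rules:
        if seen_catch_all:
            names.append(rule.name)
        elif "any" in rule.applications:
            seen_catch_all = True
    return names


class SdwanInterface:
    """Egress SD-WAN interface (chosen by route lookup) with tagged member links."""

    def __init__(self, links_by_tag: Dict[str, List[str]]):
        self.links_by_tag = links_by_tag
        all_links = [link for links in links_by_tag.values() for link in links]
        self._implied_rr: Iterator[str] = cycle(all_links)  # implied-rule state

    def assign(self, rules: List[SdwanRule], app: str) -> dict:
        """Which rule handled the session, which links it may use, and whether
        the SD-WAN plugin tracks it (sessions on the implied rule are not tracked)."""
        rule = first_match(rules, app)
        if rule is None:
            return {"rule": "implied", "links": [next(self._implied_rr)], "tracked": False}
        eligible = [link for tag in rule.link_tags for link in self.links_by_tag.get(tag, [])]
        return {"rule": rule.name, "links": eligible, "tracked": True}


# Constructed rulebase: five voice, six video, ten SaaS applications, as in the text.
VOICE = SdwanRule("voice", {"sip", "rtp", "skype-voice", "webex-voice", "zoom-voice"}, ["mpls"])
VIDEO = SdwanRule("video", {"zoom-video", "webex-video", "teams-video", "goto-meeting",
                            "bluejeans", "skype-video"}, ["mpls", "broadband"])
SAAS = SdwanRule("saas", {"salesforce", "office365", "box", "dropbox", "slack", "workday",
                          "servicenow", "docusign", "zendesk", "github"}, ["broadband"])
CATCH_ALL = SdwanRule("catch-all", {"any"}, ["broadband"])  # steers leftovers to broadband only

# Constructed interface: two broadband members, one MPLS link, one LTE link.
LINKS = {"broadband": ["broadband-1", "broadband-2"], "mpls": ["mpls-1"], "lte": ["lte-1"]}


def demo_without_catch_all(app: str = "unknown-video", sessions: int = 6) -> List[str]:
    """Link chosen for each of N sessions of an unlisted app: implied round-robin."""
    iface = SdwanInterface(LINKS)
    return [iface.assign([VOICE, VIDEO, SAAS], app)["links"][0] for _ in range(sessions)]


def demo_with_catch_all(app: str = "unknown-video") -> dict:
    """Same app once a catch-all is appended: links are controlled and the session is tracked."""
    iface = SdwanInterface(LINKS)
    return iface.assign([VOICE, VIDEO, SAAS, CATCH_ALL], app)


if __name__ == "__main__":
    print("implied rule, 6 sessions:", demo_without_catch_all())
    print("with catch-all:", demo_with_catch_all())
    print("rulebase lacks catch-all:", lacks_catch_all([VOICE, VIDEO, SAAS]))
    print("shadowed if catch-all is first:", shadowed_rules([CATCH_ALL, VOICE, VIDEO, SAAS]))
```

Running the block shows the six unmatched sessions walking broadband-1, broadband-2, mpls-1, lte-1 and then wrapping, exactly the pattern described above, while the catch-all variant pins the same sessions to the broadband links and marks them as tracked. The `shadowed_rules` check is the one to run after any rulebase reorder: a catch-all that drifts above the application-specific rules silently takes all of their traffic.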