SD-WAN configuration elements interrelate to allow the
firewall to select the best path to an SD-WAN.
The elements of an SD-WAN configuration work together, allowing you to:
- Group physical Ethernet interfaces that share a common destination into a logical SD-WAN interface.
- Specify link speeds.
- Specify the thresholds at which a deteriorating path (or brownout or blackout) to an SD-WAN warrants selecting a new best path.
- Specify the method of selecting that new best path.
This view indicates the relationships between elements at a glance.
The goal of an SD-WAN configuration is to control which links
your traffic takes by specifying the VPN tunnels or direct internet
access (DIA) that certain applications or services take from a branch
to a hub or from a branch to the internet. You group paths so that
if one path deteriorates, the firewall selects a new best path.
A Tag name of your choice identifies a link; you
apply the Tag to the link (interface) by applying an Interface Profile
to the interface, as the red arrow indicates. A link can have only
one Tag. The two yellow arrows indicate that a Tag is referenced
in the Interface Profile and the Traffic Distribution profile. Tags
allow you to control the order that interfaces are used for traffic
distribution. Tags allow Panorama to systematically configure many
firewall interfaces with SD-WAN functionality.
An SD-WAN Interface Profile specifies the Tag that you
apply to the physical interface, and also specifies the type of
Link that interface is (ADSL/DSL, cable modem, Ethernet, fiber,
LTE/3G/4G/5G, MPLS, microwave/radio, satellite, WiFi, or other).
The Interface Profile is also where you specify the maximum upload
and download speeds (in Mbps) of the ISP’s connection. You can also
change whether the firewall monitors the path frequently or not; the
firewall monitors link types appropriately by default.
A Layer3 Ethernet Interface with an IPv4 address can
support SD-WAN functionalities. You apply an SD-WAN Interface Profile
to this interface (red arrow) to indicate the characteristics of
the interface. The blue arrow indicates that physical Interfaces
are referenced and grouped in a virtual SD-WAN Interface.
A virtual SD-WAN Interface is a VPN tunnel or DIA group
of one or more interfaces that constitute a numbered, virtual SD-WAN
Interface to which you can route traffic. The paths belonging to
an SD-WAN Interface all go to the same destination WAN and are all
the same type (either DIA or VPN tunnel). (Tag A and Tag B indicate
that physical interfaces for the virtual interface can have different
A Path Quality Profile specifies maximum latency, jitter,
and packet loss thresholds. Exceeding a threshold indicates that
the path has deteriorated and the firewall needs to select a new
path to the target. A sensitivity setting of high, medium, or low
lets you indicate to the firewall which path monitoring parameter
is more important for the applications to which the profile applies.
The green arrow indicates that you reference a Path Quality Profile
in one or more SD-WAN Policy Rules; thus, you can specify different
thresholds for rules applied to packets having different applications,
services, sources, destinations, zones, and users.
A Traffic Distribution Profile specifies how the firewall
determines a new best path if the current preferred path exceeds
a path quality threshold. You specify which Tags the distribution
method uses to narrow its selection of a new path; hence, the yellow
arrow points from Tags to the Traffic Distribution profile. A Traffic
Distribution profile specifies the distribution method for the rule.
The preceding elements come together in SD-WAN Policy Rules.
The purple arrow indicates that you reference a Path Quality Profile
and a Traffic Distribution profile in a rule, along with packet
applications/services, sources, destinations, and users to specifically
indicate when and how the firewall performs application-based SD-WAN
path selection for a packet not belonging to a session.
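
The relationships described above can be traced in a small model. This is an added example, not Palo Alto Networks code and not the firewall's actual algorithm: the top-down walk through the Tags stands in for a distribution method, the sensitivity setting is not modeled, and all interface names, Tag names, and measurements are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:  # physical interface plus what its Interface Profile assigns
    name: str
    tag: str        # a link can have only one Tag
    link_type: str  # e.g. "MPLS", "LTE/3G/4G/5G"

@dataclass(frozen=True)
class PathQualityProfile:
    """Maximum latency, jitter and packet loss for a rule's traffic."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    def exceeded(self, m):
        """Return the names of the thresholds that measurement m exceeds."""
        limits = {"latency_ms": self.max_latency_ms,
                  "jitter_ms": self.max_jitter_ms,
                  "loss_pct": self.max_loss_pct}
        return [key for key, limit in limits.items() if m[key] > limit]

def select_path(current, links, measurements, quality, tag_order):
    """Keep the current path while it is within thresholds; otherwise walk the
    Tags in order and return the first healthy member link (assumed method)."""
    if not quality.exceeded(measurements[current]):
        return current
    for tag in tag_order:
        for link in links:
            if (link.tag == tag and link.name != current
                    and not quality.exceeded(measurements[link.name])):
                return link.name
    return current  # assumption: nothing better, stay on the current path

# Constructed sample data: interface names, Tags and numbers are made up.
LINKS = [Link("ethernet1/1", "Cheap-Broadband", "Cable modem"),
         Link("ethernet1/2", "Private-MPLS", "MPLS"),
         Link("ethernet1/3", "Backup-LTE", "LTE/3G/4G/5G")]
VOICE = PathQualityProfile(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1)
TAG_ORDER = ["Private-MPLS", "Cheap-Broadband", "Backup-LTE"]
HEALTHY = {"latency_ms": 40, "jitter_ms": 5, "loss_pct": 0.1}
BROWNOUT = {"latency_ms": 220, "jitter_ms": 45, "loss_pct": 0.5}

def demo():
    """MPLS browns out: first with broadband healthy, then with it degraded."""
    m = {"ethernet1/1": HEALTHY, "ethernet1/2": BROWNOUT, "ethernet1/3": HEALTHY}
    first = select_path("ethernet1/2", LINKS, m, VOICE, TAG_ORDER)
    m["ethernet1/1"] = BROWNOUT
    second = select_path("ethernet1/2", LINKS, m, VOICE, TAG_ORDER)
    return first, second
```

Calling `demo()` shows the rule's traffic moving from the MPLS link to the broadband link, and to the LTE link once broadband also exceeds the profile's thresholds.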