Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination

Configure the SaaS application to fail over to a hub firewall pointing to a different SaaS application destination in the event that there are no healthy Direct Internet Access (DIA) links from the branch firewall.
If your organization is leveraging a SaaS application at a branch firewall location but the branch firewall has no healthy DIA links to swap to, you can configure the hub firewall as a failover alternative to maintain a healthy connection to your SaaS application using a SaaS Quality profile pointing to a different SaaS application destination.
If the SaaS application DIA link health metric thresholds are exceeded and the branch firewall has no healthy DIA links available, the link is swapped to the next hub firewall for all new sessions. Existing sessions on the degraded DIA link are not swapped over to the hub firewall.
For example, say your branch and hub firewalls are located on opposite sides of the country and access a SaaS cloud application deployed in a cloud provider such as GCP. You can configure the hub firewall to act as a failover in the event there are no healthy DIA links from the branch firewall to the SaaS application. To accomplish this, configure an identically named SaaS Quality profile on both the branch and hub firewalls to automatically fail over to the hub firewall if no healthy DIA links are available from the branch firewall. The SaaS Quality profile configured on the hub firewall points to the on-ramp location closest to the hub to take advantage of local resources closest to it. This gives you flexibility in specifying healthy failover paths and the ability to maintain accurate end-to-end SaaS application monitoring data without congesting your network bandwidth.
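The path-selection behaviour described above (DIA links first, hub VPN only when every DIA link has breached a threshold, and existing sessions staying on the link they were opened on) can be hard to picture from prose. The following Python model is an added illustration written for this page, not firewall code or anything from the vendor; the threshold values, link names and probe metrics are constructed, and the Traffic Distribution order is represented as a plain list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    """Constructed path-health thresholds (latency, jitter, packet loss)."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class LinkHealth:
    """Latest probe result for one link; kind is 'dia' or 'hub-vpn' (constructed labels)."""
    name: str
    kind: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def healthy(self, t: Thresholds) -> bool:
        # A link is healthy only while every metric stays within its threshold.
        return (self.latency_ms <= t.max_latency_ms
                and self.jitter_ms <= t.max_jitter_ms
                and self.loss_pct <= t.max_loss_pct)


def select_path(links, order, thresholds):
    """Walk the Traffic Distribution order and return the first healthy link.

    DIA links are listed first, so the hub VPN link is only chosen when every
    DIA link has exceeded a threshold. Returns None if nothing is healthy.
    """
    by_name = {link.name: link for link in links}
    for name in order:
        if by_name[name].healthy(thresholds):
            return name
    return None


class SessionTable:
    """New sessions take the currently selected path; existing sessions keep
    the path they were opened on, even after that link degrades."""

    def __init__(self):
        self.sessions = {}

    def open_session(self, session_id, links, order, thresholds):
        path = select_path(links, order, thresholds)
        if path is None:
            raise RuntimeError("no healthy DIA or hub path available")
        self.sessions[session_id] = path
        return path

    def path_of(self, session_id):
        return self.sessions[session_id]


def failover_scenario():
    """Constructed scenario: both DIA links degrade after session s1 is opened."""
    t = Thresholds(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=2.0)
    order = ["dia-isp-a", "dia-isp-b", "hub-vpn"]
    links = [
        LinkHealth("dia-isp-a", "dia", 40, 5, 0.1),
        LinkHealth("dia-isp-b", "dia", 60, 8, 0.3),
        LinkHealth("hub-vpn", "hub-vpn", 90, 10, 0.2),
    ]
    table = SessionTable()
    table.open_session("s1", links, order, t)   # healthy DIA: s1 -> dia-isp-a

    # Both DIA links now exceed thresholds (loss on A, latency on B).
    links[0].loss_pct = 5.0
    links[1].latency_ms = 400
    table.open_session("s2", links, order, t)   # no healthy DIA: s2 -> hub-vpn

    return {"s1": table.path_of("s1"), "s2": table.path_of("s2"),
            "current_path": select_path(links, order, t)}


if __name__ == "__main__":
    print(failover_scenario())
```

Running the scenario shows s1 still pinned to dia-isp-a after that link breached its loss threshold, while s2, opened afterwards, lands on hub-vpn; that is the "new sessions only" behaviour the text describes, and it is why a degraded DIA link keeps carrying traffic until those sessions end.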
  1. Create a Link Tag to group the SaaS application DIA links.
    Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings for each SaaS application DIA link based on the link type.
    Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link bundle.
  2. Configure an SD-WAN Interface profile to define the characteristics of your ISP connection and specify the speed of the DIA link, how frequently the branch firewall monitors the link, and select the Link Tag to specify to which link the SD-WAN Interface profile applies.
    If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag.
    If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that link tag applies the SD-WAN Interface profile settings to all DIA links in the bundle.
  3. Configure a physical Ethernet interface for each SaaS application DIA link.
    All physical Ethernet interfaces for DIA links must be Layer3.
  4. Configure a Virtual SD-WAN Interface that groups all physical Ethernet interfaces for the SaaS application DIA links into a single interface group.
    The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA location. The SD-WAN Path Quality and Traffic Distribution profiles in the SD-WAN policy rule then determine which path to use and the order in which to consider new paths if path health deteriorates.
  5. Create identically named SaaS quality profiles for both the hub and branch firewalls.
    Two identically named SaaS Quality profiles must be configured on the hub and branch firewalls to successfully leverage the hub firewall as an alternative failover. Create two SaaS Quality profiles with identical names each pointing to a different SaaS application destination in different device groups and push them to your hub and branch firewalls.
    1. Select Objects > SD-WAN Link Management > SaaS Quality Profile, and select the target device group containing the branch firewall from the Device Group drop-down.
    2. Add a new SaaS Quality profile.
    3. Enter a descriptive Name for the SaaS Quality profile.
    4. Enable (check) Disable override to disable overriding the SaaS Quality profile configuration on the local firewall.
    5. Configure the SaaS Monitoring Mode using one of the following methods.
      • Configure the Static IP address for the SaaS application.
        Create a SaaS Quality profile per SaaS application. If a SaaS application has multiple IP addresses, configure a SaaS Quality profile with the multiple static IP addresses for that SaaS application.
        1. Select IP Address/Object > Static IP Address and Add an IP address.
        2. Enter the IP address of the SaaS application or select a configured address object.
        3. Enter the Probe Interval at which the branch firewall probes the SaaS application path for health information.
        4. Click OK to save your configuration changes.
      • Configure the fully qualified domain name (FQDN) for the SaaS application.
        1. Configure an FQDN address object for the SaaS application.
        2. Select IP Address/Object > FQDN and Add the FQDN.
        3. Select the FQDN address object for the SaaS application.
        4. Enter the Probe Interval at which the branch firewall probes the SaaS application path for health information.
        5. Click OK to save your configuration changes.
      • Configure the URL for the SaaS application.
        URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and 143.
        1. Select HTTP/HTTPS.
        2. Enter the Monitored URL of the SaaS application.
        3. Enter the Probe Interval at which the branch firewall probes the SaaS application path for health information.
        4. Click OK to save your configuration changes.
    6. Select Objects > SD-WAN Link Management > SaaS Quality Profile, and select the target device group containing the hub firewall from the Device Group drop-down.
    7. Repeat Steps 5.2 through 5.5 to create an identically named SaaS Quality profile for a SaaS application at a different destination.
      This step is required to create an identically named SaaS Quality profile in the device group your hub firewall belongs to.
  6. Create a Traffic Distribution profile to specify the order the branch firewall swaps from DIA links to VPN links to the hub firewall in the event of link health degradation.
  7. Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and determine how the firewall selects the preferred link for the critical SaaS application traffic.
    In the Application tab, add the SaaS application you are monitoring to the SD-WAN policy rule to ensure the SaaS monitoring settings are applied only to the desired SaaS application.
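The procedure above hinges on a few constraints that are easy to get wrong when the two profiles are created in separate device groups: the names must match exactly, the hub copy must point at a different destination, and a URL-monitored profile only works on the ports listed in Step 5. The following Python checker is an added example written for this page, not vendor tooling or a representation of the PAN-OS configuration schema; the `SaaSQualityProfile` class, the device group names and the monitored URLs are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Ports on which URL (HTTP/HTTPS) monitoring is supported, per the procedure above.
URL_MONITOR_PORTS = {80, 443, 8080, 8081, 143}
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass(frozen=True)
class SaaSQualityProfile:
    """Hypothetical model of one SaaS Quality profile as pushed to a device group."""
    name: str
    device_group: str
    mode: str                 # "static-ip", "fqdn" or "http"
    destination: tuple        # IP strings, (fqdn,), or (url,)
    probe_interval_s: int
    disable_override: bool = True


def _valid_fqdn(host):
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(HOSTNAME_LABEL.match(lbl) for lbl in labels)


def validate_profile(p):
    """Return a list of problems (empty when the profile is acceptable)."""
    tag = f"{p.name}@{p.device_group}"
    errors = []
    if p.probe_interval_s <= 0:
        errors.append(f"{tag}: probe interval must be positive")
    if not p.disable_override:
        errors.append(f"{tag}: Disable override should be enabled")
    if not p.destination:
        errors.append(f"{tag}: no destination configured")
    if p.mode == "static-ip":
        for ip in p.destination:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"{tag}: bad static IP {ip!r}")
    elif p.mode == "fqdn":
        for host in p.destination:
            if not _valid_fqdn(host):
                errors.append(f"{tag}: bad FQDN {host!r}")
    elif p.mode == "http":
        for url in p.destination:
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https") or not parsed.hostname:
                errors.append(f"{tag}: bad monitored URL {url!r}")
                continue
            # Default port follows the scheme; anything outside the supported set is rejected.
            port = parsed.port or (443 if parsed.scheme == "https" else 80)
            if port not in URL_MONITOR_PORTS:
                errors.append(f"{tag}: port {port} not supported for URL monitoring")
    else:
        errors.append(f"{tag}: unknown monitoring mode {p.mode!r}")
    return errors


def validate_failover_pair(branch, hub):
    """Check the branch/hub pair the procedure requires: identical names, different
    device groups, and a different SaaS destination on the hub side."""
    errors = validate_profile(branch) + validate_profile(hub)
    if branch.name != hub.name:
        errors.append("branch and hub SaaS Quality profiles must have identical names")
    if branch.device_group == hub.device_group:
        errors.append("branch and hub profiles must live in different device groups")
    if branch.destination == hub.destination:
        errors.append("hub profile must point to a different SaaS application destination")
    return errors


# Constructed sample pair: same name, different device groups and destinations.
BRANCH_PROFILE = SaaSQualityProfile("saas-crm", "dg-branch-east", "http",
                                    ("https://crm.example.com/healthz",), 5)
HUB_PROFILE = SaaSQualityProfile("saas-crm", "dg-hub-west", "http",
                                 ("https://crm-west.example.com/healthz",), 5)
# Constructed bad hub copy: monitored URL on a port outside the supported set.
BAD_HUB_PROFILE = SaaSQualityProfile("saas-crm", "dg-hub-west", "http",
                                     ("https://crm.example.com:8443/healthz",), 5)

if __name__ == "__main__":
    print(validate_failover_pair(BRANCH_PROFILE, HUB_PROFILE))       # []
    print(validate_failover_pair(BRANCH_PROFILE, BAD_HUB_PROFILE))   # port 8443 rejected
```

Run such a check before the Panorama push rather than after: a name mismatch or an unsupported monitoring port only shows up on the firewall as monitoring that silently never fails over, which is the failure mode this procedure is meant to prevent.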