Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination
Configure the SaaS application to fail over to a hub firewall pointing to a different SaaS application destination in the event that there are no healthy Direct Internet Access (DIA) links from the branch firewall.

If your organization uses a SaaS application at a branch firewall location but the branch firewall has no healthy DIA links to swap to, you can configure the hub firewall as a failover alternative to maintain a healthy connection to your SaaS application, using a SaaS Quality profile that points to a different SaaS application destination.

If the SaaS application DIA link health metric thresholds are exceeded and the branch firewall has no healthy DIA links available, the link is swapped to the next hub firewall for all new sessions. Existing sessions on the degraded DIA link are not swapped over to the hub firewall.

For example, say your branch and hub firewalls are located on opposite sides of the country and access a SaaS cloud application deployed in a cloud provider such as GCP. You can configure the hub firewall to act as a failover in the event there are no healthy DIA links from the branch firewall to the SaaS application. To accomplish this, configure an identically named SaaS Quality profile on both the branch and hub firewalls so that the branch automatically fails over to the hub firewall if no healthy DIA links are available from the branch firewall. The SaaS Quality profile configured on the hub firewall points to the on-ramp location closest to the hub so that it uses the local resources closest to it. This gives you flexibility in specifying healthy failover paths and the ability to maintain accurate end-to-end SaaS application monitoring data without congesting your network bandwidth.
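The failover behaviour described above, as an added example that is not Palo Alto Networks code: a simplified Python model in which new sessions prefer healthy DIA links in their configured order, fall over to the hub path only when no DIA link passes its health thresholds, and existing sessions stay pinned to the path they started on. The link names, threshold values and probe metrics are constructed for the demo and do not reflect the firewall's internal algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, simplified model of the branch-to-hub failover described above.
# It is not PAN-OS code; names, fields and thresholds are assumptions.


@dataclass
class PathMetrics:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Thresholds:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def exceeded_by(self, m: PathMetrics) -> bool:
        return (m.latency_ms > self.max_latency_ms
                or m.jitter_ms > self.max_jitter_ms
                or m.loss_pct > self.max_loss_pct)


@dataclass
class Session:
    session_id: int
    path: str          # name of the path the session was pinned to at setup


class BranchPathSelector:
    """Picks a path for each *new* session; existing sessions keep their path."""

    def __init__(self, dia_links: List[str], hub_paths: List[str], thresholds: Thresholds):
        self.dia_links = list(dia_links)        # preference order for DIA links
        self.hub_paths = list(hub_paths)        # preference order for hub VPN paths
        self.thresholds = thresholds
        self.metrics: Dict[str, PathMetrics] = {}
        self.sessions: Dict[int, Session] = {}

    def report(self, path: str, m: PathMetrics) -> None:
        """Record the latest SaaS-probe result for a path."""
        self.metrics[path] = m

    def is_healthy(self, path: str) -> bool:
        m = self.metrics.get(path)
        # An unprobed path is treated as unhealthy rather than assumed good.
        return m is not None and not self.thresholds.exceeded_by(m)

    def select_path(self) -> Optional[str]:
        """Healthy DIA links first, then the hub paths in order, else nothing."""
        for path in self.dia_links + self.hub_paths:
            if self.is_healthy(path):
                return path
        return None

    def open_session(self, session_id: int) -> Optional[str]:
        """Pin a new session to the currently preferred healthy path."""
        path = self.select_path()
        if path is not None:
            self.sessions[session_id] = Session(session_id, path)
        return path

    def path_of(self, session_id: int) -> Optional[str]:
        s = self.sessions.get(session_id)
        return s.path if s else None


def demo() -> Dict[int, Optional[str]]:
    """Walk through a degradation sequence and return where each session landed."""
    th = Thresholds(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=2.0)
    sel = BranchPathSelector(["dia-isp1", "dia-isp2"], ["hub-vpn"], th)
    good = PathMetrics(40, 5, 0.1)
    for p in ("dia-isp1", "dia-isp2", "hub-vpn"):
        sel.report(p, good)

    placed: Dict[int, Optional[str]] = {}
    placed[1] = sel.open_session(1)                     # healthy DIA -> dia-isp1
    sel.report("dia-isp1", PathMetrics(400, 80, 6.0))   # isp1 exceeds thresholds
    placed[2] = sel.open_session(2)                     # other DIA still healthy -> dia-isp2
    sel.report("dia-isp2", PathMetrics(300, 50, 9.0))   # isp2 degrades too
    placed[3] = sel.open_session(3)                     # no healthy DIA -> hub-vpn
    placed[1] = sel.path_of(1)                          # session 1 was not moved
    return placed


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the two points the text makes: the third session is the first one to land on the hub path, because only then is there no healthy DIA link left, and session 1 still reports `dia-isp1` even though that link is now degraded.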
- Set up your SD-WAN deployment.
  - Install the SD-WAN Plugin.
  - Set Up Panorama and Firewalls for SD-WAN.
  - Add SD-WAN Devices to Panorama.
  - (High availability configurations only) Configure HA Devices for SD-WAN.
  - Create a VPN Cluster.
- Create a Link Tag to group the SaaS application DIA links. Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings to each SaaS application DIA link based on the link type. Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link bundle.
- Configure an SD-WAN Interface profile to define the characteristics of your ISP connection: specify the speed of the DIA link, how frequently the branch firewall monitors the link, and the Link Tag that identifies which link the SD-WAN Interface profile applies to. If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag. If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that Link Tag applies the SD-WAN Interface profile settings to all DIA links in the bundle.
- Configure a physical Ethernet interface for each SaaS application DIA link. All physical Ethernet interfaces for DIA links must be Layer 3.
- Configure a Virtual SD-WAN Interface that groups all physical Ethernet interfaces for the SaaS application DIA links into a single interface group. The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA location. The SD-WAN path health and Traffic Distribution profiles in the SD-WAN policy rule then determine which path to use and the order in which to consider new paths if path health deteriorates.
- Create identically named SaaS Quality profiles for both the hub and branch firewalls. Two identically named SaaS Quality profiles must be configured on the hub and branch firewalls to successfully use the hub firewall as a failover alternative. Create two SaaS Quality profiles with identical names, each pointing to a different SaaS application destination, in different device groups and push them to your hub and branch firewalls.
  - Select Objects > SD-WAN Link Management > SaaS Quality Profile, and select the target device group containing the branch firewall from the Device Group drop-down.
  - Add a new SaaS Quality profile.
  - Enter a descriptive Name for the SaaS Quality profile.
  - Enable (check) Disable override to prevent the SaaS Quality profile configuration from being overridden on the local firewall.
  - Configure the SaaS Monitoring Mode using one of the following methods.
    - Configure the Static IP address for the SaaS application. Create a SaaS Quality profile per SaaS application. If a SaaS application has multiple IP addresses, configure a single SaaS Quality profile with all of the static IP addresses for that SaaS application.
      - Select IP Address/Object > Static IP Address and Add an IP address.
      - Enter the IP address of the SaaS application or select a configured address object.
      - Enter the Probe Interval at which the branch firewall probes the SaaS application path for health information.
      - Click OK to save your configuration changes.
    - Configure the fully qualified domain name (FQDN) for the SaaS application.
      - Configure an FQDN address object for the SaaS application.
      - Select IP Address/Object > FQDN and Add the FQDN.
      - Select the FQDN address object for the SaaS application.
      - Enter the Probe Interval at which the branch firewall probes the SaaS application path for health information.
      - Click OK to save your configuration changes.
    - Configure the URL for the SaaS application. URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and 143.
      - Select HTTP/HTTPS.
      - Enter the Monitored URL of the SaaS application.
      - Enter the Probe Interval at which the branch firewall probes the SaaS application path for health information.
      - Click OK to save your configuration changes.
  - Select Objects > SD-WAN Link Management > SaaS Quality Profile, and select the target device group containing the hub firewall from the Device Group drop-down.
  - Repeat Steps 6.2 through 6.5 to create an identically named SaaS Quality profile for the SaaS application at a different destination. This step is required so that an identically named SaaS Quality profile exists in the device group your hub firewall belongs to.
- Create a Traffic Distribution profile to specify the order in which the branch firewall swaps from DIA links to VPN links to the hub firewall in the event of link health degradation.
- Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and to determine how the firewall selects the preferred link for the critical SaaS application traffic. In the Application tab, add the SaaS application you are monitoring to the SD-WAN policy rule to ensure the SaaS monitoring settings are applied only to that SaaS application.
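An added pre-push check for the SaaS Quality profiles created in the procedure above, written here as example Python and not part of Panorama or PAN-OS: it models the branch and hub device groups as dictionaries of profiles, requires an identically named profile on the hub side, flags a hub profile that reuses the branch destination (this use case needs a different one), checks that Disable override is set on both, and rejects a monitored URL whose port is outside the supported list (80, 443, 8080, 8081, 143). The data model, field names and sample hostnames are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Assumed data model for the profiles created in the steps above; the real
# objects live in Panorama device groups and are not represented this way.

# Ports on which URL (HTTP/HTTPS) monitoring is supported, per the procedure.
SUPPORTED_URL_PORTS = {80, 443, 8080, 8081, 143}


@dataclass(frozen=True)
class SaaSQualityProfile:
    name: str
    mode: str                       # "static_ip", "fqdn" or "http"
    destination: Tuple[str, ...]    # IP addresses, one FQDN, or one monitored URL
    probe_interval_s: int
    disable_override: bool = True


def monitored_url_port(url: str) -> int:
    """Port the URL probe will use: explicit port, else 443 for https, 80 for http."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    if parts.scheme == "https":
        return 443
    if parts.scheme == "http":
        return 80
    raise ValueError(f"unsupported scheme in monitored URL: {url!r}")


def validate_profile(p: SaaSQualityProfile) -> List[str]:
    """Return a list of problems with a single profile (empty when it is fine)."""
    issues: List[str] = []
    if not p.destination:
        issues.append(f"{p.name}: no destination configured")
    if p.probe_interval_s <= 0:
        issues.append(f"{p.name}: probe interval must be positive")
    if p.mode in ("fqdn", "http") and len(p.destination) != 1:
        issues.append(f"{p.name}: {p.mode} mode takes exactly one destination")
    if p.mode == "http":
        for url in p.destination:
            try:
                port = monitored_url_port(url)
            except ValueError as e:
                issues.append(f"{p.name}: {e}")
                continue
            if port not in SUPPORTED_URL_PORTS:
                issues.append(f"{p.name}: URL monitoring not supported on port {port}")
    elif p.mode not in ("static_ip", "fqdn"):
        issues.append(f"{p.name}: unknown monitoring mode {p.mode!r}")
    return issues


def validate_failover_pair(branch: Dict[str, SaaSQualityProfile],
                           hub: Dict[str, SaaSQualityProfile]) -> List[str]:
    """Check the branch and hub device groups against this use case's requirements."""
    issues: List[str] = []
    for name, bp in branch.items():
        issues += validate_profile(bp)
        hp = hub.get(name)
        if hp is None:
            issues.append(f"{name}: no identically named profile in the hub device group")
            continue
        issues += validate_profile(hp)
        if hp.destination == bp.destination:
            issues.append(f"{name}: hub profile points at the same destination as the branch profile")
        if not bp.disable_override or not hp.disable_override:
            issues.append(f"{name}: Disable override is not set on both profiles")
    return issues


def demo() -> List[str]:
    """Constructed sample: branch probes the front end nearest the branch, hub probes
    the on-ramp nearest the hub. Hostnames are placeholders, not real services."""
    branch = {"gcp-crm": SaaSQualityProfile(
        "gcp-crm", "http", ("https://crm-west.example.net/health",), 5)}
    hub = {"gcp-crm": SaaSQualityProfile(
        "gcp-crm", "http", ("https://crm-east.example.net/health",), 5)}
    return validate_failover_pair(branch, hub)


if __name__ == "__main__":
    for issue in demo() or ["no issues found"]:
        print(issue)
```

The same-destination check is specific to this use case; for the sibling use case that fails over to the same SaaS application destination, that condition is the intended configuration and the check would be dropped.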