Use Case: Configure SaaS Monitoring for a Branch Firewall

Configure SaaS monitoring for an SD-WAN branch firewall with a Direct Internet Access (DIA) link to a business-critical SaaS application.
If your organization is leveraging a business-critical SaaS application at a branch firewall location, you can configure a SaaS Quality profile and associate it with a SD-WAN policy rule to monitor the latency, jitter, and packet loss health metrics of the critical SaaS application and swap links from an SD-WAN branch firewall to a SaaS application on a Direct Internet Access (DIA) link to ensure application usability.
If the business-critical SaaS application DIA link health metric thresholds are exceeded, the link is swapped to the next DIA link configured in the Traffic Distribution profile for all new sessions. The existing session on the degraded DIA link is not swapped over to the next DIA link.
  1. Create a Link Tag to group the SaaS application DIA links.
    Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings for each SaaS application DIA link based on the link type.
    Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link bundle. Creating a single Link Tag for multiple DIA links allows you to aggregate bandwidth between bundled links and allow the firewall to distribute sessions between multiple links.
  2. Configure an SD-WAN Interface profile to define the characteristics of your ISP connection and specify the speed of the DIA link, how frequently the branch firewall monitors the link, and select the Link Tag to specify to which link the SD-WAN Interface profile applies.
    If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag.
    If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that link tag applies the SD-WAN Interface profile settings to all DIA links in the bundle.
  3. Configure a physical Ethernet interface for each SaaS application DIA link.
    All physical Ethernet interfaces for DIA links must be Layer3.
  4. Configure a Virtual SD-WAN Interface that groups all physical Ethernet interfaces for the SaaS application DIA links into a single interface group.
    The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA location. The SD-WAN path health and Traffic Distribution profiles in the SD-WAN policy rule then determine which path to use and the order in which to consider new paths if a path health deteriorates.
  5. Create a Path Quality profile to configure the latency, jitter, and packet loss thresholds and sensitivity in order to specify when the branch firewall should swap to the next DIA link.
  6. Create a SaaS Quality profile to specify your SaaS application and the frequency the DIA link is monitored.
  7. Create a Traffic Distribution profile to specify the order the branch firewall swaps to DIA links in the event of link health degradation.
  8. Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and determine how the firewall selects the preferred link for the critical SaaS application traffic.
    In the
    tab, add the SaaS application you are monitoring to the SD-WAN policy rule to ensure the SaaS monitoring settings are applied only to the desired SaaS application.

Recommended For You