Strata Cloud Manager

1. Log in to Strata Cloud Manager.
2. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesSD-WAN PolicyProfilesSD-WAN Interfaceand select the hub or branch folder where want to create the SD-WAN interface profile.
3. Add Profile.
4. Enter a descriptive Name for the profile.
5. Select the Link Tag the profile assigns to the interface.
6. Select the Link Type from the predefined list.
7. Specify the Maximum Download (Mbps) speed from the ISP.
8. Specify the Maximum Upload (Mbps) speed to the ISP.
9. Check (enable Eligible for Error Correction Profile Interface Selection to enable Forward Error Correction (FEC) or packet duplication for interfaces.

   If enabled, you must enable this setting for both sending and receiving firewalls.
10. VPN Data Tunnel Support determines whether the branch-to-hub traffic and return traffic flows through a VPN tunnel for added security or flows outside of the VPN tunnel to avoid encryption overhead. This setting is enabled by default.

    • Keep enabled for public links that have direct internet connections or internet break capabilities, such as cable modem, ADSL, and other internet connections.
    • Disable for private link types such as MPLS, satellite, or microwave that doesn’t have internet breakout capability. However, you must first ensure that the traffic can’t be intercepted because it will be sent outside of the VPN tunnel.
    • The branch might have DIA traffic that needs to fail over to the private MPLS link connecting to the hub, and reach the internet from the hub. The VPN Data Tunnel Support setting determines whether the private data flows through the VPN tunnel or flows outside the tunnel, and the failed over traffic uses the other connection (that the private data flow doesn’t use). The firewall uses zones to segment DIA failover traffic from private MPLS traffic.
11. Set the VPN Failover Metric if DIA AnyPath is enabled a hub or branch firewall, to prioritize the order in which a particular hub is selected for failover.

    The lower the metric, the higher the priority of the interface to be selected during failover. If multiple hub virtual interfaces have the same metric value, SD-WAN sends new session traffic to them in round-robin fashion.
12. Select the Path Monitoring mode.

    • Aggressive—Firewall sends probe packets to the opposite end of the SD-WAN link at a constant frequency. Use this mode if you need fast detection and failover for brownout and blackout conditions. Default for all link types except LTE and Satellite.
    • Relaxed—Firewall waits for a number of seconds (Probe Idle Time) between sending sets of probe packets, making path monitoring less frequent. When the probe idle time expires, firewall sends probes for 7 seconds at the Probe Frequency configured. Use this mode when you have low-bandwidth links, links that charge by usage (such as LTE), or when fast detection isn’t as important as preserving cost and bandwidth. Default for LTE and Satellite link types.
13. Set the Probe Frequency (per second) to specify the number of times per second the firewall sends a probe packet to the opposite end of the SD-WAN link. The default setting provides subsecond detection of brownout and blackout conditions.
14. Set the Probe Idle Time (seconds) to specify how long the firewall waits between sets of probe packets.
15. Set the Failback Hold Time (seconds) to specify how long the firewall waits for a recovered link to remain qualified before the firewall reinstates the link after it has failed.
16. Save.