If you have enabled multi-WAN, but want the Firebox to always send certain types of outgoing traffic through a specific external interface, you can use SD-WAN. For example, if your DNS server is reachable through only one of the external interfaces, you can create a DNS policy and enable SD-WAN to send all DNS traffic to the interface that can reach the DNS server. SD-WAN creates an exception to the global multi-WAN configuration settings.
In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. In Fireware v12.2.1 or earlier, to route traffic to a different external interface, you must use policy-based routing. When you upgrade to Fireware v12.3, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions.
For detailed information about how SD-WAN works, see About SD-WAN.
Do not enable SD-WAN in the BOVPN-Allow policies or in policies that apply to mobile VPN traffic or incoming traffic.
To use SD-WAN:
- Create an SD-WAN action.
- Create an outgoing policy for the type of traffic that you want to send to a specific external interface.
- Enable SD-WAN in the policy.
- Select the SD-WAN action you want the policy to use.
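The four steps above describe configuration in the Firebox UI. To make the resulting behaviour concrete, here is an added Python model of how a policy with an SD-WAN action overrides the global multi-WAN selection, how the ordered interface list in an action gives failover, and how legacy policy-based routing maps onto an action. This is illustrative code written for this page, not WatchGuard's implementation; the interface names, the round-robin global multi-WAN method, the `Firebox`, `Policy`, `SDWANAction` and `convert_pbr` names, and the rule that a flow with no reachable interface is dropped are all assumptions of the model.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, List, Optional

# Constructed example: two external interfaces participating in multi-WAN.
EXTERNAL_IFACES = ["eth0", "eth1"]

@dataclass
class Flow:
    proto: str
    dst_port: int

@dataclass
class SDWANAction:
    # Ordered list: the first interface that is up carries the traffic,
    # the rest act as failover (this is the model's reading of the page).
    name: str
    interfaces: List[str]

@dataclass
class Policy:
    name: str
    match: Callable[[Flow], bool]
    kind: str = "outgoing"          # "outgoing", "bovpn", "mobile_vpn", "incoming"
    sd_wan: Optional[SDWANAction] = None

def enable_sd_wan(policy: Policy, action: SDWANAction) -> Policy:
    """Attach an SD-WAN action to a policy, refusing the policy types the
    page says SD-WAN must not be enabled for."""
    if policy.kind in ("bovpn", "mobile_vpn", "incoming"):
        raise ValueError(f"SD-WAN must not be enabled on {policy.kind} policy {policy.name!r}")
    policy.sd_wan = action
    return policy

def convert_pbr(primary: str, failover: List[str] = ()) -> SDWANAction:
    """Model of the v12.3 upgrade conversion: policy-based routing without
    failover becomes an action with one interface, with failover it becomes
    an action listing primary then failover interfaces."""
    return SDWANAction(name=f"pbr_{primary}", interfaces=[primary, *failover])

class Firebox:
    def __init__(self, policies: List[Policy], iface_up: dict):
        self.policies = policies
        self.iface_up = iface_up            # simulated link state per interface
        self._rr = cycle(EXTERNAL_IFACES)   # assumed global multi-WAN method: round robin

    def global_multiwan(self) -> Optional[str]:
        # Global multi-WAN: next interface in rotation that is currently up.
        for _ in EXTERNAL_IFACES:
            iface = next(self._rr)
            if self.iface_up.get(iface):
                return iface
        return None

    def egress_interface(self, flow: Flow) -> Optional[str]:
        # First matching policy decides. With SD-WAN enabled, the action's
        # interface list is an exception to the global multi-WAN setting.
        for policy in self.policies:
            if not policy.match(flow):
                continue
            if policy.sd_wan is None:
                return self.global_multiwan()
            for iface in policy.sd_wan.interfaces:
                if self.iface_up.get(iface):
                    return iface
            return None   # model choice: every interface in the action is down
        return self.global_multiwan()

def build_example(eth1_up: bool = True) -> Firebox:
    """Constructed scenario from the page: the DNS server is reachable only
    through eth1, so a DNS policy gets an SD-WAN action pinned to eth1 with
    eth0 as failover; all other traffic follows global multi-WAN."""
    dns = Policy("DNS", lambda f: f.proto == "udp" and f.dst_port == 53)
    enable_sd_wan(dns, SDWANAction("dns-via-eth1", ["eth1", "eth0"]))
    any_policy = Policy("Outgoing", lambda f: True)
    return Firebox([dns, any_policy], {"eth0": True, "eth1": eth1_up})

if __name__ == "__main__":
    fb = build_example()
    print(fb.egress_interface(Flow("udp", 53)))   # DNS pinned to eth1
    print(fb.egress_interface(Flow("tcp", 443)))  # round robin: eth0
    print(fb.egress_interface(Flow("tcp", 443)))  # round robin: eth1
```

Running the module shows DNS always leaving via `eth1` while HTTPS alternates between the two interfaces, and `build_example(eth1_up=False)` shows DNS failing over to `eth0` because the action lists it second.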
For information about how to configure SD-WAN, see Configure SD-WAN.
For information about SD-WAN reporting in the Web UI, see Interface Information and SD-WAN Monitoring. For information about SD-WAN reporting in Policy Manager, see SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager).