About SD-WAN

Software-Defined WAN (SD-WAN) is a software-based routing solution that automatically distributes network traffic across multiple WAN connections based on policies you define. SD-WAN is embedded in the Firebox. The Firebox monitors your WAN connections, captures near real-time performance data, and uses this data to make routing decisions. For example, if a WAN connection becomes congested, the Firebox automatically sends traffic over a different WAN connection.

SD-WAN works with different types of WAN connections, which means you can configure a hybrid WAN. For example, if your Firebox has an MPLS connection and a broadband Internet connection, you can use both in an SD-WAN configuration.

You can use SD-WAN to increase application availability and performance, and to better utilize a hybrid WAN. For example, with SD-WAN, you can:

  • Send high-priority, latency-sensitive traffic such as VoIP and video conferencing over higher-quality, more expensive WAN connections
  • Send lower-priority traffic over less expensive WAN connections
  • Specify performance thresholds so that connections fail over to a different WAN connection when performance is less than ideal

To configure SD-WAN, in Fireware v12.3 or higher:

  • Configure Link Monitor targets
  • Configure an SD-WAN action
  • Configure a policy to use the SD-WAN action

This topic explains how SD-WAN works. For detailed configuration instructions, see Configure SD-WAN.

For a configuration example, see SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.

In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. In Fireware v12.2.1 or earlier, to route traffic to a different external interface, you must use policy-based routing. When you upgrade to Fireware v12.3 or higher, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, see Configure Policy-Based Routing in Fireware v12.2.1 or lower in the WatchGuard Knowledge Base.

Configure Link Monitor Targets

We recommend that you configure Link Monitor targets for interfaces included in an SD-WAN action.

A Link Monitor target is a host beyond your network perimeter. The Firebox sends ping, TCP, or DNS probes to targets to verify connectivity. The Firebox can also use probe results to verify performance if you select to measure loss, latency, and jitter.

In the Link Monitor configuration, you can add targets for these interface types:

  • External
  • Internal (Trusted, Optional, or Custom) — Fireware v12.4 or higher
  • BOVPN virtual interface — Fireware v12.4 or higher

Link Monitor is an important part of your SD-WAN configuration. When your Firebox uses metric-based SD-WAN routing, it makes routing decisions based on loss, latency, and jitter calculations from Link Monitor probes. For example, if the loss rate exceeds the value you specify in the SD-WAN action, the Firebox can fail over connections to another interface included in the SD-WAN action. To configure metric-based SD-WAN routing, all interfaces in the SD-WAN action must have at least one Link Monitor target configured.

If you do not want to configure metric-based routing, you can configure the Firebox to make SD-WAN routing decisions based on connectivity. For example, if a Link Monitor target fails to respond after a certain number of attempts, the Firebox considers the interface inactive. The Firebox can then fail over connections to another interface included in the SD-WAN action.

Link Monitor Requirements for SD-WAN Interfaces

Interfaces included in SD-WAN actions have these Link Monitor requirements:

Internal interfaces

For internal interfaces, a next hop IP address or a custom target is required in the Link Monitor configuration. We recommend that you specify a next hop IP address. The next hop IP address tells the Firebox how to route Link Monitor traffic and SD-WAN traffic for the interface.

If you do not specify a next hop IP address, the Firebox uses its route table to route Link Monitor traffic and SD-WAN traffic for the interface. This means you must add a static route to the route table.

Internal interfaces that are added to Link Monitor but do not have a next hop or custom target cannot be added to an SD-WAN action.

BOVPN virtual interfaces

Before you can add a BOVPN virtual interface to Link Monitor, you must first configure a peer IP address in the BOVPN virtual interface settings. You cannot specify a netmask.

To add a BOVPN virtual interface to an SD-WAN action that includes other interfaces, the BOVPN virtual interface must have a Link Monitor target. When you add a BOVPN virtual interface to Link Monitor, the target is automatically configured to be the peer IP address. You cannot change or remove this target.

External interfaces

For external interfaces in an SD-WAN action, it is optional to specify a Link Monitor target if you do not select metrics. However, we recommend that you specify a Link Monitor target. If you do not configure a Link Monitor target and do not select metrics in the action, the Firebox only considers an external interface inactive when a physical connection is not detected, and a valid IP address is not assigned to the interface (if the interface is dynamic).

For detailed information about Link Monitor, see About Link Monitor.

Configure an SD-WAN Action

After you configure Link Monitor, you must configure an SD-WAN action.

SD-WAN actions apply to new connections that initiate traffic. SD-WAN actions do not apply to reply traffic. You cannot use SD-WAN actions to force reply traffic out a specific interface.

An SD-WAN action includes these settings:

  • Interfaces — Which interfaces participate in the action.
  • Primary interface — Which interface is primary. The primary interface is preferred if it is active and has metrics that do not exceed the values you specified. The first interface in the list is the primary interface. To change the primary interface, you can move interfaces up or down in the list.
  • Failover — Whether metrics (loss, latency, or jitter) or connectivity (active/inactive) are used to determine failover. If you select metrics, you can also specify whether any or all metrics are used to determine failover.
  • Failback — How connections fail back (immediately, gradually, or not at all).

You can include one or more of these interface types in SD-WAN actions:

  • External
  • Internal (Trusted, Optional, or Custom) — Fireware v12.4 or higher. Internal interfaces include those configured for private network connections such as leased lines and MPLS links.
  • BOVPN virtual interface — In Fireware v12.4 or higher, you can add more than one BOVPN virtual interface and select to use metrics for failover.

The interfaces you add to the SD-WAN action determine which failover and failback settings are available:

  • If you select multiple interfaces, but not all interfaces have Link Monitor targets enabled, you can only configure failback settings.
  • If you select only one external interface or only one BOVPN virtual interface, you cannot configure failover or failback settings.
  • If Link Monitor targets are not enabled for each external interface in an action, you can only configure failback settings.

There is no limit to the number of SD-WAN actions that you can add. You can use the same SD-WAN action in multiple policies.
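As an added illustration that is not WatchGuard's code or the Firebox's actual implementation, the following Python model applies the SD-WAN action settings described above (interface priority order, metrics versus connectivity failover, any/all metric matching, and the three failback modes) to constructed Link Monitor probe results. The threshold values and the exact behaviour of the failback modes (gradual moves only new connections back to the primary interface; none waits for a manual failback) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Probe:
    """Link Monitor probe summary for one interface (constructed sample data)."""
    active: bool         # False once the target has failed the allowed attempts
    loss_pct: float
    latency_ms: float
    jitter_ms: float

@dataclass
class SDWANAction:
    interfaces: List[str]        # priority order; the first entry is the primary
    use_metrics: bool = True     # False = connectivity-only (active/inactive) failover
    match_all: bool = False      # metrics mode: True = all thresholds, False = any
    loss_max: float = 5.0        # thresholds are hypothetical sample values
    latency_max: float = 150.0
    jitter_max: float = 30.0
    failback: str = "immediate"  # "immediate" | "gradual" | "none"

    def is_healthy(self, p: Probe) -> bool:
        if not p.active:
            return False
        if not self.use_metrics:
            return True
        exceeded = [p.loss_pct > self.loss_max, p.latency_ms > self.latency_max,
                    p.jitter_ms > self.jitter_max]
        return not (all(exceeded) if self.match_all else any(exceeded))

    def route_new(self, probes: Dict[str, Probe]) -> Optional[str]:
        """Interface for a new connection: first healthy interface in priority order."""
        for name in self.interfaces:
            if self.is_healthy(probes[name]):
                return name
        return None  # no interface in the action is usable

    def decide(self, probes: Dict[str, Probe], in_use: str):
        """After a probe update, return (interface for new connections,
        interface for existing connections) given the interface now in use."""
        preferred = self.route_new(probes)
        if preferred is None or not self.is_healthy(probes[in_use]):
            return preferred, preferred           # failover: all traffic moves
        if preferred == in_use:
            return in_use, in_use
        if self.failback == "immediate":          # higher-priority link recovered
            return preferred, preferred
        if self.failback == "gradual":
            return preferred, in_use              # only new connections move back
        return in_use, in_use                     # "none": wait for manual failback
```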

For detailed configuration instructions, see Configure SD-WAN.

In Fireware v12.3.x, you must add at least one external interface to an action, or you can add one BOVPN virtual interface. You can select multiple external interfaces. You cannot select multiple BOVPN virtual interfaces. If you select a BOVPN virtual interface, you cannot select other interfaces.

Configure Failover and Failback Settings in an SD-WAN Action

Apply an SD-WAN Action to a Policy

To complete the SD-WAN configuration, select the SD-WAN action in a Firebox policy. All traffic that matches the policy uses the SD-WAN action. For example, in a policy for VoIP traffic, you can specify an SD-WAN action that automatically fails over traffic to another interface if the Firebox detects jitter or latency values that exceed those you specified.

For detailed configuration instructions, see Configure SD-WAN.

View SD-WAN Reporting

You can view graphs that show loss, latency, and jitter metrics for interfaces with Link Monitor targets.

For information about SD-WAN reporting in the Web UI, see Interface Information and SD-WAN Monitoring.

For information about SD-WAN reporting in Firebox System Manager (FSM), see SD-WAN Monitoring, Status, and Manual Failback (Fireware System Manager).

Configuration Example

You can take advantage of metric-based SD-WAN routing on many types of networks. To see how SD-WAN can work with an MPLS link, leased line, or private line, see SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.

See Also

Configure SD-WAN

SD-WAN Status and Manual Failback (Web UI)

About Link Monitor

Configure Link Monitor