Software-Defined WAN (SD-WAN) is a software-based routing solution that automatically distributes network traffic across multiple WAN connections based on policies you define. SD-WAN is embedded in the Firebox. The Firebox monitors your WAN connections, captures near real-time performance data, and uses this data to make routing decisions. For example, if a WAN connection becomes congested, the Firebox automatically sends traffic over a different WAN connection.
SD-WAN works with different types of WAN connections, which means you can configure a hybrid WAN. For example, if your Firebox has an MPLS connection and a broadband Internet connection, you can use both in an SD-WAN configuration.
You can use SD-WAN to increase application availability and performance, and to better utilize a hybrid WAN. For example, with SD-WAN, you can:
- Send high-priority, latency-sensitive traffic such as VoIP and video conferencing over higher-quality, more expensive WAN connections
- Send lower-priority traffic over less expensive WAN connections
- Specify performance thresholds so that connections fail over to a different WAN connection when performance is less than ideal
To configure SD-WAN, in Fireware v12.3 or higher:
- Configure Link Monitor targets
- Configure an SD-WAN action
- Configure a policy to use the SD-WAN action
This topic explains how SD-WAN works. For detailed configuration instructions, see Configure SD-WAN.
For a configuration example, see SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.
In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. In Fireware v12.2.1 or earlier, to route traffic to a different external interface, you must use policy-based routing. When you upgrade to Fireware v12.3 or higher, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, see Configure Policy-Based Routing in Fireware v12.2.1 or lower in the WatchGuard Knowledge Base.
Configure Link Monitor Targets
We recommend that you configure Link Monitor targets for interfaces included in an SD-WAN action.
A Link Monitor target is host beyond your network perimeter. The Firebox sends ping, TCP, or DNS probes to targets to verify connectivity. The Firebox can also use probe results to verify performance if you select to measure loss, latency, and jitter.
In the Link Monitor configuration, you can add targets for these interface types:
- Internal (Trusted, Optional, or Custom) — Fireware v12.4 or higher
- BOVPN virtual interface — Fireware v12.4 or higher
Link Monitor is an important part of your SD-WAN configuration. When your Firebox uses metric-based SD-WAN routing, it makes routing decisions based on loss, latency, and jitter calculations from Link Monitor probes. For example, if the loss rate exceeds the value you specify in the SD-WAN action, the Firebox can fail over connections to another interface included in the SD-WAN action. To configure metric-based SD-WAN routing, all interfaces in the SD-WAN action must have at least one Link Monitor target configured.
If you do not want to configure metric-based routing, you can configure the Firebox to make SD-WAN routing decisions based on connectivity. For example, if a Link Monitor target fails to respond after a certain number of attempts, the Firebox considers the interface inactive. The Firebox can then fail over connections to another interface included in the SD-WAN action.
Link Monitor Requirements for SD-WAN Interfaces
Interfaces included in SD-WAN actions have these Link Monitor requirements:
For internal interfaces, a next hop IP address or a custom target is required in the Link Monitor configuration. We recommend that you specify a next hop IP address. The next hop IP address tells the Firebox how to route Link Monitor traffic and SD-WAN traffic for the interface.
If you do not specify a next hop IP address, the Firebox uses its route table to route Link Monitor traffic and SD-WAN traffic for the interface. This means you must add a static route to the route table.
Internal interfaces that are added to Link Monitor but do not have a next hop or custom target cannot be added to an SD-WAN action.
BOVPN virtual interfaces
Before you can add a BOVPN virtual interface to Link Monitor, you must first configure a peer IP address in the BOVPN virtual interface settings. You cannot specify a netmask.
To add a BOVPN virtual interface to an SD-WAN action that includes other interfaces, the BOVPN virtual interface must have a Link Monitor target. When you add a BOVPN virtual interface to Link Monitor, the target is automatically configured to be the peer IP address. You cannot change or remove this target.
For external interfaces in an SD-WAN action, it is optional to specify a Link Monitor target if you do not select metrics. However, we recommend that you specify a Link Monitor target. If you do not configure a Link Monitor target and do not select metrics in the action, the Firebox only considers an external interface inactive when a physical connection is not detected, and a valid IP address is not assigned to the interface (if the interface is dynamic).
For detailed information about Link Monitor, see About Link Monitor.
Configure an SD-WAN Action
After you configure Link Monitor, you must configure an SD-WAN action.
SD-WAN actions apply to new connections that initiate traffic. SD-WAN actions do not apply to reply traffic. You cannot use SD-WAN actions to force reply traffic out a specific interface.
An SD-WAN action includes these settings:
- Interfaces — Which interfaces participate in the action.
- Primary interface — Which interface is primary. The primary interface is preferred if it is active and has metrics that do not exceed the values you specified. The first interface in the list is the primary interface. To change the primary interface, you can move interfaces up or down in the list.
- Failover — Whether metrics (loss, latency, or jitter) or connectivity (active/inactive) are used to determine failover. If you select metrics, you can also specify whether any or all metrics are used to determine failover.
- Failback — How connections fail back (immediately, gradually, or not at all).
You can include one or more of these interface types in SD-WAN actions:
- Internal (Trusted, Optional, or Custom) — Fireware v12.4 or higher. Internal interfaces include those configured for private network connections such as leased lines and MPLS links.
- BOVPN virtual interface — In Fireware v12.4 or higher, you can add more than one BOVPN virtual interface and select to use metrics for failover.
The interfaces you add to the SD-WAN action determine which failover and failback settings are available:
- If you select multiple interfaces, but not all interfaces have Link Monitor targets enabled, you can only configure failback settings.
- If you select only one external interface or only one BOVPN virtual interface, you cannot configure failover or failback settings.
- If Link Monitor targets are not enabled for each external interface in an action, you can only configure failback settings.
There is no limit to the number of SD-WAN actions that you can add. You can use the same SD-WAN action in multiple policies.
For detailed configuration instructions, see Configure SD-WAN.
In Fireware v12.3.x, you must add at least one external interface to an action, or you can add one BOVPN virtual interface. You can select multiple external interfaces. You cannot select multiple BOVPN virtual interfaces. If you select a BOVPN virtual interface, you cannot select other interfaces.
Configure Failover and Failback Settings in an SD-WAN Action
If you select loss, latency, and jitter measures in an SD-WAN action, connections fail over if the values you specified for those measures are exceeded. You can specify these options:
Fail over if values for any selected measures exceed the specified value
For example, you select Loss Rate, Latency, and Jitter and keep the default values, which means the loss rate value is 5%, the latency value is 20 ms, and the jitter value is 10 ms.
If the Firebox detects that latency increased to 21 ms, the interface fails over, even if the loss rate and jitter do not exceed the specified values.
Fail over if values for all selected measures exceed the specified value
For example, you select Loss Rate and Jitter and keep the default values, which means the loss rate value is 5%, and the jitter value is 10 ms. You select the Fail over if values for all selected measurements are exceeded check box.
If the Firebox detects that the loss rate increased to 6% and jitter increased to 11 ms, the interface fails over. If only the loss rate exceeds the specified value, the interface does not fail over.
Because each network is different, and some applications are more sensitive to performance issues, you must select loss, latency, and jitter values based on your knowledge of your network. We recommend that you first establish baseline values for your WAN connections. To do this, you can view SD-WAN reporting data on the Firebox. As a best practice, we recommend that you consider the average values for the last 24 hours. Because Firebox System Manager shows only real-time data, you must use the Web UI, which shows historical data for periods of time up to 7 days and calculates an average. For information about how to view and interpret SD-WAN monitoring data in the Web UI, see Interface Information and SD-WAN Monitoring.
If you do not select any metrics in an SD-WAN action, connections fail over only if the interface is inactive.
Only failover mode is supported. Round-robin, interface overflow, and routing table modes are not supported.
In Fireware v12.3.x, failover is not supported for BOVPN virtual interfaces.
If an interface fails over, but later recovers, you can control whether active and new connections fail back to the original interface, and whether they fail back immediately or gradually. You have these options:
- Immediate failback — Active and new connections use the failback (original) interface. This is the default setting.
- Gradual failback — Active connections continue to use the failover interface; new connections use the failback (original) interface
- No failback — Active and new connections continue to use the failover interface. You might select this option if you want to confirm that an issue is resolved before you fail back to the original WAN connection.
If you select Gradual Failback or No Failback, you can manually initiate manual failback on the SD-WAN Status page. For more information about manual failback in Fireware Web UI, see SD-WAN Status and Manual Failback (Web UI). For more information about manual failback in Fireware System Manager (FSM), see SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager).
Apply an SD-WAN Action to a Policy
To complete the SD-WAN configuration, select the SD-WAN action in a Firebox policy. All traffic that matches the policy uses the SD-WAN action. For example, in a policy for VoIP traffic, you can specify an SD-WAN action that automatically fails over traffic to another interface if the Firebox detects jitter or latency values that exceed those you specified.
For detailed configuration instructions, see Configure SD-WAN.
View SD-WAN Reporting
You can view graphs that show loss, latency, and jitters metrics for interfaces with Link Monitor targets.
For information about SD-WAN reporting in the Web UI, see Interface Information and SD-WAN Monitoring.
For information about SD-WAN reporting in Firebox System Manager (FSM), see SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager).
You can take advantage of metric-based SD-WAN routing on many types of networks. To see how SD-WAN can work with an MPLS link, leased line, or private line, see SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.