About SD-WAN

Software-Defined WAN (SD-WAN) is a software-based routing solution that automatically distributes network traffic across multiple WAN connections based on policies you define. SD-WAN is embedded in the Firebox. The Firebox monitors your WAN connections, captures near real-time performance data, and uses this data to make routing decisions. For example, if a WAN connection becomes congested, the Firebox can automatically send traffic over a different WAN connection.

SD-WAN works with different types of WAN connections, which means you can configure a hybrid WAN. For example, if your Firebox has an MPLS connection and a broadband Internet connection, you can use both in an SD-WAN configuration.

You can use SD-WAN to increase application availability and performance, and to better utilize a hybrid WAN. For example, with SD-WAN, you can:

Send high-priority, latency-sensitive traffic such as VoIP and video conferencing over higher-quality, more expensive WAN connections
Send lower-priority traffic over less expensive WAN connections
Specify performance thresholds so that connections fail over to a different WAN connection when performance is less than ideal

SD-WAN ignores the global multi-WAN configuration settings.

To configure SD-WAN, in Fireware v12.3 or higher:

Configure Link Monitor targets
Configure an SD-WAN action
Configure a policy to use the SD-WAN action

In Fireware v12.8 or higher, you can also create SD-WAN actions in a Centralized Management device configuration template and apply the template to multiple Fireboxes. The template only contains a partial SD-WAN action definition because SD-WAN is configured on a Firebox for specific network interfaces. An SD-WAN action with the same name must already exist on the Firebox when you apply the template. If a matching SD-WAN action does not exist on the Firebox, the SD-WAN action is not applied from the template. If the template has a policy that uses an SD-WAN action that does not exist on the Firebox, the policy is applied without the SD-WAN action. For more information, go to Create Device Configuration Templates.

This topic explains how SD-WAN works. For detailed configuration instructions, go to Configure SD-WAN.

For a configuration example, go to SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.

In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. In Fireware v12.2.1 or earlier, to route traffic to a different external interface, you must use policy-based routing. When you upgrade to Fireware v12.3 or higher, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, go to Configure Policy-Based Routing in Fireware v12.2.1 or lower in the WatchGuard Knowledge Base.

Configure Link Monitor Targets

We recommend that you configure Link Monitor targets for interfaces included in an SD-WAN action. A Link Monitor target is host beyond your network perimeter. The Firebox sends ping, TCP, or DNS probes to targets to verify connectivity. The Firebox can also use probe results to verify performance if you select to measure loss, latency, and jitter.

In the Link Monitor configuration, you can add targets for these interface types:

External
Internal (Trusted, Optional, or Custom) — Fireware v12.4 or higher
BOVPN virtual interface — Fireware v12.4 or higher

Link Monitor is an important part of your SD-WAN configuration. To configure metric-based SD-WAN routing, all interfaces in the SD-WAN action must have at least one Link Monitor target configured.

When your Firebox uses metric-based SD-WAN routing, it makes routing decisions based on loss, latency, and jitter calculations from Link Monitor probes. For example, if the loss rate for an interface exceeds the value you specify in the SD-WAN action, the Firebox can fail over connections to another interface included in the SD-WAN action. Or, if you select the Round Robin method in Fireware v12.8 or higher, the Firebox removes the route so the interface no longer participates in Round Robin path selection.

If you do not specify metrics in the SD-WAN configuration, the Firebox makes SD-WAN routing decisions based on connectivity only. For example, if a Link Monitor target fails to respond after a certain number of attempts, the Firebox considers the interface inactive. If you configured an SD-WAN Failover action that includes this interface and another interface, the Firebox can fail over connections to the other interface.

For information about jitter calculations, go to How is Jitter Calculated? in the WatchGuard Knowledge Base.

Link Monitor Requirements for SD-WAN Interfaces

Interfaces included in SD-WAN actions have these Link Monitor requirements:

Internal interfaces

For internal interfaces, a next hop IP address or a custom target is required in the Link Monitor configuration. We recommend that you specify a next hop IP address. The next hop IP address tells the Firebox how to route Link Monitor traffic and SD-WAN traffic for the interface.

If you do not specify a next hop IP address, the Firebox uses its route table to route Link Monitor traffic and SD-WAN traffic for the interface. This means you must add a static route to the route table.

Internal interfaces that are added to Link Monitor but do not have a next hop or custom target cannot be added to an SD-WAN action.

BOVPN virtual interfaces

Before you can add a BOVPN virtual interface to Link Monitor, you must first configure a peer IP address in the BOVPN virtual interface settings. You cannot specify a netmask.

To add a BOVPN virtual interface to an SD-WAN action that includes other interfaces, the BOVPN virtual interface must have a Link Monitor target. When you add a BOVPN virtual interface to Link Monitor, the target is automatically configured to be the peer IP address. You cannot change or remove this target.

External interfaces

For external interfaces in an SD-WAN action, it is optional to specify a Link Monitor target if you do not select metrics. However, we recommend that you specify a Link Monitor target. If you do not configure a Link Monitor target and do not select metrics in the action, the Firebox only considers an external interface inactive when a physical connection is not detected, and a valid IP address is not assigned to the interface (if the interface is dynamic).

For detailed information about Link Monitor, go to About Link Monitor.

Configure an SD-WAN Action

After you configure Link Monitor, you must configure an SD-WAN action.

SD-WAN actions apply to new connections that initiate traffic.
SD-WAN actions only apply to outbound traffic that originates from behind the Firebox.
SD-WAN actions do not apply for replies to inbound traffic. You cannot use SD-WAN actions to force reply traffic out a specific interface.
SD-WAN actions apply only to traffic that matches the SD-WAN action.
You can add an unlimited number of SD-WAN actions, and you can use the same SD-WAN action in multiple policies.

An SD-WAN action includes these settings:

Method

The method determines how the Firebox routes traffic that matches this SD-WAN action. Select Failover or Round Robin. Round Robin is available in Fireware v12.8 or higher.

For information about SD-WAN methods, go to About SD-WAN Methods.

SD-WAN Interfaces

You must select which interfaces participate in the action.

The first interface in the list is the primary interface. For the Failover method, the primary interface is preferred if it is active and has metrics that do not exceed the values you specified. The Round Robin method does not have a preferred interface. To change the primary interface, you can move interfaces up or down in the list.

You can include one or more of these interface types in SD-WAN actions:

External
Internal (Trusted, Optional, or Custom) — Fireware v12.4 or higher. Internal interfaces include those configured for private network connections such as leased lines and MPLS links.
BOVPN virtual interface — In Fireware v12.4 or higher, you can add more than one BOVPN virtual interface and select to use metrics for failover.

For the Failover method, the interfaces you add to the SD-WAN action determine which failover and failback settings are available:

If you select multiple interfaces, but not all interfaces have Link Monitor targets enabled, you can only configure failback settings.
If you select only one external interface or only one BOVPN virtual interface, you cannot configure failover or failback settings.
If Link Monitor targets are not enabled for each external interface in an action, you can only configure failback settings.

The Round Robin configuration does not include settings for failover and failback.

Metrics Settings

You can select whether measurements (loss rate, latency, or jitter) are used for Failover or Round Robin.

For the Failover method, if the value for any selected measurement is exceeded, the Firebox fail over connections to a different interface. For the Round Robin method, if the value for any selected measurement is exceeded, the Firebox removes the route so the interface no longer participates in Round Robin path selection.

If you do not select at least one measurement, the Firebox uses interface connectivity only (active/inactive) for Failover and Round Robin.

Failback for Active Connections

If you select the Failover method, you must specify how connections fail back (immediately, gradually, or not at all).

For detailed configuration instructions, go to Configure SD-WAN.

In Fireware v12.3.x, you must add at least one external interface to an action, or you can add one BOVPN virtual interface. You can select multiple external interfaces. You cannot select multiple BOVPN virtual interfaces. If you select a BOVPN virtual interface, you cannot select other interfaces.

Apply an SD-WAN Action to a Policy

To complete the SD-WAN configuration, select the SD-WAN action in a Firebox policy. All traffic that matches the policy uses the SD-WAN action. For example, in a policy for VoIP traffic, you can specify an SD-WAN Failover action that automatically fails over traffic to another interface if the Firebox detects jitter or latency values that exceed those you specified.

For detailed configuration instructions, go to Configure SD-WAN.

View SD-WAN Reporting

You can view graphs that show loss, latency, and jitter metrics for interfaces with Link Monitor targets.

For information about SD-WAN reporting in the Web UI, go to Interface Information and SD-WAN Monitoring.

For information about SD-WAN reporting in Firebox System Manager (FSM), go toe SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager).

Configuration Example

You can take advantage of metric-based SD-WAN routing on many types of networks. To see how SD-WAN Failover can work with an MPLS link, leased line, or private line, go to SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.