Configure SD-WAN

In Fireware v12.3 or higher, you can configure Software-Defined WAN (SD-WAN) on your Firebox. To configure SD-WAN:

  • Configure Link Monitor targets (recommended)
  • Add an SD-WAN action
  • Configure a policy to use the SD-WAN action

For detailed information about how SD-WAN works, go to About SD-WAN, About SD-WAN Methods, and Interpret SD-WAN Monitoring Data.

To configure Link Monitor targets, go to Configure Link Monitor.

For a configuration example, go to SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.

SD-WAN actions apply to new connections that initiate traffic. SD-WAN actions do not apply to reply traffic. You cannot use SD-WAN actions to force reply traffic out of a specific interface.

About SD-WAN Actions in Device Configuration Templates

In Fireware v12.8 or higher, you can also create SD-WAN actions in a Centralized Management device configuration template and apply the template to multiple Fireboxes. The template only contains a partial SD-WAN action definition because SD-WAN is configured on a Firebox for specific network interfaces.

  • An SD-WAN action with the same name must exist on the Firebox when you apply the template.

  • If there is no matching SD-WAN action with the same name on the Firebox, the SD-WAN action is not applied from the template's action.

  • If the template has a policy that uses an SD-WAN action that does not match an SD-WAN action on the Firebox, the policy is applied without the SD-WAN action. In this case, the “To” (destination) of the policy is applied instead.

For more information, go to Create Device Configuration Templates.

Add an SD-WAN Action

In an SD-WAN action, you select the routing method (Failover or Round Robin) and interfaces. You can also configure metrics settings. If you select the Failover routing method, you also specify failback settings.

Configure a Policy to Use an SD-WAN Action

In the settings for a policy, you can select to add or create an SD-WAN action.

In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. In Fireware v12.2.1 or earlier, to route traffic to a different external interface, you must use policy-based routing. When you upgrade to Fireware v12.3 or higher, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, go to Configure Policy-Based Routing in Fireware v12.2.1 or lower in the WatchGuard Knowledge Base.

Related Topics

About SD-WAN

About SD-WAN Methods

Interpret SD-WAN Monitoring Data

SD-WAN Status and Manual Failback (Web UI)

Interface Information and SD-WAN Monitoring

SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager)

SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel

About Link Monitor