Configure SD-WAN

Applies To: Cloud-managed Fireboxes

This feature is only available to participants in the WatchGuard Cloud Beta program.

Software-Defined WAN (SD-WAN) is a software-based routing solution that you can use to distribute traffic between networks or to a specific network, based on firewall policies. An SD-WAN action can include external networks, internal and guest networks with link monitoring enabled, and BOVPNs.

To configure SD-WAN for a cloud-managed Firebox:

  • Enable network link monitoring (recommended for external networks, required for internal and guest networks)
  • Add an SD-WAN action
  • Configure a policy to use the SD-WAN action

SD-WAN and Link Monitoring

Before you can add an internal or guest network to an SD-WAN action, you must enable link monitoring in the network settings. You must also enable link monitoring for an external network if you want to use measurement-based failover.

For information about how to enable network link monitoring for a cloud-managed Firebox, see Configure Firebox Network Link Monitoring.

Add an SD-WAN Action

You can optionally configure an SD-WAN action to use measurements of network quality as the basis for failover and fail back. When you enable measurement-based failover, you set threshold values for latency, loss, and jitter. If connection metrics exceed any of the specified values, the connection fails over to another network in the SD-WAN action.

To configure an SD-WAN action, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. Click the Networks tile.
    The Networks configuration page opens.
  5. In the WAN Settings section, click Add SD-WAN.
    The Add SD-WAN page opens.

Screen shot of the Add SD-WAN page

  6. In the Name text box, type a name for this SD-WAN action.
  7. To add networks or VPNs to the SD-WAN action, click Add Network / VPN.
    A list of networks appears. The list shows all external networks, BOVPNs, and internal or guest networks that have link monitoring enabled.

Screen shot of the Add Network / VPN page

  8. Select the check box for each network you want to add to this SD-WAN action.
  9. Click Close.
  10. To use metrics to determine when a network fails over or fails back:
    1. Select the Use Measurement Based Failover check box.
    2. Accept or edit the recommended values for Latency, Loss, and Jitter.

Screen shot of an SD-WAN action with Use Measurement Based Failover selected

  11. To configure how the Firebox fails back active connections, from the Failback drop-down list, select one of these options:
    • Immediate — Active and new connections use the failback (original) network. This is the default setting.
    • Gradual — Active connections continue to use the failover interface; new connections use the failback (original) network.
    • Don't failback — Active and new connections continue to use the failover interface. You might select this option if you want to confirm that an issue is resolved before you fail back to the original WAN connection.
  12. To save configuration changes to the cloud, click Save.
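
The following Python sketch is an added example, not WatchGuard code. It models the rule that a connection fails over when any one of latency, loss, or jitter exceeds its threshold, and shows where a long-lived connection and new connections end up under each Failback option. The threshold values, network names, mode strings, and the assumption that networks are preferred in listed order are constructed for illustration.

```python
from typing import NamedTuple

class Metrics(NamedTuple):
    latency_ms: float
    loss_pct: float
    jitter_ms: float

def within(m, limit):
    # A link stays eligible only if no metric exceeds its threshold.
    return all(value <= cap for value, cap in zip(m, limit))

def preferred(order, samples, limit):
    # Model assumption: the first listed network that meets the thresholds wins.
    return next((n for n in order if within(samples[n], limit)), None)

def simulate(order, timeline, limit, failback):
    """Per sample, return (network of a long-lived connection, network for new connections)."""
    active = new = None
    result = []
    for samples in timeline:
        best = preferred(order, samples, limit)
        # Failover: anything on a link that breached a threshold moves.
        if new is None or not within(samples[new], limit):
            new = best
        if active is None or not within(samples[active], limit):
            active = best
        # Failback: the option decides who returns to the original network.
        if failback == "immediate":
            active = new = best
        elif failback == "gradual":
            new = best
        elif failback != "dont_failback":
            raise ValueError(f"unknown failback mode: {failback}")
        result.append((active, new))
    return result

# Constructed sample data (not WatchGuard's recommended values).
LIMIT = Metrics(latency_ms=100, loss_pct=3, jitter_ms=20)
GOOD = Metrics(20, 0, 2)
ORDER = ["External-1", "External-2"]
TIMELINE = [
    {"External-1": GOOD, "External-2": GOOD},
    {"External-1": Metrics(25, 10, 3), "External-2": GOOD},   # loss alone breaches
    {"External-1": GOOD, "External-2": GOOD},                 # original recovers
    {"External-1": GOOD, "External-2": Metrics(20, 0, 50)},   # failover link jitter
]

if __name__ == "__main__":
    for mode in ("immediate", "gradual", "dont_failback"):
        print(mode, simulate(ORDER, TIMELINE, LIMIT, mode))
```

In the third sample the three options diverge: Immediate returns both connections to External-1, Gradual returns only new connections, and Don't failback keeps both on External-2 until that link itself breaches a threshold.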

Enable SD-WAN in a Firewall Policy

After you add the SD-WAN action, you can configure a firewall policy to use it. When you use an SD-WAN action in a policy, the settings from the SD-WAN action take precedence over the global WAN settings.

To enable SD-WAN in a firewall policy, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. Click the Firewall Policies tile.
    The Firewall Policies list opens.
  5. Add or edit a firewall policy.
  6. In the SD-WAN settings, click the Enable SD-WAN toggle.

Screen shot of SD-WAN settings for a firewall policy

  7. From the drop-down list, select the SD-WAN action to use for traffic that matches this policy.
  8. To save configuration changes to the cloud, click Save.

For more information about policy configuration, see Configure Firewall Policies in WatchGuard Cloud.

See Also

About Firebox Networking Settings