About SD-WAN Methods

This topic explains the SD-WAN methods that Fireware supports, Failover and Round Robin.

For an overview of SD-WAN in Fireware, go to About SD-WAN.

SD-WAN actions determine the outbound interface used to send traffic. They do not determine the interface on which traffic is received. Additionally, SD-WAN actions do not change how policies manage reply traffic; reply traffic for open connections is handled by the policy that accepted the initial connection.

Failover

You can configure an SD-WAN action to use the Failover method. If the current interface exceeds the measurement values that you specify, the Firebox fails over connections to a different interface.

You can specify these options:

Fail over if values for any selected measures exceed the specified value

For example, you select Loss Rate, Latency, and Jitter and keep the default values, which means the loss rate value is 5%, the latency value is 400 ms, and the jitter value is 100 ms. If the Firebox detects that latency increased to 401 ms, the interface fails over, even if the loss rate and jitter do not exceed the specified values.

Fail over if values for all selected measures exceed the specified value

For example, you select Loss Rate and Jitter and keep the default values, which means the loss rate value is 5%, and the jitter value is 10 ms. If the Firebox detects that the loss rate increased to 6% and jitter increased to 11 ms, the interface fails over. If only the loss rate exceeds the specified value, the interface does not fail over.

Because each network is different, and some applications are more sensitive to performance issues, you must select loss, latency, and jitter values based on your knowledge of your network. We recommend that you first establish baseline values for your WAN connections. To do this, you can view SD-WAN reporting data on the Firebox. As a best practice, we recommend that you consider the average values for the last 24 hours. Because Firebox System Manager shows only real-time data, you must use the Web UI, which shows historical data for periods of time up to 7 days and calculates an average. For information about how to view and interpret SD-WAN monitoring data in the Web UI, go to Interface Information and SD-WAN Monitoring.

If you do not select any metrics in an SD-WAN action, connections fail over only if the interface is inactive. The Firebox considers the interface as inactive (down) because of physical disconnection or failed Link Monitor probes.
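The decision logic described above, as an added example that is not WatchGuard code: it reproduces the "any" and "all" walkthroughs from this page and the rule that, with no measures selected, only an inactive interface fails over. The Interface class, function names and measure keys are illustrative assumptions.

```python
# Added example, not WatchGuard code: models how the Failover method's
# "any" / "all" measure options decide whether an interface fails over.
# Interface, should_fail_over and the measure keys are illustrative assumptions.
from dataclasses import dataclass, field

# Default thresholds named in the "any selected measures" example on this page.
DEFAULT_LIMITS = {"loss_rate": 5.0, "latency": 400.0, "jitter": 100.0}


@dataclass
class Interface:
    name: str
    up: bool = True            # False when physically disconnected or Link Monitor probes fail
    measures: dict = field(default_factory=dict)   # loss_rate (%), latency (ms), jitter (ms)


def should_fail_over(iface: Interface, selected: dict, mode: str = "any") -> bool:
    """Return True when connections on `iface` should move to another interface.

    `selected` maps only the measures chosen in the SD-WAN action to their
    threshold; an empty dict means no measures were selected, so only an
    inactive interface triggers failover. `mode` is "any" or "all".
    """
    if mode not in ("any", "all"):
        raise ValueError("mode must be 'any' or 'all'")
    if not iface.up:
        return True                      # inactive interface always fails over
    if not selected:
        return False                     # no measures selected: only link state matters
    # "Exceeds" means strictly greater; a value equal to the limit does not fail over.
    exceeded = [iface.measures.get(name, 0.0) > limit for name, limit in selected.items()]
    return any(exceeded) if mode == "any" else all(exceeded)


def walkthrough():
    """Reproduce the worked examples from the text; returns their three outcomes."""
    # Any: loss rate and jitter within limits, latency 401 ms > 400 ms -> fails over.
    ext1 = Interface("External-1", measures={"loss_rate": 1.0, "latency": 401.0, "jitter": 20.0})
    any_case = should_fail_over(ext1, DEFAULT_LIMITS, "any")
    # All: loss rate 6% > 5% and jitter 11 ms > 10 ms -> fails over.
    limits_all = {"loss_rate": 5.0, "jitter": 10.0}
    ext2 = Interface("External-2", measures={"loss_rate": 6.0, "jitter": 11.0})
    all_case = should_fail_over(ext2, limits_all, "all")
    # All: only loss rate exceeds its limit -> stays on the interface.
    ext3 = Interface("External-2", measures={"loss_rate": 6.0, "jitter": 5.0})
    partial_case = should_fail_over(ext3, limits_all, "all")
    return any_case, all_case, partial_case
```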

In Fireware v12.3.x, failover is not supported for BOVPN virtual interfaces.

Failback

If an interface fails over, but later recovers, you can control whether active and new connections fail back to the original interface, and whether they fail back immediately or gradually. You can specify these options:

  • Immediate failback — Active and new connections use the failback (original) interface. This is the default setting.
  • Gradual failback — Active connections continue to use the failover interface. New connections use the failback (original) interface.
  • No failback — Active and new connections continue to use the failover interface. You might select this option if you want to confirm that an issue is resolved before you fail back to the original WAN connection.

If you select Gradual Failback or No Failback, you can initiate manual failback on the SD-WAN Status page. For more information about manual failback in Fireware Web UI, go to SD-WAN Status and Manual Failback (Web UI). For more information about manual failback in Firebox System Manager (FSM), go to SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager).

Round-Robin

In Fireware v12.8 or higher, you can configure an SD-WAN action to use the Round Robin method. Round Robin is a load-balancing method that splits outgoing traffic between multiple interfaces based on weight and other factors.

You can use SD-WAN Round Robin to:

  • Share traffic load across multiple ISPs or lines.
  • Get the full benefit from all ISP connections to which your company subscribes. For example, you can use a secondary connection for more than just redundancy.

For traffic that matches the SD-WAN action, the Firebox considers these factors to determine the outgoing interface:

  • Weight — A weight value that you assign to each interface in an SD-WAN action
  • 3-tuple — Source IP address, destination IP address, and protocol for packets handled by an SD-WAN action
  • Measures — Loss rate, latency, and jitter for each interface in an SD-WAN action

Weight

In an SD-WAN action, you can edit the weight value for each interface. Weight refers to the proportion of traffic load that the Firebox sends through an interface. If you configure an SD-WAN action that includes two WAN connections of unequal capacity, you might choose to specify interface weights proportional to capacity. The interface with the higher weight handles more traffic. The default interface weight is 1.

For example, you configure an SD-WAN action with two interfaces, External-1 and External-2. The External-1 interface connection has more capacity than External-2. In the SD-WAN action settings, you assign a weight of 6 to the External-1 interface and a weight of 4 to the External-2 interface. If 10 connections match the SD-WAN action, the External-1 interface handles 6 of these connections. The External-2 interface handles 4 connections.

Screen shot of the SD-WAN interfaces list

On the SD-WAN Status page, in the Interfaces column, you can see the percent of connections handled by each interface in the SD-WAN action.

Screen shot of the SD-WAN Status page

For an SD-WAN action with no usage, the percent for each interface is 0%. The percentage resets after any interface status change.

When an SD-WAN action handles a large number of connections (hundreds or thousands of connections), the load balancing percentage more closely matches the weight ratio that you specified.

For more information about the SD-WAN Status page, go to SD-WAN Status and Manual Failback (Web UI) and SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager).

For information about how to calculate weights, go to Find How to Assign Weights to Interfaces.

3-Tuple

In addition to weight, SD-WAN Round Robin uses a 3-tuple hash calculation to determine the outgoing interface for packets. A 3-tuple is a list of three elements derived from the packet header: source IP address, destination IP address, and protocol. Connections are sticky, which means traffic from the same source to the same destination using the same protocol is always routed through the same interface.

Measures

Optionally, you can configure loss rate, latency, and jitter measures that apply to all interfaces in the SD-WAN action. These measures determine whether an interface qualifies to be part of the path selection. To qualify, an interface must have loss rate, latency, and jitter values equal to or less than those you specified.

If an interface no longer exceeds the specified loss, latency, and jitter values, it becomes qualified and available for Round Robin selection.

Screen shot of the metric settings for Round-Robin SD-WAN routing

As with the Failover method, select loss, latency, and jitter values based on your knowledge of your network. We recommend that you first establish baseline values for your WAN connections from the SD-WAN reporting data on the Firebox, and that you consider the average values for the last 24 hours. Because Firebox System Manager shows only real-time data, use the Web UI, which shows historical data for periods of up to 7 days and calculates an average. For information about how to view and interpret SD-WAN monitoring data in the Web UI, go to Interface Information and SD-WAN Monitoring.

Inactive and Unqualified Interfaces

The Firebox removes an interface from Round Robin path selection in these cases:

  • Inactive (down) interface — The Firebox considers the interface as inactive (down) because of physical disconnection or failed Link Monitor probes. For more information about Link Monitor, go to About Link Monitor.
  • Unqualified interface — An interface exceeds the values that you specified for loss rate, latency, or jitter.

The Firebox distributes traffic among the qualified interfaces that remain.

If no interfaces are qualified, the Firebox routes traffic to the first active (up) interface, which is the first active interface listed in the SD-WAN action configuration. If no interfaces are active, the Firebox drops packets that match the SD-WAN action. If an interface becomes active or qualified again, it automatically becomes available for Round Robin selection.
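The Weight, 3-Tuple, Measures and Inactive and Unqualified Interfaces sections above describe one selection procedure; the following added example (not WatchGuard code) models it end to end: qualification by measures, a sticky hash over the 3-tuple, weighted distribution, and the fallback to the first active listed interface. The hash function (SHA-256), the Interface class, the sample flows and all names are illustrative assumptions; the Firebox's real hash is not documented here.

```python
# Added example, not WatchGuard code: a model of SD-WAN Round Robin path
# selection as described above: measure qualification, a sticky 3-tuple hash,
# weighted distribution, and the fallback to the first active interface.
# The hash function and all names here are illustrative assumptions.
import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    weight: int = 1            # default interface weight is 1
    up: bool = True
    measures: dict = field(default_factory=dict)   # loss_rate (%), latency (ms), jitter (ms)


def qualified(iface: Interface, limits: dict) -> bool:
    """Qualified: active, and every measure equal to or less than its limit."""
    return iface.up and all(iface.measures.get(m, 0.0) <= v for m, v in limits.items())


def select_interface(src: str, dst: str, proto: str, interfaces: list, limits: dict):
    """Return the outgoing interface name for a 3-tuple, or None when the packet is dropped."""
    pool = [i for i in interfaces if qualified(i, limits)]
    if not pool:                                   # nothing qualified: first active, else drop
        active = [i for i in interfaces if i.up]
        return active[0].name if active else None
    # Sticky selection: the same source/destination/protocol always hashes to the same slot.
    digest = hashlib.sha256(f"{src}|{dst}|{proto}".encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % sum(i.weight for i in pool)
    for iface in pool:                             # weight 6 owns 6 of 10 slots, weight 4 owns 4
        if slot < iface.weight:
            return iface.name
        slot -= iface.weight
    return pool[-1].name


def distribution(flows: list, interfaces: list, limits: dict) -> Counter:
    """Count how many 3-tuples land on each interface (the Status page percent column)."""
    return Counter(select_interface(s, d, p, interfaces, limits) for s, d, p in flows)


# Constructed sample input: 1000 hosts in 10.0.0.0/16 talking TCP to one server.
SAMPLE_FLOWS = [(f"10.0.{i // 256}.{i % 256}", "203.0.113.10", "tcp") for i in range(1000)]
WAN = [Interface("External-1", weight=6), Interface("External-2", weight=4)]
LIMITS = {"loss_rate": 5.0, "latency": 400.0, "jitter": 100.0}
```

With a large number of flows the split approaches the 6:4 weight ratio, which is the behaviour the text describes for hundreds or thousands of connections.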

Related Topics

About SD-WAN

Configure SD-WAN

Interpret SD-WAN Monitoring Data

SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel