Applies To: Cloud-managed Fireboxes
This topic explains the two SD-WAN methods that WatchGuard Cloud supports: Failover and Round-Robin.
To configure SD-WAN in WatchGuard Cloud, see Configure SD-WAN.
You can configure an SD-WAN action to use the Failover method. The Firebox fails over connections to a different interface in these cases:
- The current interface is inactive (down).
- The current interface exceeds the measurement values that you specify.
For example, if you select Use Measurement Based Failover and keep the default values, the latency value is 400 ms, the loss rate value is 5%, and the jitter value is 100 ms. If the Firebox detects that latency increased to 401 ms, the interface fails over, even if the loss rate and jitter do not exceed the specified values.
If you do not select Use Measurement Based Failover, connections fail over only if the interface is inactive (down). The Firebox considers the interface as inactive because of physical disconnection or failed link monitoring probes.
If an interface fails over, but later recovers, you can control whether active and new connections fail back to the original interface, and whether they fail back immediately or gradually. You can specify these options:
- Immediate failback — Active and new connections use the failback (original) interface. This is the default setting.
- Gradual failback — Active connections continue to use the failover interface. New connections use the failback (original) interface.
- Don't failback — Active and new connections continue to use the failover interface. You might select this option if you want to confirm that an issue is resolved before you fail back to the original WAN connection.
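The failover and failback rules above, modelled as a small state machine. This is an added example, not WatchGuard code: the threshold defaults (400 ms latency, 5% loss rate, 100 ms jitter) and the three failback options come from this topic, while the interface names, the `evaluate()`/`new_connection()` structure and the rule that connections are dropped when no interface is usable are assumptions made for illustration.

```python
"""Illustrative model of the SD-WAN Failover method (added example, not
WatchGuard code). Defaults are the page's; the state machine is an assumption."""
from dataclasses import dataclass, field

# Defaults the page states for "Use Measurement Based Failover".
DEFAULT_THRESHOLDS = {"latency_ms": 400, "loss_pct": 5.0, "jitter_ms": 100}


@dataclass
class Interface:
    name: str
    up: bool = True
    latency_ms: float = 0.0
    loss_pct: float = 0.0
    jitter_ms: float = 0.0


def is_usable(iface, thresholds):
    """Up, and (when measurement-based failover is on) no single measure over
    its threshold. Exceeding any one measure is enough to fail over."""
    if not iface.up:
        return False
    if thresholds is None:          # measurement-based failover off: link state only
        return True
    return (iface.latency_ms <= thresholds["latency_ms"]
            and iface.loss_pct <= thresholds["loss_pct"]
            and iface.jitter_ms <= thresholds["jitter_ms"])


@dataclass
class FailoverAction:
    interfaces: list                  # configured order; [0] is the original interface
    failback: str = "immediate"       # "immediate", "gradual" or "none"
    thresholds: dict = None           # None = measurement-based failover not selected
    current: str = None               # interface that new connections use right now
    active: dict = field(default_factory=dict)   # connection id -> interface name

    def __post_init__(self):
        self.current = self.interfaces[0].name

    def _first_usable(self):
        for iface in self.interfaces:
            if is_usable(iface, self.thresholds):
                return iface.name
        return None

    def evaluate(self):
        """Re-run the failover/failback decision. Returns the interface new
        connections now use, or None when nothing is usable (traffic is dropped)."""
        original = self.interfaces[0].name
        by_name = {i.name: i for i in self.interfaces}
        if self.current is None or not is_usable(by_name[self.current], self.thresholds):
            # Fail over: active and new connections move to the next usable interface.
            self.current = self._first_usable()
            if self.current is None:
                self.active.clear()             # assumption: nothing usable, connections drop
            for cid in self.active:
                self.active[cid] = self.current
        elif self.current != original and is_usable(by_name[original], self.thresholds):
            # The original interface recovered: apply the configured failback option.
            if self.failback == "immediate":
                self.current = original         # active and new connections fail back
                for cid in self.active:
                    self.active[cid] = original
            elif self.failback == "gradual":
                self.current = original         # new connections only; active ones stay
            # "none": active and new connections keep using the failover interface
        return self.current

    def new_connection(self, cid):
        """Place a new connection; returns its interface, or None if it is dropped."""
        if self.current is None:
            return None
        self.active[cid] = self.current
        return self.current
```

Setting `thresholds=None` reproduces the behaviour without Use Measurement Based Failover: a latency of 900 ms does not trigger failover, only a down interface does.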
In this example, the SD-WAN action uses the Failover method and measurement-based failover.
You can configure an SD-WAN action to use the Round-Robin method. Round-Robin is a load-balancing method that splits outgoing traffic between multiple interfaces based on weight and other factors.
You can use SD-WAN Round-Robin to:
- Share traffic load across multiple ISPs or lines.
- Get the full benefit from all ISP connections to which your company subscribes. For example, you can use a secondary connection for more than just redundancy.
For traffic that matches the SD-WAN action, the Firebox considers these factors to determine the outgoing interface:
- Weight — A weight value that you assign to each interface in an SD-WAN action
- 3-tuple — Source IP address, destination IP address, and protocol for packets handled by an SD-WAN action
- Measures — Loss rate, latency, and jitter for each interface in an SD-WAN action
To deploy a configuration that includes one or more SD-WAN Round-Robin actions, your device must run firmware v12.8 or higher. If your device runs a lower firmware version, you must do one of the following before you can deploy the configuration:
- Upgrade the device firmware to v12.8 or higher.
- Change all SD-WAN actions to use the Failover method.
- Delete any SD-WAN actions that use the Round-Robin method.
If your device model does not support firmware v12.8 or higher, change all SD-WAN actions to use the Failover method or delete any SD-WAN actions that use the Round-Robin method.
In an SD-WAN action, you can edit the weight value for each interface. Weight refers to the proportion of traffic load that the Firebox sends through an interface. If you configure an SD-WAN action that includes two WAN connections of unequal capacity, you might decide to specify interface weights proportional to capacity. The interface with the higher weight handles more traffic. The default interface weight is 1.
For example, you configure an SD-WAN action with two networks, External-1 and External-2. The External-1 connection has more capacity than External-2. In the SD-WAN action settings, you assign a weight of 6 to External-1 and a weight of 4 to External-2. If 10 connections match the SD-WAN action, External-1 handles 6 of these connections. External-2 handles 4 connections.
On the Live Status > Networks page, select the SD-WAN tab to see the percentage of connections handled by each network or VPN in the SD-WAN action. When an SD-WAN action handles a large number of connections (hundreds or thousands of connections), the load balancing percentage more closely matches the weight ratio that you specified.
For an SD-WAN action with no traffic, the usage value is 0% for each interface. The percentage resets after any interface status change.
You can use only whole numbers for the interface weights; no fractions or decimals are allowed. For optimal load balancing, you might have to do a calculation to know the whole-number weight to assign for each interface. Use a common multiplier so that the relative proportion of the bandwidth given by each external connection is resolved to whole numbers.
For example, suppose you have three Internet connections. One ISP gives you 6 Mbps, another ISP gives you 1.5 Mbps, and a third gives you 768 Kbps. Convert the proportion to whole numbers:
- First convert the 768 Kbps to approximately 0.75 Mbps so that you use the same unit of measurement for all three lines. Your three lines are rated at 6, 1.5, and 0.75 Mbps.
- Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: [6 : 1.5 : 0.75] is the same ratio as [600 : 150 : 75].
- Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that evenly divides all three numbers 600, 150, and 75.
- Divide each of the numbers by the greatest common divisor.
The results are 8, 2, and 1. You can use these numbers as weights in an SD-WAN Round-Robin action.
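The same calculation in code, generalized to any number of lines: convert to a common unit, scale away the fractions, and divide by the greatest common divisor. This is an added example, not WatchGuard code. It assumes 1 Mbps = 1024 Kbps so that 768 Kbps comes out as exactly the 0.75 Mbps the steps above use; `expected_split()` is an added helper that shows how many of a given number of connections each weight would receive at the exact ratio, which is what the Live Status > Networks page percentages converge to.

```python
"""Whole-number Round-Robin weights from line bandwidths (added example, not
WatchGuard code). Assumes 1 Mbps = 1024 Kbps so 768 Kbps is exactly 0.75 Mbps."""
from fractions import Fraction
from functools import reduce
from math import gcd

KBPS_PER_MBPS = 1024   # assumption; the text simply rounds 768 Kbps to 0.75 Mbps


def to_mbps(value, unit):
    """Express a line rate in Mbps as an exact Fraction (str() avoids float error)."""
    v = Fraction(str(value))
    unit = unit.lower()
    if unit == "mbps":
        return v
    if unit == "kbps":
        return v / KBPS_PER_MBPS
    raise ValueError(f"unknown unit {unit!r}")


def weights_from_rates(lines):
    """lines: [(rate, unit), ...] -> smallest whole-number weights in the same ratio.
    Steps: common unit, scale to integers, divide by the greatest common divisor."""
    rates = [to_mbps(v, u) for v, u in lines]
    # Scale by the least common multiple of the denominators to clear the fractions
    # (the text multiplies by 100; any common multiplier that yields integers works).
    lcm = reduce(lambda a, b: a * b // gcd(a, b), (r.denominator for r in rates), 1)
    ints = [int(r * lcm) for r in rates]
    g = reduce(gcd, ints)
    return [i // g for i in ints]


def expected_split(weights, connections):
    """Connections each interface receives at exactly the weight ratio, using
    largest-remainder rounding so the counts add up to `connections`."""
    total = sum(weights)
    exact = [Fraction(w * connections, total) for w in weights]
    counts = [int(e) for e in exact]
    leftover = connections - sum(counts)
    by_remainder = sorted(range(len(weights)), key=lambda i: exact[i] - counts[i], reverse=True)
    for i in by_remainder[:leftover]:
        counts[i] += 1
    return counts


def page_example():
    """The three lines from the text: 6 Mbps, 1.5 Mbps and 768 Kbps -> [8, 2, 1]."""
    return weights_from_rates([(6, "Mbps"), (1.5, "Mbps"), (768, "Kbps")])
```

Note that `weights_from_rates([(6, "Mbps"), (4, "Mbps")])` returns `[3, 2]`, which distributes connections in the same 60/40 proportion as the 6 and 4 used in the earlier example; the Firebox only needs the ratio, not the absolute numbers.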
In addition to weight, SD-WAN Round-Robin uses a 3-tuple hash calculation to determine the outgoing interface for packets. A 3-tuple is a list of three elements derived from the packet header: source IP address, destination IP address, and protocol. Connections are sticky, which means traffic from the same source to the same destination using the same protocol is always routed through the same interface.
Optionally, you can configure loss rate, latency, and jitter measures that apply to all interfaces in the SD-WAN action. These measures determine whether an interface qualifies to be part of the path selection. To qualify, an interface must have loss rate, latency, and jitter values equal to or less than those you specified.
If an unqualified interface no longer exceeds any of the specified loss rate, latency, or jitter values, it becomes qualified again and is available for Round-Robin selection.
Because each network is different, and some applications are more sensitive to performance issues, you must select loss, latency, and jitter values based on your knowledge of your network. We recommend that you first establish baseline values for your WAN connections. As a best practice, we recommend that you consider the average values for the last 24 hours.
Inactive and Unqualified Interfaces
The Firebox removes an interface from Round-Robin path selection in these cases:
- Inactive (down) interface — The Firebox considers the interface as inactive (down) because of physical disconnection or failed link monitoring probes. For more information about link monitoring, see Configure Firebox Network Link Monitoring.
- Unqualified interface — An interface exceeds the values that you specified for loss rate, latency, or jitter.
The Firebox distributes traffic among the qualified interfaces that remain.
If no interfaces are qualified, the Firebox routes traffic to the first active (up) interface, which is the first active interface listed in the SD-WAN action configuration. If no interfaces are active, the Firebox drops packets that match the SD-WAN action. If an interface becomes active or qualified again, it automatically becomes available for Round-Robin selection.
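The Round-Robin selection rules of this section (weight, the 3-tuple hash, measurement-based qualification, and the fallback to the first active interface or dropping the packet) as one path-selection function. This is an added example, not WatchGuard code: the use of SHA-256 as the hash and the mapping of hash buckets onto interfaces in proportion to weight are assumptions, since the Firebox's actual hash function is not published; the interface names, measures and addresses are constructed.

```python
"""Illustrative model of SD-WAN Round-Robin path selection (added example, not
WatchGuard code). Rules follow the text; hash function and bucket mapping are assumed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    weight: int = 1        # the page's default interface weight
    up: bool = True
    latency_ms: float = 0.0
    loss_pct: float = 0.0
    jitter_ms: float = 0.0


def qualifies(iface, measures):
    """Up, and every measure equal to or less than the configured value."""
    if not iface.up:
        return False
    if measures is None:   # no measures configured: every active interface qualifies
        return True
    return (iface.latency_ms <= measures["latency_ms"]
            and iface.loss_pct <= measures["loss_pct"]
            and iface.jitter_ms <= measures["jitter_ms"])


def three_tuple_hash(src_ip, dst_ip, protocol):
    """Stable hash of the 3-tuple (SHA-256 is an assumption for illustration)."""
    key = f"{src_ip}|{dst_ip}|{protocol}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def select_interface(interfaces, src_ip, dst_ip, protocol, measures=None):
    """Return the outgoing interface name for a packet, or None if it is dropped.
    Same 3-tuple and same qualified set -> same interface (sticky connections)."""
    active = [i for i in interfaces if i.up]
    if not active:
        return None                          # no active interface: drop the packet
    qualified = [i for i in active if qualifies(i, measures)]
    if not qualified:
        return active[0].name                # first active interface in configured order
    # Weighted choice (assumed mapping): `total` buckets, each interface owning
    # `weight` consecutive buckets, so shares converge to the weight ratio.
    total = sum(i.weight for i in qualified)
    bucket = three_tuple_hash(src_ip, dst_ip, protocol) % total
    for iface in qualified:
        if bucket < iface.weight:
            return iface.name
        bucket -= iface.weight
    raise AssertionError("unreachable: bucket is always below total")


def share_by_interface(interfaces, flows, measures=None):
    """Fraction of `flows` constructed client 3-tuples that land on each interface.
    With hundreds or thousands of flows this approaches the weight ratio."""
    counts = {i.name: 0 for i in interfaces}
    for n in range(flows):
        src = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"   # constructed sources
        chosen = select_interface(interfaces, src, "203.0.113.10", "tcp", measures)
        if chosen is not None:
            counts[chosen] += 1
    return {name: c / flows for name, c in counts.items()}
```

With weights 6 and 4 the share of the first interface over 20,000 flows sits close to 60%, while a handful of flows can land anywhere, which is why the Live Status percentages only track the weight ratio once an action handles many connections.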
In this example, the SD-WAN action uses the Round-Robin method and measurement-based participation.