Configure SD-WAN
Applies To: Cloud-managed Fireboxes
Software-Defined WAN (SD-WAN) is a software-based routing solution that you can use to distribute traffic between networks or to a specific network, based on firewall policies. An SD-WAN action can include external networks, cellular interfaces, internal and guest networks with link monitoring enabled, and BOVPNs.
You can configure an SD-WAN action to use either the Failover or Round-Robin method. For information about SD-WAN methods, see About SD-WAN Methods.
If you configure measurement-based SD-WAN routing, the Firebox uses performance data to make routing decisions. For example, you can specify loss, latency, and jitter thresholds so that traffic fails over to a different connection when performance is less than ideal.
You can use SD-WAN to increase application availability and performance, and to better utilize different types of connections. For example, with SD-WAN, you can:
- Send high-priority, latency-sensitive traffic such as VoIP and video conferencing over higher-quality, more expensive WAN connections
- Send lower-priority traffic over less expensive WAN connections
- Specify loss, latency, and jitter thresholds so that connections fail over to a different connection when performance is less than ideal
To configure SD-WAN for a cloud-managed Firebox:
- Configure link monitoring (recommended for external networks, required for internal and guest networks)
- Configure BOVPN virtual IP addresses
- Add an SD-WAN action
- Enable SD-WAN in a firewall policy
Configure Link Monitoring
Before you can add an internal or guest network to an SD-WAN action, you must enable link monitoring in the network settings. You must also enable link monitoring for an external network if you want to use measurement-based failover or load balancing.
A link monitoring target is a host beyond your network perimeter. The Firebox sends ping, TCP, or DNS probes to targets to verify connectivity. The Firebox can also use probe results to verify performance if you select to measure loss, latency, and jitter.
When your Firebox uses measurement-based SD-WAN routing, it makes routing decisions based on loss, latency, and jitter calculations from link monitoring probes. For example, if the loss rate exceeds the value you specify in the SD-WAN action, the Firebox can fail over connections to another interface included in the SD-WAN action. To configure measurement-based SD-WAN routing, all interfaces in the SD-WAN action must have at least one link monitoring target configured.
If you do not specify measurements in the SD-WAN configuration, the Firebox makes SD-WAN routing decisions based on connectivity only. For example, if a link monitoring target fails to respond after a certain number of attempts, the Firebox considers the interface inactive. If you selected the Failover SD-WAN method, the Firebox fails over connections to another interface included in the SD-WAN action. If you selected the Round-Robin SD-WAN method, the Firebox removes the interface from path selection until the interface becomes active again.
For information about how to enable network link monitoring for a cloud-managed Firebox, see Configure Firebox Network Link Monitoring.
For information about loss, latency, and jitter calculations, see Interpret SD-WAN Data.
Configure BOVPN Virtual IP Addresses
Before you can add a BOVPN to an SD-WAN action, you must configure the BOVPN with /32 virtual IP addresses for both endpoints. BOVPN link monitoring is implicitly enabled when you configure /32 host IP addresses as the virtual IP address of both endpoints. A BOVPN that does not have link monitoring enabled (does not have valid /32 virtual IP addresses for both endpoints) is not available to select in an SD-WAN action.
For information about how to configure the virtual IP addresses for a BOVPN, see:
- Configure a BOVPN Between Cloud-Managed Fireboxes
- Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint
Add an SD-WAN Action
You can add one or more SD-WAN actions to your configuration.
- SD-WAN actions apply to new connections that initiate traffic.
- SD-WAN actions only apply to outbound traffic that originates from behind the Firebox.
- SD-WAN actions do not apply for replies to inbound traffic. You cannot use SD-WAN actions to force reply traffic out a specific interface.
- SD-WAN actions apply only to traffic that matches the SD-WAN action.
- You can add an unlimited number of SD-WAN actions, and you can use the same SD-WAN action in multiple policies.
In the SD-WAN action settings, you must specify the method (Failover or Round-Robin) and whether to use measurement-based failover. If you select the Failover method, you must also select a Failback option. For more information about SD-WAN methods, see About SD-WAN Methods.
To deploy a configuration that includes one or more SD-WAN Round-Robin actions, your device must run firmware v12.8 or higher. If your device runs a lower firmware version, you must do one of the following before you can deploy the configuration: Upgrade the device firmware to v12.8 or higher, change all SD-WAN actions to use the Failover method, or delete any SD-WAN actions that use the Round-Robin method. If your device model does not support firmware v12.8 or higher, change all SD-WAN actions to use the Failover method or delete any SD-WAN actions that use the Round-Robin method.
To configure an SD-WAN action, from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- Click the Networks tile.
The Networks configuration page opens.
- In the WAN Settings section, click Add SD-WAN.
The Add SD-WAN page opens.
- In the Name text box, type a name for this SD-WAN action.
- From the Method drop-down list, select Failover or Round-Robin.
- If you selected Failover, select one of these options from the Failback drop-down list:
- Immediate — Active and new connections use the failback (original) network. This is the default setting.
- Gradual — Active connections continue to use the failover interface. New connections use the failback (original) network.
- Don't Fail Back — Active and new connections continue to use the failover interface. You might select this option if you want to confirm that an issue is resolved before you fail back to the original WAN connection.
- To add networks or VPNs to the SD-WAN action, click Select Network / VPN.
A list of networks opens. The list shows all external networks, cellular interfaces, BOVPNs, and internal networks that have link monitoring enabled.
- Select the check box for each network you want to add to this SD-WAN action.
- Click Close.
- To use measurements to determine when a network fails over or fails back, do one of the following:
- If you selected the Failover method, select Use Measurement Based Failover.
- If you selected the Round-Robin method, select Use Measurement Based Participation.
- If you selected to use measurements, keep or edit the default values for Latency, Loss, and Jitter.
- To save configuration changes to the cloud, click Save.
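The path-selection behaviour described on this page (connectivity-only versus measurement-based eligibility, Failover versus Round-Robin, and the three Failback options) is modelled below as an added example. It is not WatchGuard code, and the decision rules are a simplification (assumption): an interface is eligible when its link monitoring target responded and, if measurements are enabled, its loss, latency, and jitter are within the action's thresholds. The interface names, threshold defaults, and probe values are constructed for the demonstration.

```python
# Added example: a model of SD-WAN path selection as described on this page.
# Not WatchGuard code; the eligibility and failback rules are an assumption
# that follows the page's description, and all values are constructed.
from dataclasses import dataclass


@dataclass
class ProbeStats:
    """Link monitoring result for one interface (constructed demo values)."""
    reachable: bool          # target answered within the allowed number of attempts
    loss_pct: float = 0.0
    latency_ms: float = 0.0
    jitter_ms: float = 0.0


@dataclass
class SDWANAction:
    name: str
    method: str                      # "Failover" or "Round-Robin"
    members: list                    # ordered; members[0] is the original (failback) network
    use_measurements: bool = False   # "Use Measurement Based Failover/Participation"
    max_loss_pct: float = 5.0        # threshold defaults are constructed, not the product's
    max_latency_ms: float = 200.0
    max_jitter_ms: float = 50.0
    failback: str = "Immediate"      # "Immediate", "Gradual" or "Don't Fail Back"


def is_eligible(action: SDWANAction, stats: ProbeStats) -> bool:
    """Connectivity-only check, plus threshold checks when measurements are enabled."""
    if not stats.reachable:
        return False
    if not action.use_measurements:
        return True
    return (stats.loss_pct <= action.max_loss_pct
            and stats.latency_ms <= action.max_latency_ms
            and stats.jitter_ms <= action.max_jitter_ms)


class SDWANState:
    """Tracks which interface new and active connections use for one SD-WAN action."""

    def __init__(self, action: SDWANAction):
        self.action = action
        self.current = None      # Failover: interface that new connections use
        self.pool = []           # Round-Robin: interfaces currently in path selection
        self.rr_index = 0
        self.active = {}         # connection id -> interface carrying it

    def update(self, probes: dict) -> None:
        """Re-evaluate after a link monitoring cycle; a member without results counts as down."""
        ok = [m for m in self.action.members
              if is_eligible(self.action, probes.get(m, ProbeStats(False)))]
        if self.action.method == "Round-Robin":
            self.pool = ok       # failed interfaces leave path selection until active again
            return
        preferred = self.action.members[0]
        if self.current not in ok:
            # first evaluation or current link failed: fail over to the first eligible member
            self.current = ok[0] if ok else None
            for cid, iface in self.active.items():
                if iface not in ok:
                    self.active[cid] = self.current
        elif preferred in ok and self.current != preferred:
            # original network recovered: apply the Failback option
            if self.action.failback == "Immediate":
                self.current = preferred
                for cid in self.active:
                    self.active[cid] = preferred
            elif self.action.failback == "Gradual":
                self.current = preferred   # only new connections move
            # "Don't Fail Back": active and new connections stay on the failover interface

    def new_connection(self, cid: str):
        """Path selection for a new outbound connection that matches the policy."""
        if self.action.method == "Round-Robin":
            if not self.pool:
                return None
            iface = self.pool[self.rr_index % len(self.pool)]
            self.rr_index += 1
        else:
            iface = self.current
        if iface is not None:
            self.active[cid] = iface
        return iface


def failover_scenario(failback: str) -> list:
    """External-1 healthy, then over the loss threshold, then healthy again."""
    action = SDWANAction("Internet", "Failover", ["External-1", "External-2"],
                         use_measurements=True, failback=failback)
    st = SDWANState(action)
    good = {"External-1": ProbeStats(True, 0.5, 40, 5), "External-2": ProbeStats(True, 1.0, 90, 10)}
    degraded = {"External-1": ProbeStats(True, 12.0, 40, 5), "External-2": good["External-2"]}
    st.update(good); st.new_connection("c1")          # c1 starts on External-1
    st.update(degraded); st.new_connection("c2")      # loss 12% > 5%: both move to External-2
    st.update(good); st.new_connection("c3")          # recovery: Failback option decides
    return [st.active["c1"], st.active["c2"], st.active["c3"]]


def round_robin_scenario() -> list:
    """Connectivity-only Round-Robin; External-2 drops out after the first four connections."""
    st = SDWANState(SDWANAction("Balanced", "Round-Robin", ["External-1", "External-2", "Cellular"]))
    st.update({"External-1": ProbeStats(True), "External-2": ProbeStats(True), "Cellular": ProbeStats(True)})
    first = [st.new_connection(f"r{i}") for i in range(4)]
    st.update({"External-1": ProbeStats(True), "External-2": ProbeStats(False), "Cellular": ProbeStats(True)})
    return first + [st.new_connection(f"s{i}") for i in range(4)]
```

Running `failover_scenario("Immediate")` moves every connection back to External-1 once it recovers, `"Gradual"` leaves c1 and c2 on External-2 while c3 uses External-1, and `"Don't Fail Back"` keeps all three on External-2. In the Round-Robin scenario the unreachable External-2 is simply skipped until a later probe cycle marks it reachable again.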
Enable SD-WAN in a Firewall Policy
After you add the SD-WAN action, you can configure a firewall policy to use it. When you use an SD-WAN action in a policy, the settings from the SD-WAN action take precedence over the global WAN settings.
SD-WAN actions apply to new connections that initiate traffic. SD-WAN actions do not apply to reply traffic. You cannot use SD-WAN actions to force reply traffic out a specific interface. SD-WAN actions apply only to traffic that matches the SD-WAN action.
To enable SD-WAN in a firewall policy, from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- Click the Firewall Policies tile.
The Firewall Policies list opens.
- Add or edit a firewall policy.
- In the SD-WAN section of the policy, click the Enable SD-WAN toggle.
- From the drop-down list, select the SD-WAN action to use for traffic that matches this policy.
- To save configuration changes to the cloud, click Save.
For more information about policy configuration, see Configure Firewall Policies in WatchGuard Cloud.
Monitor SD-WAN Traffic
You can view live information about SD-WAN traffic on the Live Status > Networks page. For more information, see Monitor Networks on Fireboxes and FireClusters.