Configure SD-WAN
In Fireware v12.3 or higher, you can configure Software-Defined WAN (SD-WAN) on your Firebox. To configure SD-WAN:
- Configure Link Monitor targets (recommended)
- Add an SD-WAN action
- Configure a policy to use the SD-WAN action
For detailed information about how SD-WAN works, go to About SD-WAN, About SD-WAN Methods, and Interpret SD-WAN Monitoring Data.
To configure Link Monitor targets, go to Configure Link Monitor.
For a configuration example, go to SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.
SD-WAN actions apply to new connections that initiate traffic. SD-WAN actions do not apply to reply traffic. You cannot use SD-WAN actions to force reply traffic out of a specific interface.
About SD-WAN Actions in Device Configuration Templates
In Fireware v12.8 or higher, you can also create SD-WAN actions in a Centralized Management device configuration template and apply the template to multiple Fireboxes. The template only contains a partial SD-WAN action definition because SD-WAN is configured on a Firebox for specific network interfaces.
- An SD-WAN action with the same name must exist on the Firebox when you apply the template.
- If there is no SD-WAN action with the same name on the Firebox, the template's SD-WAN action is not applied.
- If the template has a policy that uses an SD-WAN action that does not match an SD-WAN action on the Firebox, the policy is applied without the SD-WAN action. In this case, the “To” (destination) of the policy is applied instead.
For more information, go to Create Device Configuration Templates.
Add an SD-WAN Action
In an SD-WAN action, you select the routing method (Failover or Round Robin) and interfaces. You can also configure metrics settings. If you select the Failover routing method, you also specify failback settings.
To add an SD-WAN action, from Fireware Web UI:
- Select Network > SD-WAN.
- Click Add SD-WAN.
  The SD-WAN Action Settings page opens.
- In the Name text box, type a name for the SD-WAN action.
- (Optional) In the Description text box, type a description for the SD-WAN action.
- Select the method to route traffic that matches this SD-WAN action:
  - Failover
  - Round-robin (Fireware v12.8 or higher)
- To add one or more interfaces to the SD-WAN action, click Add.
  The Add SD-WAN Interface dialog box appears.
- Select one or more interfaces to include in the SD-WAN action.
- Click OK.
- To use the up/down status of an interface to determine when an interface fails over or fails back, do not select any measurements.
- (Optional) If you selected the Failover routing method, you can select measurements to determine when an interface fails over or fails back. In the Metrics Settings section:
  - Select one or more measurements (Loss Rate, Latency, or Jitter).
  - In the adjacent text boxes, specify values for the measurements you selected. In Fireware v12.5.4 or higher, the default values are 5% (loss rate), 400 ms (latency), and 100 ms (jitter).
    By default, failover occurs if values for any selected measurements are exceeded.
  - (Optional) Select Fail over if values for all selected measurements are exceeded.
- (Optional) If you selected the Round Robin routing method, you can select measurements to determine whether an interface participates in Round Robin. In the Metrics Settings section:
  - Select one or more measurements (Loss Rate, Latency, or Jitter).
  - In the adjacent text boxes, specify values for the measurements you selected. The default values are 5% (loss rate), 400 ms (latency), and 100 ms (jitter).
    If the interface exceeds the values for any selected measurements, the Firebox removes the interface from Round Robin selection. If the interface becomes active again, or if the interface no longer exceeds the configured loss, latency, and jitter values, the interface becomes available for Round Robin selection.
- (Failover routing method only) From the Failback for Active Connections drop-down list, select No failback, Immediate, or Gradual failback. The default option is Immediate.
  If you select No failback or Gradual failback, you can select to manually fail back connections on the SD-WAN Status page. For more information, go to SD-WAN Status and Manual Failback (Web UI).
- Click Save.
In Fireware v12.5.3 or lower, the default values for measurements are 5% (loss rate), 20 ms (latency), and 10 ms (jitter).
To add an SD-WAN action, from Policy Manager:
- Select Network > Configuration > SD-WAN.
- Click Add.
  The Add SD-WAN Action dialog box appears.
- In the Name text box, type a name for the SD-WAN action.
- (Optional) In the Description text box, type a description for the SD-WAN action.
- Select the method to route traffic that matches this SD-WAN action:
  - Failover
  - Round-robin (Fireware v12.8 or higher)
- Select one or more interfaces to include in the SD-WAN action.
  If you select a BOVPN virtual interface, you cannot select other interfaces. SD-WAN actions that include both a BOVPN virtual interface and other external interfaces are not supported.
- To use the up/down status of an interface to determine when an interface fails over or fails back, do not select any measurements.
- (Optional) If you selected the Failover routing method, you can select measurements to determine when an interface fails over or fails back. In the Metrics Settings section:
  - Select one or more measurements (Loss Rate, Latency, or Jitter).
  - In the adjacent text boxes, specify values for the measurements you selected. In Fireware v12.5.4 or higher, the default values are 5% (loss rate), 400 ms (latency), and 100 ms (jitter).
    By default, failover occurs if values for any selected measurements are exceeded.
  - (Optional) Select Fail over if values for all selected measurements are exceeded.
- (Optional) If you selected the Round Robin routing method, you can select measurements to determine whether an interface participates in Round Robin. In the Metrics Settings section:
  - Select one or more measurements (Loss Rate, Latency, or Jitter).
  - In the adjacent text boxes, specify values for the measurements you selected. The default values are 5% (loss rate), 400 ms (latency), and 100 ms (jitter).
    If the interface exceeds the values for any selected measurements, the Firebox removes the interface from Round Robin selection. If the interface becomes active again, or if the interface no longer exceeds the configured loss, latency, and jitter values, the interface becomes available for Round Robin selection.
- (Failover routing method only) From the Failback for Active Connections drop-down list, select No failback, Immediate failback, or Gradual failback. The default option is Immediate.
  If you select No failback or Gradual failback, you can select to manually fail back connections on the SD-WAN tab in FSM. For more information, go to SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager).
- Click Save.
In Fireware v12.5.3 or lower, the default values for measurements are 5% (loss rate), 20 ms (latency), and 10 ms (jitter).
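The Metrics Settings steps in both procedures above, modelled as an added example; this is not WatchGuard code or part of the original page. The `Link` class, the function names, the interface names and the sample readings are constructed, and treating list order as failover preference is an assumption the page does not state.

```python
# Added illustration, not Fireware code: a simplified model of the metric checks.
from dataclasses import dataclass

# Default values stated on this page for Fireware v12.5.4 or higher.
DEFAULTS = {"loss": 5.0, "latency": 400.0, "jitter": 100.0}  # %, ms, ms


@dataclass
class Link:  # hypothetical container for one interface's Link Monitor readings
    name: str
    up: bool
    loss: float     # percent
    latency: float  # ms
    jitter: float   # ms


def exceeded(link, selected, thresholds=DEFAULTS):
    """Selected measurements whose configured value this link exceeds."""
    return [m for m in selected if getattr(link, m) > thresholds[m]]


def usable(link, selected, require_all=False, thresholds=DEFAULTS):
    """With no measurements selected, only the up/down status counts."""
    if not link.up:
        return False
    if not selected:
        return True
    over = exceeded(link, selected, thresholds)
    if require_all:  # "Fail over if values for all selected measurements are exceeded"
        return len(over) < len(selected)
    return not over  # default: any exceeded measurement takes the link out


def failover_choice(links, selected, require_all=False):
    """Assumption: list order is preference order; return the first usable link."""
    return next((ln.name for ln in links if usable(ln, selected, require_all)), None)


def round_robin_members(links, selected):
    """Round Robin removes a link when any selected measurement is exceeded."""
    return [ln.name for ln in links if usable(ln, selected)]


# Constructed sample readings (not real monitoring data).
LINKS = [
    Link("External-1", up=True, loss=0.5, latency=450.0, jitter=12.0),
    Link("External-2", up=True, loss=1.0, latency=80.0, jitter=8.0),
    Link("External-3", up=False, loss=0.0, latency=0.0, jitter=0.0),
]
```

With Latency and Jitter selected, External-1 is passed over under the default any-measurement rule but stays in use when all selected measurements must be exceeded.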
Configure a Policy to Use an SD-WAN Action
In the settings for a policy, you can select to add or create an SD-WAN action.
In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. In Fireware v12.2.1 or earlier, to route traffic to a different external interface, you must use policy-based routing. When you upgrade to Fireware v12.3 or higher, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, go to Configure Policy-Based Routing in Fireware v12.2.1 or lower in the WatchGuard Knowledge Base.
To configure a policy to use an SD-WAN action, from Fireware Web UI:
- Select Firewall > Firewall Policies.
- To edit a policy, click the policy name.
  The Edit page appears.
- Select the SD-WAN tab.
  The SD-WAN settings appear.
- From the SD-WAN Action drop-down list, select an SD-WAN action or click Create new.
  The SD-WAN configuration settings appear.
- If you selected to create a new SD-WAN action, follow the steps in the Add an SD-WAN Action section.
- To use this SD-WAN action in the policy, click Save.
  The policy list appears. The SD-WAN action you selected or added appears in the SD-WAN column for the policy.
To configure a policy to use an SD-WAN action, from Policy Manager:
- From the list of policies, double-click a policy to edit it.
- Select the Route outbound traffic using check box.
- From the drop-down list, select SD-WAN Based Routing.
- Choose one of these options:
  - To use an existing SD-WAN action, from the SD-WAN Action drop-down list, select the action.
  - To edit an existing SD-WAN action, select the View/Edit SD-WAN Action button.
  - To add a new SD-WAN action, click the New/Clone SD-WAN Action button.
- If you selected to edit or create a new SD-WAN action, follow the steps in the Add an SD-WAN Action section.
- To use this SD-WAN action in the policy, click OK.
  The policy list appears. The SD-WAN action you selected or added appears in the SD-WAN column for the policy.