Traditional SD-WAN
One of the key terms that has been floating around in networking for several years is SD-WAN (Software-Defined Wide Area Networking). The premise of SD-WAN is that traditional routers are replaced with devices that can virtually help control the connections used for processing traffic leaving a network. This implementation can allow for better performance and utilization of connections such as Internet access, MPLS networks and site-to-site VPNs.
SD-WAN is typically implemented to ensure better performance across the connections in use for an organization. Typical SD-WAN will also implement quality of service to ensure that optimal bandwidth is given to high-priority applications. This can often include methods such as sending an application’s traffic over a faster link, or splitting the traffic between two pathways to ensure optimal performance.
WatchGuard SD-WAN
With the release of firmware version 12.3, WatchGuard has implemented their own version of SD-WAN. Their approach with this feature is different than traditional implementations. WatchGuard’s focus for SD-WAN is to allow for better monitoring of outbound connections so that you can ensure traffic is being sent over the best connection. WatchGuard’s SD-WAN focuses on connection redundancy through policy-specific settings that are utilizing metrics for identifying the most stable connection.
For many years WatchGuard has provided firewalls the option to utilize multiple external connections for processing traffic. Through Multi-WAN and Policy-Based Routing, failover and traffic routing were available for deciding which interface would be utilized for outbound connections. However, these options are often rather rigid when dealing with which interface is best for traffic to flow through. Through both Multi-WAN and PBR, traffic would only failover if an interface was seen to be down.
Through WatchGuard’s SD-WAN, you can create profiles to define which interface you want traffic to flow through primarily, and can specify the redundant connection in use. SD-WAN gives more granular control over deciding which interface is best for processing outbound requests, based on the stability of that interface. One of the key differences with WatchGuard’s SD-WAN and traditional SD-WAN is that it operates purely in a failover method, instead of being able to split traffic through connections based on performance.
How WatchGuard’s SD-WAN Works
To utilize SD-WAN on your Firebox, there are several steps that need to be taken.
Ensure your firewall has multiple external connections available for outbound traffic.
Optional: If you want to utilize metric-based SD-WAN (see below), configure link monitoring targets for each external interface.
Configure an SD-WAN profile.
Attach the SD-WAN profile to your desired policies.
Metric-Based Monitoring
One of the biggest benefits of SD-WAN are the parameters you can set for monitoring. Instead of purely being able to identify if the interface is up or down, SD-WAN allows the firewall to also monitor:
Loss Rate
Latency
Jitter
This gives much better insight into if an interface is performing correctly, and can allow the firewall to send traffic out the connection that is most stable. In order to set this monitoring, a link monitor target must be set on each interface.
Link Monitoring
One of the most important pieces to configuring SD-WAN is Link Monitoring. This is a feature that has previously been available, however the default configuration that is in use can impact SD-WAN’s effectiveness.
By default, Link Monitor is set to monitor the default gateway on the external interface. The issue with this configuration is that monitoring access to the default gateway does not necessarily indicate if the connection is down. The default gateway is simply the next hop on the connection, and a downed connection could be the result of something further down the line.
To better monitor a connection, it is recommended that the default setting be removed and replaced with better targets. JSCM Group recommends using both a ping and TCP target when monitoring links. The targets will typically depend on your organization and what type of outbound connections you want to ensure are active.
SD-WAN vs. Policy-Based Routing
Policy-based routing is an option that many organizations have been using up to this point to specify pathways for outbound traffic through policies. With this type of configuration, you can dictate the primary interface that a policy will utilize, and can provide a failover interface if desired.
In this setup, we are specifying the traffic going through this policy will utilize the Fiber connection as the primary connection. We have failover configured, in which case we would failover to our backup interface.
The difference with Policy-Based Routing is that it is only going to allow for failover if the primary interface is actually down. It will not be able to utilize our metric-based monitoring.
If you upgrade your firewall to 12.3 and have Policy-Based Routing enabled, it will automatically be converted to utilize SD-WAN.
Scenario: Configuration for VOIP Data
To best demonstrate the setup of SD-WAN, let’s use a scenario in which we want to implement proper failover for our VOIP data. On our device we will have both a Fiber and a Cable connection that can be utilized. We want to prioritize our Fiber connection for VOIP, but would like our Cable connection to be available for redundancy. Aside from just basic failover, we also want to ensure to implement the metric-based monitoring so that we get the best quality of connection for our traffic.
Step 1: Configure External Interfaces
The first step is to ensure we have both of our external interfaces configured on our firewall.
In Policy Manager, if we go to Network > Configuration, we can see that we have two external connections configured on the device.
Step 2: Link Monitoring
Next we want to set link monitoring on each interface so that we get the benefit of metric-based monitoring. In Policy Manager we go to Network > Configuration > Link Monitor. By default we will see that the Default Gateway is set as a monitor. We will remove that, and add both an IP and TCP target. You can then select which target you would like to use to monitor Loss, Latency and Jitter.
NOTE: The targets for link monitoring will be dependent on your network, and what you are looking to accomplish with SD-WAN. The IPs listed above are purely for demonstrative purposes and should not be used in an actual setup.
On the Link Monitor tab, we can also set the probe thresholds to determine how quickly an interface will deactivate or reactivate.
Step 3: Set SD-WAN Profile
The next step is to create our SD-WAN profile. For this we will go to Network > Configuration > SD-WAN, and we will click Add to create a new entry.
First, name the profile so that it is easily identifiable. We will call this one “VOIP Traffic.” Next, we select the interfaces that we want to use as part of this SD-WAN configuration. The firewall will follow the order of the interfaces, so we need to put our preferred connection at the top of the list. Since we want to utilize Fiber as our primary connection with Cable as the failover, we will set the order and check the boxes to include both interfaces.
Also in this profile we will decide which of the metric systems we want to measure. This will largely be based on the goals of your own SD-WAN configuration. For this example, we will select all options.
When we set the metrics, we have the option to choose Fail over if values for all selected measurements are exceeded. If we select this option, all of the metric targets would have to exceed their set amount for a failover to occur. If this option is not selected, only one target would have to exceed the configured amount for a failover.
The final piece of our SD-WAN profile is to decide which failback option we want to utilize when the primary connection is deemed stable. This will be based on our own preference and how our firewall will handle the traffic. Our options for this are:
Immediate Failback: With this option, active traffic will immediately fail back to the primary interface when it comes back online. This will get us back onto our primary interface quickly, but will result in some dropped connections.
Gradual Failback: With this option, active traffic will finish its connection, and only new connections will fail back to the primary interface. This will be a slower process, but will allow for a smoother transition back to our primary interface.
No Failback: With this option, we will not fail back to the primary interface if it comes back
online. All active and new connections will continue to use the failover connection.
Step 4: Apply SD-WAN to Policies
Now that our SD-WAN profile is set, we can apply this to our desired policies. We currently have a policy in place for outbound VOIP traffic. In this policy, we will select Route outbound traffic using, make sure SD-WAN Based Routing is selected, and will then specify the SD-WAN profile we created in the previous step.
Step 5: Save Your Policy!
As always, once we get our policy set we want to make sure to safe the configuration.
Configuring SD-WAN on Your Firewall
The key thing when looking to implement SD-WAN is to understand that every network is going to be different. The example outlined about is meant to demonstrate how SD-WAN is implemented from a configuration standpoint. Ultimately, your goal in implementing SD-WAN will be the deciding factor in how it is configured. One of the key parts to getting SD-WAN rolled out is to make sure a baseline is established when it comes to the values needed for monitoring. If you would like to implement SD-WAN on your network, contact JSCM Group today so that we can help you plan and configure this feature to best suit your network’s needs.