Manage: SD-WAN
Strata Cloud Manager

Learn to configure SD-WAN policies for your deployments.
Where Can I Use This? | What Do I Need?
  • SD-WAN
An SD-WAN policy rule specifies application(s) and/or service(s) and a traffic distribution profile to determine how the firewall selects the preferred path for an incoming packet that doesn’t belong to an existing session and that matches all other criteria, such as source and destination zones, source and destination IP addresses, and source user. The SD-WAN policy rule also specifies a path quality profile of thresholds for latency, jitter, and packet loss. When one of the thresholds is exceeded, the firewall selects a new path for the application(s) and/or service(s).
To configure an SD-WAN policy, select Manage > Configuration > NGFW and Prisma Access > Network Policies > SD-WAN.

Rules

You can define Pre rules and Post rules in a shared context, as shared policies for all managed firewalls, or in a device group context, to make the rules specific to a device group:
  • Pre Rules—Rules that are added to the top of the rule order and are evaluated first. You can use pre-rules to enforce the Acceptable Use Policy for an organization. For example, you can block access to specific URL categories or allow DNS traffic for all users.
  • Post Rules—Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and rules that are locally defined on the firewall. Post-rules typically include rules to deny access to traffic based on the App-ID™, User-ID™, or Service.

Profiles

Create profiles to apply to sets of applications and services specified in SD-WAN policy rules.
Path Quality
SD-WAN allows you to create a path quality profile for each set of applications, application filters, application groups, services, service objects, and service group objects that have unique network quality requirements and reference the profile in an SD-WAN policy rule. In the profile you set maximum thresholds for three parameters: latency, jitter, and packet loss. When an SD-WAN link exceeds any one of the thresholds, the firewall selects a new best path for packets matching the SD-WAN rule where you apply this profile.
SaaS Quality
SD-WAN allows you to create Software-as-a-Service (SaaS) quality profiles to measure the path health quality between your hub or branch firewall and server-side SaaS applications in order to accurately monitor SaaS application reliability and swap paths should the path health quality degrade. This allows the firewall to accurately determine when to failover to a different Direct Internet Access (DIA) link.
The SaaS quality profile allows you to specify the SaaS application to monitor using an adaptive learning algorithm that monitors the application activity, or by specifying a SaaS application using the application IP address, FQDN, or URL.
Traffic Distribution
In a Traffic Distribution profile, select the method the firewall uses to distribute sessions and to fail over to a better path when path quality deteriorates. Add the Link Tags that the firewall considers when determining the link on which it forwards SD-WAN traffic. You apply a Traffic Distribution profile to each SD-WAN policy rule you create.
Error Correction
If your SD-WAN traffic includes an application that is sensitive to packet loss or corruption, such as audio, VoIP, or video conferencing, you can apply either Forward Error Correction (FEC) or packet duplication as a means of error correction. With FEC, the receiving firewall (decoder) can recover lost or corrupted packets by employing parity bits that the encoder embeds in an application flow. Packet duplication is an alternative method of error correction, in which an application session is duplicated from one tunnel to a second tunnel. To employ one of these methods, create an Error Correction Profile and reference it in an SD-WAN policy rule for specific applications.
(You must also specify which interfaces are available for the firewall to select for error correction by indicating in an SD-WAN Interface Profile that interfaces are Eligible for Error Correction Profile interface selection.)
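The following Python block is an added illustration of the FEC idea described above; it is not the firewall's implementation and not code from this documentation. It uses the simplest possible scheme, a single XOR parity packet per block of equal-length data packets (the real encoder embeds parity in the flow and handles variable lengths), so that the decoder's recovery of one lost packet and its failure on two losses can be seen end to end. Names such as `fec_encode_block`, `fec_decode_block` and the sample payloads are assumptions for the demonstration; packet duplication is not modelled.

```python
from typing import Dict, List, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def fec_encode_block(packets: List[bytes]) -> bytes:
    """Encoder side: one XOR parity packet over a block of equal-length data packets.
    Equal length is an assumption of this toy; real FEC schemes pad or frame."""
    width = len(packets[0])
    if any(len(p) != width for p in packets):
        raise ValueError("toy encoder requires equal-length packets in a block")
    parity = bytes(width)
    for p in packets:
        parity = xor_bytes(parity, p)
    return parity


def fec_decode_block(received: Dict[int, bytes], parity: bytes,
                     block_size: int) -> Optional[List[bytes]]:
    """Decoder side: `received` maps packet index -> payload for packets that arrived.
    A single parity packet absorbs exactly one loss per block; two or more losses
    in the same block cannot be reconstructed and yield None."""
    missing = [i for i in range(block_size) if i not in received]
    if len(missing) > 1:
        return None
    if not missing:
        return [received[i] for i in range(block_size)]
    # XORing the parity with every surviving packet leaves exactly the lost packet.
    recovered = parity
    for p in received.values():
        recovered = xor_bytes(recovered, p)
    restored = dict(received)
    restored[missing[0]] = recovered
    return [restored[i] for i in range(block_size)]


# Constructed sample flow: four 8-byte payloads standing in for RTP packets.
SAMPLE_BLOCK = [b"RTP-seq0", b"RTP-seq1", b"RTP-seq2", b"RTP-seq3"]


def transmit_with_loss(packets: List[bytes], dropped: List[int]) -> Dict[int, bytes]:
    """Simulate the path: packets whose index is listed in `dropped` never arrive."""
    return {i: p for i, p in enumerate(packets) if i not in dropped}


def demo_recovery(dropped: List[int]) -> Optional[List[bytes]]:
    """Encode the sample block, lose the given packets in transit, then decode."""
    parity = fec_encode_block(SAMPLE_BLOCK)
    received = transmit_with_loss(SAMPLE_BLOCK, dropped)
    return fec_decode_block(received, parity, len(SAMPLE_BLOCK))


if __name__ == "__main__":
    print("one loss  :", demo_recovery([2]))
    print("two losses:", demo_recovery([1, 3]))
```

The overhead of this scheme is one parity packet per block of k data packets; a larger block lowers the overhead but also means a burst of two losses inside one block is unrecoverable, which is the trade-off any FEC profile makes for loss-sensitive traffic.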
SD-WAN Interface
Create an SD-WAN interface profile to define the characteristics of ISP connections and to specify the speed of links and how frequently the firewall monitors the link, and specify a Link Tag for the link. When you specify the same Link Tag on multiple links, you are grouping (bundling) those physical links into a link bundle or fat pipe. You must configure an SD-WAN interface profile and specify it for an Ethernet interface enabled with SD-WAN before you can save the Ethernet interface.

Link Tags

Create a link tag to identify one or more physical links that you want applications and services to use in a specific order during SD-WAN traffic distribution and failover protection. Grouping multiple physical links allows you to maximize the application and service quality if the physical link health deteriorates.
When planning how to group your links, consider the use or purpose of the links and group them accordingly. For example, if you are configuring links intended for low-cost or non-business-critical traffic, create a link tag and group these interfaces together to ensure that the intended traffic flows primarily on these links, and not on more expensive links that may impact business-critical applications or services.
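The following Python block is an added, simplified model of how a Path Quality profile, a Traffic Distribution profile's Link Tag order and the links behind those tags interact; it is not the firewall's selection algorithm and not code from this documentation. It walks the tags top-down and returns the first interface whose measured latency, jitter and packet loss stay within the profile's maximum thresholds, so the failover the Path Quality and Link Tags sections describe can be traced with concrete numbers. The dataclass and function names, the threshold values and the link measurements are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PathQualityProfile:
    """Maximum thresholds of a Path Quality profile (field names are ours, not the product's)."""
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class LinkHealth:
    """Current measured health of one SD-WAN-enabled interface carrying a Link Tag."""
    interface: str
    link_tag: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def exceeded_thresholds(profile: PathQualityProfile, link: LinkHealth) -> List[str]:
    """Names of the profile thresholds this link currently exceeds; empty means healthy."""
    breaches = []
    if link.latency_ms > profile.max_latency_ms:
        breaches.append("latency")
    if link.jitter_ms > profile.max_jitter_ms:
        breaches.append("jitter")
    if link.loss_pct > profile.max_loss_pct:
        breaches.append("packet loss")
    return breaches


def select_path(profile: PathQualityProfile, links: List[LinkHealth],
                tag_order: List[str]) -> Optional[str]:
    """Simplified top-down selection: walk the Link Tags in the order listed in the
    Traffic Distribution profile and return the first interface whose tag matches
    and whose metrics stay within every threshold. None if no link qualifies."""
    for tag in tag_order:
        for link in links:
            if link.link_tag == tag and not exceeded_thresholds(profile, link):
                return link.interface
    return None


# Constructed sample: a VoIP profile and two WAN links with made-up measurements.
VOIP_PROFILE = PathQualityProfile("voip-quality", max_latency_ms=150,
                                  max_jitter_ms=30, max_loss_pct=1.0)
TAG_ORDER = ["fiber-primary", "lte-backup"]


def demo_failover() -> Dict[str, Optional[str]]:
    """Path chosen while both links are healthy, after the primary's jitter crosses
    the threshold, and when no link meets the profile at all."""
    fiber = LinkHealth("ethernet1/1", "fiber-primary", latency_ms=20, jitter_ms=5, loss_pct=0.0)
    lte = LinkHealth("ethernet1/2", "lte-backup", latency_ms=60, jitter_ms=12, loss_pct=0.2)
    links = [fiber, lte]
    result = {"healthy": select_path(VOIP_PROFILE, links, TAG_ORDER)}
    fiber.jitter_ms = 45   # primary now exceeds max_jitter_ms=30
    result["primary_degraded"] = select_path(VOIP_PROFILE, links, TAG_ORDER)
    lte.loss_pct = 3.5     # backup now exceeds max_loss_pct=1.0 as well
    result["all_degraded"] = select_path(VOIP_PROFILE, links, TAG_ORDER)
    return result


if __name__ == "__main__":
    for state, chosen in demo_failover().items():
        print(f"{state}: {chosen}")
```

Note that only new sessions are affected by a selection like this; as the page states, the rule decides the path for an incoming packet that does not belong to an existing session, so existing flows are not re-pinned by the model above.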