Strata Cloud Manager
Manage: SD-WAN
Learn to configure SD-WAN policies for your deployments.
Where Can I Use This? | What Do I Need? |
---|---|
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
An SD-WAN policy rule specifies application(s) and/or service(s) and a traffic
distribution profile to determine how the firewall selects the preferred path for an
incoming packet that doesn’t belong to an existing session and that matches all
other criteria, such as source and destination zones, source and destination IP
addresses, and source user. The SD-WAN policy rule also specifies a path
quality profile of thresholds for latency, jitter, and packet loss. When one of the
thresholds is exceeded, the firewall selects a new path for the application(s)
and/or service(s).
To configure an SD-WAN policy, select Manage > Configuration > NGFW and Prisma Access > Network Policies > SD-WAN.
Rules
You can define Pre rules and Post rules in a shared context, as shared
policies for all managed firewalls, or in a device group context, to make the
rules specific to a device group:
- Pre Rules—Rules that are added to the top of the rule order and are evaluated first. You can use pre-rules to enforce the Acceptable Use Policy for an organization. For example, you can block access to specific URL categories or allow DNS traffic for all users.
- Post Rules—Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and rules that are locally defined on the firewall. Post-rules typically include rules to deny access to traffic based on the App-ID™, User-ID™, or Service.
Profiles
Create profiles to apply to sets of applications and services specified
in SD-WAN policy rules.
Path Quality
SD-WAN allows you to create a path quality profile for each set of
applications, application filters, application groups, services, service
objects, and service group objects that have unique network quality requirements
and reference the profile in an SD-WAN policy rule. In the profile you set
maximum thresholds for three parameters: latency, jitter, and packet loss. When
an SD-WAN link exceeds any one of the thresholds, the firewall selects a new
best path for packets matching the SD-WAN rule where you apply this profile.
SaaS Quality
SD-WAN allows you to create Software-as-a-Service (SaaS) quality
profiles to measure the path health quality between your hub or branch firewall
and server-side SaaS applications in order to accurately monitor SaaS
application reliability and swap paths should the path health quality degrade.
This allows the firewall to accurately determine when to fail over to a different
Direct Internet Access (DIA) link.
The SaaS quality profile allows you to specify the SaaS application to
monitor using an adaptive learning algorithm that monitors the application
activity, or by specifying a SaaS application using the application IP address,
FQDN, or URL.
Traffic Distribution
For this Traffic Distribution profile, select the method the firewall
uses to distribute sessions and to fail over to a better path when path quality
deteriorates. Add the Link Tags that the firewall considers when determining the
link on which it forwards SD-WAN traffic. You apply a Traffic Distribution
profile to each SD-WAN policy rule you create.
Error Correction
If your SD-WAN traffic includes an application that is sensitive to
packet loss or corruption, such as audio, VoIP, or video conferencing, you can
apply either Forward Error Correction (FEC) or packet duplication as a means of
error correction. With FEC, the receiving firewall (decoder) can recover lost or
corrupted packets by employing parity bits that the encoder embeds in an
application flow. Packet duplication is an alternative method of error
correction, in which an application session is duplicated from one tunnel to a
second tunnel. To employ one of these methods, create an Error Correction
Profile and reference it in an SD-WAN policy rule for specific applications.
(You must also specify which interfaces are available for the firewall
to select for error correction by indicating in an SD-WAN Interface Profile that
interfaces are Eligible for Error Correction Profile interface selection.)
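The parity-based recovery described above can be illustrated with a single XOR parity packet per group of packets. This is an added example, not Palo Alto Networks code; the XOR scheme, the 2-byte length prefix, and the function names are assumptions chosen for illustration and do not describe the firewall's actual FEC encoding.

```python
"""Single-parity FEC over a group of packets (simplified model)."""
from __future__ import annotations
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _frame(payload: bytes, width: int) -> bytes:
    # A 2-byte length prefix lets the decoder strip padding after recovery.
    return len(payload).to_bytes(2, "big") + payload.ljust(width, b"\x00")


def encode_group(payloads: list[bytes]) -> tuple[list[bytes], bytes]:
    """Encoder side: pad packets to equal width and compute one parity packet."""
    width = max(len(p) for p in payloads)
    frames = [_frame(p, width) for p in payloads]
    return frames, reduce(_xor, frames)


def decode_group(received: list[bytes | None], parity: bytes | None) -> list[bytes] | None:
    """Decoder side: None marks a packet that was lost (or dropped as corrupt).

    One parity packet repairs at most one missing packet per group; with
    more losses the group cannot be rebuilt and None is returned.
    """
    missing = [i for i, f in enumerate(received) if f is None]
    if len(missing) > 1 or (missing and parity is None):
        return None
    frames = list(received)
    if missing:
        present = [f for f in received if f is not None]
        # XOR of the parity with every surviving frame yields the lost frame.
        frames[missing[0]] = reduce(_xor, present, parity)
    return [f[2:2 + int.from_bytes(f[:2], "big")] for f in frames]


if __name__ == "__main__":
    # Constructed sample payloads standing in for a loss-sensitive flow.
    sample = [b"voice-frame-1", b"vf-2", b"voice-frame-three"]
    frames, parity = encode_group(sample)
    print(decode_group([frames[0], None, frames[2]], parity))  # one loss: recovered
    print(decode_group([None, None, frames[2]], parity))       # two losses: None
```

In this model the overhead is one extra packet per group, whereas packet duplication sends every packet twice but tolerates the loss of an entire tunnel.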
SD-WAN Interface
Create an SD-WAN interface profile to define the characteristics of ISP
connections and to specify the speed of links and how frequently the firewall
monitors the link, and specify a Link Tag for the link. When you specify the
same Link Tag on multiple links, you are grouping (bundling) those physical
links into a link bundle or fat pipe. You must configure an SD-WAN interface
profile and specify it for an Ethernet interface enabled with SD-WAN before you
can save the Ethernet interface.
Link Tags
Create a link tag to identify one or more physical links that you want
applications and services to use in a specific order during SD-WAN traffic
distribution and failover protection. Grouping multiple physical links allows
you to maximize the application and service quality if the physical link health
deteriorates.
When planning how to group your links, consider the use or purpose of
the links and group them accordingly. For example, if you are configuring links
intended for low-cost or non-business-critical traffic, create a link tag and
group these interfaces together to ensure that the intended traffic flows
primarily on these links, and not on more expensive links that may impact
business-critical applications or services.
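How the Path Quality profile, the Traffic Distribution profile, and Link Tags fit together can be sketched as a small model. This is an added example, not Palo Alto Networks code: the class and function names, the interface and tag names, the sample measurements, and the rule of taking the first qualifying link in tag order are all assumptions for illustration.

```python
"""Simplified model of SD-WAN path selection against a path quality profile."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class PathQualityProfile:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class LinkSample:
    interface: str   # constructed interface name
    link_tag: str    # tag assigned in the SD-WAN interface profile
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def violations(profile: PathQualityProfile, s: LinkSample) -> list[str]:
    """Return the names of the thresholds this link currently exceeds."""
    checks = (
        ("latency", s.latency_ms, profile.max_latency_ms),
        ("jitter", s.jitter_ms, profile.max_jitter_ms),
        ("packet loss", s.loss_pct, profile.max_loss_pct),
    )
    return [name for name, measured, limit in checks if measured > limit]


def select_path(profile: PathQualityProfile, tag_order: list[str],
                samples: list[LinkSample], current: str | None = None) -> str | None:
    """Keep the current link while it is within all thresholds; otherwise
    walk the link tags in the configured order and take the first link
    that qualifies. Links whose tag is not listed are never considered."""
    healthy = {s.interface for s in samples if not violations(profile, s)}
    if current in healthy:
        return current
    for tag in tag_order:
        for s in samples:
            if s.link_tag == tag and s.interface in healthy:
                return s.interface
    return None  # no link meets the profile; fallback behaviour is out of scope


if __name__ == "__main__":
    voice = PathQualityProfile(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
    links = [  # constructed measurements
        LinkSample("ethernet1/1", "Broadband", 40, 5, 2.5),
        LinkSample("ethernet1/2", "Broadband", 35, 4, 0.0),
        LinkSample("ethernet1/3", "LTE", 90, 20, 0.5),
    ]
    print(violations(voice, links[0]))
    print(select_path(voice, ["Broadband", "LTE"], links, current="ethernet1/1"))
```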