Use Case: Configure SaaS Monitoring for a Branch Firewall
Table of Contents
Expand all | Collapse all
-
- Create a Link Tag
- Configure an SD-WAN Interface Profile
- Configure a Physical Ethernet Interface for SD-WAN
- Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN
- Configure Layer 3 Subinterfaces for SD-WAN
- Configure a Virtual SD-WAN Interface
- Create a Default Route to the SD-WAN Interface
- Create a Path Quality Profile
-
- Create a SaaS Quality Profile
- Use Case: Configure SaaS Monitoring for a Branch Firewall
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination
- SD-WAN Traffic Distribution Profiles
- Create a Traffic Distribution Profile
- Create an Error Correction Profile
- Configure an SD-WAN Policy Rule
- Allow Direct Internet Access Traffic Failover to MPLS Link
- Configure DIA AnyPath
- Distribute Unmatched Sessions
- Configure HA Devices for SD-WAN
- Create a VPN Cluster
- Create a Full Mesh VPN Cluster with DDNS Service
- Create a Static Route for SD-WAN
Use Case: Configure SaaS Monitoring for a Branch Firewall
Configure SaaS monitoring for an SD-WAN branch firewall
with a Direct Internet Access (DIA) link to a business-critical
SaaS application.
If your organization is leveraging a business-critical
SaaS application at a branch firewall location, you can configure
a SaaS Quality profile and associate it with a SD-WAN policy rule
to monitor the latency, jitter, and packet loss health metrics of the
critical SaaS application and swap links from an SD-WAN branch firewall
to a SaaS application on a Direct Internet Access (DIA) link to
ensure application usability.
If the business-critical SaaS
application DIA link health metric thresholds are exceeded, the
link is swapped to the next DIA link configured in the Traffic Distribution
profile for all new sessions. The existing session on the degraded
DIA link is not swapped over to the next DIA link.
- Set up your SD-WAN deployment.
- Install the SD-WAN Plugin.Set Up Panorama and Firewalls for SD-WAN.Add SD-WAN Devices to Panorama.(High availability configurations only) Configure HA Devices for SD-WAN.Create a VPN Cluster.Create a Link Tag to group the SaaS application DIA links.Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings for each SaaS application DIA link based on the link type.Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link bundle. Creating a single Link Tag for multiple DIA links allows you to aggregate bandwidth between bundled links and allow the firewall to distribute sessions between multiple links.Configure an SD-WAN Interface profile to define the characteristics of your ISP connection and specify the speed of the DIA link, how frequently the branch firewall monitors the link, and select the Link Tag to specify to which link the SD-WAN Interface profile applies.If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag.If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that link tag applies the SD-WAN Interface profile settings to all DIA links in the bundle.Configure a physical Ethernet interface for each SaaS application DIA link.All physical Ethernet interfaces for DIA links must be Layer3.Configure a Virtual SD-WAN Interface that groups all physical Ethernet interfaces for the SaaS application DIA links into a single interface group.The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA location. The SD-WAN path health and Traffic Distribution profiles in the SD-WAN policy rule then determine which path to use and the order in which to consider new paths if a path health deteriorates.Create a Path Quality profile to configure the latency, jitter, and packet loss thresholds and sensitivity in order to specify when the branch firewall should swap to the next DIA link.Create a SaaS Quality profile to specify your SaaS application and the frequency the DIA link is monitored.Create a Traffic Distribution profile to specify the order the branch firewall swaps to DIA links in the event of link health degradation.Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and determine how the firewall selects the preferred link for the critical SaaS application traffic.In the Application tab, add the SaaS application you are monitoring to the SD-WAN policy rule to ensure the SaaS monitoring settings are applied only to the desired SaaS application.