Create an Error Correction profile to apply Forward Error Correction (FEC) or packet
duplication for applications specified in an SD-WAN policy rule.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| NGFW (Managed by PAN-OS or Panorama); NGFW (Managed by Strata Cloud Manager) | |
Forward error correction (FEC) is a method of correcting certain data transmission
errors that occur over noisy communication lines, thereby improving data reliability
without requiring retransmission. FEC is helpful for applications that are sensitive
to packet loss or corruption, such as audio, VoIP, and video conferencing. With FEC,
the receiving firewall can recover lost or corrupted packets by employing parity
bits that the sending encoder embeds in an application flow. Repairing the flow
avoids the need for SD-WAN data to fail over to another path or for
TCP to resend packets. FEC can also help with UDP applications by recovering the
lost or corrupt packets, since UDP does not retransmit packets.
SD-WAN FEC supports branch and hub firewalls acting as encoders and
decoders. The FEC mechanism has the encoder add redundant bits to a bitstream, and
the decoder uses that information to correct received data if necessary, before
sending it to the destination.
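To make the encoder/decoder split concrete, here is an added example in Python; it is not Palo Alto Networks code and not the firewall's actual FEC algorithm, which is unpublished. It assumes a toy interleaved-XOR parity scheme with fixed-size payloads: each block of 20 data packets is split into as many interleaved groups as there are parity packets, and one XOR parity packet is emitted per group, so a group can rebuild exactly one missing packet. The sample payloads are constructed to stand in for 20 ms G.711 RTP packets.

```python
# Added example (not Palo Alto Networks code): a toy encoder/decoder pair that
# shows what FEC adds on the wire and what the decoder can repair. Assumption:
# interleaved XOR parity over fixed-size payloads. PAN-OS does not publish its
# FEC code, so the recovery limits below are those of this toy scheme only.
from typing import Dict, List, Set, Tuple

DATA_PER_BLOCK = 20  # the profile's ratios are all expressed per 20 data packets


def _xor_into(acc: bytearray, payload: bytes) -> None:
    for i, b in enumerate(payload):
        acc[i] ^= b


def encode_block(payloads: List[bytes], parity_count: int) -> List[bytes]:
    """Encoder side: return the 20 data packets followed by `parity_count`
    parity packets. Parity j is the XOR of the data packets whose index
    satisfies index % parity_count == j, so each parity packet protects one
    interleaved group of 20 / parity_count data packets."""
    if len(payloads) != DATA_PER_BLOCK:
        raise ValueError("a block is exactly %d data packets" % DATA_PER_BLOCK)
    size = len(payloads[0])
    if any(len(p) != size for p in payloads):
        raise ValueError("toy scheme assumes fixed-size payloads")
    parity = []
    for j in range(parity_count):
        acc = bytearray(size)
        for idx in range(j, DATA_PER_BLOCK, parity_count):
            _xor_into(acc, payloads[idx])
        parity.append(bytes(acc))
    return payloads + parity


def decode_block(received: Dict[int, bytes], parity_count: int) -> Tuple[Dict[int, bytes], List[int]]:
    """Decoder side: `received` maps wire index -> payload for packets that
    arrived (0..19 are data, 20.. are parity). Data packets are passed on as
    they arrive; a group with exactly one missing packet and its parity present
    is repaired by XORing the parity with the rest of the group.
    Returns (data packets, indices that could not be rebuilt)."""
    data = {i: p for i, p in received.items() if i < DATA_PER_BLOCK}
    for j in range(parity_count):
        group = range(j, DATA_PER_BLOCK, parity_count)
        missing = [i for i in group if i not in data]
        parity_idx = DATA_PER_BLOCK + j
        if len(missing) == 1 and parity_idx in received:
            acc = bytearray(received[parity_idx])
            for i in group:
                if i != missing[0]:
                    _xor_into(acc, data[i])
            data[missing[0]] = bytes(acc)
    unrecoverable = [i for i in range(DATA_PER_BLOCK) if i not in data]
    return data, unrecoverable


def simulate(payloads: List[bytes], parity_count: int, dropped: Set[int]) -> Tuple[bool, List[int]]:
    """Send one block across a lossy path that drops the given wire indices.
    Returns (all data delivered intact, indices the decoder could not rebuild)."""
    wire = encode_block(payloads, parity_count)
    received = {i: p for i, p in enumerate(wire) if i not in dropped}
    data, lost = decode_block(received, parity_count)
    intact = not lost and all(data[i] == payloads[i] for i in range(DATA_PER_BLOCK))
    return intact, lost


# Constructed sample: twenty 160-byte payloads (the size of a 20 ms G.711 RTP payload).
SAMPLE = [bytes([i]) * 160 for i in range(DATA_PER_BLOCK)]

if __name__ == "__main__":
    print("10% (20:2), one loss:        ", simulate(SAMPLE, 2, {3}))
    print("10% (20:2), losses 3 and 5:  ", simulate(SAMPLE, 2, {3, 5}))   # same group: not rebuilt
    print("50% (20:10), losses 3 and 5: ", simulate(SAMPLE, 10, {3, 5}))  # separate groups: rebuilt
    print("10% (20:2), data and parity: ", simulate(SAMPLE, 2, {3, 21}))  # parity gone: not rebuilt
```

The wire for the 10% ratio carries 22 packets per 20 of data, which is where the bandwidth overhead quoted later on this page comes from. Note that losing a parity packet costs nothing on its own; it only matters when a data packet in the same group is also lost.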
SD-WAN also supports packet duplication as an alternative method of
error correction. Packet duplication performs a complete duplication of an
application session from one tunnel to a second tunnel. Packet duplication requires
more resources than FEC and should be used only for critical applications that have
low tolerance for dropped packets.
Modern applications that have their own embedded recovery mechanisms may not need
FEC or packet duplication. Apply FEC or packet duplication only to applications
that can really benefit from such a mechanism; otherwise, much additional
bandwidth and CPU overhead are introduced without any benefit. Neither FEC nor
packet duplication is helpful if your SD-WAN problem is
congestion.
Neither FEC nor packet duplication should be used on DIA links; they are only for VPN
tunnel links between branches and hubs.
FEC and packet duplication are supported only on SD-WAN-enabled
PAN-OS firewalls; they are not supported on Prisma Access hubs.
To configure FEC or packet duplication on the encoder (the side that initiates FEC or
packet duplication):
- Create an SD-WAN Interface Profile that specifies
Eligible for Error Correction Profile interface
selection and apply the profile to one or more interfaces.
- Create an Error Correction Profile to implement FEC or packet duplication.
- Apply the Error Correction Profile to an SD-WAN policy rule and
specify a single application to which the rule applies.
- Push the configuration to encoders. (The decoder [the receiving side] requires
no specific configuration for FEC or packet duplication; the mechanisms are
enabled by default on the decoder as long as the encoder initiates the error
correction.)
FEC and packet duplication support an MTU of 1,340 bytes. A packet larger than
that will not go through the FEC or packet duplication process.
PAN-OS & Panorama
In PAN-OS, create an Error Correction profile to apply Forward Error
Correction (FEC) or packet duplication for applications specified in an SD-WAN policy rule.
FEC and packet duplication functionality require Panorama to run PAN-OS 10.0.2 or a later release and SD-WAN plugin 2.0
or a later release that is compatible with the PAN-OS release. The
encoder and decoder must both be running PAN-OS 10.0.2 or a later
release. If one branch or hub is running an older software release than what is
required, traffic with an FEC or packet duplication header is dropped at that
firewall.
Beginning with PAN-OS 10.0.3, FEC and packet duplication are supported
in a full mesh topology, in addition to the hub-spoke topology already
supported.
Log in to the Panorama Web
Interface.
Define your ISP connections and link
types, where you select
Eligible for Error Correction
Profile interface selection to indicate that the firewall can
automatically use the interfaces (where the
SD-WAN Interface
Profile is applied) for error correction. Whether this option defaults to
selected or not depends on the
Link Type you select for
the profile.
You can have Eligible for Error Correction Profile interface
selection unchecked in a profile and apply the profile
to an expensive 5G LTE link, for example, so that costly error
correction is never performed on that link.
Configure a physical Ethernet interface for
SD-WAN and apply the
SD-WAN Interface Profile that you
created to an Ethernet interface.
Create an Error Correction Profile for FEC or packet duplication.
Select .
Add an Error Correction profile and enter a
descriptive
Name of up to 31 alphanumeric
characters; for example, EC_VOIP.
Select
Shared to make the Error Correction
profile available to all device groups on Panorama and to the default
vsys on a single-vsys hub or branch, or to vsys1 on a multi-vsys hub or
branch to which you push this configuration.
Specify the
Activate when packet loss exceeds
(%) setting—When packet loss exceeds this percentage,
FEC or packet duplication is activated for the configured applications
in the
SD-WAN policy rule where this Error Correction
profile is applied. Range is 1 to 99; the default is 2.
Select
Forward Error Correction or
Packet Duplication to indicate which error
correction method the firewall uses when an
SD-WAN policy
rule references this
Error Correction Profile; the
default is Forward Error Correction. If you select Packet Duplication,
SD-WAN selects an interface over which to send the
duplicate packets (one of the interfaces
you configured with
Eligible for Error Correction Profile
interface selection in the prior step).
(Forward Error Correction only) Select the
Packet Loss Correction Ratio:
10% (20:2),
20% (20:4),
30% (20:6),
40% (20:8), or
50% (20:10), the ratio of parity packets to data
packets; the default is 10% (20:2). The higher the ratio of parity packets
to data packets that the sending firewall (encoder) adds, the higher
the probability that the receiving firewall (decoder) can repair packet
loss. However, a higher ratio sends more redundant data and therefore
costs more bandwidth, which is the tradeoff for achieving error
correction. The parity ratio applies only to the encoding firewall's outgoing
traffic, so the two directions of a tunnel can use different ratios.
For example, if the hub firewall's profile uses 50% and the
branch firewall's profile uses 20%, the hub receives branch traffic
encoded at 20% and the branch receives hub traffic encoded at 50%.
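The tradeoff between ratio and recovery can be put into numbers before you commit a profile. The following is an added example, not Palo Alto Networks code: it models each ratio as an ideal erasure code that rebuilds a 20-packet block whenever no more than the parity count of its data-plus-parity packets is lost, with independent losses. That is an upper bound on what any FEC code can do; PAN-OS does not publish its FEC code, so use the output to compare ratios against a loss rate you have measured, not as a guarantee. The ratio labels are the profile's own; the function names and the 2% and 10% sample loss rates are assumptions for illustration.

```python
# Added example (not Palo Alto Networks code): a planning calculator for the
# Packet Loss Correction Ratio. Assumption: an ideal erasure code that rebuilds
# a block whenever at most `parity` of the data+parity packets are lost, with
# independent losses. Real codes can only do worse than this bound.
from math import comb
from typing import Dict, Optional, Tuple

# The five choices offered in the profile: label -> (data packets, parity packets).
CORRECTION_RATIOS: Dict[str, Tuple[int, int]] = {
    "10%": (20, 2),
    "20%": (20, 4),
    "30%": (20, 6),
    "40%": (20, 8),
    "50%": (20, 10),
}


def bandwidth_overhead(data: int, parity: int) -> float:
    """Extra bandwidth the encoder sends for this ratio, as a fraction of the data rate."""
    return parity / data


def block_recovery_probability(data: int, parity: int, loss_rate: float) -> float:
    """P(decoder rebuilds the whole block) when each of the data+parity packets
    is lost independently with probability `loss_rate`: the binomial tail
    P(losses <= parity) over n = data + parity packets."""
    n = data + parity
    return sum(comb(n, k) * loss_rate ** k * (1 - loss_rate) ** (n - k)
               for k in range(parity + 1))


def choose_ratio(loss_rate: float, target: float) -> Optional[str]:
    """Smallest-overhead ratio whose block recovery probability meets `target`
    at the given loss rate, or None if even 50% (20:10) cannot."""
    for label, (data, parity) in CORRECTION_RATIOS.items():  # dict order = ascending overhead
        if block_recovery_probability(data, parity, loss_rate) >= target:
            return label
    return None


def planning_table(loss_rate: float) -> Dict[str, Tuple[float, float]]:
    """label -> (bandwidth overhead, block recovery probability) for every ratio."""
    return {label: (bandwidth_overhead(d, p), block_recovery_probability(d, p, loss_rate))
            for label, (d, p) in CORRECTION_RATIOS.items()}


if __name__ == "__main__":
    # The profile's default activation threshold is 2% loss; a noisy tunnel might see 10%.
    for loss in (0.02, 0.10):
        print(f"loss {loss:.0%}:")
        for label, (ovh, prob) in planning_table(loss).items():
            print(f"  {label:>3} ratio  overhead {ovh:4.0%}  block recovered {prob:.4f}")
        print("  smallest ratio reaching 99%:", choose_ratio(loss, 0.99))
```

Two things the table makes visible that the ratio labels alone do not: at the default 2% activation threshold the 10% ratio already rebuilds about 99% of blocks under this model, so the larger ratios mostly buy bandwidth cost; and at 10% loss no ratio below 30% is worth much, which is the regime where the page's advice to check for congestion first applies, since FEC cannot fix a link that is dropping packets because it is full.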
Specify the
Recovery Duration (ms)—Maximum
number of milliseconds that the receiving firewall (decoder) can spend
performing packet recovery on lost data packets using the parity packets
it received (range is 1 to 5,000; default is 1,000). The firewall
immediately sends data packets it receives to the destination. During
the Recovery Duration, the decoder performs packet recovery for any lost
data packets. When the recovery duration expires, all the parity packets
are released. You configure the recovery duration in the Error
Correction Profile for the encoder, which sends the Recovery Duration
value to the decoder. A Recovery Duration setting on the decoder has no
impact.
Start by using the default Recovery Duration setting and adjust
it if necessary, based on your testing with normal and
intermittent brown-outs.
Click
OK.
Configure an SD-WAN policy
rule, reference the
Error Correction Profile
you created in the rule, and specify a critical application to which the rule
applies.
Specify only one application in the SD-WAN policy rule
when configuring FEC or packet duplication. You should not combine
multiple applications in a single policy rule for FEC or packet
duplication.
Commit, and then Commit and Push, your
configuration changes to the encoding firewalls (branches and hubs).
Strata Cloud Manager
In Strata Cloud Manager, create an Error Correction profile to apply Forward Error
Correction (FEC) or packet duplication for applications specified in an SD-WAN policy rule.
Log in to
Strata Cloud Manager.
Select and in the
Overview, select the branch
folder for which you want to create your
SD-WAN Link Management
profiles.
To make the Error Correction profile available to all SD-WAN
firewalls regardless of folder association, select All
Firewalls.
Create an Error Correction profile.
SD-WAN supports Forward Error Correction (FEC) to correct
certain data transmission errors that occur over noisy communication lines
to improve data reliability without requiring retransmission or Packet
Duplication to duplicate application sessions from one tunnel to another.
Select .
Add Profile.
Enter a descriptive
Name.
Specify the
Activation Threshold (Packet Loss %)
to set the packet loss percentage that must be exceeded before error
correction is activated.
Select the error correction
Mode.
Only a single error correction Mode can be
selected for an Error Correction profile.
(Forward Error Correction only) Select the
Packet Loss Correction Ratio to specify the ratio of parity
packets to data packets.
The higher the ratio of parity packets to data packets that the sending
firewall (encoder) sends, the higher the probability that the receiving
firewall (decoder) can repair packet loss. However, a higher ratio requires
more redundancy and therefore more bandwidth overhead, which is the
tradeoff for achieving error correction. The parity ratio applies to
the sending firewall's outgoing traffic, not to the traffic it receives.
Also specify the Recovery Duration (ms) to set
the maximum number of milliseconds that the receiving firewall (decoder) can
spend performing packet recovery on lost data packets using the
parity packets it received.
Save.