Implementing SD-WAN

SD-WAN (software-defined wide area network) is a set of software features with which interconnected secure networks and multiple WAN links can be more easily managed.

One of the functional approaches in SD-WAN is its ability to automatically and transparently choose the network links to take depending on the traffic and its associated performance constraints, such as accepted latency, availability rate, etc.

SMC allows this feature to be used on SNS firewalls from version 4.3.3 and upwards.

To implement SD-WAN on SMC, create SLA (Software Level Agreement) objects that establish these commitment criteria, then use them in router objects. Set link monitoring criteria as well in router objects.

Next, create filter rules with these router objects to set up policy-based routing (PBR).

EXAMPLE
Create filter rules to optimize the selection of links for VoIP traffic.

For more information about the SD-WAN feature on SNS firewalls, refer to the technical note SD-WAN - Selecting the best network access.

In SMC, specific criteria can be configured to determine whether a WAN link meets the quality level adapted to its type of traffic (VoIP, video, etc.).

SLA object

To do so, for each traffic type, set an SLA commitment based on one or several thresholds out of the criteria below:

  • Latency,

  • Jitter,

  • Packet loss rate,

  • Unavailability rate.

As soon as any threshold is exceeded, the firewall will select another WAN link with a suitable SLA status for the traffic in question.

This SLA commitment is set through an SLA object that you can use in several router objects.

For the definition of these four commitment criteria, refer to the Router section in the Stormshield Network User Configuration Manual.

To create a SLA object:

  1. Create an SLA object in the Objects menu,

  2. Configure the thresholds that must not be exceeded, for SMC to consider that a link meets the expected quality level and can be used by traffic. If any of its thresholds are exceeded, traffic will be directed to another gateway that meets the SLA commitment criteria.

Refer to the next section for information on how to use the SLA object in a router object.

SMC offers two SLA objects by default: Visio and SaaS/Productivity.

NOTE
SLA objects cannot be seen on SNS firewalls.

Monitoring options are available in router objects. These options make it possible to set the detection method and parameters to use to verify the availability of a router object’s gateways:

  • Detection method,

  • Expiry date,

  • Interval,

  • Failures before degradation.

To configure monitoring:

  1. Display a router object’s Monitoring tab,

  2. Configure its settings. To understand the settings, refer to the Router section in the Stormshield Network User Configuration Manual.

In the same Monitoring tab, you can associate an SLA object to set the thresholds that the gateways attached to the router object must meet.

These settings also apply to backup gateways defined in the object.

Monitoring tab in the router object

In the router monitoring panel, the status of connections and gateways associated with an SNS firewall can be monitored. For more information, refer to the section Monitoring router objects.

NOTE
If you modify a monitored router object or an SLA object, you must deploy the configuration again to refresh the monitored data.