Introduction to SonicWall SD-WAN (Software-Defined Wide Area Network)

02/06/2024 598 People found this article helpful 486,586 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

SD-WAN (Software-Defined Wide Area Network) is a technology that uses Software-defined networking (SDN) concepts to provide software-based control over wide area network connection. It enables distributed organizations to build, operate and manage high-performance networks using readily-available, low-cost public Internet services. An alternative to more expensive technologies such as MPLS, Secure SD-WAN allows retailers, banks, manufacturers and other organizations to connect sites spread over great distances for the purpose of sharing data, applications and services. Features such as intelligent Failover, load balancing help ensure more consistent performance and availability of critical business and SaaS applications.

SonicWall SD-WAN is supported only on SonicWall devices and not compatible with 3rd party VPN Solutions.

SonicOS SD-WAN offers these features:

• Application-aware routing
• Dynamic path selection based on Latency, jitter, and/or packet loss
• User-defined thresholds for quality assessment
• SD-WAN Interface Groups for WAN and VPN Numbered Tunnel Interface
• Path Performance Probes for metrics
• Connection-based traffic distribution
• Automatic connection Failover over VPN
• Provisioning and management (GMS and Capture Security Center)
• Zero-Touch Deployment firewall configuration 
• Centralized management and policy configuration 
• Analytics 

Elements of SD-WAN:

SD-WAN Groups

SD-WAN Groups are logical groups of interfaces that can be used for load-balancing as well as dynamic path selection based on the performance criterion through each interface path. You can create your own custom groups.

Constraints for SD-WAN Groups

• Group need to have at-least one member interface
• Groups cannot have mix of WAN, Numbered Tunnel interface and Unnumbered Tunnel Interface
• Groups cannot share member interfaces with other groups

Constraints for Member Interfaces

• Member interfaces can only be WAN, Numbered Tunnel Interface or Unnumbered Tunnel Interface
• Member interfaces cannot be Wire mode or L2 bridge interfaces
• Maximum member interfaces per group – 10

Performance Probes

SD-WAN Performance Probes are used to determine performance metrics such as latency, jitter, packet loss for a Network path. These are similar to Network Monitor Probes. SonicOS supports the ICMP and TCP probe types. A SD-WAN probe can be used by multiple Path Selection profiles.

Performance Class Objects

SD-WAN Performance Class Objects is used to configure the desired performance characteristics for the application/traffic categories. These objects are used in the Path Selection Profile to automate the selection of paths based on these metrics.

The default Performance Class Objects are:

• Lowest Jitter
• Lowest Latency
• Lowest Packet Loss

Custom class object can be configured with the thresholds that best meet the needs of your application/traffic categories with Performance Class Objects.

Path Selection Profiles

Path Selection Profiles (PSPs) are the settings that help to determine the network path that satisfies a specific network performance criteria, from a pool of available network paths. The dynamic path selection mechanism is implemented using the PSP settings when associated with Policy Based Routes (PBR). When more than one network path meets the criterion (as per the performance class in the PSP), then traffic is load balanced among the network paths. When associated with a policy-based routing policy, a path selection profile helps select the optimal path among the SD-WAN interfaces for the application/service.

SD-WAN Routing

Dynamic Path selection for specific traffic flows uses Policy Based Routes. A SD-WAN Policy Based Route is used to configure the route policy for the specific source/destination service/App combination, with a corresponding Path Selection Profile that determines the outgoing path dynamically based on the Path Selection Profile. If there is more than one path qualified by the Path Selection Profile, the traffic is automatically load balanced among the qualified paths. If none of the paths are qualified by the path selection profile and the backup interface in the profile is not configured or is down, the route is disabled.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

SD-WAN is supported on all SonicWall TZ series, SonicWall NSA series, SonicWall TZ GEN7 series and SonicWall SM 9000 series firewall from firmware version 6.5.3 onwards. 

• Add an SD-WAN group:
  
  
  

1. Navigate to Network|SD-WAN|Groups to add a SD-WAN group.
2. Enter a descriptive name in the Name field.
3. Select one or more interfaces from the Group Members Select here column. Member interface can only be WAN, Numbered Tunnel Interface or Unnumbered Tunnel Interface.
   NOTE: An interfaces cannot be a member of more than one SD-WAN group. 
   
   
4. Click the Right Arrow to move the selected interfaces to the In group column.
5. To change the priority of the selected group members:
   -Select the interface.
   -Click the Up Arrow or Down Arrow.
6. Repeat Step 5 for each interface to prioritize.
7. Click OK.

• Add a SD-WAN SLA/Performance Probe
  
  
   TIP: For VPN tunnel interface SD-WAN groups, internal, system-created performance class object are created automatically to probe the remote end point, and creating custom performance probes is not permitted.
  
  
  

1. Navigate to Network | SD-WAN |SLA Probes.
2. Click Add icon. The Add SD-WAN SLA/Performance Probe dialog displays.
3. Enter a meaningful name in the Name field.
4. Select a SD-WAN group from SD-WAN Group.
5. Select an address object from Probe Target.
6. From Probe Type, select: 
   
   • Ping (ICMP) - Explicit Route (default); go to Step 8.
   • TCP - Explicit Route; the Port field becomes available.
7. Enter the port number of the explicit route in the Port field.
8. Enter the interval between probes in the Probe every … seconds field. The minimum is 1 second, the maximum is 3600 seconds, and the default is 5 seconds.
   TIP:  The probe interval must be greater than the reply timeout.
   
   
9. Enter the maximum delay for a response in the Reply time out … seconds field. The minimum is 1 second, the maximum is 60 seconds, and the default is 1 second.
10. Enter the maximum number of missed intervals before the probe is set to the DOWN state in the Probe state is set to DOWN after … missed intervals field. The minimum number is 1, the maximum is 100, and the default is 3
11. Enter the maximum number of successful intervals before the probe is set to the UP state in the Probe state is set to UP after … successful intervals field. The minimum number is 1, the maximum is 100, and the default is 3.
12. If you selected TCP - Explicit Route for Probe Type, the RST Response Counts As Miss option becomes available. Select the option to count RST responses as missed intervals. This option is not selected by default.
13. Optionally, enter a comment in the Comment field.
14. Click ADD.
15. Repeat Step 3 through Step 14 to add more probes.
16. Click CLOSE.

• Add a SLA/Performance class object
  
  
  
  

1. Navigate to Network|SD-WAN | SLA Class Object.
2. Click Add icon. The Add SLA Class Object dialog displays.
3. Enter a meaningful name in the Name field.
4. Enter the acceptable latency, in milliseconds, in the Latency (ms) field. The minimum is 0 milliseconds, the maximum is 1000, and the default is 0.
5. Enter the acceptable jitter, in milliseconds, in the Jitter (ms) field. The minimum is 0 milliseconds, the maximum is 100milliseconds, and the default is 0 milliseconds.
6. Enter the acceptable percentage of packet loss in the Packet Loss (%)field. The minimum is 0, the maximum is 100, and the default is 0
7. Click OK.

• Add a Path Selection Profile
  
  
  
  

1. Navigate to Network | SD-WAN|Path Selection Profiles.
2. Click Add icon. The Add Path Selection Profile dialog displays.
3. Add a meaningful name in the Name field.
4. From SD-WAN Group, select the group to which the profile applies.
5. From SLA probe, select the probe to use in the profile.
6. From SLA Class, select the Performance Class Object for the dynamic selection of the optimal network path:
   1. Lowest Latency
   2. Lowest Jitter 
   3. Lowest Packet Loss 
   4. Custom Performance Class Object
7. From Backup Interface, select the interface to use when any interface does not meet the performance criterion (as per the Performance class; that is, when all the SD-WAN Group members fail to meet the performance criteria or all the interfaces are down):
   • None (default)
   • Individual interface
   • Drop_TunnelIf
8. To specify whether the default state of the SLA probe should be treated as Up, select SLA Probe default state is UP. If this option is not selected, the performance probe is treated as DOWN. This option is selected by default.
9. For path selection profiles with Non-VPN SD-WAN groups, if existing connections on the path should be rest when the path does not meet the performance criteria anymore,  select Reset conditions if path does not meet the performance criteria. This option is not selected by default.
10. Click ADD.
11. To add more Path Selection Profiles, repeat Step 3 through Step 10 for each additional profile.
12. Click CLOSE.

• Add a SD-WAN route Policy
  
   
  

1. Navigate to Network |SD-WAN|Rules.
2. Click the Add icon. The Add SD-WAN Rule dialog displays. 
3. Configure the options as you would for a regular route.
   
   NOTE: The Interface and Disable route when the interface is disconnected options are dimmed because these options cannot be edited in SD-WAN policies. The Interface option is populated with the SD-WAN group name in the associated Path Selection Profile (PSP) and cannot be changed. The interface for the SD-WAN route is selected from the SD-WAN group that is part of the PSP associated with the SD-WAN route and, therefore, cannot be configured. 
   
   
4. Click OK.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

SD-WAN is support on all SonicWall TZ Series, SonicWall NSA Series, NSa Series and  SonicWall SM 9000 Series firewalls from firmware version 6.5.3 onwards

• Add an SD-WAN group
  

1. Navigate to MANAGE I System Setup |SD-WAN | SD-WAN Groups.
2. Click  Add icon. The Add SD-WAN Group dialog displays.
3. Enter a descriptive name in the Name field.
4. Select one or more interfaces from the Group Members Select here column. Member interface can only be WAN, Numbered Tunnel Interface or Unnumbered Tunnel Interface.

   NOTE: An interfaces cannot be a member of more than one SD-WAN group. 

5. Click the Right Arrow to move the selected interfaces to the Selected Interface Ordering column.
6. To change the priority of the selected group members:
   • Select the interface.
   • Click the Up Arrow or Down Arrow.
7. Repeat Step 6 for each interface to prioritize.
8. Click OK.

• Add a Performance Probe
  
  TIP: For VPN tunnel interface SD-WAN groups, internal, system-created performance probes are created automatically to probe the remote end point, and creating custom performance probes is not permitted.
  
  

1. Navigate to MANAGE I System Setup | SD-WAN |Performance Probes.
2. Click Add icon. The Add SD-WAN Performance Probe dialog displays.
3. Enter a meaningful name in the Name field.
4. Select a SD-WAN group from SD-WAN Group.
5. Select an address object from Probe Target.
6. From Probe Type, select:
   • Ping (ICMP) - Explicit Route (default); go to Step 8.
   • TCP - Explicit Route; the Port field becomes available.
7. Enter the port number of the explicit route in the Port field.
8. Enter the interval between probes in the Probe every … seconds field. The minimum is 1 second, the maximum is 3600 seconds, and the default is 5 seconds.

   TIP: The probe interval must be greater than the reply timeout. 

9. Enter the maximum delay for a response in the Reply time out … seconds field. The minimum is 1 second, the maximum is 60 seconds, and the default is 1 second.
10. Enter the maximum number of missed intervals before the probe is set to the DOWN state in the Probe state is set to DOWN after … missed intervals field. The minimum number is 1, the maximum is 100, and the default is 3
11. Enter the maximum number of successful intervals before the probe is set to the UP state in the Probe state is set to UP after … successful intervals field. The minimum number is 1, the maximum is 100, and the default is 3.
12. If you selected TCP - Explicit Route for Probe Type, the RST Response Counts As Miss option becomes available. Select the option to count RST responses as missed intervals. This option is not selected by default.
13. Optionally, enter a comment in the Comment field.
14. Click ADD.
15. Repeat Step 3 through Step 14 to add more probes.
16. Click CLOSE.

• Add a Performance Class Object
  

1.  Navigate to MANAGE I System Setup | SD-WAN | Performance Class Object.
2. Click Add icon. The Add Performance Class Object dialog displays.
3. Enter a meaningful name in the Name field.
4. Enter the acceptable latency, in milliseconds, in the Latency (ms) field. The minimum is 0 milliseconds, the maximum is 1000, and the default is 0.
5. Enter the acceptable jitter, in milliseconds, in the Jitter (ms) field. The minimum is 0 milliseconds, the maximum is 100 milliseconds, and the default is 0 milliseconds.
6. Enter the acceptable percentage of packet loss in the Packet Loss (%) field. The minimum is 0, the maximum is 100, and the default is 0.

   TIP: On firmware version 6.5.4.5 there is an option to exclude any unneeded attribute e.g. Latency, Jitter, Packet Loss .

7. Optionally, enter a comment in the Comment field.
8. Click OK.

• Add a Path Selection Profile
  

1. Navigate to MANAGE I System Setup | SD-WAN|Path Selection Profiles.
2. Click Add icon. The Add Path Selection Profile dialog displays.
3. Add a meaningful name in the Name field.
4. From SD-WAN Group, select the group to which the profile applies.
5. From Performance Probe, select the probe to use in the profile.
6. From Performance Class, select the Performance Class Object for the dynamic selection of the optimal network path:
   1. Lowest Latency
   2. Lowest Jitter 
   3. Lowest Packet Loss 
   4. Custom Performance Class Object
7. From Backup Interface, select the interface to use when any interface does not meet the performance criterion (as per the Performance class; that is, when all the SD-WAN Group members fail to meet the performance criteria or all the interfaces are down):
   • None (default)
   • Individual interface
   • Drop_TunnelIf
8. To specify whether the default state of the performance probe should be treated as Up, select Performance Probe default state is UP. If this option is not selected, the performance probe is treated as DOWN. This option is selected by default.
9. For path selection profiles with Non-VPN SD-WAN groups, if existing connections on the path should be rest when the path does not meet the performance criteria anymore,  select Reset conditions if path does not meet the performance criteria. This option is not selected by default.
10. Click ADD.
11. To add more Path Selection Profiles, repeat Step 3 through Step 10 for each additional profile.
12. Click CLOSE.

• Add a SD-WAN route policy
  

1. Navigate to MANAGE I System Setup > SD-WAN > SD-WAN Routing.
2. Click the Add icon. The Add SD-WAN Route Policy dialog displays. 
3. Configure the options as you would for a regular route.

   NOTE: The Interface and Disable route when the interface is disconnected options are dimmed because these options cannot be edited in SD-WAN policies. The Interface option is populated with the SD-WAN group name in the associated Path Selection Profile (PSP) and cannot be changed. The interface for the SD-WAN route is selected from the SD-WAN group that is part of the PSP associated with the SD-WAN route and, therefore, cannot be configured. 

4. Click OK.

Related Articles

• How to block Hotspot Shield proxy/VPN using Advanced Application Control
• DC Security Logs with Advanced Auditing
• How to configure numbered VPN tunnel

Categories

• Firewalls > NSa Series > SD-WAN
• Firewalls > SonicWall NSA Series > SD-WAN