Owner's Manual for SONICWALL models including: SonicOS 8 TZ80 Switch, SonicOS 8, TZ80 Switch, Switch
SonicOS 8 SD-WAN Administration Guide

Contents

About SonicOS
  Working with SonicOS
  SonicOS Workflow
  How to Use the SonicOS Administration Guides
  Guide Conventions
About SD-WAN
SD-WAN Groups
  About SD-WAN Groups
  Configuring SD-WAN Groups
    Creating an SD-WAN Group
    Editing an SD-WAN Group
    Deleting an SD-WAN Group
    Deleting Multiple SD-WAN Groups
SLA Probes
  About SLA Probes
  Configuring SLA Probes
    Adding SD-WAN SLA Probes
    Editing an SD-WAN SLA Probe
    Deleting an SD-WAN SLA Probe
    Deleting Multiple SD-WAN SLA Probes
SLA Class Objects
  About SLA Class Objects
  Configuring SD-WAN SLA Class Objects
    Adding an SD-WAN SLA Class Object
    Editing an SD-WAN SLA Class Object
    Deleting an SD-WAN SLA Class Object
    Deleting All Custom SLA Class Objects
Path Selection Profiles
  About Path Selection Profiles
  Configuring Path Selection Profiles
    Adding Path Selection Profile
    Editing a Path Selection Profile
    Deleting a Path Selection Profile
    Deleting Multiple Path Selection Profiles
SD-WAN Rules
  About SD-WAN Rules
  Configuring SD-WAN Rules
    Adding SD-WAN Rules
    Editing SD-WAN Rules
    Deleting SD-WAN Rule
    Deleting Multiple SD-WAN Rules
Monitoring SD-WAN
Viewing SD-WAN Rules Connections
SonicWall Support
About This Document

1 About SonicOS

This guide is a part of the SonicOS collection of administrative guides that describe how to administer and monitor the SonicWall family of firewalls. SonicOS provides network administrators with the management interface, API (Application Program Interface), and Command Line Interface (CLI) for firewall configuration. You can configure and manage your firewall by setting objects to secure and protect the network services, manage traffic, and provide the desired level of network service.
This guide focuses on how to configure SD-WAN groups, SLA Probes, SLA Class Objects, Path Selection Profiles, and Rules on the SonicWall security appliances.

Topics:
• Working with SonicOS
• SonicOS Workflow
• How to Use the SonicOS Administration Guides
• Guide Conventions

Working with SonicOS

SonicOS provides a web management interface for configuring, managing, and monitoring the features, policies, security services, connected devices, and outside threats to your network. SonicOS functions in conjunction with SonicCore, SonicWall's secure underlying operating system.

The SonicOS management interface facilitates:
• Setting up and configuring your firewall
• Configuring external devices such as access points or switches
• Configuring networks and external system options that connect to your firewall
• Defining objects and policies for protection
• Monitoring the health and status of the security appliance, network, users, and connections
• Monitoring traffic, users, and threats
• Investigating events

SonicWall offers different modes of operation in SonicOS; the modes differ mainly in the areas of policy, object configuration, and diagnostics.
• Classic Mode is more consistent with earlier releases of SonicOS, in that you need to develop individual policies and actions for specific security services. Classic Mode has a redesigned interface.

The following table identifies which of these modes can be used on various SonicWall firewalls:

Firewall Type: TZ Series
Classic Mode: yes
Comments: The entry level TZ Series, also known as desktop firewalls, delivers revamped features such as 5G readiness, better connectivity options, improved threat protection, SSL and decryption performance that addresses HTTPS bandwidth issues, built-in SD-WAN, and lawful TLS 1.3 decryption support. It provides advanced networking and security features, like the multi-engine Capture Advanced Threat Protection (ATP) cloud-based sandbox service with patent-pending Real-Time Deep Memory Inspection (RTDMI™).

In addition to the management interface, SonicOS also has a full-featured API and a command-line interface (CLI) to manage the firewalls.

SonicOS Workflow

When working with SonicWall products, you can use the following workflow as a guide for setting up your security solution.

You begin your planning as you start making your purchasing decisions. Your sales partners can help you assess your network and make recommendations based on the kinds of security services you need. You can learn more about SonicWall products by reviewing product information and solutions. After selecting the solution, you can schedule your implementation.

After planning and scheduling your solution, you begin setting up the firewalls. The Getting Started Guides for your products can help you begin setting up the pieces to your solution. The getting started guides are designed to help you install the firewall to a minimal level of operation. Before performing any detailed configuration tasks described in the SonicOS Administration Guides, you should have your firewall set up and basic operation validated.

The configuration block of the workflow refers to the many tasks that combine to define how your firewall is integrated into your security solution and how it behaves when protecting your environment. Depending on the features of your security solution, this task can be quite complex. The System Administration Guides are broken into the key command sets and features. Some documents may be used for all solutions, but others may be used only if you integrated that feature into your solution. For example, High Availability or Wireless Access Points are not necessarily used by all customers.
More information about a feature's workflow is presented in the feature administration guide. Refer to the specific Administration Guide for a SonicOS feature for more information.

Configuration tends to be a one-time activity, although you might make minor adjustments after monitoring performance or after diagnosing an issue. The configuration activity can be broken down into the more detailed flow as the following figure shows. This also mirrors the key functions that are listed across the top of the management interface.

There is some flexibility in the order in which you do things, but this is the general workflow you would follow when configuring your firewall. Start by defining the settings on the firewall. Next you set up the system and other devices that your firewall is connected to, and you can choose to implement High Availability when done. After your device, network, and system are configured, you should define the objects that you want to monitor. Then you use those objects to define the policies that protect your network. The final step to preparing your setup is to validate the user authentication.

How to Use the SonicOS Administration Guides

The SonicOS Administration Guide is a collection of guides that detail the features represented by each of the main menu items in the management interface. Within each guide, you can find topics covering commands in that menu group, along with procedures and in-depth information. The exceptions are the SonicOS 8 Monitor Guide and the SonicOS 8 Objects Guide, which combine the topics for each of those functions into a single book.

To help you understand how the books align with the features and commands, the following figure shows the books organized like the SonicOS management interface.

The SonicOS Administration Guides, along with related documentation, such as the getting started guides, are available on the Technical Documentation portal.
Guide Conventions

These text conventions are used in this guide:

NOTE: A NOTE icon indicates supporting information.
IMPORTANT: An IMPORTANT icon indicates supporting information.
TIP: A TIP icon indicates helpful information.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

Convention: Description

Bold text: Used in procedures to identify elements in the management interface like dialog boxes, windows, screen names, messages, and buttons. Also used for file names and text or values you are being instructed to select or type into the interface.

Function | Menu group > Menu item: Indicates a multiple step menu choice on the user interface. For example, NETWORK | System > Interfaces means to select the NETWORK functions at the top of the window, then click on System in the left navigation menu to open the menu group (if needed) and select Interfaces to display the page.

Code: Indicates sample computer programming code. If bold, it represents text to be typed in the command line interface.

<Variable>: Represents a variable name. The variable name and angle brackets need to be replaced with an actual value. For example in the segment serialnumber=<your serial number>, replace the variable and brackets with the serial number from your device, such as serialnumber=2CB8ED000004.

Italics: Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence, such as the first instance of a significant term or concept.

2 About SD-WAN

SD-WAN (Software-Defined Wide Area Network) provides software-based control over wide area network (WAN) connections.
SonicOS SD-WAN offers these features:
• SD-WAN Interface Groups
• WAN and VPN
• Scalable from one to N interfaces
• Dynamic path selection based on:
  • Pre-defined Lowest Latency, jitter, or packet loss
  • User-defined thresholds based on any combination of 1 or more of latency, jitter, or packet loss criteria
• Application-aware routing
• Path SLA (Service-Level Agreement) Probes for metrics
• Connection-based traffic distribution
• Automatic connection failover over VPN
• Local or Centralized management via GMS or Network Security Manager.

SD-WAN is best used for specific traffic types and/or applications requiring dynamically chosen optimal destination interfaces depending on how the network paths are behaving. To operate well, each application has a certain requirement from the network path. For example, the network quality for VoIP to operate well requires the optimal latency be 100 ms or less while a latency of 150 ms or higher results in choppy calls. SD-WAN helps in such scenarios by first dynamically measuring the various network SLA metrics, such as latency, jitter and packet loss on multiple network paths. SD-WAN then compares these metrics with the SLA threshold for a particular traffic flow and determines the optimal network that meets the flow's network quality accordingly.

3 SD-WAN Groups

Topics:
• About SD-WAN Groups
• Configuring SD-WAN Groups

About SD-WAN Groups

SD-WAN supports physical and Virtual WAN (VLAN) interface types as well as VPN Numbered and UnNumbered Tunnel Interface instances, all choices provided while creating an SD-WAN group. SD-WAN Groups are logical groups of interfaces that can be used for load-balancing as well as dynamic path selection based on the SLA criterion through each interface path.

The SD-WAN Groups page displays the custom pool of interfaces used for optimized and resilient traffic flow.

Name: Name of the SD-WAN group.
Zone: The zone of the interface member:
  • WAN
  • VPN
IP Address: IP address of physical, virtual (VLAN) interfaces or Numbered Tunnel Interfaces. Un-Numbered will be 0.0.0.0.
Link Status: Indicates whether the link is:
  • Link Up (green)
  • Link Down (red)
Priority: Priority of the interface in the group.

Configuring SD-WAN Groups

Topics:
• Creating an SD-WAN Group
• Editing an SD-WAN Group
• Deleting an SD-WAN Group
• Deleting Multiple SD-WAN Groups

Creating an SD-WAN Group

You can create multiple SD-WAN Groups to meet your requirements.

To add an SD-WAN group:
1. Navigate to Network | SDWAN > Groups.
2. Click the Add icon. The Add SD-WAN Group dialog displays.
3. Enter a descriptive name in the Name field.
4. Select one or more interfaces from the Not in Group list. Member interfaces available to select include Physical WAN, virtual (VLAN) WAN, numbered tunnel (VPN) interfaces and VPN policies for unnumbered tunnel interfaces.
   IMPORTANT: An interface cannot be a member of more than one SD-WAN group.
   IMPORTANT: The maximum number of interfaces that can be added in an SD-WAN group is 10.
5. Click the Right Arrow to move the selected interfaces to the In Group column.
6. To change the priority of the selected group members:
   a. Select the interface.
   b. Click the Up Arrow or Down Arrow.
   NOTE: If you use a VPN tunnel interface for SD-WAN configuration, keep the priority of the tunnel interface the same on both firewalls.
7. Repeat Step 6 for each interface to prioritize.
8. Click Add. If the group is created, a confirmation message is displayed.
9. Click Close.

Editing an SD-WAN Group

To edit an SonicOS group:
1. Navigate to Network | SDWAN > Groups.
2. Hover over an SD-WAN group, click the Edit icon of the group to edit. The Edit this entry is displayed.
3. Make required changes as described in Creating an SD-WAN Group.
4. Click Save.
Deleting an SD-WAN Group

To delete an SD-WAN group:
1. Navigate to Network | SDWAN > Groups.
2. Hover over an SD-WAN group, click the Delete icon.
3. Click Confirm. The message confirming the deletion of SD-WAN group is displayed.

Deleting Multiple SD-WAN Groups

To delete SD-WAN groups:
1. Navigate to Network | SDWAN > Groups.
2. Hover over an SD-WAN group, click the Delete All icon.
3. Click Confirm. The message confirming the deletion of all SD-WAN group is displayed.

4 SLA Probes

Topics:
• About SLA Probes
• Configuring SLA Probes

About SLA Probes

Network path performance metrics are determined using SD-WAN SLA probes, which are similar to Network Monitor Probes. SonicOS supports ICMP and TCP probe types. An SD-WAN SLA probe can be used by multiple Path Selection Profiles. For further information, see About Path Selection Profiles.

The Network | SD-WAN > SLA Probes page shows the dynamic performance data (latency/jitter/packet loss) and probe status for each path (interface) in the SD-WAN group, in both tabular and graphic displays. The display can show data for the last minute (default), last day, last week, or last month.

#: Number of the probe. The Collapse/Expand icon toggles the display of the graphs.
NAME: Name of the SD-WAN SLA probe.
SD-WAN GROUP: Name of the SD-WAN group associated with the SD-WAN SLA probe.
PROBE TARGET NAME: Target address object of the SD-WAN SLA probe.
  NOTE: This field is empty for VPN based interfaces.
PROBE TYPE: Type of SLA probe:
  • Ping - Explicit Route
  • TCP - Explicit Route
  NOTE: When "TCP-Explicit Route" is selected, both Port field and "RST Response Counts As Miss" become available.
PORT: Port for the SD-WAN SLA probe. The minimum/maximum values are 1 to 65535.
  NOTE: Ports are displayed only for TCP - Explicit Route probe types. A hyphen (-) displays for Ping - Explicit Route probe types.
INTERVAL (S): Time between SD-WAN SLA probes, in seconds.
LATENCY (MS): Round trip delay for the probes sent through a particular path/interface to reach the probe target and acknowledge back, in milliseconds. This is also displayed as a graph below the probe's entry in the SLA Probe table.
JITTER (MS): Variation in the latency measurements for the probes through a particular path/interface, in milliseconds. This is also displayed as a graph below the probe's entry in the SLA Probe table.
PACKET LOSS (%): Percentage of probes that are missed of the probes sent through a particular path/interface. This is also displayed as a graph below the probe's entry in the SLA Probe table.
ADDITIONAL INFO: When you hover over the icon, you can view the data for the following: Response timeout, Success Threshold, Failure Threshold, & RST in Failure.
COMMENTS: Displays the comment entered when the SLA probe was configured.

Configuring SLA Probes

Topics:
• Adding SD-WAN SLA Probes
• Editing an SD-WAN SLA Probe
• Deleting an SD-WAN SLA Probe
• Deleting Multiple SD-WAN SLA Probes

Adding SD-WAN SLA Probes

IMPORTANT: A SLA Probe is created automatically for an SD-WAN Group containing a VPN numbered tunnel interface/unnumbered tunnel interface. You do not need to create an additional SLA probe.

To add a SLA probe for non-VPN SD-WAN Groups:
1. Navigate to Network | SDWAN > SLA Probes.
2. Click the Add icon. The Add SD-WAN SLA Probe dialog is displayed.
3. Enter a meaningful name in the Name field.
4. Select an SD-WAN group from SD-WAN Group drop-down menu.
5. Select an address object from Probe Target.
6. From Probe Type, select:
   • Ping (ICMP) - Explicit Route (default); go to Step 8.
   • TCP - Explicit Route; the Port field becomes available.
7. Enter the port number of the explicit route in the Port field.
8. Enter the interval between probes in the Probe hosts every field. The minimum is 1 second, the maximum is 3600 seconds, and the default is 3 seconds.
   TIP: The probe interval must be greater than the reply timeout.
9. Enter the maximum delay for a response in the Reply time out ... seconds field. The minimum is 1 second, the maximum is 60 seconds, and the default is 1 second.
10. Enter the maximum number of missed intervals before the SLA probe is set to the DOWN state in the Probe state is set to DOWN after ... missed intervals field. The minimum number is 1, the maximum is 100, and the default is 3.
11. Enter the maximum number of successful intervals before the SLA probe is set to the UP state in the Probe state is set to UP after ... successful intervals field. The minimum number is 1, the maximum is 100, and the default is 1.
12. If you selected TCP - Explicit Route for Probe Type, the RST Response Counts As Miss option becomes available. Select the option to count RST responses as missed intervals. This option is not selected by default.
13. Optionally, enter a comment in the Comment field.
14. Click Add. A confirmation message is displayed.

Editing an SD-WAN SLA Probe

To edit an SD-WAN SLA probe:
1. Navigate to Network | SDWAN > SLA Probes.
2. Hover over the SD-WAN SLA probe and click the Edit icon that appears.
3. The Edit SD-WAN SLA Probe dialog displays.
4. Make changes as described in Adding SD-WAN SLA Probes.
5. Click Save.

Deleting an SD-WAN SLA Probe

To delete an SD-WAN SLA probe:
1. Navigate to Network | SD-WAN > SLA Probes.
2. Hover over the SD-WAN SLA probe and click the Delete icon that appears. A confirmation message is displayed.
3. Click Confirm.

Deleting Multiple SD-WAN SLA Probes

To delete multiple SD-WAN SLA probes:
1. Navigate to Network | SDWAN > SLA Probes.
2. Click the Delete All icon at the top of the SD-WAN SLA Probe table.
   A confirmation message is displayed.
3. Click Confirm.

5 SLA Class Objects

Topics:
• About SLA Class Objects
• Adding an SD-WAN SLA Class Object

About SLA Class Objects

A SLA Class specifies the SLA criterion for selecting the optimal path. It could be the:
• Best latency/jitter/packet loss among the existing paths.
• SLA Class Object that defines the metric thresholds for any combination of latency, jitter and packet loss.

You use SD-WAN SLA Class Objects to configure the desired SLA characteristics for the application/traffic categories. These objects are used in the Path Selection Profile to automate the selection of paths based on these metrics.

These are the default SLA Class Objects:
• Lowest Jitter
• Lowest Latency
• Lowest Packet Loss

NOTE: These default SLA Class Objects cannot be edited or deleted.

You can configure custom SLA thresholds that best meet the needs of your application/traffic categories with custom SLA Class Objects. You can include or exclude the Latency, Jitter, or Packet Loss attributes in your custom object, although you cannot exclude all three attributes in the same object. When excluded, the value of that attribute is not used as a criterion or threshold when determining whether a particular path is qualified or not. For example, if you want to evaluate a particular path only on the Latency attribute but you don't care about the other attributes, you can include Latency and exclude Jitter and Packet Loss in your custom object.

NAME: Name of the SLA Class Object
LATENCY (MS): Threshold time for the round trip delay for the probes sent through a particular path/interface to reach the probe target and acknowledge back, in milliseconds. For the Lowest Latency SLA Class Object, the time is always LOWEST; for the other default SLA Class Objects, a hyphen (-) displays.
JITTER (MS): Threshold variation in the latency measurements for the probes through a particular path/interface, in milliseconds. For the Lowest Jitter SLA Class Object, the time is always LOWEST; for the other default SLA Class Objects, a hyphen (-) displays.
LOSS (%): Threshold percentage of probes that are missed of the probes sent through a particular path/interface. For the Lowest Packet Loss SLA Class Object, the percentage is always LOWEST; for the other default SLA Class Objects, a hyphen (-) displays.
COMMENT: Displays the comment entered when the SLA Class Object was configured.

Configuring SD-WAN SLA Class Objects

Topics:
• Adding an SD-WAN SLA Class Object
• Editing an SD-WAN SLA Class Object
• Deleting an SD-WAN SLA Class Object
• Deleting All Custom SLA Class Objects

Adding an SD-WAN SLA Class Object

To add a SLA Class Object:
1. Navigate to Network | SDWAN > SLA Class Objects.
2. Click the Add icon. The Add SLA Class Object dialog appears.
3. Enter a meaningful name in the Name field.
4. Enable Include Latency to include the SLA class latency attribute for this object, or disable it to exclude the latency attribute. This option is selected by default.
5. If Include Latency is enabled, enter the acceptable latency, in milliseconds, in the Latency (ms) field. The minimum is 0 milliseconds, the maximum is 1000 milliseconds, and the default is 0 milliseconds.
6. Enable Include Jitter to include the SLA class jitter attribute for this object, or disable it to exclude the jitter attribute. This option is selected by default.
7. If Include Jitter is enabled, enter the acceptable jitter, in milliseconds, in the Jitter (ms) field. The minimum is 0 milliseconds, the maximum is 1000 milliseconds, and the default is 0 milliseconds.
8. Enable Include Loss to include the SLA class packet loss attribute for this object, or disable it to exclude the packet loss attribute. This option is selected by default.
9. If Include Loss is enabled, enter the acceptable percentage of packet loss in the Loss (%) field. The minimum is 0, the maximum is 100, and the default is 0.
   NOTE:
   1. You cannot exclude all three attributes (Latency, Jitter, Packet Loss) in the same object.
   2. You can view the SLA Probe section to see what you are getting on each link to determine practical thresholds.
10. Optionally, enter a comment in the Comment field.
11. Click OK.

Editing an SD-WAN SLA Class Object

To edit an SD-WAN SLA class object:
1. Navigate to Network | SDWAN > SLA Class Objects.
2. Hover over a SLA class object, click the Edit icon. The Edit SLA Class Object dialog appears. Make required changes as described in Adding an SD-WAN SLA Class Object.
3. Click OK.

Deleting an SD-WAN SLA Class Object

To delete an SD-WAN SLA Class Object:
1. Navigate to Network | SDWAN > SLA Class Objects.
2. Hover over an object and click the Delete icon.
3. Click Confirm in the confirmation prompt that is displayed.

Deleting All Custom SLA Class Objects

To delete multiple SD-WAN SLA Class Objects:
1. Navigate to Network | SDWAN > SLA Class Objects.
2. To delete all the Custom SLA Class Objects, click the Delete All icon at the top of the SLA Class Object table. A confirmation message is displayed.
3. Click Confirm.

6 Path Selection Profiles

Topics:
• About Path Selection Profiles
• Configuring Path Selection Profiles

About Path Selection Profiles

Path Selection Profiles (PSPs) determine the network paths or interfaces that satisfy a specific network SLA criteria from a pool (SD-WAN Group) of available network paths/interfaces. The dynamic path selection mechanism is implemented using the PSP settings when associated with Policy-based Routes (PBR).
When more than one network path meets the criterion (as per the SLA class in the PSP), then traffic is load balanced among the qualified network paths/interfaces. When associated with a policy-based routing policy or SD-WAN Rule, a Path Selection Profile helps select the optimal path among the SD-WAN interfaces for the application/service.

Name: Name of the Path Selection Profile.
SD-WAN Group: SD-WAN interface group to which the profile applies.
Interface Status: Status of the members of the SD-WAN interface group:
  • Qualified (green)
  • Not Qualified (red)
SLA Probe: SLA Probe used by the Path Selection Profile.
SLA Class Object: SLA Class Object used by the Path Selection Profile:
  • Lowest Latency
  • Lowest Jitter
  • Lowest Packet Loss
  • Custom SLA Class Object
Backup Interface: Indicates the interface chosen when none of the SD-WAN group interfaces meet the performance criteria. If a backup interface was not chosen, None displays.
Probe Default UP: Indicates whether the default state of the SLA probe is:
  • UP (Checkmark icon)
  • DOWN (Crossmark icon)

Configuring Path Selection Profiles

Topics:
• Adding Path Selection Profile
• Editing a Path Selection Profile
• Deleting a Path Selection Profile
• Deleting Multiple Path Selection Profiles

Adding Path Selection Profile

To add a Path Selection Profile:
1. Navigate to Network | SDWAN > Path Selection Profiles.
2. Click the Add icon above the table. The Add SD-WAN Path Selection Profile dialog is displayed.
3. Add a meaningful name in the Name field.
4. From SD-WAN Group, select the SD-WAN interface group to which the profile applies. You have an option to create a new SD-WAN group from this dialog and then select the newly created group.
5. From SLA Probe, select the probe to use in the profile. A probe, if added for the SD-WAN group you selected, is displayed by default.
   Otherwise, select the appropriate probe.
6. From SLA Class Object, select the SLA Class Object for the dynamic selection of the optimal network path:
   • Lowest Latency
   • Lowest Jitter
   • Lowest Packet Loss
   • Custom SLA Class Object
   You have an option to create a New SLA Class Object from the drop-down menu.
7. From Backup Interface, select the most optimum interface to use when all the SD-WAN Group interfaces fail to meet the SLA criteria specified in SLA Class:
   • None (default)
   • Individual interface
   • VPN Tunnel Interface (if any)
   NOTE: If you select a VPN Tunnel Interface as the backup interface, the same tunnel interface should be set as the Backup Interface on both firewalls.
8. To specify whether the default state of the SLA probe should be treated as DOWN, disable SLA Probe default state is UP. This option is enabled by default and is treated as UP.
9. For path selection profiles with Non-VPN SD-WAN groups, if existing connections on the path should be reset when the path does not meet the performance criteria any more, select Reset conditions if path does not meet the performance criteria. This option is disabled by default.
10. Click Save. A confirmation message is displayed.

Editing a Path Selection Profile

To edit a Path Selection Profile:
1. Navigate to Network | SDWAN > Path Selection Profiles.
2. Hover over a path selection profile, click the Edit icon. The Edit SD-WAN Path Selection Profile dialog is displayed.
3. Make changes as described in Adding Path Selection Profile.
4. Click Save.

Deleting a Path Selection Profile

To delete an SD-WAN Path Selection Profile:
1. Navigate to Network | SDWAN > Path Selection Profiles.
2. Hover over a path selection profile, click the Delete icon.
3. Click OK to confirm deletion.

Deleting Multiple Path Selection Profiles

To delete multiple Path Selection Profiles:
1. Navigate to Network | SDWAN > Path Selection Profiles.
2. Select the profiles that you want to delete or click the Delete All icon above the Path Selection Profiles table to delete all the profiles.
3. Click OK to confirm deletion.

7 SD-WAN Rules

Topics:
• About SD-WAN Rules
• Configuring SD-WAN Rules

About SD-WAN Rules

SD-WAN Rules bring Path Selection Profiles and routing criteria together to provide dynamic path selection. SD-WAN Rules combine a Path Selection Profile with either a Source and/or Destination and/or Service Object/Group or a specific Match Object of type "Application List" or "Application Category List" which determines the outgoing path dynamically based on the Path Selection Profile's parameters. If there is more than one path qualified by the Path Selection Profile, the traffic is automatically load balanced among the qualified paths. If none of the paths are qualified by the Path Selection Profile and the backup interface in the profile is not configured or is down, the rule is disabled.

TIP: SD-WAN Rules can also be configured or viewed from the Policy | Rules and Policies > Routing Rules page. The Network | SDWAN > Rules page, however, only shows the SD-WAN Rules and only allows configuration of SD-WAN-type rules.

NAME: Name of the SD-WAN Rules.
IP VERSION: The IP version is shown by an icon showing whether the rule is for IPv4 and/or IPv6.
SOURCE: Source address object for the SD-WAN Rule.
DESTINATION: Destination address object for the SD-WAN Rule.
SERVICE: Service object for the SD-WAN Rule. If App was selected instead of Service for the type of rule, N/A appears.
APP: Application match object for the SD-WAN Rule. If Service was selected instead of App for the type of rule, N/A appears.
  NOTE: "Application List" or "Application Category List" Match Objects used here are created at Object | Match Objects > Match Objects.
TOS/Mask: Hexadecimal TOS and TOS Mask. If these options were not configured, you will see this field as blank.
PATH PROFILE: Path Selection Profile for the SD-WAN Rule.
INTERFACE: SD-WAN interface group associated with the SD-WAN Rule.
METRIC: Metric used for the SD-WAN Rule.
PRIORITY: Priority of the rule in Routing Rules route table.
COMMENT: When you hover over the comment icon, the comment entered when the SD-WAN Rule was configured is displayed.

Configuring SD-WAN Rules

Topics:
• Adding SD-WAN Rules
• Editing SD-WAN Rules
• Deleting SD-WAN Rule
• Deleting Multiple SD-WAN Rules

Adding SD-WAN Rules

To add an SD-WAN rule:
1. Navigate to Network | SDWAN > Rules.
2. Click the Add SDWAN Rule icon. The Add SDWAN Rule dialog is displayed.
   NOTE: The Interface and Disable rule when the interface is disconnected options are dimmed and cannot be edited. The Interface option is populated with the SDWAN group name associated with the Path Selection Profile (PSP) you select.
3. Enter a meaningful name in the Name field.
4. From Source, select the source address object for the static route or select Create new Address object to dynamically create a new address object. The default is Any.
5. From Destination, select the destination address object or select Create new Address object to dynamically create a new address object. The default is Any.
6. Choose the type of rule:
   • Service (default)
   • App
   IMPORTANT: Application Control Licensing is required for application-based rule.
7. If you selected Service, select a Service Object from the drop-down. For a generic static rule that allows all traffic types, simply select Any (the default).
8. If you selected App, select an App Match Object from App Object drop-down.
   NOTE: "Application List" or "Application Category List" Match Objects used here are created at Object | Match Objects > Match Objects.
9. From Path Profile, select a Path Selection Profile.
10. Enter the Metric (weighted cost) for the route. The minimum is 1, and the maximum is 254.
    TIP: Lower metrics are considered better and take precedence over higher metrics (costs).
11. Optionally, enter a Comment for the route policy. This field allows you to enter a descriptive comment for the new static route policy.
12. Click Advanced.
13. Optionally enter a TOS value in the TOS (Hex) field. The maximum value is FF. If the TOS and TOS Mask fields are not configured, a value of 0 is used.
14. Enter the same value in the TOS Mask (Hex) field.
15. To manually specify an administration distance:
    a. Deselect Auto. This option is selected by default. The Admin Distance field becomes available.
    b. Enter the administration distance in the Admin Distance field.
16. Click Add.

Editing SD-WAN Rules

To edit an SD-WAN rule:
1. Navigate to Network | SDWAN > Rules.
2. Hover over a rule and click the Edit icon.
3. The Update SDWAN Rule dialog is displayed.
4. Make changes as described in Adding SD-WAN Rules.
5. Click Update.

Deleting SD-WAN Rule

To delete a rule:
1. Navigate to Network | SDWAN > Rules.
2. Hover over a rule and click the Delete icon.
3. Click Confirm.

Deleting Multiple SD-WAN Rules

To delete multiple SD-WAN Rules:
1. Navigate to Network | SDWAN > Rules.
2. Select the Path Selection Profiles to delete or click the Delete All icon above the SD-WAN Rules table.
3. Click Confirm.

8 Monitoring SD-WAN

NOTE: A chart may be empty or blank if no data entries were received within the viewing range.

To monitor SD-WAN SLA:
1. Navigate to Monitor | SD-WAN > SDWAN Monitor.
2. From the SD-WAN Probes drop-down box, select the SLA probe you want to use for monitoring.
3. Indicate the Refresh rate, in seconds, in the Refresh Every field.
4. Select a View Range:
   - 60 seconds (default)
   - 2 minutes
   - 5 minutes
   - 10 minutes
5. Choose an interface to track or select All Interfaces from the drop-down menu on the right side.

9 Viewing SD-WAN Rules Connections

You can view the connections that have been associated with SD-WAN Rules on the Monitor | SDWAN > SDWAN Connections page.
- To view the activities associated with IPv4 SD-WAN Rules, click the IPv4 tab.
- To view the activities associated with IPv6 SD-WAN Rules, click the IPv6 tab.

SD-WAN CONNECTION DETAILS

SRC MAC: MAC address of the appliance that is the source of the connection.
SRC VENDOR: Name of the vendor of the appliance that is the source of the connection.
SRC IP: IP address of the appliance that is the source of the connection.
SRC PORT: Port on the appliance that is the source of the connection.
DST MAC: MAC address of the appliance that is the destination of the connection.
DST VENDOR: Name of the vendor of the appliance that is the destination of the connection.
DST IP: IP address of the appliance that is the destination of the connection.
DST PORT: Port on the appliance that is the destination of the connection.
PROTOCOL: Protocol used for the connection.
SRC IFACE: Interface on the appliance that is the source of the connection.
DST IFACE: Interface on the appliance that is the destination of the connection.
SRC ROUTE: Source route of the connection.
DST ROUTE: Destination route of the connection.
FLOW TYPE: Type of data flow control, such as FTP Control.
IPS CATEGORY: Internet Provider Security (IPS) category. If this information is not available or relevant, the column displays N/A.
ABR APP ID: App-Based Routing Application ID.
ABR CATEGORY ID: App-Based Routing Category ID.
EXPIRY (SEC): Number of seconds until the connection expires.
TX BYTES: Number of bytes transmitted on the connection.
RX BYTES: Number of bytes received on the connection.
TX PKTS: Number of packets transmitted on the connection.
RX PKTS: Number of packets received on the connection.
Flush: Displays the Flush icon. Clicking the icon flushes the connection.
Total: Total number of entries on the page. This is displayed at the bottom of the page.

You can perform the following actions on the SD-WAN Connections page:
- To search a log, enter a keyword related to an activity in the Search bar.
- To filter the logs, click the Filter icon, select the appropriate filter options, and then click APPLY FILTERS.
- To clear the filters applied, click the Clear Filter icon.
- To export the logs in CSV or TEXT files, click the Export icon and select the required format.
- To refresh the page, click the Refresh icon.

10 SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year.

The Support Portal enables you to:
- View Knowledge Base articles and Technical Documentation
- View and participate in the Community Forum discussions
- View Video Tutorials
- Access MySonicWall
- Learn about SonicWall Professional Services
- Review SonicWall Support services and warranty information
- Register at SonicWall University for training and certification

About This Document

SonicOS SD-WAN Administration Guide
Updated - November 2024
Software Version - 8
232-006191-00 Rev A

Copyright © 2024 SonicWall Inc. All rights reserved.

The information in this document is provided in connection with SonicWall and/or its affiliates' products.
No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall and/or its affiliates do not make any commitment to update the information contained in this document.

For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement

To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/legal/end-user-product-agreements/.

Open Source Code

SonicWall Inc. is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to "SonicWall Inc.", to:

General Public License Source Code Request
Attn: Jennifer Anderson
1033 McCarthy Blvd
Milpitas, CA 95035
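The field limits given under Adding SD-WAN Rules (Metric 1 to 254, TOS up to FF, TOS Mask equal to TOS, Application Control licensing for App rules) can be checked against a planned rule list before it is entered in the dialog. This is an added example, not SonicWall code: the dictionary layout and every object name in it are constructed for illustration, and the grouping by metric reflects only the guide's TIP, not the appliance's full route priority calculation.

```python
# Constructed sample; this dict layout is an assumption, not a SonicOS format.
PLANNED = [
    {"name": "voip-primary", "source": "LAN Subnets", "service": "SIP",
     "path_profile": "low-latency", "metric": 10, "tos": "B8", "tos_mask": "B8"},
    {"name": "voip-fallback", "source": "LAN Subnets", "service": "SIP",
     "path_profile": "any-wan", "metric": 20, "tos": "B8", "tos_mask": "B8"},
    {"name": "saas-apps", "type": "App", "app_object": "SaaS List",
     "path_profile": "low-loss", "metric": 5},
    {"name": "catch-all", "path_profile": "any-wan", "metric": 300, "tos_mask": "FF"},
]

def parse_hex_byte(text):
    """Parse a TOS or TOS Mask field; blank means not configured, so 0 is used."""
    value = int(text, 16) if text and text.strip() else 0  # ValueError if not hex
    if not 0 <= value <= 0xFF:
        raise ValueError(f"{text!r} exceeds FF")
    return value

def check_rule(rule):
    """Return findings for one planned rule, using the limits the guide states."""
    findings = []
    metric = rule.get("metric")
    if not isinstance(metric, int) or not 1 <= metric <= 254:
        findings.append(f"error: Metric {metric!r} is outside 1-254")
    try:
        if parse_hex_byte(rule.get("tos")) != parse_hex_byte(rule.get("tos_mask")):
            findings.append("error: TOS Mask is not the same value as TOS")
    except ValueError as exc:
        findings.append(f"error: bad TOS field ({exc})")
    if rule.get("type", "Service") == "App":
        if not rule.get("app_object"):
            findings.append("error: App rule has no App Match Object")
        findings.append("note: App rule needs Application Control licensing")
    elif all(rule.get(k, "Any") == "Any" for k in ("source", "destination", "service")):
        findings.append("warn: Source, Destination and Service are all Any")
    return findings

def same_match_groups(rules):
    """Names of rules with identical match criteria, lowest metric first."""
    groups = {}
    for r in rules:
        key = tuple(r.get(k, "Any") for k in
                    ("source", "destination", "type", "service", "app_object", "tos"))
        groups.setdefault(key, []).append(r)
    return [[r["name"] for r in sorted(g, key=lambda r: r["metric"])]
            for g in groups.values() if len(g) > 1]
if __name__ == "__main__":
    print(*((r["name"], check_rule(r)) for r in PLANNED), sep="\n")
    print("same match criteria, by metric:", same_match_groups(PLANNED))
```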