Multi-WAN vs SD-WAN, a little confused....

I am in the process of migrating from an XTM515 to an M270. I have brought my configuration over from the XTM device, and when I first tried to save it to the M270, I did get flagged that the PBR no longer works in this version (M270 came with V12.4.1 installed), so I modified all the policies using PBR to remove that option.

I did only have a set number of outbound policies using PBR, as the backup circuits are much smaller than our primary fiber circuit and we were limiting what would go out in the event our primary circuit went down.

I have read that to accomplish the same type of action I now need to set up an SD-WAN action, and apply that to the policies I had been using the PBR in the XTM setup. I think I understand that enough to set up (maybe lol).

I think I am just a little confused, because when I look at the Multi-WAN section, it shows failover configured for my 3 external interfaces.

So my question is:
How does Multi-WAN failover vs SD-WAN setup really work?
On my XTM, I also had multi-WAN failover set up.
If I have a policy that is not configured to use the SD-WAN routing, am I correct in believing that the outbound traffic on other policies will not go out? That was how I believed the PBR had worked in the past.

Thanks for any help clearing up my confusion, my brain is a bit overwhelmed in trying to read up on all the changes from my lowly 12.1.3 XTM up to the more current updates I will now be able to use.

Thanks again for all the read through (hope I made sense), and helping me understand :)


    edited September 2020

    Multi-WAN failover should work the same way.
    From the docs:
    "When you use the failover method to route traffic through the Firebox external interfaces, you select one external interface to be the primary external interface. Other external interfaces are backup interfaces, and you set the order for the Firebox to use the backup interfaces."

    Packets matching a policy that is not configured to use the SD-WAN routing will go out the primary external interface.


    Thanks Bruce, still trying to reason it out in my head.
    Quick follow-up question if you don't mind.

    Our external interface setup is like this:
    ext1 (primary), ext2 (secondary), ext3 (cell service device)
    If our multi-WAN setup is 1, 2, 3
    and I set up SD-WAN configs to just be: if ext1 fails, use ext2,
    Am I correct in thinking that would accomplish the failure of ext1 to use ext2, as long as it is configured in the policies?
    Any other outbound policy not configured would use the multi-wan setting of 1 fails, use 2 or 3?

    Again, thanks for your kind assistance,



    Again from the docs - same link as above:
    "The Firebox monitors the primary external interface. If it goes down, the Firebox sends all traffic to the next external interface in its configuration. While the Firebox sends all traffic to the backup interface, it continues to monitor the primary external interface. When the primary interface is active again, the Firebox immediately starts to send all new connections through the primary external interface again.
    You control the action for the Firebox to take for existing connections; these connections can failback immediately, or continue to use the backup interface until the connection is complete."

    So, with Failover Multi-WAN, you don't need any SD-WAN settings to guarantee that packets will go out the expected WAN interface - if ext1 fails, use ext2; if ext1 & ext2 fail, go out ext3.
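To make the answer concrete, here is a small added model (not WatchGuard's code and not from this thread) of the egress decision the quoted docs describe: a policy without an SD-WAN action follows the global failover order, a policy with one is assumed to be confined to the interfaces that action lists, and existing connections either fail back at once or finish on the backup depending on the configured failback action. The interface names, policy names and the `SdwanAction`/`Policy` shapes are constructed for illustration; the confinement of an SD-WAN policy to its listed interfaces is a simplifying assumption, not a statement about Fireware's exact behaviour.

```python
# Added illustration (not WatchGuard's code): a model of how the egress interface
# is chosen under Multi-WAN failover, with or without an SD-WAN action.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SdwanAction:
    """Assumed shape: an ordered list of external interfaces a policy may use."""
    name: str
    interfaces: List[str]


@dataclass
class Policy:
    name: str
    sdwan: Optional[SdwanAction] = None  # None = plain Multi-WAN failover


# Multi-WAN failover order from the thread: ext1 primary, then ext2, then ext3.
FAILOVER_ORDER: List[str] = ["ext1", "ext2", "ext3"]


def egress_for_new_connection(policy: Policy, link_up: Dict[str, bool],
                              failover_order: List[str] = FAILOVER_ORDER) -> Optional[str]:
    """Interface a NEW connection matching `policy` leaves on.

    Assumption: a policy with an SD-WAN action only uses the interfaces listed
    in that action; every other policy walks the global failover order.
    Returns None when none of the candidate interfaces is up.
    """
    candidates = policy.sdwan.interfaces if policy.sdwan else failover_order
    for iface in candidates:
        if link_up.get(iface, False):
            return iface
    return None


def egress_for_existing_connection(current_iface: str, link_up: Dict[str, bool],
                                   failback_immediately: bool,
                                   failover_order: List[str] = FAILOVER_ORDER) -> str:
    """Interface an EXISTING connection stays on once the primary is back up.

    Per the quoted docs, new connections return to the primary immediately,
    while existing ones either fail back now or finish on the backup.
    """
    primary = failover_order[0]
    if link_up.get(primary, False) and failback_immediately:
        return primary
    return current_iface


def walk_through() -> Dict[str, Optional[str]]:
    """Constructed scenario mirroring the poster's setup; returns decisions by label."""
    plain = Policy("Outbound-Any")  # no SD-WAN action configured
    limited = Policy("Outbound-Limited",
                     SdwanAction("ext1-then-ext2", ["ext1", "ext2"]))
    results: Dict[str, Optional[str]] = {}

    all_up = {"ext1": True, "ext2": True, "ext3": True}
    results["plain/all up"] = egress_for_new_connection(plain, all_up)
    results["limited/all up"] = egress_for_new_connection(limited, all_up)

    ext1_down = {"ext1": False, "ext2": True, "ext3": True}
    results["plain/ext1 down"] = egress_for_new_connection(plain, ext1_down)
    results["limited/ext1 down"] = egress_for_new_connection(limited, ext1_down)

    ext1_ext2_down = {"ext1": False, "ext2": False, "ext3": True}
    results["plain/ext1+ext2 down"] = egress_for_new_connection(plain, ext1_ext2_down)
    # In this model the SD-WAN-limited policy never reaches ext3 (the cell device).
    results["limited/ext1+ext2 down"] = egress_for_new_connection(limited, ext1_ext2_down)

    # Primary returns: an existing flow on ext2 with 'finish on backup' vs 'fail back now'.
    results["existing/keep"] = egress_for_existing_connection("ext2", all_up, False)
    results["existing/failback"] = egress_for_existing_connection("ext2", all_up, True)
    return results


if __name__ == "__main__":
    for label, iface in walk_through().items():
        print(f"{label:26s} -> {iface}")
```

Running it shows the point of the answer: the unconfigured policy lands on ext2 and then ext3 as links drop, while the policy pinned to an SD-WAN action of ext1/ext2 has nowhere to go once both are down, which is exactly the "limit what goes out on the backup circuits" effect the original poster wanted.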


    OK, sorry for being so dense on this, not sure why I just could not see it through; guess the options to do PBR or SD-WAN threw me off.
    I think I got it now ;) Thanks again Bruce!
