Configuring SD-WAN
Hello.
I would like to use WatchGuard's SD-WAN to direct certain traffic (Windows updates, YouTube, etc.) to another line.
However, I have looked at the WatchGuard site to see how to set it up, and I have actually configured it, but it does not work as expected.
I do not understand how to configure SD-WAN to work.
The points that are unclear are as follows:
Link monitor target
The interface of the SD-WAN action
Firewall policy SD-WAN
The following is my environment:
Router (main line)
WatchGuard (connected via PPPoE; I want specific traffic to flow over this line)
Best Answer
@XYLITOL said:
How can I check if SD-WAN is working properly?
I checked the firewall policy to send logs but it did not show up in the traffic monitor.
For the policy that specifies the SD-WAN rule, make sure that logging is enabled for it - once done, all "allowed" traffic will also show up in the Traffic Monitor window and any related logs.
Answers
For example - create 2 HTTPS policies - 1 for WAN 1, the other for WAN 2
On the policy for WAN 1 - you specify in the From and/or To fields the traffic that you want to use WAN 1. The To: field can include IP addrs, subnets and/or FQDNs.
The policy for WAN 2 needs to be below WAN 1, and the To: field can be Any-external, the From: field could be Any-trusted for whatever is appropriate.
And you need to create an SD-WAN action for WAN 1 primary with WAN 2 as secondary and apply that to the WAN 1 policy. And do the similar for the WAN 2 policy.
Review this to understand how FQDN works in a From: or To: field:
About Policies by Domain Name (FQDN)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html
Note that many sites use CDN (Content Delivery Network) URLs etc., so you would need to also ferret out those and add them to the appropriate policy To: field.
Turning on Logging on the WAN2 policy may help you locate those initially.
Also an Internet search for the domain names used by selected sites (i.e. YouTube) can help too.
Thanks for letting me know.
I need to specify a Link monitor target to configure the SD-WAN action. Here you can specify ping or DNS.
Does the ping or dns I specify here actually specify the target I want to send to the other WAN that is not the primary in the SD-WAN?
On Link Monitor, you specify a target for checking for the WAN.
It is recommended to select something upstream from your firewall default gateway.
I use a public DNS server such as Google DNS server IP addr - 8.8.8.8 or 8.8.4.4; or another public DNS server 1.1.1.1
That Link Monitor selection will be reflected on the SD-WAN action(s).
The option(s) selected will determine when a failover to the other interface(s) in the SD-WAN action happens.
Loss Rate, Latency, and/or Jitter are SD-WAN action optional selections.
If you don't select any of the 3, failover will happen when Fireware marks the primary SD-WAN interface as down, which will happen based on the Link Monitor settings for that interface.
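The two-policy layout and the failover rules described in these answers, as an added example that is not part of the original posts or of WatchGuard's software: a small Python model in which the interface names (eth0/eth1), the three-consecutive-failure link-down threshold and the 150 ms latency limit are constructed assumptions.

```python
# Added example (not WatchGuard code): model of policy ordering and SD-WAN failover.
from dataclasses import dataclass
from typing import Optional

@dataclass
class LinkMonitor:
    probes: list         # recent probe results to the target (e.g. ping 8.8.8.8); True = answered
    down_after: int = 3  # assumption: link is marked down after this many consecutive failures

    def is_up(self):
        tail = self.probes[-self.down_after:]
        return len(tail) < self.down_after or any(tail)

@dataclass
class SdwanAction:
    interfaces: list                      # primary first, then the secondary interface(s)
    monitors: dict                        # interface name -> LinkMonitor
    max_loss_pct: Optional[float] = None  # optional metrics; None = not selected on the action
    max_latency_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None

    def healthy(self, iface, metrics):
        # A link the Link Monitor has marked down is never used, whatever its metrics say
        if not self.monitors[iface].is_up():
            return False
        m = metrics.get(iface, {})
        limits = ((self.max_loss_pct, "loss_pct"), (self.max_latency_ms, "latency_ms"),
                  (self.max_jitter_ms, "jitter_ms"))
        # Only metrics actually selected on the action can trigger a failover
        return all(lim is None or m.get(key, 0.0) <= lim for lim, key in limits)

    def choose(self, metrics):
        return next((i for i in self.interfaces if self.healthy(i, metrics)), None)

def match_policy(policies, dest):
    # Policies are evaluated top-down, first match wins: the specific WAN1 policy
    # must sit above the catch-all WAN2 policy. Each policy is (name, to-set, action).
    return next((p for p in policies if "Any-external" in p[1] or dest in p[1]), None)

def egress_for(policies, dest, metrics):
    p = match_policy(policies, dest)
    return p[2].choose(metrics) if p else None

def example_setup(wan1_probes, wan2_probes):
    # Constructed sample: WAN1 policy lists the sites to steer, WAN2 policy is the catch-all
    mons = {"eth0": LinkMonitor(wan1_probes), "eth1": LinkMonitor(wan2_probes)}
    wan1 = SdwanAction(["eth0", "eth1"], mons)                        # no metrics: down-only failover
    wan2 = SdwanAction(["eth1", "eth0"], mons, max_latency_ms=150.0)  # latency-triggered failover
    return [("HTTPS-WAN1", {"youtube.com", "update.microsoft.com"}, wan1),
            ("HTTPS-WAN2", {"Any-external"}, wan2)]
```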
Thanks for letting me know.
I guess what I need to set up is something like this:
WAN1
Firewall policy
SD-WAN action
Link monitor target
This configuration should be done for WAN2 as well.
For SD-WAN, is the firewall policy looked at before routing, and the traffic sent to the interface where the SD-WAN action for that policy is configured?
Policy before routing?
No idea what you are asking.
Sorry.
How can I check if SD-WAN is working properly?
I checked the firewall policy to send logs but it did not show up in the traffic monitor.
You've helped me figure it out, thank you.