Configuring SD-WAN

Hello.

I would like to use WatchGuard's SD-WAN to direct certain traffic (Windows updates, YouTube, etc.)
to another line.
I have looked at the WatchGuard site to see how to set it up, and I have actually configured it, but it does not work as expected.
I do not understand how to configure SD-WAN to work.

The points that are unclear are as follows:
Link monitor target
The interface of the SD-WAN action
Firewall policy SD-WAN

The following is my environment.
Router (main line)
WatchGuard (PPPoE connected, and I want to route specific traffic through it)

Best Answer

  • Answer ✓

    @XYLITOL said:
    How can I check if SD-WAN is working properly?
    I checked the firewall policy to send logs but it did not show up in the traffic monitor.

    For the policy that specifies the SD-WAN rule, make sure that logging is enabled for it - once done all "allowed" traffic will also show up in the Traffic Monitor window and any related logs.

Answers

  • edited November 21

    For example - create 2 HTTPS policies - 1 for WAN 1, the other for WAN 2
    On the policy for WAN 1 - you specify in the From and/or To fields the traffic that you want to use WAN 1. The To: field can include IP addrs, subnets and/or FQDNs.
    The policy for WAN 2 needs to be below WAN 1, and the To: field can be Any-external, the From: field could be Any-trusted for whatever is appropriate.
    And you need to create an SD-WAN action for WAN 1 primary with WAN 2 as secondary and apply that to the WAN 1 policy. And do the similar for the WAN 2 policy.

    Review this to understand how FQDN works in a From: or To: field
    About Policies by Domain Name (FQDN)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html

    Note that many sites use CDN (Content Delivery Network) URLs etc., so you would need to also ferret out those and add them to the appropriate policy To: field.
    Turning on Logging on the WAN2 policy may help you locate those initially.
    Also an Internet search for domain names used by selected sites (i.e. YouTube) can help too.

  • Thanks for letting me know.
    I need to specify a Link monitor target to configure the SD-WAN action. Here you can specify ping or DNS.
    Does the ping or DNS I specify here actually specify the target I want to send to the other WAN that is not the primary in the SD-WAN?

  • edited November 21

    On Link Monitor, you specify a target for checking for the WAN.
    It is recommended to select something upstream from your firewall default gateway.
    I use a public DNS server such as Google DNS server IP addr - 8.8.8.8 or 8.8.4.4; or another public DNS server 1.1.1.1

    That Link Monitor selection will be reflected on the SD-WAN action(s).
    The option(s) selected will determine when a failover to the other interface(s) in the SD-WAN action occurs.
    Loss Rate, Latency, and/or Jitter are SD-WAN action optional selections.
    If you don't select any of the 3, failover will happen when Fireware marks the primary SD-WAN interface as down, which will happen based on the Link Monitor settings for that interface.
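As an added example (not code from this thread or from WatchGuard), here is a small Python model of how the pieces described in the two answers above fit together: a Link Monitor result marks an interface up or down, an SD-WAN action fails over from its primary to its secondary only when the primary is down or an optionally selected Loss Rate/Latency/Jitter threshold is exceeded, and policies are matched top-down so the first policy whose To: field matches decides which SD-WAN action applies. The policy names, thresholds, FQDNs and link measurements are constructed sample values, not real Fireware settings.

```python
from __future__ import annotations
from dataclasses import dataclass
@dataclass
class LinkStatus:
    up: bool           # Link Monitor (ping/DNS target) result for the interface
    loss_pct: float    # measured loss rate, latency and jitter (constructed values)
    latency_ms: float
    jitter_ms: float

@dataclass
class SDWANAction:
    primary: str
    secondary: str
    max_loss_pct: float | None = None     # None = metric not selected in the action
    max_latency_ms: float | None = None
    max_jitter_ms: float | None = None
    def choose(self, links: dict[str, LinkStatus]) -> str:
        # Interface this action uses under the current link state.
        p = links[self.primary]
        if not p.up:                      # Link Monitor marked the primary down
            return self.secondary
        # With no metric selected, only a down primary causes failover.
        if self.max_loss_pct is not None and p.loss_pct > self.max_loss_pct:
            return self.secondary
        if self.max_latency_ms is not None and p.latency_ms > self.max_latency_ms:
            return self.secondary
        if self.max_jitter_ms is not None and p.jitter_ms > self.max_jitter_ms:
            return self.secondary
        return self.primary

@dataclass
class Policy:
    name: str
    to_targets: set[str]   # To: field entries (IPs, subnets, FQDNs or Any-external)
    action: SDWANAction
    def matches(self, dest: str) -> bool:
        return "Any-external" in self.to_targets or dest in self.to_targets

def route(policies: list[Policy], dest: str, links: dict[str, LinkStatus]) -> tuple[str, str]:
    # Policies are evaluated top-down; the first match's SD-WAN action picks the WAN.
    for pol in policies:
        if pol.matches(dest):
            return pol.name, pol.action.choose(links)
    raise LookupError(f"no policy matches {dest}")

# Constructed sample: WAN1 policy for specific FQDNs placed above a catch-all WAN2 policy.
POLICIES = [
    Policy("HTTPS-WAN1", {"www.youtube.com"}, SDWANAction("WAN1", "WAN2", max_loss_pct=5.0)),
    Policy("HTTPS-WAN2", {"Any-external"}, SDWANAction("WAN2", "WAN1")),
]
```

Swapping the order of the two policies makes the catch-all match first, which is why the answer above insists the WAN 2 policy sits below the WAN 1 policy.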

  • Thanks for letting me know.

    I guess what I need to set up is something like this:
    WAN1
    Firewall policy
    SD-WAN action
    Link monitor target
    This configuration should be done for WAN2 as well.

    For SD-WAN, look at the firewall policy before routing,
    to the interface where the SD-WAN action for that policy is configured,
    policy before routing?

  • No idea what you are asking.

  • Sorry.

    How can I check if SD-WAN is working properly?
    I checked the firewall policy to send logs but it did not show up in the traffic monitor.

  • You've helped me figure it out, thank you.
