Configuring Steering Behavior

Important - If you did not use the SD-WAN Wizard during the initial deployment, then you must configure the required settings manually.

Steering Behavior objects are a mandatory part of the SD-WAN Policy.

Steering Behavior determines how the Security Gateway sends traffic to the Internet or over an overlay.

  1. Log in to Check Point Infinity Portal.

  2. Click the top left Menu > in the section Quantum, click SD-WAN.

  3. From the left navigation panel, click Network.

  4. In the middle section, click SD-WAN Policy.

  5. From the top toolbar, click Manage Objects.

    Note - From the top toolbar, you can:

    • Create a new Steering Behavior

    • Delete a selected Steering Behavior

    • Search for a Steering Behavior

    • Edit a selected Steering Behavior

  6. When you create a new Steering Behavior, or edit an existing Steering Behavior:

    1. In the Name field, enter a descriptive name that represents this Steering Behavior.

    2. Optional: In the Comment field, enter an applicable text that describes this Steering Behavior.

    3. Configure the Steering Candidates:

      1. Click the Steering Candidates tab.

      2. In the section Connection Type, select the applicable option:

        See SD-WAN Connection (Steering Behavior) Types.

        Steering Behavior - Description

        Internet with "Local Breakout Only"

          This connection type represents a direct WAN Link to the Internet.

          See Routing Preference "Local Breakout Only".

        Internet with "Backhaul Only"

          This connection type sends traffic from VPN spoke sites to the Internet through the central VPN hub site.

          It lets the VPN spoke site use its public or private lines to reach the Internet through the Headquarters.

          See Routing Preference "Backhaul Only".

        Internet with "Prioritize Local Breakout"

          This connection type gives priority to the direct WAN Links (not through the Headquarters) and sends all traffic directly to the Internet.

          If all direct WAN Links to the Internet are down, the Security Gateway sends the traffic over the WAN Link that carries encrypted traffic to the Headquarters, and reaches the Internet from there.

          See Routing Preference "Prioritize Local Breakout".

        Overlay - VPN

          This connection type represents a direct WAN Link that carries encrypted traffic to the Headquarters.

          This encrypted WAN Link to the Headquarters provides redundancy.

          See SD-WAN Connection Type "Overlay - VPN".

      3. On the tab Steering Candidates, configure the applicable settings:

        Steering Candidates are the WAN Links on the corresponding Security Gateway.

        Steering Behavior - Steering Candidates

        Internet with "Local Breakout Only"

          • All Relevant WAN Links - The Security Gateway uses all available WAN Links.

          • Specific WAN Links - The Security Gateway uses only the selected WAN Links.

        Internet with "Backhaul Only"

          • All Relevant WAN Links - The Security Gateway uses all available WAN Links.

          • Specific WAN Links - The Security Gateway uses only the selected WAN Links.

          • Use the same settings for Branch to HQ connection - Applies the same choice ("All Relevant WAN Links" or "Specific WAN Links") to the WAN Links the Security Gateway uses for the connection from the Branch office to the Headquarters.

        Internet with "Prioritize Local Breakout"

          • All Relevant WAN Links - The Security Gateway uses all available WAN Links.

          • Specific WAN Links - The Security Gateway uses only the selected WAN Links.

          • Use the same settings for Branch to HQ connection - Applies the same choice ("All Relevant WAN Links" or "Specific WAN Links") to the WAN Links the Security Gateway uses for the connection from the Branch office to the Headquarters.

        Overlay - VPN

          • All Relevant WAN Links - The Security Gateway uses all available WAN Links.

          • Specific WAN Links - The Security Gateway uses only the selected WAN Links.

    4. Optional: Configure the Criteria settings:

      Note - If you do not configure these thresholds explicitly, then the SD-WAN Security Gateway considers all available WAN Links as candidates and uses the best WAN Link based on the defined margins.

      1. Click the Criteria tab.

      2. Click the Thresholds heading to expand this section and configure the applicable settings:

        The Security Gateway uses only the WAN Links whose current measured values are below all of the configured maximums.

        If every WAN Link exceeds at least one maximum, the SD-WAN Policy falls back to the first WAN Link in alphabetical order of its name, whatever its current quality. Keep this fallback in mind when you name the WAN Links.

        • The maximum Latency (in milliseconds).

        • The maximum Jitter (in milliseconds).

        • The maximum Packet Loss (in percent).

      3. Click the WAN Link Utilization heading to expand this section and configure the applicable settings:

        • Link Aggregation - To use all available WAN Links (in parallel) that meet the maximum values you configured in the Thresholds section. This is the default setting.

          In the Selection Method field, select the applicable option:

          Note - This feature requires these Security Gateway versions:

          • Connection Hash

            Distributes the connections between the WAN Links based on a 4-tuple - [Source IP, Destination IP, Destination port, IP protocol].

            This is the default value.

          • Round Robin

            Distributes the connections between the WAN Links equally in a circular order.

          • Proportionally To Download Bandwidth

            Distributes the connections between the WAN Links based on a 4-tuple [Source IP, Destination IP, Destination port, IP protocol], proportionally to the download bandwidth configured in the corresponding interfaces on the Security Gateway.

            This requires the configuration of the download speed limit in the corresponding SD-WAN interface.

            See Step 3 - Configuration on Security Gateways > Section "Part 2 - Configuration of SD-WAN interfaces on the Security Gateway".

          • Proportionally To Upload Bandwidth

            Distributes the connections between the WAN Links based on a 4-tuple [Source IP, Destination IP, Destination port, IP protocol], proportionally to the upload bandwidth configured in the corresponding interfaces on the Security Gateway.

            This requires the configuration of the upload speed limit in the corresponding SD-WAN interface.

            See Step 3 - Configuration on Security Gateways > Section "Part 2 - Configuration of SD-WAN interfaces on the Security Gateway".

        • Prioritize - To use specific WAN Links in a preferred order (available only if you selected Specific WAN Links on the Steering Candidates tab).

          Select the applicable option:

          Option - Description

          Link attributes

          Configures the SD-WAN Policy to select the best WAN Link among the candidates based on their current link attribute values.

          This is the default setting.

          • To configure the order in which the SD-WAN Policy examines the link attributes, click the rows and drag them to the applicable positions.

          • To disable a link attribute, clear its checkbox.

          • In the "Margin" column, click the current value and configure, for each attribute, the difference between WAN Links that is large enough to count.

            If the difference between the current attribute values of two WAN Links becomes greater than this margin, the SD-WAN Policy selects the WAN Link with the lower current value. Differences within the margin do not cause a switch, which keeps traffic from moving between WAN Links on every small fluctuation.

          Manual order of WAN Links

          Configures the SD-WAN Policy to use the WAN Links in the configured order, regardless of their link attribute values.

          • To select this option, on the Steering Candidates tab, you must select Specific WAN Links and select at least two WAN Links.

          • To configure the order in which the SD-WAN Policy uses these WAN Links, click the rows and drag them to the applicable positions.
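The following model, added here as an illustration and not Check Point's code, shows how the settings above interact for one new connection: the Thresholds filter with its alphabetical fallback, the three Link Aggregation selection methods, and the two Prioritize options. The hash function (SHA-256 over the 4-tuple), the exact margin semantics, the attribute names and the sample measurements are assumptions made for the example; the page does not state how the Security Gateway computes the hash or breaks ties.

```python
"""Illustrative model of SD-WAN Steering Behavior link selection (added example, not
Check Point code; hash, margin semantics and sample numbers are assumptions)."""
import hashlib
import itertools
from dataclasses import dataclass


@dataclass
class WanLink:
    name: str
    latency_ms: float       # current link attributes as measured by the prober
    jitter_ms: float
    loss_pct: float
    download_mbps: int = 0  # speed limits configured on the SD-WAN interface (assumed names)
    upload_mbps: int = 0


@dataclass
class Thresholds:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


def eligible_links(links, thr):
    """Criteria > Thresholds: keep links whose current values are below every maximum.
    If no link qualifies, fall back to the first link in alphabetical order of its name."""
    ok = [l for l in links
          if l.latency_ms < thr.max_latency_ms
          and l.jitter_ms < thr.max_jitter_ms
          and l.loss_pct < thr.max_loss_pct]
    return ok or [min(links, key=lambda l: l.name)]


def _hash4(src_ip, dst_ip, dst_port, proto):
    """Assumed hash of the 4-tuple; any stable hash gives per-connection stickiness."""
    key = f"{src_ip}|{dst_ip}|{dst_port}|{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def connection_hash(links, src_ip, dst_ip, dst_port, proto):
    """Link Aggregation > Connection Hash: the same 4-tuple always maps to the same link."""
    return links[_hash4(src_ip, dst_ip, dst_port, proto) % len(links)]


def round_robin(links):
    """Link Aggregation > Round Robin: returns a chooser that cycles through the links."""
    cycle = itertools.cycle(links)
    return lambda: next(cycle)


def proportional(links, src_ip, dst_ip, dst_port, proto, attr="download_mbps"):
    """Link Aggregation > Proportionally To Download/Upload Bandwidth: the 4-tuple hash is
    mapped onto the cumulative configured bandwidth, so a 100 Mbps link gets twice the
    connections of a 50 Mbps link. Every candidate interface needs the speed limit set."""
    weights = [getattr(l, attr) for l in links]
    if min(weights) <= 0:
        raise ValueError(f"{attr} must be configured on every candidate interface")
    point = _hash4(src_ip, dst_ip, dst_port, proto) % sum(weights)
    for link, weight in zip(links, weights):
        if point < weight:
            return link
        point -= weight


def prioritize_by_attributes(links, order, margins):
    """Prioritize > Link attributes: attributes are examined in the configured order; links
    within the margin of the best value are treated as equal and the next attribute decides.
    If every attribute ties, the first remaining candidate stays selected (no flapping)."""
    remaining = list(links)
    for attr in order:
        best = min(getattr(l, attr) for l in remaining)
        remaining = [l for l in remaining if getattr(l, attr) - best <= margins[attr]]
        if len(remaining) == 1:
            break
    return remaining[0]


def manual_order(links, preferred_names):
    """Prioritize > Manual order of WAN Links: first configured name among the candidates,
    ignoring attribute values."""
    by_name = {l.name: l for l in links}
    return next(by_name[n] for n in preferred_names if n in by_name)


# Constructed sample measurements for three WAN Links (not real data).
LINKS = [
    WanLink("WAN-ISP1", latency_ms=20, jitter_ms=3, loss_pct=0.1, download_mbps=100, upload_mbps=20),
    WanLink("WAN-ISP2", latency_ms=26, jitter_ms=2, loss_pct=0.2, download_mbps=50, upload_mbps=10),
    WanLink("WAN-LTE", latency_ms=90, jitter_ms=25, loss_pct=2.5, download_mbps=30, upload_mbps=5),
]
THRESHOLDS = Thresholds(max_latency_ms=80, max_jitter_ms=20, max_loss_pct=2.0)


def steer(flow, links=LINKS, thr=THRESHOLDS):
    """Decision for one new connection with Link Aggregation + Connection Hash (the default)."""
    return connection_hash(eligible_links(links, thr), *flow).name


if __name__ == "__main__":
    print([l.name for l in eligible_links(LINKS, THRESHOLDS)])   # WAN-LTE fails the thresholds
    print(steer(("10.1.1.5", "203.0.113.10", 443, "tcp")))
```

Run with the sample data, the LTE link drops out at the Thresholds step, the two ISP links are treated as equal under a 10 ms latency margin (so the first one keeps the traffic), and tightening that margin to 5 ms makes the lower-latency link win outright.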

      4. Click the Quality Check Methodology heading to expand this section and configure the applicable settings.

        These settings determine how a special "prober" on the Security Gateway measures the WAN Link quality.

        1. Select the probe type:

          • If you selected Best Practice:

            SD-WAN sends ICMP pings to the Google Public DNS server 8.8.8.8. Make sure that outbound ICMP echo requests to 8.8.8.8 and the echo replies are allowed on every WAN Link; a WAN Link on which they are filtered upstream cannot be measured.

          • If you selected Specific destination:

            1. In the field Using, select the probing protocol:

              • Ping - The Security Gateway sends ICMP pings to the specified destination.

              • HTTP (on the roadmap) - The Security Gateway sends HTTP requests to the specified destination.

                Note - Support for the HTTP probing is integrated in:

            2. In the field Host, enter the probing destination in the correct format:

              • For Ping probes, enter an IPv4 address (for example, 8.8.8.8).

              • For HTTP probes, enter the destination as an HTTP URL, with an optional port (for example: http://www.example.com:8080).

        2. In the Check interval field, configure how often the Security Gateway probes each WAN Link (in milliseconds).

          Note - There are different thresholds for the "Ping" and the "HTTP" probing protocols.
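To make concrete what the prober feeds into the Thresholds section, here is an added example (not from the page and not Check Point's code) that turns the results of five ICMP probes to 8.8.8.8 into the three link attributes. The probe output is constructed, and the jitter definition (mean absolute difference between consecutive RTTs) is an assumption; the page does not state how the Security Gateway derives these values.

```python
"""Derive latency, jitter and packet loss from ping probe results (added example, not
Check Point code; sample output is constructed, jitter formula is assumed)."""
import re
from statistics import mean

# Constructed output of five ICMP probes to 8.8.8.8 on one WAN Link (Best Practice probe).
SAMPLE_PING_OUTPUT = """\
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=18.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=21.7 ms
Request timeout for icmp_seq 3
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=19.1 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=40.3 ms
"""

RTT_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"timeout for icmp_seq (\d+)")


def parse_probes(output):
    """Return (RTTs in ms in sequence order, number of probes that timed out)."""
    rtts, lost = [], 0
    for line in output.splitlines():
        hit = RTT_RE.search(line)
        if hit:
            rtts.append(float(hit.group(2)))
        elif TIMEOUT_RE.search(line):
            lost += 1
    return rtts, lost


def link_attributes(output):
    """Latency = mean RTT, jitter = mean |RTT[i] - RTT[i-1]| (assumed), loss = timeouts / sent.
    A WAN Link that answered no probe gets infinite latency/jitter and 100% loss, so it
    fails every configured maximum and drops out of the candidates."""
    rtts, lost = parse_probes(output)
    if not rtts:
        return {"latency_ms": float("inf"), "jitter_ms": float("inf"), "loss_pct": 100.0}
    jitter = mean(abs(b - a) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0
    return {
        "latency_ms": mean(rtts),
        "jitter_ms": jitter,
        "loss_pct": 100.0 * lost / (len(rtts) + lost),
    }


def within_thresholds(attrs, max_latency_ms, max_jitter_ms, max_loss_pct):
    """The comparison the Thresholds section makes: every value must be below its maximum."""
    return (attrs["latency_ms"] < max_latency_ms
            and attrs["jitter_ms"] < max_jitter_ms
            and attrs["loss_pct"] < max_loss_pct)


if __name__ == "__main__":
    attrs = link_attributes(SAMPLE_PING_OUTPUT)
    print(attrs)
    print(within_thresholds(attrs, max_latency_ms=50, max_jitter_ms=10, max_loss_pct=5))
```

With the sample, one timeout in five probes is already 20% loss, so a 5% maximum excludes the WAN Link even though its latency and jitter are fine; a single dropped probe weighs heavily at short check intervals with few samples.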

    5. Click OK.

  7. From the top toolbar, click Publish to save the changes.

  8. From the top toolbar, click Enforce to apply the changes.

    The orange frame on this button means there are changes that are not enforced.

    In the popup window that opens, click Publish & Enforce Policy.