Introduction to Quantum SD-WAN

With Quantum SD-WAN you can configure your Security Gateway / Cluster to steer traffic dynamically between the configured WAN Links based on the measured ISP link quality. This does not require dynamic routing configuration on your Security Gateway / Cluster.

With Quantum SD-WAN, customers get the most efficient use of high-cost Wide Area Network connections and the best user experience when consuming cloud-hosted services in branch offices.

The Security Gateway / Cluster sends different types of traffic through different Internet Service Providers (ISPs) based on application / identity and dynamic measurement of WAN Link characteristics.

The Security Gateway / Cluster applies the configured SD-WAN rules only if the Security Policy allows this traffic.

After you install the SD-WAN Policy, it becomes the main decision maker for traffic paths, traffic priorities, and so on for WAN connections. The SD-WAN policy makes these decisions based on the settings you configure in Infinity Portal.

For additional information, see sk180605.

SD-WAN Use Case

A Security Gateway is connected to two Internet Service Providers.

Traffic from the Zoom application goes to the Internet through ISP #1.

Traffic from the Outlook 365 application goes to the Internet through ISP #2.

Basic SD-WAN Action

You can use SD-WAN for:

  • Local breakout – to control the steering and select the best path for outbound traffic to the Internet.

  • Overlay – to control the best VPN path between VPN peers, for routing internal traffic between the organization sites, either from VPN Spokes to the Hub (Satellites to Center), or between VPN sites in a mesh topology.

  • Backhaul – to route Internet traffic on VPN spoke sites through the Headquarters over the VPN tunnel. This connection uses the overlay-based connection from the Branch to the Center, and a Breakout-based connection from the Center to the Internet.

The Security Gateway uses the WAN Links that you configured as SD-WAN interfaces: for Breakout, only the non-MPLS SD-WAN interfaces; for Overlay VPN, all SD-WAN interfaces.

SD-WAN Policy

The SD-WAN Policy contains these ordered rules:

  1. Classification of traffic:

    • Source and Destination – IP address, Network address, User / Computer Identity.

    • Service or Application – Zoom, Teams, https, ftp (see Objects Supported in SD-WAN Policy).

      Notes

      • When using Application Signatures in the SD-WAN Policy, the matching methodology requires multiple application packets flowing through the Security Gateway. As a result, SD-WAN Policy may not apply to the first connection of a service / application. In this case, an SD-WAN Policy log shows "Skipping SD-WAN routing decision" (in the "SD-WAN" section > the "SD-WAN Outgoing ISP" field of the log), while an Access Control log shows the detected service / application as expected.

      • The Security Gateway uses these heuristics to identify connections on the first packet:

        • DNS heuristic – The Security Gateway saves the DNS domains during the DNS query phase and associates the connection that follows with the applicable DNS domain.

        • SNI heuristic – The Security Gateway learns about HTTPS connections and applies the learned data to subsequent connections.

        • DPI heuristic – The Security Gateway applies Deep Packet Inspection to subsequent connections.

        Even with these heuristics, the Security Gateway might not detect the application on the first packet of a connection, for example, when two applications are hosted on the same server.

      Best Practice – Use Updatable Objects in the "Destination" column of the SD-WAN Policy. This allows the Security Gateway to match application connections on the first packet and gives the most accurate traffic steering.

  2. Steering Behavior:

    Steering behavior consists of a measurement target (the WAN Link quality that is measured) and a steering decision that selects a WAN Link based on that measurement.
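As an added illustration (not Check Point's code) of the ordered rule evaluation and first-packet classification described above, this Python model shows why an Application rule can produce "Skipping SD-WAN routing decision" on the first connection while an Updatable Object in the Destination column matches immediately; the rule names, domain and IP addresses are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SKIPPED = "Skipping SD-WAN routing decision"   # log text quoted in the notes above
NO_MATCH = "no SD-WAN rule matched"

# Constructed mapping used by the DNS heuristic: queried domain -> application.
APP_BY_DOMAIN = {"meet.zoom.example": "Zoom"}

@dataclass
class Rule:
    name: str
    wan_link: str                      # steering decision: the WAN Link to use
    application: str | None = None     # Application object (needs identified traffic)
    dst_networks: list = field(default_factory=list)  # Updatable Object IP ranges

class Gateway:
    """Toy model of first-packet classification, not the product's implementation."""
    def __init__(self, rules):
        self.rules = rules
        self.domain_of_ip = {}    # DNS heuristic: resolved IP -> queried domain
        self.app_of_server = {}   # SNI/DPI heuristic: server IP -> app learned earlier

    def observe_dns(self, domain, ip):
        self.domain_of_ip[ip] = domain

    def observe_dpi(self, ip, app):
        # Learned only after several packets of an earlier connection were inspected.
        self.app_of_server[ip] = app

    def identify_app(self, dst_ip):
        if dst_ip in self.app_of_server:
            return self.app_of_server[dst_ip]
        return APP_BY_DOMAIN.get(self.domain_of_ip.get(dst_ip))

    def decide(self, dst_ip):
        """Evaluate the ordered rules on the first packet of a new connection."""
        app = self.identify_app(dst_ip)
        for rule in self.rules:
            if rule.dst_networks:     # Updatable Object: decidable from the IP alone
                if any(ip_address(dst_ip) in net for net in rule.dst_networks):
                    return rule.wan_link
                continue
            if app is None:           # application unknown: the decision is skipped
                return SKIPPED
            if rule.application == app:
                return rule.wan_link
        return NO_MATCH

def make_gateway():
    # Mirrors the use case above: Outlook 365 via ISP #2, Zoom via ISP #1 (constructed).
    return Gateway([
        Rule("Outlook 365 to ISP2", "ISP-2", dst_networks=[ip_network("203.0.113.0/24")]),
        Rule("Zoom to ISP1", "ISP-1", application="Zoom"),
    ])
```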

Basic Workflow

To steer traffic with SD-WAN, you configure the required settings:

  1. On the Security Gateway / each Cluster Member - The SD-WAN interfaces and the Nano-Agent.

  2. In SmartConsole - The required objects and the connection to your account in Infinity Portal.

    In Smart-1 Cloud - The required objects.

  3. In Infinity Portal - The required SD-WAN objects, WAN Link settings, and SD-WAN Policy.