SD-WAN Connection Type - "Internet"

The connection (Steering Behavior) type "Internet" has these routing preference modes:

  • Local Breakout Only

  • Backhaul Only

  • Prioritize Local Breakout

Routing Preference "Local Breakout Only"

This connection type represents a direct WAN Link to the Internet.

Offices with multiple direct WAN Links to the Internet.

Example:

  1. A Security Gateway with two ISPs.

  2. The Zoom application traffic must go over an ISP Link with lower latency.

  3. The backup transfer traffic must go over an ISP Link with higher latency.

Example of an SD-WAN Policy rule:

Traffic, using the "YouTube" services, must go from any source behind the Security Gateway to the Internet.

The Security Gateway sends the traffic through the WAN Links configured in the Steering Behavior, if the Access Control Policy allows this traffic.

Name

Source

Destination

Services & Applications

Behavior

Enforcement

Breakout

Any

SD-WAN Internet

YouTube

Select the applicable

Steering object of type

"Internet - Local Breakout Only"

<Applicable Profile>

Important:

  • Requirements for this connection type:

    1. In SmartConsole > Menu > Manage policies and layers > Layers page > Access Control page > edit the applicable Layer in your policy > General page > Blades section > select Application & URL Filtering.

    2. In the Security Gateway object, enable these Software Blades:

      1. Application Control

      2. URL Filtering

  • Make sure the Access Control Policy and Threat Prevention Policy allow this traffic.

    See the:

  • If you did not to use the SD-WAN Wizard during the initial deployment, then you must configure the required settings manually.

    See Configuring Steering Behavior.

  • On the Security Gateway, the SD-WAN Policy rules always have higher priority than the operating system routing table. When the Security Gateway marches traffic to an SD-WAN rule that has the "Local Breakout" behavior, the Security Gateway routes the traffic based on the configured steering behavior between all applicable ISPs that meet the criteria.

  • The packet loss configured in the Steering object is calculated based on the last 100 probes.

The Security Gateway sends the traffic directly to the Internet, based on the Services & Applications column of the SD-WAN Policy.

In the section Steering Candidates, configure the applicable settings:

  • All Relevant WAN Links - To use all available WAN Links.

  • Specific WAN Links - To use only the selected WAN Links.

Routing Preference "Backhaul Only"

This connection sends traffic from VPN spoke sites to the Internet through the Central VPN hub site.

This connection type enables the VPN spoke site to use the Public lines / Private lines to reach the Internet through the Headquarters.

Branch offices with a direct WAN Link to the Internet and with a direct WAN Link to the Headquarters.

Branch offices must send specific traffic to the Internet through the Headquarters Security Gateway.

Example:

  1. A branch Security Gateway with two ISPs.

  2. Regular web traffic must go over a direct WAN Link to the Internet.

  3. Email traffic must go through the Headquarters Security Gateway for deep inspection.

Example topology:

  • User ---> Branch Gateway ---> ISP1 ---> (Internet)

  • User ---> Branch Gateway ---> ISP2 ---> HQ Gateway ---> (Internet)

Example of an SD-WAN Policy rule:

Name

Source

Destination

Services & Applications

Behavior

Enforcement

Backhaul Only

<Name of a Client Object>

 

<Name of an Email Server Object>

<Name of a Client Object>

 

<Name of an Email Server Object>

Office365

Select the applicable Steering object of type "Internet - Backhaul Only"

<Applicable Profile>

Important:

  • Requirements for this connection type:

    1. In the Security Gateway object, enable the IPsec VPN Software Blade.

    2. Configure a Site-to-Site VPN tunnel between a Branch Security Gateway (that works as a Satellite VPN Gateway) and a Headquarters Security Gateway (that works as a Center VPN Gateway).

      Configure the applicable VPN Community of type Star.

      On the VPN Routing page, select To center or through the center to other satellites, to Internet and other VPN targets.

      This configuration is mandatory when working with Domain-Based VPN (see SD-WAN and Route-Based VPN).

      See the Site to Site VPN Administration Guide for your version.

  • Make sure the Access Control Policy and Threat Prevention Policy allow this traffic.

    See the:

  • If you did not to use the SD-WAN Wizard during the initial deployment, then you must configure the required settings manually.

    See Configuring Steering Behavior.

  • The IPsec VPN Software Blade on the Security Gateway makes the IKE negotiation routing decision, regardless the SD-WAN Policy rules.

  • Each VPN tunnel from one SD-WAN interface on the SD-WAN Security Gateway to an SD-WAN interface on a peer SD-WAN Security Gateway is a VPN transport. Each SD-WAN Security Gateway constantly sends ICMP Echo Requests over each VPN transport to each VPN peer to select the best path to reach the VPN peer. The Security Gateway selects a VPN path for each packet. This preserves VPN connectivity during a failover of an existing VPN connection between different VPN transports.

  • The packet loss configured in the Steering object is calculated based on the last 100 probes.

  1. The Branch Security Gateway creates a Site-to-Site VPN tunnel with the Headquarters Security Gateway.

  2. The Branch Security Gateway encrypts the traffic and sends the traffic directly to the Headquarters Security Gateway.

  3. The Headquarters Security Gateway decrypts the traffic.

  4. The Headquarters Security Gateway forwards the traffic to the Internet.

  5. The response arrives from the Internet to the Headquarters Security Gateway.

  6. The Headquarters Security Gateway inspects the traffic.

  7. The Headquarters Security Gateway encrypts the traffic and sends the traffic directly to the Branch Security Gateway.

  8. The Branch Security Gateway decrypts the traffic.

In the section Steering Candidates, configure the applicable settings:

  • All Relevant WAN Links

    The Security Gateway uses all available WAN Links.

  • Specific WAN Links

    The Security Gateway uses only the selected WAN Links.

  • Use the same settings for Branch to HQ connection

    Controls which WAN Links the Security Gateway uses to connect from a Branch office to the Headquarters ("All Relevant WAN Links" or "Specific WAN Links").

Routing Preference "Prioritize Local Breakout"

This connection type gives priority to the direct WAN Link (not through the Headquarters) to send all traffic directly to the Internet.

If all direct WAN Links to the Internet are down, the Security Gateway uses the direct WAN Link with encrypted traffic to the Headquarters to connect to the Internet.

Example:

  1. A branch Security Gateway with two ISPs.

  2. All traffic must go over a direct WAN Link to the Internet (denoted "ISP1" below).

  3. When the direct WAN Link to the Internet is down (denoted "ISP1" below), the Security Gateway connects to the Internet through the other WAN Link with encrypted traffic to the Headquarters (denoted "ISP2" below).

Example topology:

  • User ---> Branch Gateway ---> ISP1 ---> (Internet)

  • User ---> Branch Gateway ---> ISP2 ---> HQ Gateway ---> (Internet)

Special scenario:

To send one traffic type directly to the Internet, and send another traffic type to the Internet through the Headquarters, configure two Steering objects and two rules in the SD-WAN Policy (rule numbers below are only for convenience):

#

Name

Source

Destination

Services & Applications

Behavior

1

Connect through HQ

Select the applicable Source object(s)

Select the applicable Destination object(s)

Select a service or application

Select the applicable Steering object of type "Internet - Backhaul Only"

2

Connect directly

Select the applicable Source object(s)

Select the applicable Destination object(s)

Select a service or application

Select the applicable Steering object of type "Internet - Prioritize Local Breakout"

Example:

#

Name

Source

Destination

Services & Applications

Behavior

1

Connect through HQ

Internal_Network

SD-WAN Internet

Office365

Connect through Headquarters

2

Connect directly

Internal_Network

SD-WAN Internet

http

https

Connect Directly

  1. If at least one direct WAN Link to the Internet is up, the Security Gateway uses the "Local Breakout Only" connection:

    The Security Gateway sends the traffic directly to the Internet, based on the Services & Applications column of the SD-WAN Policy.

  2. If all direct WAN Links to the Internet are down, the Security Gateway uses the "Backhaul Only" connection:

    1. The Branch Security Gateway creates a Site-to-Site VPN tunnel with the Headquarters Security Gateway.

    2. The Branch Security Gateway encrypts the traffic and sends the traffic directly to the Headquarters Security Gateway.

    3. The Headquarters Security Gateway decrypts the traffic.

    4. The Headquarters Security Gateway forwards the traffic to the Internet.

    5. The response arrives from the Internet to the Headquarters Security Gateway.

    6. The Headquarters Security Gateway inspects the traffic.

    7. The Headquarters Security Gateway encrypts the traffic and sends the traffic directly to the Branch Security Gateway.

    8. The Branch Security Gateway decrypts the traffic.

Important:

  • Requirements for this connection type:

    1. In the Security Gateway object, enable the IPsec VPN Software Blade.

    2. Configure a Site-to-Site VPN tunnel between a Branch Security Gateway (that works as a Satellite VPN Gateway) and a Headquarters Security Gateway (that works as a Center VPN Gateway).

      Configure the applicable VPN Community of type Star. On the VPN Routing page, select To center or through the center to other satellites, to Internet and other VPN targets.

      This configuration is mandatory when working with Domain-Based VPN (see SD-WAN and Route-Based VPN).

      See the Site to Site VPN Administration Guide for your version.

  • Make sure the Access Control Policy and Threat Prevention Policy allow this traffic.

    See the:

  • If you did not to use the SD-WAN Wizard during the initial deployment, then you must configure the required settings manually.

    See Configuring Steering Behavior.

  • The IPsec VPN Software Blade on the Security Gateway makes the IKE negotiation routing decision, regardless the SD-WAN Policy rules.

  • Each VPN tunnel from one SD-WAN interface on the SD-WAN Security Gateway to an SD-WAN interface on a peer SD-WAN Security Gateway is a VPN transport. Each SD-WAN Security Gateway constantly sends ICMP Echo Requests over each VPN transport to each VPN peer to select the best path to reach the VPN peer. The Security Gateway selects a VPN path for each packet. This preserves VPN connectivity during a failover of an existing VPN connection between different VPN transports.

  • The routing preference "Prioritize Local Breakout" equals to having both "Local Breakout" and "Backhaul" enabled. "Backhaul" between two Security Gateways acts like "Overlay - VPN".

  • The packet loss configured in the Steering object is calculated based on the last 100 probes.

In the section Steering Candidates, configure the applicable settings:

  • All Relevant WAN Links

    The Security Gateway uses all available WAN Links.

  • Specific WAN Links

    The Security Gateway uses only the selected WAN Links.

  • Use the same settings for Branch to HQ connection

    Controls which WAN Links the Security Gateway uses to connect from a Branch office to the Headquarters ("All Relevant WAN Links" or "Specific WAN Links").