SD-WAN Connection Type - "Overlay - VPN"

This connection type represents a direct WAN Link that carries encrypted (Site-to-Site VPN) traffic to the Headquarters.

Used next to another path to the Headquarters (for example, a direct private MPLS Link), the encrypted direct WAN Link provides redundancy.

Diagram for "Overlay - VPN"

Use Case and Example for "Overlay - VPN"

Branch offices with a direct WAN Link to the Internet and with a direct WAN Link to the Headquarters.

Branch offices must connect to a server behind the Headquarters Security Gateway.

Example:

  1. A branch Security Gateway with two ISPs.

  2. A Remote Desktop server is installed on an internal network behind the Headquarters Security Gateway.

  3. A connection from an internal network behind a branch Security Gateway to the Remote Desktop server must go over the direct WAN Link (denoted "ISP1" below) while the latency of that link is low.

  4. When the latency of the direct WAN Link becomes greater than the latency of the direct private MPLS Link, the Remote Desktop connection must go over the direct private MPLS Link.

Example topology:

  • User ---> Branch Gateway ---> ISP1 ---> (Internet) ---> ISP2 ---> HQ Gateway ---> Remote Desktop

  • User ---> Branch Gateway ---> MPLS ---> HQ Gateway ---> Remote Desktop

Example of an SD-WAN Policy rule:

Traffic that uses the "Remote Desktop Control" services between an RDP Client behind the Branch Security Gateway and an RDP Server behind the Headquarters Security Gateway must go over the VPN tunnel.

The Branch Security Gateway sends this traffic over the VPN tunnel only if the Access Control Policy allows the traffic.

  Name: Overlay

  Source: <Name of a Client Object>, <Name of a Server Object>

  Destination: <Name of a Client Object>, <Name of a Server Object>

  Services & Applications: Remote Desktop Control

  Behavior: Select the applicable Steering object of type "Overlay - VPN"

  Enforcement: <Applicable Profile>

Important Notes for "Overlay - VPN"

Important:

  • Requirements for this connection type:

    1. In SmartConsole > Menu > Manage policies and layers > Layers page > Access Control page > edit the applicable Layer in your policy > General page > Blades section > select Application & URL Filtering.

    2. In the Security Gateway object, enable these Software Blades:

      1. Application Control

      2. URL Filtering

      3. IPsec VPN

    3. Configure a Site-to-Site VPN tunnel between a Branch Security Gateway (that works as a Satellite VPN Gateway) and a Headquarters Security Gateway (that works as a Center VPN Gateway).

      Configure the applicable VPN Community of type Star.

      On the VPN Routing page, select To center only or To center and to other satellites through center.

      See the Site to Site VPN Administration Guide for your version.

  • Make sure the Access Control Policy and Threat Prevention Policy allow the "Overlay - VPN" traffic between the VPN Gateways.

    • The Access Control Policy must allow the ICMP probing (echo-requests) between the VPN Gateways.

      The applicable rule must be above the "Stealth" rule.

      If needed, in the VPN column of this rule, select only the required VPN Community.

    • The Access Control Policy must allow the ICMP probing (echo-requests) to be encrypted between the VPN Gateways:

      1. Click Menu > Global properties > click Firewall > select Accept ICMP requests and, in the drop-down menu, select any option except First > click OK.

        This makes sure that the ICMP probing traffic matches an explicit Access Control rule, and not the implied rule, so that it can be encrypted.

      2. Edit the applicable VPN Community object > click Excluded Services > make sure "icmp-proto" and "echo-requests" are not excluded from encryption.

      3. Edit the object of each VPN Gateway > click Network Management > click VPN Domain > clear the checkbox Exclude gateway’s external IP addresses from the VPN Domain > click OK.

      4. Make sure the applicable crypt.def file on the Management Server does not exclude "echo-requests" from encryption between the VPN Gateways.

    See the:

  • If you did not use the SD-WAN Wizard during the initial deployment:

    • You must configure the required settings manually.

      See Configuring Steering Behavior.

    • For this connection type, you must configure a "Clean Up" rule in the SD-WAN Policy in Infinity Portal (as the last rule) to catch all the overlay traffic, including the ICMP probing.

      The SD-WAN Wizard creates this rule automatically.

      You can add more overlay network objects in the Destination column.

      Rule 1:

        Name: Any-VPN

        Source: Any

        Destination: Private Networks

        Services & Applications: Any

        Behavior: Select the applicable Steering object of type "Overlay - VPN"

        Enforcement: <Applicable Profile>

      Rule 2:

        Name: Any-VPN

        Source: Any

        Destination: Public Networks

        Services & Applications: Any

        Behavior: Select the applicable Steering object of type "Internet - Backhaul Only"

        Enforcement: <Applicable Profile>

  • The IPsec VPN Software Blade on the Security Gateway makes the routing decision for the IKE negotiation, regardless of the SD-WAN Policy rules.

  • Each VPN tunnel from one SD-WAN interface on the SD-WAN Security Gateway to an SD-WAN interface on a peer SD-WAN Security Gateway is a VPN transport.

    Each SD-WAN Security Gateway constantly sends ICMP Echo Requests over each VPN transport to each VPN peer to select the best path to reach the VPN peer.

    The Security Gateway selects a VPN path for each packet.

    This preserves VPN connectivity during a failover of an existing VPN connection between different VPN transports.
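The requirements above for the ICMP probing (an explicit Accept rule above the "Stealth" rule, "Accept ICMP requests" not set to First, the probe services not excluded from encryption, and the gateways' external IP addresses inside the VPN Domain) are easy to get wrong one at a time. The checker below is an added example, not Check Point code and not the Management API: it runs over a constructed, simplified view of the policy (the ordered rule list of one layer, the Global Properties setting, the VPN Community's Excluded Services, and the VPN Domain flag of each gateway object). All field names, rule names, object names and values are assumptions made up for illustration; map them to your own export (for example from "mgmt_cli show access-rulebase") before relying on the result. The crypt.def check is not covered.

```python
"""Added example (not Check Point code): checks the Access Control settings
that ICMP probing over "Overlay - VPN" depends on, over a constructed,
simplified policy model. All names and values are assumptions."""
from typing import Optional

STEALTH_RULE = "Stealth"
# Service names as this page uses them; a rule with service "Any" covers them too.
PROBE_SERVICES = {"echo-request", "icmp-proto"}


def covers(column, objects) -> bool:
    """True if a rule column is Any or contains every named object."""
    return "Any" in column or set(objects) <= set(column)


def find_rule(rules, name) -> Optional[int]:
    for i, rule in enumerate(rules):
        if rule["name"] == name:
            return i
    return None


def find_probe_rule(rules, gateways) -> Optional[int]:
    """Index of the first enabled Accept rule that matches echo-requests
    in both directions between the VPN Gateways, or None."""
    for i, rule in enumerate(rules):
        if not rule.get("enabled", True) or rule["action"] != "Accept":
            continue
        services = set(rule["services"])
        if "Any" not in services and not services & PROBE_SERVICES:
            continue
        if covers(rule["source"], gateways) and covers(rule["destination"], gateways):
            return i
    return None


def check_probe_policy(rules, gateways, implied_icmp, community, gateway_objects):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    probe = find_probe_rule(rules, gateways)
    stealth = find_rule(rules, STEALTH_RULE)
    if probe is None:
        findings.append("no explicit Accept rule for echo-request between the VPN Gateways")
    elif stealth is not None and probe > stealth:
        findings.append(f"rule '{rules[probe]['name']}' is below the Stealth rule")
    # Page requirement: any option except First, so the explicit rule matches first.
    if implied_icmp == "First":
        findings.append("Global Properties 'Accept ICMP requests' is set to First")
    excluded = PROBE_SERVICES & set(community.get("excluded_services", []))
    if excluded:
        findings.append(f"VPN Community excludes {sorted(excluded)} from encryption")
    for gw in gateways:
        if gateway_objects[gw].get("exclude_external_ip_from_vpn_domain", False):
            findings.append(f"{gw}: external IP addresses are excluded from the VPN Domain")
    return findings


# Constructed sample policies (all names and settings are made up).
GATEWAYS = ["Branch-GW", "HQ-GW"]
PROBE_RULE = {"name": "VPN probes", "enabled": True, "source": GATEWAYS,
              "destination": GATEWAYS, "services": ["echo-request"],
              "vpn": "SDWAN-Star", "action": "Accept"}
STEALTH = {"name": "Stealth", "enabled": True, "source": ["Any"],
           "destination": GATEWAYS, "services": ["Any"], "vpn": "Any", "action": "Drop"}
CLEANUP = {"name": "Cleanup", "enabled": True, "source": ["Any"],
           "destination": ["Any"], "services": ["Any"], "vpn": "Any", "action": "Drop"}

GOOD_POLICY = dict(
    rules=[PROBE_RULE, STEALTH, CLEANUP], gateways=GATEWAYS, implied_icmp="Before Last",
    community={"name": "SDWAN-Star", "excluded_services": []},
    gateway_objects={gw: {"exclude_external_ip_from_vpn_domain": False} for gw in GATEWAYS})
BAD_POLICY = dict(
    rules=[STEALTH, PROBE_RULE, CLEANUP], gateways=GATEWAYS, implied_icmp="First",
    community={"name": "SDWAN-Star", "excluded_services": ["echo-request"]},
    gateway_objects={"Branch-GW": {"exclude_external_ip_from_vpn_domain": True},
                     "HQ-GW": {"exclude_external_ip_from_vpn_domain": False}})

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, check_probe_policy(**policy) or "OK")
```

The probe rule is found by the rule's effect (Accept, the probe service or Any, both gateways on both sides) rather than by its name, so a renamed rule still counts; the "Stealth" rule, by contrast, is located by name because that is how the page refers to it.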
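The use case earlier on this page (Remote Desktop over ISP1 while its latency is low, over MPLS once ISP1 becomes slower), the first-match SD-WAN Policy with its Clean Up rule, and the note above that each gateway probes every VPN transport with ICMP Echo Requests and selects a path per packet, are modelled together in the added example below. It is not Check Point code: the rule and transport names, subnets, probe RTT values and the selection rule ("lowest average probe latency, a tie keeps the earlier candidate, a transport without probe replies is skipped") are assumptions made up for illustration. The model also reflects that steering applies only to traffic the Access Control Policy has already allowed.

```python
"""Added example (not Check Point code): a minimal model of SD-WAN overlay
steering. Names, subnets, RTT values and the selection rule are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Transport:
    """One VPN transport: an SD-WAN interface on the branch to the HQ peer."""
    name: str
    rtts_ms: list = field(default_factory=list)   # recent ICMP Echo RTTs

    def latency(self) -> Optional[float]:
        """Average probe RTT, or None when no probe reply (transport down)."""
        if not self.rtts_ms:
            return None
        return sum(self.rtts_ms) / len(self.rtts_ms)


@dataclass
class Rule:
    name: str
    sources: list          # ip_network objects
    destinations: list
    services: set          # {"Any"} or explicit service names
    steering: str          # "Overlay - VPN" or "Internet - Backhaul Only"
    candidates: list       # transport names in preference order; [] = all links

    def matches(self, src, dst, service) -> bool:
        return (any(src in n for n in self.sources)
                and any(dst in n for n in self.destinations)
                and ("Any" in self.services or service in self.services))


def first_match(rules, src, dst, service) -> Optional[Rule]:
    """SD-WAN Policy is first-match, which is why the Clean Up rule goes last."""
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule
    return None


def select_transport(rule, transports) -> Optional[str]:
    """Lowest probe latency wins; a transport without replies is skipped
    (failover); a tie keeps the earlier candidate, so ISP1 is used while it
    is no slower than MPLS."""
    by_name = {t.name: t for t in transports}
    names = rule.candidates or list(by_name)
    best = None
    for name in names:
        transport = by_name.get(name)
        lat = transport.latency() if transport else None
        if lat is None:
            continue
        if best is None or lat < best[1]:
            best = (name, lat)
    return best[0] if best else None


def steer(rules, transports, src, dst, service, acl_allows=True) -> Optional[str]:
    """Transport for one packet, or None if it is not steered into the overlay."""
    if not acl_allows:               # Access Control Policy is evaluated first
        return None
    rule = first_match(rules, ip_address(src), ip_address(dst), service)
    if rule is None or rule.steering != "Overlay - VPN":
        return None
    return select_transport(rule, transports)


# Constructed policy: the RDP rule first, the Clean Up rules last. The second
# Clean Up rule uses "any destination" to stand in for "Public Networks".
BRANCH = ip_network("10.10.0.0/16")
HQ = ip_network("10.20.0.0/16")
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")
RULES = [
    Rule("Overlay", [BRANCH, HQ], [BRANCH, HQ], {"Remote Desktop Control"},
         "Overlay - VPN", ["ISP1", "MPLS"]),
    Rule("Any-VPN", [ANY], PRIVATE, {"Any"}, "Overlay - VPN", []),
    Rule("Any-VPN", [ANY], [ANY], {"Any"}, "Internet - Backhaul Only", []),
]

if __name__ == "__main__":
    isp1, mpls = Transport("ISP1", [12.0, 14.0]), Transport("MPLS", [20.0, 21.0])
    rdp = ("10.10.1.5", "10.20.5.10", "Remote Desktop Control")
    print(steer(RULES, [isp1, mpls], *rdp))          # ISP1 while it is faster
    isp1.rtts_ms = [80.0, 95.0]                       # ISP1 degraded past MPLS
    print(steer(RULES, [isp1, mpls], *rdp))          # MPLS
```

Because the choice is made per packet from the latest probe results, a transport that stops answering probes simply drops out of the candidate list on the next packet, which is the failover behaviour the note above describes.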

Traffic Flow in "Overlay - VPN"

  1. The Branch Security Gateway creates a Site-to-Site VPN tunnel with the Headquarters Security Gateway.

  2. The Branch Security Gateway encrypts the traffic and sends the traffic directly to the Headquarters Security Gateway.

  3. The Headquarters Security Gateway decrypts the traffic.

  4. The Headquarters Security Gateway forwards the traffic to the destination server on the internal network.

  5. The response arrives from the internal server to the Headquarters Security Gateway.

  6. The Headquarters Security Gateway inspects the traffic.

  7. The Headquarters Security Gateway encrypts the traffic and sends the traffic directly to the Branch Security Gateway.

  8. The Branch Security Gateway decrypts the traffic.

Note - By default, the Branch Security Gateway uses all SD-WAN interfaces to create VPN tunnels to the peer Security Gateways. That is, if the Branch Security Gateway has two SD-WAN interfaces, it uses both of them to send and receive traffic.

Configuring Steering Candidates in "Overlay - VPN"

In the section Steering Candidates, configure the applicable settings:

  • All Relevant WAN Links - To use all available WAN Links.

  • Specific WAN Links - To use only the selected WAN Links.