SD-WAN Connection (Steering Behavior) Types

SD-WAN supports different connection (Steering Behavior) types to steer traffic from internal networks behind the Branch Security Gateway to the Internet or the Security Gateway at Headquarters.

Comparison of SD-WAN Connection (Steering Behavior) Types

The comparison lists, for each Steering Behavior: its Use Case and Example, followed by the Requirements on the Security Gateway.

Steering Behavior: SD-WAN Connection Type - "Internet" - with Routing Preference "Local Breakout Only"

Use Case and Example:

This connection type represents a direct WAN Link to the Internet.

Example:

  1. A Security Gateway with two ISPs.

  2. The Zoom application traffic must go over an ISP Link with lower latency.

  3. The backup transfer traffic must go over an ISP Link with higher latency.

Requirements on the Security Gateway:

  • Application Control Software Blade.

  • URL Filtering Software Blade.

Steering Behavior: SD-WAN Connection Type - "Internet" - with Routing Preference "Backhaul Only"

Use Case and Example:

This connection type sends traffic from VPN spoke sites to the Internet through the central VPN hub site.

This connection type enables the VPN spoke site to use the Public lines / Private lines to reach the Internet through the Headquarters.

Example:

  1. A branch Security Gateway with two ISPs.

  2. Regular web traffic must go over a direct WAN Link to the Internet.

  3. Email traffic must go through the Headquarters Security Gateway for deep inspection.

Example topology:

  • User ---> Branch Gateway ---> ISP1 ---> (Internet)

  • User ---> Branch Gateway ---> ISP2 ---> HQ Gateway ---> (Internet)

Requirements on the Security Gateway:

  • Application Control Software Blade.

  • URL Filtering Software Blade.

  • Site-to-Site VPN between the Branch Security Gateway and the Headquarters Security Gateway.

Steering Behavior: SD-WAN Connection Type - "Internet" - with Routing Preference "Prioritize Local Breakout"

Use Case and Example:

This connection type gives priority to the direct WAN Link (not through the Headquarters) to send all traffic directly to the Internet.

If all direct WAN Links to the Internet are down, the Security Gateway uses the direct WAN Link with encrypted traffic to the Headquarters to connect to the Internet.

Example:

  1. A branch Security Gateway with two ISPs.

  2. All traffic must go over a direct WAN Link to the Internet (denoted "ISP1" below).

  3. When the direct WAN Link to the Internet (denoted "ISP1" below) is down, the Security Gateway connects to the Internet through the other WAN Link, which carries encrypted traffic to the Headquarters (denoted "ISP2" below).

Example topology:

  • User ---> Branch Gateway ---> ISP1 ---> (Internet)

  • User ---> Branch Gateway ---> ISP2 ---> HQ Gateway ---> (Internet)

Requirements on the Security Gateway:

  • Application Control Software Blade.

  • URL Filtering Software Blade.

  • Site-to-Site VPN between the Branch Security Gateway and the Headquarters Security Gateway.

Steering Behavior: SD-WAN Connection Type - "Overlay - VPN"

Use Case and Example:

This connection type represents a direct WAN Link with encrypted traffic to the Headquarters.

The direct WAN Link with encrypted traffic to the Headquarters provides redundancy.

Example:

  1. A branch Security Gateway with two ISPs.

  2. A Remote Desktop server is installed on an internal network behind the Headquarters Security Gateway.

  3. A connection from an internal network behind a branch Security Gateway to the Remote Desktop server must go over a direct WAN Link (denoted "ISP1" below) as long as its latency is low.

  4. When the latency of the direct WAN Link becomes greater than the latency of the direct private MPLS Link, the Remote Desktop connection must go over the direct private MPLS Link.

Example topology:

  • User ---> Branch Gateway ---> ISP1 ---> (Internet) ---> ISP2 ---> HQ Gateway ---> Remote Desktop

  • User ---> Branch Gateway ---> MPLS ---> HQ Gateway ---> Remote Desktop

Requirements on the Security Gateway:

  • Application Control Software Blade.

  • URL Filtering Software Blade.

  • Site-to-Site VPN between the Branch Security Gateway and the Headquarters Security Gateway.