How to Configure Dynamic Bandwidth Protection for VPN Tunnels with SD-WAN

Dynamic Bandwidth Protection is used to effectively shape traffic on the VPN transport by using the link quality metrics collected by Dynamic Bandwidth and Latency (Round Trip Time) Detection. This allows the firewall to always shape traffic using, instead of a static number as the bandwidth, a consistently, dynamically updated value that reflects the current state of the transport. Changing link metrics are immediately applied to Dynamic Bandwidth Detection. Traffic shaping uses an internal traffic shaping tree for SD-WAN, distinguishing only between no-delay (Realtime) and standard traffic.

Before You Begin

Create a multi-transport VPN tunnel between two CloudGen Firewalls:

• Create a TINA site-to-site VPN tunnel. For more information, see How to Create a TINA VPN Tunnel between CloudGen Firewalls or How to Create a VPN Tunnel with the VPN GTI Editor.
• Add one or more additional transports to the VPN tunnel. For more information, see How to Add a VPN Transport to a TINA VPN Tunnel with Explicit Transport Selection or How to Configure SD-WAN Using the VPN GTI Editor.
• Create access rules for each type of traffic going through the VPN tunnel. For more information, see How to Create Access Rules for Site-to-Site VPN Access.
• (Consolidated Shaping only) Set the QoS profile and enable shaping for the physical interfaces used by the VPN traffic.

Step 1. Modify Default Shaping Tree

On both VPN endpoints, edit the Internet QoS band to use the STD virtual interface.

1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
2. Click Lock.
3. Right click on the QoS profile and click Add new virtual Interface.

4. Enter STD as the Virtual Interface.

   All other settings of this virtual interface are handled by the SD-WAN features.

   

5. Click OK. 
6. Click on the QoS Band tab.
7. Right-click and select Add new QoS Band. The QoS Band window opens.
8. Create the QoS Band for no-delay traffic :
   
   • ID – Enter an unused ID. E.g., 14
   • Name – Enter NoDelay.
   
9. Click OK. The QoS Band Rule window opens.
10. Create the QoS band rule:
    • Priority – Select NoDelay.
    • Virtual Device – Select root. 
    
11. Click OK.
12. Create the QoS band:
    
    • ID – Enter an unused ID.
    • Name – Enter StandardTraffic.
    
13. Click OK.  The QoS Band Rule window opens.
14. Create the QoS band rule:
    • Priority – Select class1.
    • Virtual Device – Select STD.
      
    
15. Click OK.
16. (optional) add additional classes to the Standard Traffic QoS band.
17. Click Send Changes and Activate.

The two QoS band are now listed - NoDelay using the root interface and StandardTraffic using the STD virtual interface.

Step 2. Enable Dynamic Bandwidth and Latency Detection and SD-WAN Bandwidth Protection

On both VPN endpoints, edit the TINA site-to-site VPN tunnel to use the SD-WAN QoS profile and enable Dynamic Bandwidth and Round Trip Time Detection.

1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Site to Site VPN.
2. Click Lock.
3. Double-click the TINA VPN tansport. The TINA Tunnel Transport window opens.
4. Click the SD-WAN - Bandwidth Protection tab.
5. From the Dynamic Bandwidth Detection list, select the policy:
   • Active Probing and Passive Monitoring
   • Active Probing Only
   • No Probing - use Estimated Bandwidth
6. Enter the Estimated Bandwidth bandwidth.
7. (optional) From the Bandwidth Policy list, select Consolidated Shaping and select the Assigned QoS Profile. For more information, see TINA Tunnel Settings.
   
8. Click OK.
9. Click Send Changes and Activate.

After completing these changes, go to VPN > Site-to-Site. Right-click the transport and select Monitor Traffic.

Step 3. Set QoS Band for No-Delay Traffic

Set the QoS band for all access rules matching VPN traffic that should be handled as no-delay traffic. No-delay traffic should not make up more than 30% of total traffic.

1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall.
2. Click Lock.
3. Double-click the access rule matching the no-delay traffic.
4. From the QoS Band (Fwd) list, select NoDelay (ID 14) created in Step 1.
5. From the QoS Band (Reply) list, select Like-Fwd.
   
6. Click OK.
7. Click Send Changes and Activate.

Step 4. Set QoS Band for Standard Traffic

All other VPN traffic is classified as standard traffic. Standard traffic can take up to 70% of the bandwidth.

1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall.
2. Click Lock.
3. Double-click the access rule matching the standard traffic.
4. From the QoS Band (Fwd) list, select StandardTraffic (ID 15) created in Step 1.
5. From the QoS Band (Reply) list, select Like-Fwd.
   
6. Click OK.
7. Click Send Changes and Activate.

The firewall now protects the no-delay traffic and automatically adjusts shaping to the currently available bandwidth. Shaping down happens continuously as needed; shaping up is detected every couple of minutes. Go to the FIREWALL > Shaping page to see the built-in shaping tree used for the adaptive SD-WAN features.

Go to VPN > Site-to-Site and enable monitoring on the transport to see the effective bandwidth, drops, Round Trip Time, and a stacked graph for no-delay and standard traffic. Note how the dark blue no-delay traffic is protected even through bandwidth changes.

• Example monitoring diagram for deteriorating bandwidth:
  
• Example monitoring diagram adjusting for more available bandwidth: