Traffic Intelligence (TI) is a feature of the TINA VPN protocol that can be used in site-to-site VPN tunnels to send traffic via multiple transports simultaneously. Depending on the type of traffic, you can decide which transport route should be used and what kind of fallback should be provided if one of the transport routes goes down. You can use the GTI editor to add additional IPv4 and IPv6 transports to TINA VPN tunnels.
Step 1. Add a VPN transport to a VPN tunnel
- Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > VPN GTI Editor.
- Click Lock.
- Select the VPN Group in the Group tab. The VPN services and configured tunnels are displayed in the GTI editor map.
- Click on a VPN tunnel.
- Click on Add Transport. The TINA Tunnel window opens.
- Configure the network settings for the transport. The peer IP addresses must be different for each transport. For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
- In the Tunnel Properties column configure:
- TI Classification – Select Bulk, Quality or Fallback.
- TI-ID – Select the Traffic Intelligence ID. Each TI Class/ID combination can only be used once per VPN tunnel.
- Click OK.
- Click Send Changes and Activate.
The number of VPN transports for a VPN tunnel is now displayed in the GTI editor map. E.g., two transports: 2!!
Step 2. Create Connection Objects to use VPN Transports
To choose a specific TI class and ID you must create connection objects. Connection objects can also contain information on fallback and failover transports. One of the VPN services is the master in for the VPN connection. You must configure one master and one slave for the VPN connection. For more information, see Traffic Intelligence.
- Create a new custom Connection Object object in the Forwarding Firewall service for each location. For more information, see How to Create a Custom Connection Object.
In the NAT Settings, select Original Source IP.
- Click Edit/Show in the VPN Traffic Intelligence (TI) Settings section. The TI Settings window opens.
- Configure the TI Transport Selection:
- Preferred Transport Class – Select the transport class you configured for the VPN transport.
- Preferred Transport ID – Select the transport ID you configured for the VPN transport.
- TI Learning Policy – One VPN service is the master, the other the slave. The TI settings in the connection object of the master will override the TI settings of the slave.
Advanced TI Settings – Configure failover, backup transports, session balancing and priority levels of transports.
Setting Description Preferred Transport Class |
Preferred Transport ID
Select a transport class and transport ID for the preferred VPN transport.
Second Try Transport Class |
Second Try Transport ID
Select a transport class and transport ID for the backup VPN transport.
Balance Sessions Specifies how many transports and/or which transports are used to balance the session. Further Tries Transport Selection Policy
Specifies which transports should be used if the backup VPN transport fails. You can select of the following predefined policies:
- First try Cheaper then try Expensive
- Only Cheaper
- Only Expensive
Stay on transport (no further tries)
TI Learning Policy The TI Learning Policy setting is required because the traffic selection of VPN transport assignment is done by a matching firewall rule of the Firewall service. Because a firewall is required for each end of the site-to-site tunnel, different settings can be configured for the preferred VPN transport at each site. To prevent this, define one site as the master site that synchronizes its TI Transport Selection settings with those of its partner site. Allow Bulk Transports |
Allow Quality Transports |
Allow Fallback Transports
To limit the classes that can be used for a backup path when you enable the Further Tries Transport Selection Policy setting, select or clear these check boxes. When using BULK Transports The priority level for the Bulk transport class. This setting only applies to bandwidth protected VPNs. When using QUALITY Transports The priority level for the Quality transport class. This setting only applies to bandwidth protected VPNs.
- Click OK.
- Click OK.
Make sure you are using the connection objects on both NextGen F-Series Firewalls.
Step 3. Assign access rules to use the Traffic Intelligence connection objects
You must modify access rules which allow traffic to enter and exit the VPN tunnel to use the custom connection objects created in Step 2.
Each VPN transport is listed on the VPN > Site-to-Site and VPN > Status pages when logged directly in to the NextGen Firewall F-Series.