We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
Accept
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda CloudGen Firewall
Overview Documentation Training Certification Materials

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Traffic Intelligence Using the VPN GTI Editor

  • Last updated on

Traffic Intelligence (TI) is a feature of the TINA VPN protocol that can be used in site-to-site VPN tunnels to send traffic via multiple transports simultaneously. Depending on the type of traffic, you can decide which transport route should be used and what kind of fallback should be provided if one of the transport routes goes down. You can use the GTI editor to add additional IPv4 and IPv6 transports to TINA VPN tunnels.

Step 1. Add a VPN transport to a VPN tunnel

  1. Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > VPN GTI Editor.
  2. Click Lock.
  3. Select the VPN Group in the Group tab. The VPN services and configured tunnels are displayed in the GTI editor map.
  4. Click on a VPN tunnel.
  5. Click on Add Transport. The TINA Tunnel window opens. 
  6. Configure the network settings for the transport. The peer IP addresses must be different for each transport. For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
  7. In the Tunnel Properties column configure:
    • TI Classification – Select Bulk, Quality or Fallback.
    • TI-ID – Select the Traffic Intelligence ID. Each TI Class/ID combination can only be used once per VPN tunnel. 
  8. Click OK.
  9. Click Send Changes and Activate.

The number of VPN transports for a VPN tunnel is now displayed in the GTI editor map. E.g., two transports: 2!!
gti_ti_01.png

Step 2.  Create Connection Objects to use VPN Transports

To choose a specific TI class and ID you must create connection objects. Connection objects can also contain information on fallback and failover transports. One of the VPN services is the master in for the VPN connection. You must configure one master and one slave for the VPN connection. For more information, see Traffic Intelligence.

  1. Create a new custom Connection Object object in the Forwarding Firewall service for each location. For more information, see How to Create a Custom Connection Object.
    In the NAT Settings, select Original Source IP. 
    gti_ti_02.png
  2. Click Edit/Show in the VPN Traffic Intelligence (TI) Settings section. The TI Settings window opens.
  3. Configure the TI Transport Selection:
    • Preferred Transport Class Select the transport class you configured for the VPN transport.
    • Preferred Transport ID – Select the transport ID you configured for the VPN transport.
    • TI Learning Policy – One VPN service is the master, the other the slave. The TI settings in the connection object of the master will override the TI settings of the slave.

    • Advanced TI Settings – Configure failover, backup transports, session balancing and priority levels of transports.

      Click here to for advanced TI Settings...
      SettingDescription
      Preferred Transport Class |
      Preferred Transport ID

      Select a transport class and transport ID for the preferred VPN transport.

      If the preferred VPN transport goes down, the session is switched seamlessly to the backup VPN transport specified by the Second Try Transport Class and Second Try Transport ID settings.

      Second Try Transport Class |
      Second Try Transport ID

      Select a transport class and transport ID for the backup VPN transport.

      The backup VPN transport is used when the preferred VPN transport goes down.

      Balance SessionsSpecifies how many transports and/or which transports are used to balance the session.
      Further Tries Transport Selection Policy

      Specifies which transports should be used if the backup VPN transport fails. You can select of the following predefined policies:

      • First try Cheaper then try Expensive
      • Only Cheaper
      • Only Expensive

      • Stay on transport (no further tries)

        Depending on the available VPN transports, you can define more than one backup path.

      TI Learning PolicyThe TI Learning Policy setting is required because the traffic selection of VPN transport assignment is done by a matching firewall rule of the Firewall service. Because a firewall is required for each end of the site-to-site tunnel, different settings can be configured for the preferred VPN transport at each site. To prevent this, define one site as the master site that synchronizes its TI Transport Selection settings with those of its partner site.
      Allow Bulk Transports |
      Allow Quality Transports |
      Allow Fallback Transports      		To limit the classes that can be used for a backup path when you enable the Further Tries Transport Selection Policy setting, select or clear these check boxes.
      When using BULK Transports
      		The priority level for the Bulk transport class. This setting only applies to bandwidth protected VPNs.
      When using QUALITY TransportsThe priority level for the Quality transport class. This setting only applies to bandwidth protected VPNs.
  4. Click OK.
  5. Click OK.

Make sure you are using the connection objects on both NextGen F-Series Firewalls.

Step 3. Assign access rules to use the Traffic Intelligence connection objects

You must modify access rules which allow traffic to enter and exit the VPN tunnel to use the custom connection objects created in Step 2.

Monitoring

Each VPN transport is listed on the VPN > Site-to-Site and VPN > Status pages when logged directly in to the NextGen Firewall F-Series.

gti_ti_04.png

Verify the intended traffic is using the intended transport by checking the TI ID column in Firewall > Liveand Firewall > History.

gti_ti_03.png

Last updated on
Previous Article Next Article