Adaptive Bandwidth Protection shapes traffic on the VPN transport using the link quality metrics collected by Dynamic Bandwidth and Latency Detection. Instead of a static bandwidth figure, the firewall shapes traffic against a continuously updated value that reflects the current state of the transport. Changes in the link metrics are applied to Adaptive Bandwidth Protection immediately. Traffic shaping uses an internal shaping tree for Traffic Intelligence that distinguishes only between no-delay (VoIP) traffic and standard traffic.
Before You Begin
Create a multi-transport VPN tunnel between two CloudGen Firewalls:
- Create a TINA site-to-site VPN tunnel. For more information, see How to Create a TINA VPN Tunnel between CloudGen Firewalls or How to Create a VPN Tunnel with the VPN GTI Editor.
- Add one or more additional transports to the VPN tunnel. For more information, see How to Add a VPN Transport to a TINA VPN Tunnel with Explicit Transport Selection or How to Configure Traffic Intelligence Using the VPN GTI Editor.
- Create access rules for each type of traffic going through the VPN tunnel. For more information, see How to Create Access Rules for Site-to-Site VPN Access.
- (Consolidated Shaping only) Set the QoS Profile and enable shaping for the physical interfaces used by the VPN traffic.
Step 1. Modify Default Shaping Tree
On both VPN endpoints, edit the Internet QoS band to use the STD virtual interface.
- Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
- Click Lock.
- Right click on the QoS profile and click Add new virtual Interface.
- Enter STD as the Virtual Interface.
- Click OK.
- Click on the QoS Band tab.
- Right click and select Add new QoS Band. The QoS Band window opens.
- Create the QoS Band for no-delay traffic:
- ID – Enter an unused ID, e.g., 14.
- Name – Enter NoDelay.
- Click OK. The QoS Band Rule window opens.
- Create the QoS band rule:
- Priority – Select NoDelay.
- Virtual Device – Select root.
- Click OK.
- Create the QoS Band:
- ID – Enter an unused ID.
- Name – Enter StandardTraffic.
- Click OK. The QoS Band Rule window opens.
- Create the QoS band rule:
- Priority – Select class1.
- Virtual Device – Select STD.
- Click OK.
- (optional) Add additional classes to the StandardTraffic QoS band.
- Click Send Changes and Activate.
The two QoS bands are now listed: NoDelay (VoIP) using the root interface and StandardTraffic using the STD virtual interface.
Step 2. Enable Dynamic Bandwidth and Latency Detection and TI Bandwidth Protection
On both VPN endpoints, edit the TINA site-to-site VPN tunnel to use the SDWAN QoS profile and enable Dynamic Bandwidth and Latency Detection.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > VPN Service > Site to Site VPN.
- Click Lock.
- Double-click the TINA VPN tunnel. The TINA Tunnel window opens.
- Click the TI - Bandwidth Protection tab.
- From the Dynamic Bandwidth Detection list, select the policy:
- Active Probing and Passive Monitoring
- Active Probing Only
- No Probing - use Estimated Bandwidth
- Estimated Bandwidth – Enter the estimated bandwidth of the transport.
- (optional) Select the Consolidated Shaping check box.
- Click OK.
- Click Send Changes and Activate.
After completing these changes, go to VPN > Site-to-Site. Right-click the transport and select Monitor Traffic.
Step 3. Set QoS Band for No-delay Traffic
Set the QoS band for all access rules matching VPN traffic that should be handled as no-delay traffic. No-delay traffic should not make up more than 30% of the total traffic.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > Firewall.
- Click Lock.
- Double-click the access rule matching the no-delay traffic.
- From the QoS Band (Fwd) list, select NoDelay (ID 14) created in step 1.
- From the QoS Band (Reply) list, select Like-Fwd.
- Click OK.
- Click Send Changes and Activate.
Step 4. Set QoS Band for Standard Traffic
All other VPN traffic is classified as standard traffic. Standard traffic can take up to 70% of the bandwidth.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > Firewall.
- Click Lock.
- Double-click the access rule matching the standard traffic.
- From the QoS Band (Fwd) list, select StandardTraffic (ID 15) created in step 1.
- From the QoS Band (Reply) list, select Like-Fwd.
- Click OK.
- Click Send Changes and Activate.
The firewall now protects the no-delay traffic and automatically adjusts shaping to the currently available bandwidth. Shaping down happens continuously as needed; shaping up is detected every couple of minutes. Go to the FIREWALL > Shaping page to see the built-in shaping tree used for the adaptive Traffic Intelligence features.
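The following Python model, added here as an illustration and not Barracuda's implementation, shows the behaviour described above: a two-band shaping tree (NoDelay on root, StandardTraffic on the STD virtual interface), a 30% no-delay share, shaping down as soon as a lower measurement arrives, and shaping up only once per interval. The 120-second shape-up interval, the kbps values and the measurement timeline are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

NODELAY_SHARE = 0.30        # no-delay traffic should not exceed 30% of the transport
SHAPE_UP_INTERVAL = 120.0   # seconds; assumption for "every couple of minutes"


@dataclass
class AdaptiveShaper:
    """Shaping bandwidth of one VPN transport, seeded with the Estimated Bandwidth."""
    bandwidth_kbps: float
    last_shape_up: float = 0.0   # time of the last upward adjustment

    def update(self, now: float, measured_kbps: float) -> float:
        """Apply a new link measurement: shape down immediately, shape up
        only if SHAPE_UP_INTERVAL has passed since the last upward step."""
        if measured_kbps < self.bandwidth_kbps:
            self.bandwidth_kbps = measured_kbps
        elif (measured_kbps > self.bandwidth_kbps
              and now - self.last_shape_up >= SHAPE_UP_INTERVAL):
            self.bandwidth_kbps = measured_kbps
            self.last_shape_up = now
        return self.bandwidth_kbps

    def allocate(self, nodelay_demand: float, standard_demand: float) -> Tuple[float, float]:
        """Split the current bandwidth between the NoDelay band (root) and the
        StandardTraffic band (STD). NoDelay is served first, capped at its share;
        standard traffic gets the remainder (work-conserving, an assumption),
        which is 70% when no-delay traffic saturates its share."""
        nodelay = min(nodelay_demand, self.bandwidth_kbps * NODELAY_SHARE)
        standard = min(standard_demand, self.bandwidth_kbps - nodelay)
        return nodelay, standard


def simulate(measurements: List[Tuple[float, float]], nodelay_demand: float,
             standard_demand: float, estimated_kbps: float) -> List[Tuple[float, float, float, float]]:
    """Feed time-ordered (seconds, measured kbps) samples through the shaper and
    return (time, shaping bandwidth, no-delay allocation, standard allocation)."""
    shaper = AdaptiveShaper(estimated_kbps)
    rows = []
    for t, measured in measurements:
        bw = shaper.update(t, measured)
        rows.append((t, bw) + shaper.allocate(nodelay_demand, standard_demand))
    return rows


if __name__ == "__main__":
    # Constructed timeline: link degrades at 30 s, recovers at 60 s, recovery is
    # only honoured at 150 s once the shape-up interval has elapsed.
    for row in simulate([(0, 10000), (30, 6000), (60, 9000), (150, 9000)], 2000, 9000, 10000):
        print("t=%4ds  bw=%5d  nodelay=%4d  standard=%4d" % row)
```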
Go to VPN > Site-to-Site and enable monitoring on the transport to see the effective bandwidth, drops, latency, and a stacked graph for no-delay and standard traffic. Note how the dark blue no-delay traffic is protected even through bandwidth changes.
- Example monitoring diagram for deteriorating bandwidth:
- Example monitoring diagram adjusting for more available bandwidth: