Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Performance-Based Transport Selection for VPN Tunnels with SD-WAN


Performance-Based Transport Selection selects the VPN transport offering the best latency (Round Trip Time) or bandwidth for the traffic matching the access rule. Only UDP transports with Dynamic Bandwidth and Round Trip Time Detection are supported. Performance-Based Transport Selection can route traffic using the following policies:

  • Optimize for Latency
  • Optimize for Outbound Bandwidth
  • Optimize for Inbound Bandwidth
  • Optimize for Combined Bandwidth


Before You Begin

Create a multi-transport VPN tunnel between two CloudGen Firewalls.

Step 1. Enable Dynamic Bandwidth and Latency Detection for Each Transport

On both VPN endpoints, edit all transports to enable Dynamic Bandwidth and Round Trip Time Detection.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN Service > Site-to-Site.
  2. Click Lock.
  3. Double-click the TINA VPN tunnel. The TINA Tunnel window opens.
  4. Click the SD-WAN - Bandwidth Protection tab.
  5. From the Dynamic Bandwidth Detection list, select the policy:
    • Active Probing and Passive Monitoring
    • Active Probing Only
    • No Probing - use Estimated Bandwidth
  6. Enter the Estimated Bandwidth.
  7. (optional) Select the Consolidated Shaping check box.
  8. Click OK.
  9. Click Send Changes and Activate.

After completing these changes, go to VPN > Site-to-Site. Right-click the transport and select Monitor Traffic. The Round Trip Time, drop rate, and traffic on the transport are now displayed in real time.


Step 2. Create a Custom Connection Object for the SD-WAN Primary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
  4. In the Name field, enter a name for the connection object.
  5. From the Translated Source IP list, select Original Source IP.
  6. To edit the VPN SD-WAN settings, click Edit/Show. The SD-WAN Settings window opens.
  7. Configure the Transport Policies:
    • Transport Selection Policy – Select the criteria to optimize for:
      • Optimize for Inbound Bandwidth
      • Optimize for Outbound Bandwidth
      • Optimize for Combined Bandwidth
      • Optimize for Latency
    • SD-WAN Learning Policy – Select Primary.
  8. Configure the Explicit Transport Selection as the fallback that is used when no transports with Dynamic Bandwidth and Round Trip Time Detection are available.
    • Primary Transport Class – Select the primary transport class.
    • Primary Transport ID – Select the ID for the primary transport.
    • Secondary Transport Class – Select the secondary transport class.
    • Secondary Transport ID – Select the ID for the secondary transport.
  9. Click OK.
  10. Click Send Changes and Activate.

Step 3. Create a Custom Connection Object for the SD-WAN Secondary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
  4. Enter a Name.
  5. From the Translated Source IP list, select Original Source IP.
  6. To edit the VPN SD-WAN settings, click Edit/Show. The SD-WAN Settings window opens.
  7. From the SD-WAN Learning Policy drop-down list, select Secondary.
  8. Click OK.
  9. Click Send Changes and Activate.

Step 4. Modify Access Rule on the Firewall Acting as SD-WAN Primary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks.
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks.
    • Connection Method – Select the connection object for the SD-WAN primary created in step 2.
  4. Click OK.
  5. Click Send Changes and Activate.

Step 5. Modify Access Rule on the Firewall Acting as SD-WAN Secondary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks.
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks.
    • Connection Method – Select the connection object for the SD-WAN secondary created in step 3.
  4. Click OK.
  5. Click Send Changes and Activate.

Traffic matching the access rule is now balanced according to the performance criteria selected in the SD-WAN settings of the connection object in the matching access rule. To find out which transport has the best bandwidth or Round Trip Time, go to the VPN > Site-to-Site page and compare the values in the Eff Bandwidth Down, Eff Bandwidth Up, or Latency columns for all transports configured in the connection object.

Go to the FIREWALL > Live page and, in the SD-WAN column of the traffic matching the access rule with the Performance-Based Transport Selection connection object, verify that the best transport is used. In this case, the Q0 transport is the primary transport, but the B0 transport offers the better bandwidth. Therefore, according to the Best Combined Bandwidth policy, traffic is sent through the B0 transport.
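The following is an added example, not Barracuda code and not the firewall's actual implementation: a small Python model of the selection decision described in the policy list above, in the Transport Selection Policy and Explicit Transport Selection settings of Step 2, and in the Q0/B0 verification case. It assumes transport classes named Quality, Bulk and Fallback with numeric IDs (forming names such as Q0 and B0), that only UDP transports with Dynamic Bandwidth and Round Trip Time Detection take part, and that the measured values correspond to the Latency, Eff Bandwidth Up and Eff Bandwidth Down columns. The sample measurements are constructed; the tie-breaking rule (first listed transport wins) is an assumption.

```python
# Added example (not Barracuda code): a model of Performance-Based Transport
# Selection. Class names, IDs and the tie-breaking rule are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Transport:
    transport_class: str                      # assumed: "Quality", "Bulk" or "Fallback"
    transport_id: int                         # combined with the class to form Q0, B0, ...
    protocol: str                             # "UDP" or "TCP"
    dynamic_detection: bool                   # Dynamic Bandwidth and Round Trip Time Detection
    is_up: bool = True
    latency_ms: Optional[float] = None        # "Latency" column on VPN > Site-to-Site
    eff_bw_up_kbps: Optional[float] = None    # "Eff Bandwidth Up" column
    eff_bw_down_kbps: Optional[float] = None  # "Eff Bandwidth Down" column

    @property
    def name(self) -> str:
        return f"{self.transport_class[0]}{self.transport_id}"


POLICIES = ("latency", "outbound", "inbound", "combined")


def is_measurable(t: Transport) -> bool:
    """Only UDP transports with dynamic detection and current measurements take part."""
    return (t.is_up and t.protocol == "UDP" and t.dynamic_detection
            and None not in (t.latency_ms, t.eff_bw_up_kbps, t.eff_bw_down_kbps))


def score(t: Transport, policy: str) -> float:
    """Higher is better for every policy, so latency is negated."""
    if policy == "latency":
        return -t.latency_ms
    if policy == "outbound":
        return t.eff_bw_up_kbps
    if policy == "inbound":
        return t.eff_bw_down_kbps
    if policy == "combined":
        return t.eff_bw_up_kbps + t.eff_bw_down_kbps
    raise ValueError(f"unknown policy {policy!r}; expected one of {POLICIES}")


def select_transport(transports: List[Transport], policy: str,
                     primary: Tuple[str, int], secondary: Tuple[str, int]
                     ) -> Tuple[Optional[str], str]:
    """Return (transport name, reason). Performance selection first, then the
    Explicit Transport Selection fallback (primary, then secondary class/ID)."""
    candidates = [t for t in transports if is_measurable(t)]
    if candidates:
        best = max(candidates, key=lambda t: score(t, policy))  # ties: first listed wins
        return best.name, "performance"
    for cls, tid in (primary, secondary):
        for t in transports:
            if t.is_up and (t.transport_class, t.transport_id) == (cls, tid):
                return t.name, "explicit-fallback"
    return None, "no-transport"


# Constructed sample: Q0 has the lower RTT, B0 the higher bandwidth.
SAMPLE = [
    Transport("Quality", 0, "UDP", True, latency_ms=18.0,
              eff_bw_up_kbps=45_000, eff_bw_down_kbps=48_000),
    Transport("Bulk", 0, "UDP", True, latency_ms=31.0,
              eff_bw_up_kbps=92_000, eff_bw_down_kbps=95_000),
]
# Constructed sample with detection disabled on both transports: fallback applies.
NO_PROBE_SAMPLE = [
    Transport("Quality", 0, "UDP", False),
    Transport("Bulk", 0, "UDP", False),
]
PRIMARY, SECONDARY = ("Quality", 0), ("Bulk", 0)


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "->", select_transport(SAMPLE, policy, PRIMARY, SECONDARY))
    print("no probing ->", select_transport(NO_PROBE_SAMPLE, "combined", PRIMARY, SECONDARY))
```

With the constructed sample, the combined, inbound and outbound policies pick B0 even though Q0 is the configured primary, which is the behaviour the Live page check above describes; the latency policy picks Q0. When no transport is measurable, the model falls back to the explicit primary and then secondary transport, which is why Step 2 asks for those values.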



Next Steps

Combine Performance-Based Transport Selection with Adaptive Bandwidth Protection.

For more information, see How to Configure Adaptive Bandwidth Protection for VPN Tunnels with SD-WAN.