Barracuda NextGen Firewall F

How to Configure Adaptive Bandwidth Protection for VPN Tunnels with Traffic Intelligence


Adaptive Bandwidth Protection shapes traffic on the VPN transport using the link quality metrics collected by Dynamic Bandwidth and Latency Detection. Instead of a static bandwidth number, the firewall always shapes traffic with a consistently and dynamically updated value that reflects the current state of the transport. Changing link metrics are immediately applied to Adaptive Bandwidth Detection. Traffic shaping uses an internal traffic shaping tree for Traffic Intelligence that distinguishes only between no-delay (VoIP) and standard traffic.

Before You Begin

Create a multi-transport VPN tunnel between two F-Series Firewalls:

Step 1. Modify Default Shaping Tree

On both VPN endpoints, edit the Internet QoS band to use the STD virtual interface.

  1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
  2. Click Lock.
  3. Right-click the QoS profile and click Add new virtual Interface.
  4. Enter STD as the Virtual Interface.

    All other settings of this virtual interface are handled by the SD-WAN Traffic Intelligence features.

  5. Click OK.
  6. Click on the QoS Band tab.
  7. Right-click and select Add new QoS Band. The QoS Band window opens.
  8. Configure the QoS Band for no-delay traffic:
    • ID – Enter an unused ID, for example, 14.
    • Name – Enter NoDelay.
  9. Click OK. The QoS Band Rule window opens.
  10. Configure the QoS band rule:
    • Priority – Select NoDelay.
    • Virtual Device – Select root.
  11. Click OK.
  12. Configure the QoS Band for standard traffic:
    • ID – Enter an unused ID.
    • Name – Enter StandardTraffic.
  13. Click OK. The QoS Band Rule window opens.
  14. Configure the QoS band rule:
    • Priority – Select class1.
    • Virtual Device – Select STD.
  15. Click OK.
  16. (Optional) Add additional classes to the StandardTraffic QoS band.
  17. Click Send Changes and Activate.

The two QoS bands are now listed: VoIP using the root interface and StandardTraffic using the STD virtual interface.

Step 2. Enable Dynamic Bandwidth and Latency Detection and TI Bandwidth Protection

On both VPN endpoints, edit the TINA site-to-site VPN tunnel to use the SDWAN QoS profile and enable Dynamic Bandwidth and Latency Detection.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > VPN Service > Site to Site VPN.
  2. Click Lock.
  3. Double-click the TINA VPN tunnel. The TINA Tunnel window opens.
  4. Click the TI - Bandwidth Protection tab.
  5. From the Dynamic Bandwidth Detection list, select the policy:
    • Active Probing and Passive Monitoring
    • Active Probing Only
    • No Probing - use Estimated Bandwidth
  6. Enter the Estimated Bandwidth.
  7. (Optional) Select the Consolidated Shaping check box.

  8. Click OK.
  9. Click Send Changes and Activate.

After completing these changes, go to VPN > Site-to-Site. Right-click the transport and select Monitor Traffic.

Step 3. Set QoS Band for No-delay Traffic

Set the QoS band for all access rules matching VPN traffic that should be handled as no-delay traffic. No-delay traffic should not make up more than 30% of total traffic.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > Firewall.
  2. Click Lock.
  3. Double-click the access rule matching the no-delay traffic.
  4. From the QoS Band (Fwd) list, select NoDelay (ID 14) created in Step 1.
  5. From the QoS Band (Reply) list, select Like-Fwd.
  6. Click OK.
  7. Click Send Changes and Activate.

Step 4. Set QoS Band for Standard Traffic

All other VPN traffic is classified as standard traffic. Standard traffic can take up to 70% of the bandwidth.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > Firewall.
  2. Click Lock.
  3. Double-click the access rule matching the standard traffic.
  4. From the QoS Band (Fwd) list, select StandardTraffic (ID 15) created in Step 1.
  5. From the QoS Band (Reply) list, select Like-Fwd.
  6. Click OK.
  7. Click Send Changes and Activate.

The firewall now protects the no-delay traffic and automatically adjusts shaping to the currently available bandwidth. Shaping down happens continuously as needed; shaping up is detected every couple of minutes. Go to the FIREWALL > Shaping page to see the built-in shaping tree used for the adaptive Traffic Intelligence features.

Go to VPN > Site-to-Site and enable monitoring on the transport to see the effective bandwidth, drops, latency, and a stacked graph for no-delay and standard traffic. Note how the dark blue no-delay traffic is protected even through bandwidth changes.

  • Example monitoring diagram for deteriorating bandwidth:
    probing_monitoring.png
  • Example monitoring diagram adjusting for more available bandwidth:

    Bandwidth_protection.png
