topic Re: SD-WAN + VPN Service-based link selection in SD-WAN

SD-WAN + VPN Service-based link selection

RS_Daniel — Tue, 24 Oct 2023 16:56:15 GMT

Hello CheckMates,

I am working in a deployment for SD-WAN with Overlay VPN use case. Customer has many Internet connections and one MPLS between HQ and branchs. What we want to achieve is to send all internal traffic in clear text routed thorugh the MPLS connection.

We were planning to use VPN Service-based link selection to send the some traffic routed through the MPLS link in clear-text and only if MPLS is DOWN, failover to encrypted VPN connections with Internet interfaces. We are ok until here.

The problem is that above this configuration, we wanted to work with SD-WAN to route traffic through specific Internet interfaces (encrypted) based on link monitoring parameter.

Wanted to ask if it is supported to work with SDWAN above a VPNA Service-based link selection scenario. Where only if MPLS clear text link fails, re route all traffic based on SDWAN. Or maybe if it is supported to work with MPLS clear text and Internet links encrypted with SDWAN only.

Regards

Re: SD-WAN + VPN Service-based link selection

HeikoAnkenbrand — Tue, 24 Oct 2023 19:41:07 GMT

Hi @RS_Daniel ,

here you can find more information about the new Check Point SD-WAN solution via the Infinity Portal and Gateway SD-WAN Nano Agent.

With the new Quantum SD-WAN solution you can configure your Gateway / Cluster to steer traffic dynamically between the configured WAN Links based on the measured ISP link quality. This does not require dynamic routing configuration on your GW / Cluster. With SD-WAN customers get the most efficient use of high-cost Wide Area Network connections and best user experience for consuming cloud-hosted services in branch offices.

The GW / Cluster sends different types of traffic through different Internet Service Providers (ISPs) based on application / identity and dynamic measurement of WAN Link characteristics. The GW / Cluster applies the configured SD-WAN rules only if the Security Policy allows this traffic.

After you install the SD-WAN Policy, it becomes the main decision maker for traffic paths, traffic priorities, and so on for WAN connections. The SD-WAN policy makes these decisions based on the settings you configure in Infinity Portal.

For additional information, see:
Quantum SD-WAN Administration Guide - Configuring SD-WAN Policy
Quantum SD-WAN Administration Guide - SD-WAN Service GUI
sk180605: Quantum SD-WAN

SD-WAN Video's:
Best Security in the context of SD-WAN
Application based traffic steering
Understanding solution components
Management Architecture Details
Initial Deployment of SD-WAN environment
Onboarding additional Security Gateways to SD-WAN
Understanding outbound NATed traffic
Understanding inbound NATed traffic
Configuring VPN Overlay

Re: SD-WAN + VPN Service-based link selection

AmirArama — Tue, 24 Oct 2023 19:54:20 GMT

Currently all overlay traffic of our SD-WAN must go encrypted on all the lines. Private & public.

In the future we might add support for such use case.

Re: SD-WAN + VPN Service-based link selection

AmirArama — Wed, 25 Oct 2023 19:17:40 GMT

May i ask why is it important to the customer to have cleartext traffic over the mpls?

Re: SD-WAN + VPN Service-based link selection

RS_Daniel — Fri, 27 Oct 2023 18:30:05 GMT

Hello @AmirArama,

All the branchs are quamtum spark clusterXL gateways centrally managed and only HQ is regular quantum. We have found that VPN's are somewhat unstables on spark appliances specially with central management. We face strange VPN outage scenarios all the time. The VPN becomes DOWN without any change and we need to do one of these things to get it up again: pushing policy, failover, restart sfwd process, reboot appliance, etc... Regards

Re: SD-WAN + VPN Service-based link selection

AmirArama — Fri, 27 Oct 2023 18:49:50 GMT

I understand.

That sound very strange.

I suggest to open TAC and ask them to investigate it until they found the root cause. This shouldn't happend. And i'm not familiar with such issues.

As always feel free to reach out to me for every SD-WAN related project.

Thanks