What's new in SD-WAN policy routing in 18.0

A comparison of features and behavior of the routing settings in 17.5 and earlier with SD-WAN policy routing in 18.0.

Introduction

You can create SD-WAN policy routes for the following:
  • Application-based routes
  • User and group-based routes
  • System-generated traffic
  • Reply packets

Routing (17.5) vs SD-WAN policy routing (18.0)

Rules and policies that are required
  17.5 and earlier: Firewall rules with routing and NAT settings.
  18.0:
    • Firewall rules without routing and NAT settings.
    • NAT rules.
    • SD-WAN policy routing.

Primary and backup gateways
  17.5 and earlier: Yes
  18.0: Yes

When the gateways go down
  17.5 and earlier: Evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing).
  18.0: Based on the Override gateway monitoring decision:
    • Selected: The firewall drops the traffic.
    • Not selected: Evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing). The default route load balances traffic among the active WAN links. Routing remains persistent.

When the primary gateway is deleted
  17.5 and earlier: Evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing).
  18.0: Evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing).

Routing of internal traffic
  17.5 and earlier: Applies the routing settings of the firewall rule whose source and destination zones are set to internal zones.
  18.0: Applies routing to all the zones in a network, including internal zones, based on the destination networks.
    If you create policy routes with Destination networks set to Any, XG Firewall also routes internal traffic to the WAN interface.
    For details, see Troubleshooting.
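The gateway fall-through, the Override gateway monitoring decision, and the Destination networks: Any caveat described in the table above, modelled as an added example (not Sophos code or the product's own logic); route fields, gateway names and the sample addresses are constructed for illustration:

```python
# Added example (not Sophos code): model of an 18.0-style SD-WAN policy route
# lookup: fall-through when gateways are down, the effect of "Override gateway
# monitoring decision", and the "Destination networks: Any" caveat for internal
# traffic. Route fields and gateway names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

DEFAULT_ROUTE = "default route (WAN link load balancing)"
DROP = "drop"

@dataclass
class PolicyRoute:
    name: str
    dst_networks: List[str]               # CIDR strings, or ["any"]
    primary_gw: str
    backup_gw: Optional[str] = None
    override_gw_monitoring: bool = False  # "Override gateway monitoring decision"

    def matches(self, dst_ip: str) -> bool:
        if "any" in self.dst_networks:
            return True
        return any(ip_address(dst_ip) in ip_network(n) for n in self.dst_networks)

def select_gateway(routes: List[PolicyRoute], gateway_up: Dict[str, bool], dst_ip: str) -> str:
    """Evaluate routes in sequence; return a gateway name, DROP or DEFAULT_ROUTE.

    A matching route uses its primary gateway, then its backup. With both down,
    the route is skipped (the next route is evaluated) unless override is set,
    in which case the traffic is dropped instead of falling through.
    """
    for r in routes:
        if not r.matches(dst_ip):
            continue
        for gw in (r.primary_gw, r.backup_gw):
            if gw and gateway_up.get(gw, False):
                return gw
        if r.override_gw_monitoring:
            return DROP
    return DEFAULT_ROUTE

# Constructed sample: a pinned VoIP route and a catch-all internet route.
ROUTES = [
    PolicyRoute("voip", ["203.0.113.0/24"], "MPLS", "ISP-A", override_gw_monitoring=True),
    PolicyRoute("internet-any", ["any"], "ISP-A", "ISP-B"),
]
def demo() -> Dict[str, str]:
    up = {"MPLS": False, "ISP-A": False, "ISP-B": True}
    return {"voip": select_gateway(ROUTES, up, "203.0.113.10"),   # dropped: override set
            "internal": select_gateway(ROUTES, up, "10.0.0.5")}   # internal host sent to WAN
```

The second result in demo() is the internal-traffic caveat: the Any route matches a private destination and sends it to a WAN gateway, so internal destinations need an earlier, more specific route or the route's destination narrowed.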

How migrated SD-WAN policy routes work

Firewall rules
  Migrated as independent rules and policies:
    • Firewall rules without routing settings.
    • Migrated NAT rules.
    • Migrated SD-WAN policy routes with the associated firewall rule ID and name.
  XG Firewall uses the firewall rule ID to match traffic with migrated routes.

Firewall rules with the following settings:
    • Destination zones: LAN
    • No gateway
  Migrated SD-WAN policy routes aren't created.

Firewall rules with the following settings:
    • Destination zones: WAN
    • WAN link load balance
  Migrated SD-WAN policy routes aren't created. XG Firewall evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing).

Zones in firewall rules
  Individual migrated SD-WAN policy routes are created when multiple firewall rules differ only in the source and destination zone criteria.

Sequence of migrated SD-WAN policy routes
  You can't change the sequence because these routes correspond to the firewall rule sequence.

Settings you can change in migrated SD-WAN policy routes
  Only routing parameters:
    • Primary gateway
    • Backup gateway
    • Override gateway monitoring decision

Migrated firewall rule is deleted
  The associated migrated SD-WAN policy route is deleted.

Routing precedence
  The routing precedence specified in the earlier version is migrated.
  You may want to set it to the default precedence for 18.0: Static route, SD-WAN policy route, VPN route.

New functionality in SD-WAN policy routing

Application-based routing
  Requires an active Web Protection License.
  WAN link load balance: The first connection from an application is routed using the default route (WAN link load balance). The specified application-based route applies to subsequent connections, after XG Firewall learns the session details.
  High availability: The cached application-based routing details are synchronized over the dedicated HA link using the multicast IP address 226.1.1.1 on port 4455.
  Micro apps: Web proxy mode doesn't support application-based routing for micro apps. It supports only pattern applications and Synchronized Security applications. The DPI engine supports application-based routing for all applications, including micro apps.
  To configure application-based routing, see How to configure SD-WAN policy routes.

Users and groups
  You can create SD-WAN policy routes based on users and groups.

System-generated traffic
    • You can create SD-WAN policy routes.
    • You can specify the gateways.
    • It requires a WAN interface.
  SD-WAN policy routing for system-generated traffic is turned off by default. To turn it on, go to the command-line console.

Reply packets
    • You can create SD-WAN policy routes.
    • You can select a specific gateway. Reply packets can use a different route from the original route, based on the specified gateway. You can specify primary and backup gateways.
  SD-WAN policy routing for reply packets is turned off by default. To turn it on, go to the command-line console.