How to configure SD-WAN policy routes

You can use SD-WAN policies to route traffic from a branch office to the head office and to cloud applications using the MPLS network and ISP links.

Introduction

In this example, you create an SD-WAN policy to route traffic from the branch office to the servers in the head office using an existing MPLS network. You create another SD-WAN policy to route traffic from the sales team in the branch office LAN to cloud applications using ISP links. You also create firewall rules to allow the traffic.

  • Route-1: Route traffic from the branch office to the web servers in the head office:
    • Create an SD-WAN policy route using MPLS-1 and MPLS-2.
  • Route-2: Route traffic from the sales team in the branch office LAN to cloud applications:
    • Create an application object for the applications used by the sales team, for example conferencing, lead management, VoIP, and storage and backup applications.
    • Create an SD-WAN policy to route branch office traffic to these cloud applications using the links, ISP-1 and ISP-2.
  • Create a firewall rule to allow the traffic.


Creating an SD-WAN policy to route branch office traffic to servers in the head office (Route-1)

In this example, traffic from the LAN network 172.16.16.0/24 to the head office network 192.168.1.0/24 is routed through the primary gateway MPLS-1. MPLS-2 is the backup gateway.

  1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
  2. Specify the following settings:

    Name                   Description
    Name                   Type a name. In this example, BO_to_HO_Servers.
    Incoming interface     Any
    Source network         172.16.16.0/24
    Destination network    192.168.1.0/24
    Primary gateway        MPLS-1_10.10.11.1
    Backup gateway         MPLS-2_10.10.12.2

Firewall rules: You need to create a firewall rule to allow traffic from the specified source to destination.

NAT rule: Source NAT rules aren't required for MPLS traffic.

SD-WAN policy route in the head office: You must also create an SD-WAN policy route on the XG Firewall in the head office so that the reply packets for this traffic are routed back over the MPLS links.

Creating a firewall rule to allow traffic from the branch office LAN to web servers in the head office

  1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 protocol and select Add firewall rule. Select New firewall rule.
  2. Specify the rule name and position.
  3. Specify the following settings:

    Name                          Description
    Source zones                  LAN
    Source networks and devices   172.16.16.0/24
    Destination zones             MPLS_DMZ. In this example, the MPLS network at the branch office was created in the DMZ zone.
    Destination networks          192.168.1.0/24
    Services                      Web_traffic. In this example, this service object includes TCP ports 80 and 443.

    Alternatively, you can specify the services in the SD-WAN policy route rather than in the firewall rule.

  4. Click Save.

Creating an application object (Route-2)

Create an application object with cloud applications used by the sales team.

  1. Go to Applications > Application object and click Add.
  2. Enter a name for the application object, for example CloudApps_Sales.
  3. Select the applications. You can use the smart filter to list the applications you want. Alternatively, use the application profile lists or use the filter next to Name and select the applications.

    In this example, select the Citrix GoToTraining, Citrix Online, SalesForce, Vonage, Whatsapp Call, Carbonite, DropBox File Upload, and OneDrive applications.

  4. Click Save.

Creating an SD-WAN policy to route traffic to cloud applications (Route-2)

Traffic from the sales team on the LAN network 172.16.16.0/24 to the cloud applications in the application object is routed through the primary gateway ISP-1. ISP-2 is the backup gateway.

  1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
  2. Specify the following settings:

    Name                   Description
    Name                   Type a name. In this example, BO_to_CloudSalesApps.
    Incoming interface     Port3. In this example, Port3 is the interface configured for the LAN zone.
    Application object     CloudApps_Sales
    Users or groups        Sales_Team
    Primary gateway        ISP-1_173.20.10.2
    Backup gateway         ISP-2_9.8.10.2

  3. Click Save.

You need to create a firewall rule to allow traffic from the specified source to destination. The default source NAT rule translates the source addresses of this traffic on the ISP links, so you don't need to create a separate NAT rule.

Creating a firewall rule to allow branch office sales team to access cloud applications

  1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 protocol and select Add firewall rule. Select New firewall rule.
  2. Specify the rule name and position.
  3. Specify the following settings:

    Name                          Description
    Source zones                  LAN
    Source networks and devices   172.16.16.0/24
    Destination zones             WAN
    Destination networks          Any
    Services                      Any

    Note: You don't need to specify users or groups in the firewall rule because you specified them in the SD-WAN policy route.
  4. Click Save.
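As an added example (not Sophos code and not part of this page), the following Python models how the two SD-WAN policy routes and the two firewall rules created above act on sample traffic: first-match on the route criteria, primary or backup gateway selection, then the firewall rule check in the zone the chosen gateway exits through. Gateway link states, the zone assigned to each gateway, rule order, the subset of application names kept in CloudApps_Sales, the group name as a flow attribute, and all sample addresses such as 203.0.113.10 are assumptions for the demo; it is a model of the decisions the page describes, not the firewall's implementation.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the decisions this page describes: which SD-WAN policy route a flow
# matches, which gateway carries it, and whether a firewall rule then allows it. Link states,
# the zone behind each gateway and the sample addresses are assumptions, not Sophos internals.

@dataclass
class PolicyRoute:
    name: str
    primary: str
    backup: str
    incoming_interface: str = "Any"
    source_network: Optional[str] = None        # CIDR; None = Any
    destination_network: Optional[str] = None   # CIDR; None = Any
    applications: frozenset = frozenset()       # application object; empty = Any
    groups: frozenset = frozenset()             # users or groups; empty = Any

# Firewall rule (zone sets, CIDR sets, (proto, port) set; empty dst_nets/services = Any) and one flow.
FirewallRule = namedtuple("FirewallRule", "src_zones src_nets dst_zones dst_nets services")
Flow = namedtuple("Flow", "src_ip dst_ip in_interface src_zone proto dst_port application group",
                  defaults=("", ""))

def _in_net(ip, cidr):
    return cidr is None or ip_address(ip) in ip_network(cidr)

def match_route(flow, routes):
    """First policy route (top-down) whose criteria all match the flow; None = no match."""
    for r in routes:
        if (r.incoming_interface in ("Any", flow.in_interface)
                and _in_net(flow.src_ip, r.source_network)
                and _in_net(flow.dst_ip, r.destination_network)
                and (not r.applications or flow.application in r.applications)
                and (not r.groups or flow.group in r.groups)):
            return r
    return None

def pick_gateway(route, gateways):
    """Name of the primary gateway while its link is up, else the backup; None if both are down."""
    for name in (route.primary, route.backup):
        if gateways[name][1]:
            return name
    return None

def firewall_allows(flow, dst_zone, rules):
    """First matching firewall rule allows the flow; with no match it is dropped."""
    for rule in rules:
        if (flow.src_zone in rule.src_zones and dst_zone in rule.dst_zones
                and any(_in_net(flow.src_ip, n) for n in rule.src_nets)
                and (not rule.dst_nets or any(_in_net(flow.dst_ip, n) for n in rule.dst_nets))
                and (not rule.services or (flow.proto, flow.dst_port) in rule.services)):
            return True
    return False

def route_flow(flow, routes, gateways, rules):
    """(route name, gateway name, allowed). (None, None, None) means no policy route matched,
    so the flow follows the normal routing table instead."""
    route = match_route(flow, routes)
    if route is None:
        return (None, None, None)
    gw = pick_gateway(route, gateways)
    return (route.name, gw, firewall_allows(flow, gateways[gw][0], rules) if gw else False)

GATEWAYS = {"MPLS-1": ("MPLS_DMZ", True), "MPLS-2": ("MPLS_DMZ", True),  # name -> (exit zone, link up)
            "ISP-1": ("WAN", True), "ISP-2": ("WAN", True)}
ROUTES = [  # the page's two policy routes, in creation order
    PolicyRoute("BO_to_HO_Servers", "MPLS-1", "MPLS-2",
                source_network="172.16.16.0/24", destination_network="192.168.1.0/24"),
    PolicyRoute("BO_to_CloudSalesApps", "ISP-1", "ISP-2", incoming_interface="Port3",
                applications=frozenset({"SalesForce", "Vonage", "DropBox File Upload"}),
                groups=frozenset({"Sales_Team"})),
]
RULES = [  # the page's two firewall rules
    FirewallRule(frozenset({"LAN"}), frozenset({"172.16.16.0/24"}), frozenset({"MPLS_DMZ"}),
                 frozenset({"192.168.1.0/24"}), frozenset({("tcp", 80), ("tcp", 443)})),  # Web_traffic
    FirewallRule(frozenset({"LAN"}), frozenset({"172.16.16.0/24"}), frozenset({"WAN"}),
                 frozenset(), frozenset()),
]

def demo():
    """Run constructed flows through the model; returns {label: (route, gateway, allowed)}."""
    ho = ("172.16.16.50", "192.168.1.10", "Port3", "LAN", "tcp")
    cloud = ("203.0.113.10", "Port3", "LAN", "tcp", 443, "SalesForce")
    flows = {
        "ho_web": Flow(*ho, 443),
        "ho_ssh": Flow(*ho, 22),                           # route matches, firewall rule blocks
        "sales": Flow("172.16.16.77", *cloud, "Sales_Team"),
        "engineer": Flow("172.16.16.78", *cloud, "Engineering"),  # not in Sales_Team: no match
    }
    out = {k: route_flow(f, ROUTES, GATEWAYS, RULES) for k, f in flows.items()}
    mpls1_down = {**GATEWAYS, "MPLS-1": ("MPLS_DMZ", False)}  # simulate the primary link failing
    out["ho_web_failover"] = route_flow(flows["ho_web"], ROUTES, mpls1_down, RULES)
    return out

if __name__ == "__main__":
    for label, (route, gw, allowed) in demo().items():
        print(f"{label:16} route={route} gateway={gw} allowed={allowed}")
```

Running it prints one decision per flow. The ho_ssh case shows why the page pairs every policy route with a firewall rule: the route matches and selects MPLS-1, but the rule's Web_traffic service (TCP 80 and 443) does not cover port 22, so the route alone grants nothing. ho_web_failover shows the backup gateway MPLS-2 taking over when MPLS-1 is down, and engineer shows traffic from a user outside Sales_Team skipping the cloud route and falling through to normal routing. The firewall check uses the zone of the selected gateway, which is why the two rules on this page name MPLS_DMZ and WAN as their destination zones.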