Blockbit UTM supports multiple internet links and can segment and prioritize traffic across network interfaces according to data obtained by monitoring several performance indicators, routing traffic through the configured interfaces along the best available path. This capability is provided by the SD-WAN feature.
The acronym SD-WAN stands for Software-Defined Networking in Wide Area Network. It is a means of performing dynamic traffic distribution, monitoring and decision making according to the best available performance. Because the control functions are decoupled from the network hardware, the SD-WAN provides a holistic view of the applications in use, which enables intelligent load balancing and facilitates decision making when creating SD-WAN profiles.
The monitoring function of the SD-WAN supervises specific WAN data and selects the best network path according to the factors determined by the administrator. This allows the most appropriate resources to be directed according to predetermined rules and policies, or based on the specific profile of users. Monitoring tracks the following factors:
- Latency;
- Jitter;
- Packet Loss;
- Bandwidth Consumption.
Using the data obtained through this monitoring, the SD-WAN offers a fault tolerance function with a redundancy feature (Failover) that switches to the best available link in case of any irregularity in the primary link. In addition, the SD-WAN monitors the status of the network card: if it is detected as down (for example, when a network cable is disconnected), the affected link is automatically marked as down without waiting for the monitoring interval, and traffic immediately switches to the best link.
The link failure controller applies availability tests in real time, which enables Load Balance defined by percentage: the load is divided between the links, reducing response time and guaranteeing the quality of use of the links. Finally, the system also includes the Spillover and Dynamic Selection types.
The SD-WAN contemplates 4 modes of operation: Failover, Load Balance, Spillover and Dynamic Selection.
Link persistence
Link persistence is only available in the Load Balance, Spillover and Dynamic Selection options.
The main purpose of the "link persistence" function is to prevent dropped connections in applications that use SSL-encrypted traffic. With the checkbox enabled, each source IP address uses a single link from the profile specified in the policy that released the connection. This assignment only changes after the idle time defined in the field "Persistence timeout 1-1440 minutes", or if some irregularity is detected in the performance indicators, indicating instability in the link.
In summary, each source IP address uses only one link defined in the profile, so SSL-encrypted sessions are no longer affected by the balancing of traffic across multiple links.
To activate connection persistence, enable the "Persistent connection" check box, which is available in the SD-WAN profile panel in any operating mode where dynamic balancing occurs (Failover does not perform balancing).
Connection persistence
By enabling the checkbox in the SD-WAN profile panel, the administrator determines whether connections from a single source address are persistent.
With this option enabled, a time limit can be set for this feature; the default is 30 minutes after the last activity.
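The following is an added illustration (not Blockbit code) of the behaviour described in the two sections above: connections from one source IP stick to one link chosen by percentage Load Balance until the idle timeout (30 minutes by default) expires or that link is flagged as unstable. Link names, the share values and the `healthy` flag are assumptions for the example; time is passed in as seconds so the logic is deterministic.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    share: int            # Load Balance share in percent (hypothetical profile value)
    healthy: bool = True  # False once the performance indicators flag instability


@dataclass
class PersistenceTable:
    """Source-IP link persistence on top of percentage Load Balance (added example)."""
    links: list
    timeout_min: int = 30                       # default "Persistence timeout"
    table: dict = field(default_factory=dict)   # src_ip -> (link name, last activity)
    placed: dict = field(default_factory=dict)  # link name -> connections placed

    def _pick_by_share(self):
        # Deterministic weighted choice: the healthy link whose fraction of placed
        # connections is furthest below its configured share (ties: profile order).
        healthy = [l for l in self.links if l.healthy]
        if not healthy:
            return None
        total = sum(self.placed.get(l.name, 0) for l in healthy) + 1
        return min(healthy, key=lambda l: self.placed.get(l.name, 0) / total - l.share / 100)

    def select(self, src_ip, now):
        """Return the link name for a new connection from src_ip at time `now` (seconds)."""
        entry = self.table.get(src_ip)
        if entry is not None:
            name, last_seen = entry
            link = next(l for l in self.links if l.name == name)
            # Keep the persisted link unless it became unstable or the idle
            # timeout expired; both cases fall through to a fresh selection.
            if link.healthy and now - last_seen <= self.timeout_min * 60:
                self.table[src_ip] = (name, now)
                return name
        link = self._pick_by_share()
        if link is None:
            return None   # no healthy link left in the profile
        self.placed[link.name] = self.placed.get(link.name, 0) + 1
        self.table[src_ip] = (link.name, now)
        return link.name
```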
Failback
The Failback feature is available for all SD-WAN types. It is a process that restores the service, returning a link to its functional state after the connection was unstable or inoperable.
If a link stops responding, failback is activated: it performs connectivity tests, taking into account the counter value set by the user, which defines the number of consecutive successes needed to determine that the inactive link has become stable again. Packet routing is therefore only restored when the failback verification tests reach the user-defined limit. If a new connection failure is detected in the middle of the tests, the failback counter is reset.
Failback
If the SD-WAN profile was created before this feature was implemented, the value is automatically 1. New profiles are created with a default value of 5.
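As an added example (not Blockbit code), the failback counter described above can be modelled as a small state machine: a link that stopped responding is only returned to routing after the user-defined number of consecutive successful connectivity tests, any failure in between resets the count, and a carrier loss marks the link down immediately. The probe results and link names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class LinkState:
    """Failback tracking for one WAN link (added illustration).

    failback_count is the profile counter: consecutive successful probes needed
    before a failed link is routed again (5 for new profiles, 1 for profiles
    created before the feature existed).
    """
    name: str
    failback_count: int = 5
    up: bool = True
    successes: int = 0   # consecutive successful connectivity tests while down

    def probe(self, success: bool) -> bool:
        """Feed one connectivity-test result; return True when routing is restored."""
        if self.up:
            if not success:
                self.up = False          # failover: the link stopped responding
                self.successes = 0
            return False
        if not success:
            self.successes = 0           # a failure mid-sequence resets the counter
            return False
        self.successes += 1
        if self.successes >= self.failback_count:
            self.up = True               # stable again: restore packet routing
            self.successes = 0
            return True
        return False

    def carrier_lost(self):
        """Interface detected as physically down: mark the link down at once,
        without waiting for the monitoring interval."""
        self.up = False
        self.successes = 0


def probes_to_restore(results, failback_count=5):
    """Replay probe results on a link that starts down; return the 1-based index
    of the probe that restores it, or None if the sequence never reaches the count."""
    link = LinkState("wan1", failback_count=failback_count, up=False)
    for i, ok in enumerate(results, 1):
        if link.probe(ok):
            return i
    return None
```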
SD-WAN Features
- Performance Monitoring: Link monitoring based on performance indicators;
- Dynamic Path Selection: Traffic prioritization based on performance indicators;
- Link Failover & Load Balance: Redundancy and link balancing based on performance indicators;
- Traffic Shaping & QoS: Bandwidth control and metrics definition for quality and service prioritization;
- Traffic Duplication: Duplication of packets across multiple network interfaces;
- Secure SD-WAN: Routing controls based on security policies.
Note that thanks to the encapsulation, it may be necessary to increase the MTU values of the interfaces in order to avoid fragmentation. For more information, see this page.
It is possible to view the SD-WAN debug logs through the CLI console; for more information, check the chapter about the command line.
To access the SD-WAN screen, select the option as shown in the image below:
Services - SD-WAN
The screen below will be displayed:
SD-WAN – Profiles
The SD-WAN screen has the following tabs:
Next, we will analyze each component of the Profiles tab.