Path Selection Policy
Path Selection enables application based routing in flexiWAN. With Path Selection and its policies, users can decide through which interface certain traffic is routed, whether tunnels or local internet breakout. It also introduces load balancing, redundancy and traffic differentiation. This capability also allows blocking specific applications (details further in the document).
Path Selection is built from three components:
- App Identifications - L3/L4 application identification and categorization with user configurable custom App Identifications.
- Path Labels - Policies are applied using Path Labels that are assigned to the tunnels or local internet breakout / Direct Internet Access (DIA).
- Policies - Users can create Policies with rules and assign Path Labels through which selected traffic is routed.
Policy is only applied to tunnels or DIA interfaces that carry Path Labels. Normal routing is applied for unlabeled tunnels. It is therefore recommended to assign Path Labels to all network tunnels when using policies.
Please read Path Labels overview and create a few Path Labels in order to successfully follow the Path Selection guide. Make sure you have tunnel and DIA Path Labels created prior to reading further.
Policies, Rules and Traffic classification
Path selection policy is enabled by:
- Creating a policy
- Installing the policy on the required devices
Multiple policies can be defined and different devices can have different policies. Path Selection policy includes rules. Each policy can have a single or multiple rules. Navigate to Policies > Path Selection. From there you can create new policies or edit / view existing ones.
The Path Selection Policies page below shows multiple policies. Each policy provides installation status information as well as actions to:
- Edit a policy
- Filter and display all devices installed with a given policy
- Delete a policy
Each policy contains rules in which users specify application based routing. Every new policy has a single “Default” rule, disabled by default, whose purpose is to match all traffic that is not matched by a higher priority rule. The use of this rule is explained later in this document.
Rules and Traffic Classification
Navigate to Policies > Path Selection and click on the “New Policy” button on the top left. Fill in Policy name and description.
Once the policy is created, the user can start adding rules to it by clicking on the + sign in the Rules section. Every rule includes a classification section and an action section. The classification section defines the type of traffic selected by this rule; classification can be based on an individual application, application categories or IP/Port rules. The action section defines the paths to select for the classified traffic.
By default, creating new rules will be in “Simple” mode, which offers a quick and easy way to add new rules.
In most cases, a simple version of adding rules will suffice, however “Advanced mode” enables selection between multiple Traffic Classifications and advanced actions. Below is a breakdown of all types of traffic classifications; for best results make sure to follow the best practices section.
The following Traffic Classifications are supported:
- Application name. Uses a built-in database of predefined application identifiers. Port based examples: “FTP”, “Git”, “BitTorrent” etc.; IP range based examples: “Facebook”, “Microsoft Office 365”, “Dropbox”, etc.
- Application categories, with three different categories, where each can be used alone or together with the other two categories:
  - Category, defines what the application is used for, e.g. “file-sharing”, “management”, “auth-service” etc.
  - Service class, defines the traffic type, e.g. “default”, “real-time”, “high-throughput”
  - Importance, defines the priority of the application: “High”, “Medium” or “Low”.
- IP rules, using destination IP and mask, port range and protocol type.
The recommended practice for path selection policies is to define the high priority applications your organization uses by setting their importance to High/Medium/Low. Then use the importance category in the policy classification rules to select the link to use, routing high priority traffic over the high priority link.
The Action section is where you choose how the traffic is routed and through which interfaces. In the Groups area you can add the Path Labels you wish to use with this rule. These can be Tunnel or DIA (Direct Internet Access / local internet breakout) Path Labels. The order in which Path Labels are added is respected, and within Selection Order you can choose between prioritizing or load balancing between multiple Path Labels, which in turn are assigned to WAN interfaces.
The Actions section allows a flexible configuration of where and how traffic is routed:
- Path Labels - list of the Path Labels to use for the action
- Selection Order - how to route the traffic between labels
  - Priority - select the path in the order of the available labels
  - Load Balance - share the links when routing traffic. Load balancing is done per session in order to prevent packet reordering and drops in the network
- Order Between Groups - when multiple groups are defined, select the order across groups
  - Priority - groups are selected by order
  - Load Balance - load balance traffic across groups
- Fallback Action - action to perform when no policy label is available
  - By Destination - use normal routing
  - Drop - drop the traffic (be careful when defining this option to prevent network blackholes)
The action section also supports adding multiple groups and ordering them per load balancing or prioritization. See advanced configuration examples for more information when using multiple groups.
Once the rules are added, each can be viewed in the Policy table. Rules within a policy are evaluated in order; the first rule whose traffic classification matches is used.
Each rule has a priority, with 0 being the highest priority. Selecting a rule allows moving it up or down the priority list.
Applying policies to devices
After successfully creating a policy, navigate to the Inventory > Devices page in order to install the policy. The procedure is very similar to the way tunnels are added. Simply select the devices you wish to install the policy on and click on the action button.
Within the Actions menu select Install Policy. A new section will show a menu from where you can select the policy you have previously created. After selecting policy click on the Install button.
To verify that the policy has been installed on a selected device, navigate to the device settings and click on Policies tab.
How Path Selection Operates
Path selection and routing work in combination. To make sure traffic is always routed via a routable path, routing takes priority over path selection: the shortest-path routes to a given destination are found first, and the policy then selects which of the available routes to use and how. If no route exists, the traffic is routed only according to the policy. In a typical deployment where multiple tunnels to a given destination are available, there are multiple routes with the same cost, and the policy chooses among them according to the policy definition.
Policy routing options and best practices
Prior to continuing with this section, create the following Path Labels:
- Direct (DIA marked)
- Direct2 (DIA marked)
After creating the Path Labels, navigate to Inventory > App Identification and review the App Identifications by importance, in order to understand what is included in the high, medium and low importance categories. For easier viewing, the table can be sorted by importance, and at the bottom of the screen the number of items shown can be increased to up to 100 results.
All of the below policy routing examples will rely on the above Path Labels.
Policy Routing with importance category
This is by far the easiest and the recommended approach to achieve traffic load balancing or failover across multiple interfaces. In the following example we will failover / prioritize traffic with high importance, while low importance traffic will utilize the direct link.
Navigate to Policies > Path Selection and click on “New Policy”. Enter the Policy Name and its description. Click on + sign to add a rule. In the new rule click on “Advanced mode” checkbox.
Fill in the rule as in the screenshot above and click Add Rule. This rule will prioritize the ISP1 label over ISP2 and act as failover in case ISP1 is unavailable.
Now click on + sign to add another rule. This time we will create a rule for all the low importance traffic and assign it to the Path Label “Direct”, which is Direct Internet Access.
Verify that both rules are configured correctly and click on “Save Policy”.
flexiEdge devices with this policy installed will route all traffic of high importance across two interfaces, where the interface labeled ISP1 is prioritized and the interface labeled ISP2 acts as failover. Low importance traffic will use direct internet access / local internet breakout.
Policy routing specific applications
In this example we will policy route Microsoft Remote Desktop traffic across two load balanced interfaces. As in the previous example, navigate to Policies > Path Selection and create a new policy. Add the rule with the following configuration:
Save and apply the policy. flexiEdge devices with this policy installed will load balance all RDP traffic (using port 3389) across two interfaces, labeled ISP1 and ISP2.
Policy routing with categories
The Application Category section includes the following categories based on which traffic can be routed:
- Category
- Service class
- Importance
View Inventory > App Identifications to explore each of the categories listed above. It is important to point out that it is possible to use a single Application Category or combine multiple. When multiple categories are defined, the traffic is classified only if all categories match. In the following example we will create a policy which routes all authentication services across ISP1 labeled interfaces:
Category “Auth-service” includes authentication services such as LDAP, RADIUS and Active Directory.
Navigate to Policies > Path Selection and create a new policy. Add the advanced rule with the following configuration:
Save and apply the policy. flexiEdge devices with this policy installed will route all authentication services traffic using interfaces labeled ISP1.
Policy routing with IP based rules
In the following example we will create an IP based policy in order to load balance traffic to a specific IP across ISP1 and ISP2 labeled interfaces.
Navigate to Policies > Path Selection and create a new policy. Add the advanced rule with the following configuration:
Save and apply the policy. flexiEdge devices with this policy installed will route outbound traffic towards the example IP 18.104.22.168/32, using port 443 and protocol TCP, across ISP1 and ISP2 labeled interfaces (in this case load balanced).
Path Selection Use Cases
In order to enable and use Path Selection first create several different Path Labels as described in its documentation section.
There are several best practices and tricks we will cover:
- Best way to load balance traffic across multiple links with the importance category
- Setting up failover across two links
- Routing across multiple local internet breakouts
- Advanced groups setup
- Blocking with Path Selection
Any of the above scenarios can be used with Tunnel or DIA Path Labels.
With Path Selection, load balancing certain or all traffic across multiple links is possible in just a few clicks and a single policy. We will demonstrate the preferred way to load balance, however any rule and its configuration can be load balanced across multiple links.
In order to load balance traffic across multiple links, make sure to create and assign labels to your internet links. For the purposes of this section, we will use ISP1 and ISP2 Path Labels. These Path Labels can be DIA if you wish to set up load balancing across two or more WAN local internet breakouts. For this example we are demonstrating how to load balance tunnel traffic however the approach is the same with DIA Path Labels.
Navigate to Policies > Path Selection and create a new policy. The quickest way to load balance ALL outgoing traffic across multiple links is to enable the Default policy. Using Default policy is the preferred way because it will match all traffic with just a single rule.
Under Rule Actions, click on the settings icon and enable the rule from the Status drop-down. Add ISP1 and ISP2 path labels in the Action > Path Labels section. Finally from “Select by” choose “Load balancing”.
Verify that the rule is correctly configured and save the policy. From there navigate to Inventory > Devices and install the policy to the devices on which you want to load balance all traffic.
The Path Selection feature enables you to load balance traffic across multiple links and also offers failover functionality in a similar way. The use case for this functionality is multiple internet links that vary in quality or throughput. For the purposes of this section, we will use three internet links:
- Fibre - considered the most stable connection
- Coax - backup link over coaxial internet connection
- 4G ISP - third option in case terrestrial connectivity is missing
Prior to creating the Path Selection policy, navigate first to Inventory > Path Labels and add the three new Path Labels:
- Fibre
- Coax
- 4G ISP
In this section we will utilize the tunnel labels however the guide is applicable to Direct Internet Access labels as well. After creating the above labels, navigate to the Policies > Path Selection and create a new Policy. Just like in the load balancing guide, we will also use the default rule to match all traffic. This is a particularly useful rule because any other traffic you wish to direct elsewhere, can easily be defined by adding a second rule.
From the Rule Actions click on the settings icon and enable the rule. In the Actions > Path Labels section add the Path Labels in the following order:
- Fibre
- Coax
- 4G ISP
Order is respected, so the first label will have top priority. Finally, keep the “Select by” Priority selected. This will ensure that interfaces with the above labels will be used for failover in the order they’re added.
That’s it, that’s all it takes to enable multi-link failover with flexiWAN. Confirm the rule is configured correctly and save it. Navigate to the Inventory > Devices and install the Path Selection Policy to the device which has the three path labels / internet connections assigned.
Using multiple local internet breakouts
In this section we will rely only on DIA - Direct Internet Access Path Labels, which are used for utilizing internet breakout of a specific interface. This guide assumes the device has multiple WAN interfaces. The following Path Labels are required:
- Direct - primary DIA label
- Direct 2 - secondary DIA label
For the purpose of this guide we will consider the interface to which the Direct label is assigned to be the primary interface, while “Direct 2” should be assigned to the secondary WAN. The goal of this demonstration is to have high priority traffic use only the primary WAN interfaces to which the “Direct” Path Label is assigned. All low priority traffic should use the secondary WAN.
In this demonstration two rules are added: one to route all traffic classified as high importance through the primary WAN internet breakout, and one to route low importance traffic through the secondary WAN. To view exactly which traffic is high or low importance, navigate to the Application Identification page.
The same approach is valid for all other types of traffic classification.
To use a path selection policy across multiple local internet breakouts, a DIA label has to be set on all WAN interfaces.
Advanced groups setup
In this example we will explain and configure load balancing between multiple Path Labels Groups. For the purpose of this document, let’s assume that there are multiple sites, in our case two datacenter sites, each with two internet links and a single remote site, where the branch client is.
Site A: DC1
- WAN1 - ISP1 label
- WAN2 - ISP2 label
Site B: DC2
- WAN1 - ISP3 label
- WAN2 - ISP4 label
Site C: DC3
- Single WAN - ISP1, ISP2, ISP3, ISP4 labels
In this example we want to make sure that the branch device on Site C prefers Site A via its two links. In case Site A fails, traffic is redirected and fails over to Site B. To achieve this, first create Path Labels ISP1, ISP2, ISP3 and ISP4 and then assign them to the three sites as described above.
After creating and assigning Path Labels, navigate to Policies > Path Selection and create a new policy. Add a new rule to the policy and make sure to assign the Path Labels as depicted in the following image:
Save and apply the newly created Policy, then navigate to Inventory > Devices and install the policy on the remote branch Site C / DC3. That’s it, now all the outgoing RDP traffic from Site C will prioritize Site A and in case of connectivity issues with it, will switch to Site B.
Blocking outgoing traffic
While the current Path Selection feature does not offer a dedicated blocking option, it is still possible to block traffic on an IP basis. In the section below we will create a Path Label which will be used for blocking traffic; this Path Label will not be assigned to any interface.
To block with Path Selection policies, first create a new tunnel Path Label “Drop”. The label name and color are purely cosmetic; traffic can be blocked with any Path Label. However, policies are easier to read and navigate with a clear label name.
After creating the label, navigate to Policies > Path Selection and create a new policy. For the purpose of demonstration we will create a policy and add rules to block Facebook, Teamviewer and Netflix. Please note that each device can only have a single policy installed, so if you have another policy in use, make sure to add the blocking rules to it.
Click + sign and add a new rule. We will first add a rule to block Facebook. Select Facebook from the “Application Name” dropdown menu. Then select the Drop label in the Path Labels section. The final and key step is to select “Drop” in the Fallback action section. Because the label will not be assigned to any interface, all the traffic matching the rule will be dropped and therefore blocked.
After adding Facebook, do the same for Teamviewer and Netflix. The final result will be like the following screenshot:
Save and apply the policy, or update if you’re adding this to an existing policy. The next step is to navigate to Inventory > Devices page, select the devices on which you want to block the specified traffic and install the policy. That’s it, now all the outgoing traffic matching the rule will be blocked!
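To make the rule evaluation semantics from the Actions section and the blocking technique above concrete, here is an added Python model; it is not flexiWAN code, and the label names, the Flow fields, the session key and the sample policy are assumptions built from this document's examples. It models first-match rule order, priority and per-session load balancing within ordered label groups, and the By Destination / Drop fallback (Order Between Groups is modeled as Priority only).

```python
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Flow:
    dst: str              # destination IP
    dport: int            # destination port
    proto: str            # "TCP" or "UDP"
    app: str = ""         # application name from App Identification, e.g. "Facebook"
    importance: str = ""  # "High", "Medium" or "Low"
    session: str = ""     # constructed session key used for per-session load balancing
@dataclass
class Rule:
    match: dict           # any of app, importance, ip (CIDR), ports (lo, hi), proto; all must match
    groups: list          # ordered Path Label groups, e.g. [["ISP1", "ISP2"], ["ISP3", "ISP4"]]
    select_by: str = "priority"       # within a group: "priority" or "load_balance"
    fallback: str = "by_destination"  # when no label in any group is available; or "drop"

def classify(rule, flow):
    """Every configured classification field must match (fields combine with AND)."""
    m = rule.match
    return (m.get("app", flow.app) == flow.app
            and m.get("importance", flow.importance) == flow.importance
            and ("ip" not in m or ip_address(flow.dst) in ip_network(m["ip"]))
            and ("ports" not in m or m["ports"][0] <= flow.dport <= m["ports"][1])
            and m.get("proto", flow.proto) == flow.proto)

def pick_path(rule, flow, up_labels):
    """Return the label to use, 'ROUTING' for fallback By Destination, or 'DROP'."""
    for group in rule.groups:  # groups tried in order (Order Between Groups = Priority)
        avail = [lbl for lbl in group if lbl in up_labels]
        if not avail:
            continue
        if rule.select_by == "priority":
            return avail[0]    # label order within the group is respected
        # Load balance per session: hashing the session key keeps one session on one link
        digest = hashlib.sha256(flow.session.encode()).hexdigest()
        return avail[int(digest, 16) % len(avail)]
    return "DROP" if rule.fallback == "drop" else "ROUTING"

def evaluate(policy, flow, up_labels):
    """Rules run in order; the first rule whose classification matches decides."""
    for rule in policy:
        if classify(rule, flow):
            return pick_path(rule, flow, up_labels)
    return "ROUTING"  # no rule matched (Default rule disabled): normal routing

POLICY = [  # constructed sample policy mirroring this document's examples (label names assumed)
    Rule({"app": "Facebook"}, [["Drop"]], fallback="drop"),  # "Drop" is assigned to no interface
    Rule({"ip": "18.104.22.168/32", "ports": (443, 443), "proto": "TCP"},
         [["ISP1", "ISP2"]], select_by="load_balance"),
    Rule({"importance": "High"}, [["ISP1", "ISP2"], ["ISP3", "ISP4"]]),  # Site A, then Site B
    Rule({"importance": "Low"}, [["Direct"]]),
]
```

Because the "Drop" label is never among the live labels, the Facebook rule always falls through to its Drop fallback, which is exactly why the label must stay unassigned.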