Global settings

Global Settings are network-wide settings, applicable to all the sites.

To configure global settings, navigate to Configuration > Global Settings. Select Security, Inter-link Communication, Global Firewall Settings, or Certificates as needed.


Security

Select the encryption mechanism to be used across the network.

You can configure the global security settings that secure the entire SD-WAN network.

Network Encryption mode defines the algorithm used for all encrypted paths in the SD-WAN network. It does not apply to non-encrypted paths. You can set the encryption to AES-128 or AES-256.

Virtual Path IPsec Settings define the IPsec tunnel settings that ensure secure transmission of data over the virtual paths.

  • Secure Virtual Path User Data with IPsec: Secures the data transmitted over the virtual paths using an IPsec tunnel.
  • Encapsulation Type: Choose one of the following security types.
    • ESP: Data is encapsulated and encrypted.
    • ESP+Auth: Data is encapsulated, encrypted, and validated with an HMAC.
    • AH: Data is validated with an HMAC.
  • Encryption Mode: The encryption algorithm used when ESP is enabled.
  • Hash Algorithm: The hash algorithm used to generate an HMAC.
  • Lifetime (s): The preferred duration, in seconds, for an IPsec security association to exist. Enter 0 for unlimited.

For information on configuring IPsec service, see Delivery service set.

Inter-link communication

Inter-link communication settings are used for auto-path creation between compatible WAN links. You can override these settings under Site Configuration and Virtual Paths, where you can select or unselect individual member paths for a given virtual path.

Currently, the following two settings are available:

  • Rules to automate the creation of paths between compatible WAN links.
  • Global defaults for Dynamic Virtual Paths

These settings are inherited by all WAN links in the customer network.

  • Default inter-link communication groups

    Default inter-link communication groups are intended to automate the creation of paths between:

    • Any two internet links
    • Any two MPLS links that share the same service provider, and
    • Any two Private Intranet links that share the same service provider
  • Custom inter-link communication groups

    Custom inter-link communication groups enable Private Intranet or MPLS links to automatically create paths with other Private Intranet or MPLS links across different service providers.

    For example, consider this scenario: a company has offices in the US and India. The US offices use AT&T MPLS links, while the India offices use Airtel MPLS links. Suppose the AT&T and Airtel MPLS links are compatible in terms of DSCP tags and related parameters and are therefore amenable to path creation with each other. Custom inter-link communication rules allow you to select an ISP pair (AT&T and Airtel in this case) and enable auto-creation of paths among the links belonging to these ISPs.


  • Dynamic virtual path settings

    The global dynamic virtual path settings allow admins to configure dynamic virtual path defaults across the network.

    A dynamic virtual path is instantiated dynamically between two sites to enable direct communication, without any intermediate SD-WAN node hops. The dynamic virtual path is likewise removed dynamically. Both the creation and removal of dynamic virtual paths are triggered based on the bandwidth thresholds and time settings described below.

    The following are some of the supported settings:

    • Provision to enable or disable dynamic virtual paths across the network
    • The route cost for dynamic virtual paths
    • The QoS Profile to be used – Standard by default.
    • Dynamic Virtual Path Creation Criteria:

      • Measurement interval (seconds): The amount of time over which the packet count and bandwidth are measured to determine if a dynamic virtual path needs to be created between two sites, in this case between a given Branch and the Control Node.
      • Throughput threshold (kbps): The threshold of total throughput between two sites, measured over the Measurement interval, at which the Dynamic Virtual Path is triggered. In this case, the threshold applies to the Control Node.
      • Throughput threshold (pps): The threshold of total throughput between two sites, measured over the Measurement interval, at which the Dynamic Virtual Path is triggered.
    • Dynamic Virtual Path Removal Criteria:

      • Measurement interval (minutes): The amount of time over which the packet count and bandwidth are measured to determine if a Dynamic Virtual Path needs to be removed between two sites, in this case between a given Branch and the Control Node.
      • Throughput threshold (kbps): The threshold of total throughput between two sites, measured over the Measurement interval, at which the Dynamic Virtual Path is removed.
      • Throughput threshold (pps): The threshold of total throughput between two sites, measured over the Measurement interval, at which the Dynamic Virtual Path is removed.
    • Timers

      • Wait time to flush dead virtual paths (m): The time after which a DEAD Dynamic Virtual Path is removed.
      • Hold time before the recreation of dead virtual paths (m): The time after which a Dynamic Virtual Path removed for being DEAD can be recreated.
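The following Python is an added illustration, not Citrix code or configuration, of which WAN-link pairs the default and custom inter-link communication groups described above would auto-create paths between. It assumes a custom ISP pair applies only between links of the same access type (MPLS with MPLS, Private Intranet with Private Intranet); the link names and providers are constructed.

```python
# Added example, not Citrix SD-WAN code: evaluates the inter-link
# communication rules for a constructed set of WAN links.
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class WanLink:
    name: str
    access_type: str   # "internet", "mpls" or "private_intranet"
    isp: str           # service provider; not consulted for internet links


def path_allowed(a, b, custom_isp_pairs=frozenset()):
    """Default groups: any two internet links; any two MPLS links with the
    same provider; any two private intranet links with the same provider.
    Custom groups: MPLS or private intranet links whose providers form a
    configured ISP pair (assumed to apply within one access type only)."""
    if a.access_type != b.access_type:
        return False
    if a.access_type == "internet":
        return True
    if a.isp == b.isp:
        return True
    return frozenset((a.isp, b.isp)) in custom_isp_pairs


def auto_created_paths(links, custom_isp_pairs=frozenset()):
    """Sorted list of (link, link) name pairs that get a path automatically."""
    return sorted((a.name, b.name) for a, b in combinations(links, 2)
                  if path_allowed(a, b, custom_isp_pairs))


# Constructed sample: US sites on AT&T MPLS, India sites on Airtel MPLS.
SAMPLE_LINKS = [
    WanLink("US-INET", "internet", "Comcast"),
    WanLink("IN-INET", "internet", "Jio"),
    WanLink("US-MPLS", "mpls", "AT&T"),
    WanLink("US2-MPLS", "mpls", "AT&T"),
    WanLink("IN-MPLS", "mpls", "Airtel"),
]
ATT_AIRTEL = frozenset({frozenset({"AT&T", "Airtel"})})

if __name__ == "__main__":
    print(auto_created_paths(SAMPLE_LINKS))              # default groups only
    print(auto_created_paths(SAMPLE_LINKS, ATT_AIRTEL))  # with the custom pair
```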

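As an added example (not Citrix code), the following Python models the dynamic virtual path creation criteria, removal criteria and timers listed above for a stream of per-second traffic samples between a branch and the Control Node. How the kbps and pps thresholds combine is an assumption (either threshold triggers creation; both must fall below for removal), and all setting values are constructed.

```python
# Added example, not Citrix SD-WAN code: models the creation, removal and
# DEAD-path timer settings listed above. How the kbps and pps thresholds
# combine is an assumption (either for creation, both for removal).
from dataclasses import dataclass


@dataclass
class DvpSettings:                 # constructed sample values
    create_interval_s: int = 30    # creation: measurement interval (seconds)
    create_kbps: float = 1000.0    # creation: throughput threshold (kbps)
    create_pps: float = 100.0      # creation: throughput threshold (pps)
    remove_interval_min: int = 5   # removal: measurement interval (minutes)
    remove_kbps: float = 100.0     # removal: throughput threshold (kbps)
    remove_pps: float = 10.0       # removal: throughput threshold (pps)
    flush_dead_wait_min: int = 5   # wait time to flush dead virtual paths (m)
    dead_hold_min: int = 15        # hold time before recreation (m)


def throughput(samples, seconds):
    """samples: per-second (bytes, packets) counts between a branch and the
    Control Node; seconds missing from the window count as zero traffic."""
    window = samples[-seconds:]
    kbps = sum(b for b, _ in window) * 8 / 1000 / seconds
    pps = sum(p for _, p in window) / seconds
    return kbps, pps


def should_create(samples, s):
    """Trigger a dynamic virtual path when either creation threshold is met."""
    kbps, pps = throughput(samples, s.create_interval_s)
    return kbps >= s.create_kbps or pps >= s.create_pps


def should_remove(samples, s):
    """Remove the path once both rates fall below the removal thresholds."""
    kbps, pps = throughput(samples, s.remove_interval_min * 60)
    return kbps < s.remove_kbps and pps < s.remove_pps


def dead_path_timeline(dead_at_min, s):
    """Minute at which a DEAD path is flushed, and the earliest minute at
    which it may be recreated (flush wait, then hold time)."""
    removed_at = dead_at_min + s.flush_dead_wait_min
    return removed_at, removed_at + s.dead_hold_min


if __name__ == "__main__":
    s = DvpSettings()
    busy = [(125_000, 100)] * s.create_interval_s         # 1000 kbps, 100 pps
    quiet = [(1_000, 5)] * (s.remove_interval_min * 60)   # 8 kbps, 5 pps
    print(should_create(busy, s), should_remove(quiet, s))
    print(dead_path_timeline(100, s))
```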

Global firewall settings

Using the Global firewall settings, you can configure the global firewall parameters. These settings are applied to all the sites on the virtual WAN network.

To configure the global firewall settings, navigate to Configuration > Global Settings > Global Firewall Settings.


Global Firewall Settings allow you to configure the global parameters that affect firewall operation.


Enter values for the following firewall settings:

  • Default Firewall Action: Select an action (Allow/Drop) from the drop-down list for packets that do not match a policy.
  • Default Connection State Tracking: Enables directional connection state tracking for TCP, UDP, and ICMP flows that do not match a filter policy or NAT rule.

    NOTE:

    Asymmetric flows are blocked when this is enabled, even when no firewall policies are defined. The setting can also be defined at the site level, which overrides the global setting. If asymmetric flows are possible at a site, enable this at the site or policy level rather than globally.

  • Denied Timeout (s): Time (in seconds) to wait for new packets before closing denied connections.
  • TCP Initial Timeout (s): Time (in seconds) to wait for new packets before closing an incomplete TCP session.
  • TCP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active TCP session.
  • TCP Closing Timeout: Time (in seconds) to wait for new packets before closing a TCP session after a terminate request.
  • TCP Time Wait Timeout (s): Time (in seconds) to wait for new packets before closing a terminated TCP session.
  • TCP Closed Timeout (s): Time (in seconds) to wait for new packets before closing an aborted TCP session.
  • UDP Initial Timeout (s): Time (in seconds) to wait for new packets before closing a UDP session that has not seen traffic in both directions.
  • UDP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active UDP session.
  • ICMP Initial Timeout (s): Time (in seconds) to wait for new packets before closing an ICMP session that has not seen traffic in both directions.
  • ICMP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active ICMP session.
  • Generic Initial Timeout (s): Time (in seconds) to wait for new packets before closing a generic session that has not seen traffic in both directions.
  • Generic Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active generic session.
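To show how the per-state timeouts above govern connection state tracking, here is an added Python model (not Citrix code). The state names, the state-to-timeout mapping and the sample timeout values are assumptions based on the setting descriptions; it also shows why a flow seen in one direction only never progresses past the shorter initial timeout.

```python
# Added example, not Citrix SD-WAN code: shows which of the timeouts above
# applies to a tracked connection and when the session is expired. State
# names, the mapping and the sample values are assumptions.
from dataclasses import dataclass

@dataclass
class FirewallTimeouts:          # seconds; constructed sample values
    denied: int = 30
    tcp_initial: int = 120
    tcp_idle: int = 7440
    tcp_closing: int = 60
    tcp_time_wait: int = 30
    tcp_closed: int = 10
    udp_initial: int = 30
    udp_idle: int = 300
    icmp_initial: int = 30
    icmp_idle: int = 60
    generic_initial: int = 30
    generic_idle: int = 300

@dataclass
class Session:
    proto: str                     # "tcp", "udp", "icmp" or any other protocol
    last_seen: float               # timestamp of the last packet seen
    denied: bool = False           # denied by a policy or the default action
    both_directions: bool = False  # traffic seen in both directions?
    tcp_state: str = "initial"     # initial, established, closing, time_wait, closed

def applicable_timeout(sess, t):
    """Select the configured timeout for the session's current state."""
    if sess.denied:
        return t.denied
    if sess.proto == "tcp":
        return {"initial": t.tcp_initial, "established": t.tcp_idle,
                "closing": t.tcp_closing, "time_wait": t.tcp_time_wait,
                "closed": t.tcp_closed}[sess.tcp_state]
    initial, idle = {"udp": (t.udp_initial, t.udp_idle),
                     "icmp": (t.icmp_initial, t.icmp_idle)}.get(
        sess.proto, (t.generic_initial, t.generic_idle))
    # A flow seen in one direction only (e.g. an asymmetric flow) never
    # leaves the initial state, so the shorter initial timeout applies.
    return idle if sess.both_directions else initial

def expired(sess, now, t):
    return now - sess.last_seen > applicable_timeout(sess, t)

def prune(sessions, now, t):
    """Sessions still tracked after expiring idle ones."""
    return [s for s in sessions if not expired(s, now, t)]
```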

Certificates

There are two types of certificates: Identity and Trusted. Identity Certificates are used to sign or encrypt data to validate the contents of a message and the identity of the sender. Trusted Certificates are used to verify message signatures. Citrix SD-WAN appliances accept both Identity and Trusted Certificates. Administrators can manage certificates in the Configuration Editor.

To add a certificate, click the + Add Certificate option.


  • Identity Certificates: Identity certificates require that the certificate’s private key be available to the signer. Identity Certificates or their certificate chains must be trusted by a peer to validate the contents and identity of the sender. The configured Identity Certificates and their respective Fingerprints are displayed in the Configuration Editor.

  • Trusted Certificates: Trusted Certificates are self-signed, intermediate certificate authority (CA) or root CA certificates used to validate the identity of a peer. No private key is required for a Trusted Certificate. The configured Trusted Certificates and their respective Fingerprints are listed here.


DNS settings

DNS settings allow you to configure default DNS servers that can be used across all the sites in the network. Enter a name for the DNS server and specify the Primary and Secondary DNS server IP addresses. The default DNS servers are used to configure DNS proxy and DNS transparent forwarders. You can also configure site-specific DNS servers. For more information, see Domain name server.
