Site Configuration

The Sites Configuration section allows the user to define each SD-WAN Edge in the network and to configure it.

Configuration options for each site include: Basic Settings for the SD-WAN Edge, Interface Groups that will be utilized by the SD-WAN Edge, Virtual IP Addresses on the Interfaces that enable the SD-WAN Edge to communicate with other networks, WAN Link properties that enable the SD-WAN Edge to connect to other locations, Routes that enable the SD-WAN Edge to direct traffic to other networks, and High Availability (HA).

Basic Settings

Basic Settings allows configuration of the SD-WAN Edge Name, Secure Key, Model and Mode of the physical SD-WAN Edge at a specific site.

SD-WAN Edge Name:

Name for this SD-WAN Edge. The two SD-WAN Edges deployed in a High Availability configuration can be given different names.

Model:

The Model is the specific hardware located at the site and the Mode determines how the site will participate in the Adaptive Private Network. Note, not all models can operate in all modes.

Site Template:

A Site Template can be applied to the site if one exists.

Regions:

Regions are used as metadata for sites. You can associate one region per site. Each region can be associated with more than one site. Once a region is created, it cannot be removed if it is mapped to a site. You can also add a region directly from this screen if you do not see the one you want.

User Tags

User tags are used as metadata for sites. Each site can have one user tag associated with it. User tags can be associated with more than one site. You can also add a user tag from this screen if you do not see the one you want.

Secure Key:

Secure Key is used to encrypt and decrypt data exchanged between sites using conduit service.

Regenerate

Regenerate can be used to auto-generate a new Secure Key.

Network Roles:

  • Primary SD-WAN Controller: The primary SD-WAN Controller for the SD-WAN Edge network. The SD-WAN Controller is responsible for managing SD-WAN Edge configurations and software versions for all clients and serves as a mediator between clients.
  • Secondary SD-WAN Controller: Typically a Geo-located client in the SD-WAN Edge network that has the ability to take over management functions of the SD-WAN Edge network in the event the Primary SD-WAN Controller becomes unavailable. Note, the Secondary SD-WAN Controller does not provide High Availability or Failover capabilities for an individual site.
  • Client: A client will receive its SD-WAN Edge Configuration from an SD-WAN Controller and participates in the SD-WAN Edge network as described by the Configuration.

Default Direct Route Cost:

The Default Direct Route Cost (1 to 15) is the cost that will be used for all routes added to this SD-WAN Edge.

Gateway ARP Timer (ms):

Gateway ARP Timer (ms) sets the interval (100 to 20,000 milliseconds) between ARP requests for the configured Gateway IP Addresses.

Enable Source MAC Learning:

When Enable Source MAC Learning is checked, the SD-WAN Edge will store the Source MAC Address of received packets so that outgoing packets to the same destination can be sent out of the same port.

Application Normal RTT adjust time (ms):

Application Normal RTT adjust time (ms) is the time (0 to 500 milliseconds) by which the network-wide application normal round trip time is adjusted.

Application Warning RTT adjust time (ms):

Application Warning RTT adjust time (ms) is the time (0 to 500 milliseconds) by which the network-wide application normal round trip time is adjusted.

WAN Threshold Overview:

At a site, all WAN Links will have the threshold event enabled by default (Advanced->Sites->[SiteName]->WAN Links->[WANLinkName]->Settings->Advanced Settings->Enable WAN Link Threshold Event). Enabling it means that the WAN Link will be included in the computation of a threshold event. When the average combined WAN Egress or Ingress usage in a minute crosses a set threshold, an event will be generated. The maximum allowed configured threshold value is 100,000,000 Kbps and a value of 0 means the threshold is disabled. There are 4 configurable thresholds:

  • WAN Ingress Lower Threshold (Kbps):

For example, this may be used in a WAN Ingress Usage Threshold warning alarm.

  • WAN Ingress Higher Threshold (Kbps):

For example, this may be used in a WAN Ingress Usage Threshold critical alarm.

  • WAN Egress Lower Threshold (Kbps):

For example, this may be used in a WAN Egress Usage Threshold warning alarm.

  • WAN Egress Higher Threshold (Kbps):

For example, this may be used in a WAN Egress Usage Threshold critical alarm.
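The threshold computation above (only links with the threshold event enabled count, average combined usage over a minute, 0 disables a threshold, 100,000,000 Kbps maximum) as an added Python example. This is not Oracle's code; the link names, per-second usage samples and event wording are constructed for the illustration.

```python
# Added example, not from the Oracle SD-WAN documentation: evaluates the
# per-minute WAN usage threshold events described above. Link names, usage
# samples and the event wording are constructed for this illustration.
from dataclasses import dataclass
from statistics import mean
from typing import List

MAX_THRESHOLD_KBPS = 100_000_000  # documented maximum configurable value; 0 disables


@dataclass
class WanLinkUsage:
    name: str
    threshold_event_enabled: bool      # "Enable WAN Link Threshold Event" on the link
    ingress_kbps: List[int]            # constructed per-second samples over one minute
    egress_kbps: List[int]


@dataclass
class SiteThresholds:
    ingress_lower: int = 0   # "WAN Ingress Lower Threshold (Kbps)"; 0 = disabled
    ingress_higher: int = 0  # "WAN Ingress Higher Threshold (Kbps)"
    egress_lower: int = 0    # "WAN Egress Lower Threshold (Kbps)"
    egress_higher: int = 0   # "WAN Egress Higher Threshold (Kbps)"

    def validate(self) -> None:
        """Reject values outside the documented 0..100,000,000 Kbps range."""
        for label, value in vars(self).items():
            if not 0 <= value <= MAX_THRESHOLD_KBPS:
                raise ValueError(f"{label}: {value} Kbps is outside 0..{MAX_THRESHOLD_KBPS}")


def average_combined_usage(links: List[WanLinkUsage], direction: str) -> float:
    """Average over the minute of the combined usage of every WAN Link whose
    threshold event is enabled; links with the event disabled are excluded."""
    attr = "ingress_kbps" if direction == "Ingress" else "egress_kbps"
    included = [link for link in links if link.threshold_event_enabled]
    # The mean of the per-second sums equals the sum of the per-link means.
    return sum(mean(getattr(link, attr)) for link in included)


def threshold_events(links: List[WanLinkUsage], thresholds: SiteThresholds) -> List[str]:
    """Return one event per threshold crossed in this minute (wording constructed)."""
    thresholds.validate()
    events = []
    checks = (
        ("Ingress", "warning", thresholds.ingress_lower),
        ("Ingress", "critical", thresholds.ingress_higher),
        ("Egress", "warning", thresholds.egress_lower),
        ("Egress", "critical", thresholds.egress_higher),
    )
    for direction, severity, limit in checks:
        if limit == 0:          # a threshold of 0 is disabled
            continue
        usage = average_combined_usage(links, direction)
        if usage > limit:
            events.append(
                f"WAN {direction} Usage Threshold {severity}: {usage:.0f} Kbps > {limit} Kbps")
    return events


# Constructed sample: two links are counted, the third is excluded because its
# threshold event is disabled, however busy it is.
SAMPLE_LINKS = [
    WanLinkUsage("broadband", True, [4000, 6000, 5000, 5000], [1000, 1000, 1000, 1000]),
    WanLinkUsage("mpls", True, [3000, 3000, 3000, 3000], [500, 500, 500, 500]),
    WanLinkUsage("lte-backup", False, [9000, 9000, 9000, 9000], [9000, 9000, 9000, 9000]),
]
SAMPLE_THRESHOLDS = SiteThresholds(ingress_lower=7000, ingress_higher=10000, egress_lower=2000)

if __name__ == "__main__":
    for event in threshold_events(SAMPLE_LINKS, SAMPLE_THRESHOLDS):
        print(event)
```

With the constructed sample the combined ingress average is 8000 Kbps, which crosses the 7000 Kbps lower threshold but not the 10,000 Kbps higher one, so a single warning-level event results; the egress average of 1500 Kbps stays below its lower threshold and the egress higher threshold is disabled.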

Routing Domains

Routing Domains can be enabled, disabled, or set as the default on a Site by Site basis.

Interface Groups

An Interface Group allows one or more Ethernet Interfaces that share a common subnet to be configured together. If the subnet is behind a firewall or other secure device, the Security Zone should be set to Trusted. Untrusted interfaces will permit only Conduit, ICMP and ARP traffic.

Pass-through traffic may be enabled between two Ethernet Interfaces by creating a Bridge Pair. Setting the Bypass Mode to Fail-to-Wire will enable a physical connection between the bridge pairs, allowing traffic to flow in the event of SD-WAN Edge restart or failure. Setting the Bypass Mode to Fail-to-Block will disable the physical connection between the bridge pairs, preventing traffic from flowing in the event of SD-WAN Edge restart or failure. Only interfaces forming a hardware bypass pair are eligible for Fail-to-Wire.

VLAN traffic may be routed by creating a Virtual Interface. Traffic matching the given VLAN ID will be routed by the Oracle SD-WAN Edge based on user configuration, while undefined VLAN traffic will pass through. Each Virtual Interface must have an associated Virtual IP Address. Each Virtual Interface is automatically associated with the default Routing Domain, but you can choose a different one from the drop-down list of configured Routing Domains for each site.

Enabling Port State Reflection on a Bridge Pair forces the SD-WAN Edge to administratively take the WAN-side port of a bridge pair down when its corresponding LAN-side port goes down and vice versa. This completely stops the flow of traffic through the bridge pair. This value can only be set when the automatic bridging has not been enabled on the Interface Group via the Bridged attribute.

Virtual IP Addresses are IP addresses for a Site on a particular Virtual Interface. The Virtual IP address is used for communications between Sites across the Oracle SD-WAN and can be used as next-hop routes for traffic transmitted across the Oracle WAN. Each Virtual IP Address must be associated with a Routing Domain. The Routing Domain determines which Virtual Interfaces can be used.

  • IP Address / Prefix: The full host and netmask of the Virtual IP Address.
  • Routing Domain: A drop-down menu of available Routing Domains.
  • Virtual Interface: A drop-down menu of available Virtual Interfaces determined by the Routing Domain.
  • Identity: If you click the Identity checkbox, the Virtual IP Address will be used as the peering IP for use with IP services (e.g., Used as the Source IP Address when peering with devices participating in dynamic routing).
  • Private: If you click the Private checkbox, the Virtual IP Address remains local to the SD-WAN Edge and is not shared with remote SD-WAN Edge.
  • Security: The security of the Virtual Interface Group's segment of the network. Security is either Trusted (i.e., protected by a firewall) or Untrusted.

Define WAN Links

A WAN Link describes an individual Internet or Intranet connection of a Site to the WAN, or a direct connection to another Site. A WAN Link is used to describe connections such as: individual Cable, DSL, fiber or other Internet Service Providers; MPLS, IPSec or other site-to-site VPN connections; backup links such as Cellular or Advanced Wireless providers.

The WAN Link Settings configure the properties and behavior of a WAN Link.

WAN Link - Basic Settings

The WAN Link Basic Settings allows for the description of the type of the link and any Public IP Address if available.

WAN Ingress

  • Physical Rate is the bit rate limit of the WAN Link for the traffic traveling from the LAN into the WAN. Configuration should match the physical capacity of the WAN Link purchased from the service provider.
  • Permitted Rate is the bit rate that the SD-WAN Edge is allowed to use from the physical rate. Configuration should not be more than the physical rate.
  • Auto Learn indicates whether the permitted rate of the WAN Link will be automatically adjusted based on bandwidth test results. Before a valid test is completed, the physical rate will be used. No matter what the bandwidth test result is, the applied permitted rate will not exceed the physical rate.

WAN Egress

  • Physical Rate is the bit rate limit of the WAN Link for the traffic traveling from the WAN into the LAN. The Configuration should match the physical capacity of the WAN Link purchased from the service provider.
  • Permitted Rate is the bit rate that the SD-WAN Edge is allowed to use from the physical rate. The Configuration should not be more than the physical rate.
  • Auto Learn indicates whether the permitted rate of the WAN Link will be automatically adjusted based on bandwidth test results. Before a valid test is completed, the physical rate will be used. No matter what the bandwidth test result is, the applied permitted rate will not exceed the physical rate.

Access Types:

  • Public Internet: A Public Internet WAN Link is one that is connected to the Internet via an ISP.
  • Private Intranet: A Private Intranet WAN Link is one that only connects to one or more sites within the SD-WAN Edge network and cannot connect to locations outside of it.
  • Private MPLS: A Private MPLS WAN Link is one that uses one or more DSCP tags to control the quality of service between two or more points on an Intranet and cannot connect to locations outside of the SD-WAN Edge network.

Autodetect Public IP: If enabled, the SD-WAN Edge will automatically detect the Public IP Address. Autodetection may not be used on SD-WAN Edge configured as an SD-WAN Controller.

Public IP Address: The IP Address of the NAT or proxy server. Public IP Address is not available when Autodetect IP Address is selected.

Tracking IP Address: A virtual IP address on the WAN Link that can be pinged to determine the state of the WAN Link.

WAN Link - MPLS Queues

The WAN Link MPLS Queues allow for the definition of service queues using standard DSCP tags. At least one Class must be defined for each MPLS link.

MPLS Queue Name: The name of the MPLS Queue.

DSCP Tag: The DSCP tag assigned to the Oracle Conduit Path packets and handled by the carrier for that Queue policy enforcement.

  • When creating Conduit Paths between two Private MPLS WAN Links, paths between the MPLS queues will be automatically generated.
  • User traffic may be selected for any tagged Conduit Path during transmission regardless of the original packet DSCP.
  • Autopath Groups may be created to associate multiple paths for consolidated configuration.

Unmatched: If enabled, Ingress user traffic with DSCP tags not defined as MPLS queues will use this queue for provisioning and will be re-tagged with this queue's DSCP. Egress Intranet packets are not re-tagged.

WAN Ingress Permitted Rate (Kbps): The available or allowed rate, in Kbps, for WAN Ingress traffic. The sum of WAN Ingress Permitted Kbps for all queues in a Private MPLS WAN Link may not exceed the WAN Ingress Permitted Kbps for the Private MPLS WAN Link.

WAN Egress Permitted Rate (Kbps): The available or allowed rate, in Kbps, for WAN Egress traffic. The sum of WAN Egress Permitted Kbps for all queues in a Private MPLS WAN Link may not exceed the WAN Egress Permitted Kbps for the Private MPLS WAN Link.
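The rate relationships stated in the WAN Ingress/Egress and MPLS Queue sections (Permitted Rate never above Physical Rate, Auto Learn falling back to the physical rate until a valid test completes and never exceeding it, and the per-queue permitted rates summing to no more than the link's permitted rate) as an added Python validation example. This is not Oracle's code; the queue names, DSCP tags and rate figures are constructed.

```python
# Added example, not from the Oracle SD-WAN documentation: checks the rate
# relationships described above (permitted <= physical, Auto Learn never
# above physical, MPLS queue sums within the link's permitted rates).
# Names and rate figures are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RateSettings:
    physical_kbps: int
    permitted_kbps: int
    auto_learn: bool = False


def applied_permitted_rate(rates: RateSettings, test_result_kbps: Optional[int] = None) -> int:
    """Rate the SD-WAN Edge will actually use in one direction.
    - The configured Permitted Rate may not exceed the Physical Rate.
    - With Auto Learn, the physical rate is used until a valid bandwidth test
      completes; afterwards the learned rate is capped at the physical rate."""
    if rates.permitted_kbps > rates.physical_kbps:
        raise ValueError("Permitted Rate must not exceed the Physical Rate")
    if not rates.auto_learn:
        return rates.permitted_kbps
    if test_result_kbps is None:          # no valid test yet
        return rates.physical_kbps
    return min(test_result_kbps, rates.physical_kbps)


@dataclass
class MplsQueueRates:
    name: str
    dscp_tag: str
    ingress_permitted_kbps: int
    egress_permitted_kbps: int


def check_mpls_queue_rates(link_ingress_permitted_kbps: int, link_egress_permitted_kbps: int,
                           queues: List[MplsQueueRates]) -> List[str]:
    """Return validation errors; an empty list means the queues fit the link."""
    errors = []
    if not queues:
        errors.append("At least one MPLS Queue (Class) must be defined for an MPLS link")
    ingress_sum = sum(q.ingress_permitted_kbps for q in queues)
    egress_sum = sum(q.egress_permitted_kbps for q in queues)
    if ingress_sum > link_ingress_permitted_kbps:
        errors.append(f"WAN Ingress: queue sum {ingress_sum} Kbps exceeds link permitted "
                      f"{link_ingress_permitted_kbps} Kbps")
    if egress_sum > link_egress_permitted_kbps:
        errors.append(f"WAN Egress: queue sum {egress_sum} Kbps exceeds link permitted "
                      f"{link_egress_permitted_kbps} Kbps")
    return errors


# Constructed queues: the egress figures sum to 6000 Kbps.
SAMPLE_QUEUES = [
    MplsQueueRates("realtime", "EF", 2000, 2000),
    MplsQueueRates("bulk", "AF11", 3000, 4000),
]

if __name__ == "__main__":
    learned = applied_permitted_rate(RateSettings(10000, 8000, auto_learn=True), test_result_kbps=12000)
    print(f"applied rate after a 12000 Kbps test on a 10000 Kbps link: {learned} Kbps")
    print(check_mpls_queue_rates(5000, 5000, SAMPLE_QUEUES))
```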

Clicking the Expand Icon on any row will show the following advanced options:

Tracking IP Address: A virtual IP address on the WAN Link that can be pinged to determine the state of the MPLS Queue.

Congestion Threshold: The amount of congestion (in microseconds) after which the MPLS Queue will throttle packet transmission to avoid further congestion.

Eligibility: The Eligibility settings for an MPLS Queue allow the administrator to influence the usage of the Wanlink, per direction for each Oracle Class (Realtime, Interactive, & Bulk). If Eligibility is disabled, a latency calculation penalty (150ms by default) is applied during path selection to this Wanlink for traffic in that class for the selected direction.

WAN Link - Advanced Settings

The WAN Link Advanced Settings allows the configuration of the ISP specific attributes.

Provider ID: An optional unique ID number, 1-100, to designate WAN Links connected to the same service provider. The Provider ID is used to differentiate Paths when sending duplicate packets.

Frame Cost: Additional header/trailer bytes added to every packet, such as for Ethernet IPG or AAL5 trailers.

Congestion Threshold: The amount of congestion (in microseconds) after which the WAN Link will throttle packet transmission to avoid further congestion.

MTU Size: The largest raw packet size in bytes, not including the Frame Cost.

Enable WAN Link Threshold Event: Enabling this will include this WAN Link in generating threshold events.

WAN Link Mode:

  • Regular Active: A regular active WAN link is a primary WAN link on which user traffic is transmitted.
  • On-Demand Standby: An on-demand standby WAN link is a standby WAN link that may be activated to supplement conduit bandwidth when the bandwidth provided by the primary WAN links in the conduit falls below the bandwidth threshold configured in the conduit QoS Policy. In addition, if all primary WAN links are dead or disabled, an on-demand standby WAN link becomes active and user traffic is transmitted on it.
  • Last-Resort Standby: A last-resort standby WAN link is a standby WAN link on which user traffic is transmitted only when all regular active WAN links and all on-demand standby WAN links are dead or disabled.

NOTE: Only Public and Private Intranet WAN Links can be configured in last-resort or on-demand standby mode.

Priority: The configured priority value indicates the order in which a standby WAN link is activated. A priority 1 standby WAN link is activated before a priority 2 standby WAN link. A priority 3 standby WAN link is the last to be activated.

If there are both on-demand standby WAN links and last-resort standby WAN links configured for a conduit, on-demand standby WAN links are always activated before last-resort standby WAN links. Thus, a priority 3 on-demand standby WAN link is activated before a priority 1 last-resort standby WAN link.
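The WAN Link Mode, access-type restriction and Priority rules above (on-demand before last-resort regardless of priority value, lower priority value first within a mode, last-resort only when every regular active and on-demand link is dead or disabled) as an added Python example. This is not Oracle's code; link names, link states and bandwidth figures are constructed, and link health is modelled with the GOOD/BAD/DEAD states used elsewhere in this page plus a DISABLED value.

```python
# Added example, not from the Oracle SD-WAN documentation: orders standby WAN
# links as the mode and priority rules above describe and decides which
# standby links a conduit activates. Names, states and bandwidth figures are
# constructed; link state is modelled as GOOD/BAD/DEAD/DISABLED.
from dataclasses import dataclass
from typing import List

REGULAR_ACTIVE = "Regular Active"
ON_DEMAND_STANDBY = "On-Demand Standby"
LAST_RESORT_STANDBY = "Last-Resort Standby"
MODE_RANK = {ON_DEMAND_STANDBY: 0, LAST_RESORT_STANDBY: 1}   # on-demand always before last-resort
STANDBY_CAPABLE_ACCESS_TYPES = {"Public Internet", "Private Intranet"}


@dataclass
class WanLinkState:
    name: str
    access_type: str
    mode: str
    priority: int = 1           # 1 activates before 2, 2 before 3
    state: str = "GOOD"

    def usable(self) -> bool:
        return self.state not in ("DEAD", "DISABLED")


def validate_mode(link: WanLinkState) -> None:
    """Only Public Internet and Private Intranet links may be standby links."""
    if link.mode != REGULAR_ACTIVE and link.access_type not in STANDBY_CAPABLE_ACCESS_TYPES:
        raise ValueError(f"{link.name}: {link.access_type} links cannot use {link.mode}")


def standby_activation_order(links: List[WanLinkState]) -> List[WanLinkState]:
    """Standby links in activation order: mode first, then priority value."""
    standby = [link for link in links if link.mode != REGULAR_ACTIVE]
    for link in standby:
        validate_mode(link)
    return sorted(standby, key=lambda link: (MODE_RANK[link.mode], link.priority))


def standby_links_to_activate(links: List[WanLinkState], primary_bandwidth_kbps: int,
                              qos_threshold_kbps: int) -> List[str]:
    """Names of the standby links a conduit activates, given the bandwidth its
    regular active links currently provide and the QoS Policy threshold."""
    regular_alive = [link for link in links if link.mode == REGULAR_ACTIVE and link.usable()]
    ordered = [link for link in standby_activation_order(links) if link.usable()]
    on_demand = [link for link in ordered if link.mode == ON_DEMAND_STANDBY]
    last_resort = [link for link in ordered if link.mode == LAST_RESORT_STANDBY]
    if regular_alive and primary_bandwidth_kbps >= qos_threshold_kbps:
        return []                                  # primaries suffice, standby stays inactive
    if regular_alive or on_demand:
        # Supplement (or replace) primary bandwidth with on-demand links, in priority order.
        return [link.name for link in on_demand]
    # Every regular active and on-demand standby link is dead or disabled.
    return [link.name for link in last_resort]


# Constructed site: one primary, two on-demand LTE links, one last-resort satellite link.
SAMPLE_LINKS = [
    WanLinkState("broadband", "Public Internet", REGULAR_ACTIVE),
    WanLinkState("lte-a", "Public Internet", ON_DEMAND_STANDBY, priority=2),
    WanLinkState("lte-b", "Public Internet", ON_DEMAND_STANDBY, priority=1),
    WanLinkState("satellite", "Public Internet", LAST_RESORT_STANDBY, priority=1),
]

if __name__ == "__main__":
    print([link.name for link in standby_activation_order(SAMPLE_LINKS)])
    print(standby_links_to_activate(SAMPLE_LINKS, primary_bandwidth_kbps=10000, qos_threshold_kbps=20000))
```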

Heartbeat Interval: While a standby WAN link is inactive, a heartbeat message is transmitted at this configured interval. If the heartbeat interval is set to "disabled", heartbeat messages are not sent at all while the standby WAN link is inactive. Without heartbeat messages, the actual state of the link and of the paths using this link is unknown. This setting is meant for links that are known to be always GOOD. As such, the state of the link is assumed and shown as GOOD in statistics monitoring reports when the link is not active. When such a standby WAN link becomes active, heartbeat messages are sent at a 25ms or 50ms interval when there is no other traffic.

WAN Link - Eligibility

The Eligibility settings for a WAN Link allows the user to add an extra penalty for using the WAN Link for certain Classes of traffic. When a Class of traffic is marked as not-eligible for the WAN Link, a penalty is added that makes the WAN Link unlikely to be used unless network conditions require it.

WAN Link - Cell Network

The WAN Link Cell Network settings allow for configuration of the settings necessary for cell-based rather than packet-based networks, such as ATM.

WAN Link - Access Interfaces

An Access Interface defines the IP Address and Gateway IP Address for a WAN Link. At least one Access Interface is required for each WAN Link. To add an Access Interface, you must choose a Routing Domain, which determines which Virtual Interfaces are available for use.

A site must have an Internet Service defined before the Default Internet Access checkbox can be enabled.

When using the Default Internet Access be certain that configured Routing Domains have non-overlapping network spaces. Any non-directly connected subnets must also have non-overlapping network spaces.

Certificates

Identity Certificates are used to sign or encrypt data to validate the contents of a message and the identity of the sender. Trusted certificates are used to verify message signatures. Oracle SD-WAN Edge accept both Identity Certificates and Trusted Certificates. Administrators can manage certificates in the Configuration Editor.

Identity Certificates

Identity Certificates require that the certificate's private key be available to the signer. Identity Certificates or their certificate chains must be trusted by a peer to validate the contents and identity of the sender. The configured Identity Certificates and their respective Fingerprints are displayed in the Configuration Editor.

Trusted Certificates

Trusted Certificates are self-signed, intermediate certificate authority (CA) or root CA certificates used to validate the identity of a peer. No private key is required for a Trusted Certificate. The configured Trusted Certificates and their respective Fingerprints are listed here.

DHCP

Configure DHCP Server and DHCP relay on the virtual interfaces. The DHCP Server will assign dynamic IP addresses to the connected clients, while the Relay will relay the DHCP requests to the configured DHCP servers.

Server Subnets

NOTE: It is recommended to specify ranges that do not overlap with statically configured IP Addresses or Access Interface IP Addresses for the site.

NOTE: Do not specify a subnet address or broadcast address as part of your DHCP address range.

Configure different virtual interfaces that will be used by the DHCP Server.

  • Routing Domain: Select a configured Routing Domain when multiple domains are present.
  • Virtual Interface: Select a Virtual Interface that is configured in server mode.
  • IP Subnet: The IP Subnet from which the DHCP Server provides addresses.
  • Domain Name: Enter the Domain Name that will be sent by the DHCP Server to the clients.
  • Primary DNS: Enter the Primary DNS that will be sent by the DHCP Server to the clients.
  • Secondary DNS: Enter the Secondary DNS that will be sent by the DHCP Server to the clients.
  • Enable: Enable the subnet for use.

Ranges

Configure dynamic IP address pools that will be used to allocate IP addresses to clients.

  • Range Start IP: The first IP Address in the pool that will be allocated.
  • Range End IP: The last IP Address in the pool that will be allocated.
  • Gateway IP: Optional Gateway IP Address that will be sent to the client.
  • Option Set: Select an option set that will be used to assign various parameters to the server or the connected clients.
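The two NOTEs under Server Subnets (do not hand out the subnet or broadcast address; keep ranges clear of statically configured and Access Interface IP addresses) as an added Python validation example using the standard library's ipaddress module. This is not Oracle's code; the subnet, range and reserved addresses are constructed.

```python
# Added example, not from the Oracle SD-WAN documentation: validates a DHCP
# server range against the notes above (stay inside the IP Subnet, exclude
# the subnet and broadcast addresses, avoid statically configured and Access
# Interface addresses). All addresses are constructed.
import ipaddress
from typing import Iterable, List


def validate_dhcp_range(ip_subnet: str, range_start: str, range_end: str,
                        reserved_addresses: Iterable[str] = ()) -> List[str]:
    """Return a list of problems; an empty list means the range is acceptable."""
    problems: List[str] = []
    network = ipaddress.ip_network(ip_subnet, strict=True)   # host bits must be zero
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)

    if start > end:
        problems.append(f"Range Start IP {start} is after Range End IP {end}")
        return problems
    if start not in network or end not in network:
        problems.append(f"Range {start}-{end} is not inside IP Subnet {network}")
        return problems
    # The range is contiguous and inside the subnet, so the subnet address can
    # only be included at the start and the broadcast address only at the end.
    if start == network.network_address:
        problems.append(f"Range includes the subnet address {network.network_address}")
    if end == network.broadcast_address:
        problems.append(f"Range includes the broadcast address {network.broadcast_address}")
    for address in reserved_addresses:
        reserved = ipaddress.ip_address(address)
        if start <= reserved <= end:
            problems.append(f"Range overlaps statically configured address {reserved}")
    return problems


# Constructed site: the Access Interface IP (.1) and a static printer (.20).
SITE_RESERVED = ["192.168.10.1", "192.168.10.20"]

if __name__ == "__main__":
    print(validate_dhcp_range("192.168.10.0/24", "192.168.10.100", "192.168.10.200", SITE_RESERVED))
    print(validate_dhcp_range("192.168.10.0/24", "192.168.10.0", "192.168.10.255", SITE_RESERVED))
```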

Hosts

Configure individual hosts that require a fixed IP address based on the mac address.

  • Fixed IP Address: Select a fixed IP Address to allocate to the Host.
  • MAC Address: Enter the MAC address to identify the host.
  • Option Set: Select an option set that will be used to assign various parameters to the connected host.

Relays

Configure DHCP Relay for individual interfaces that will communicate with remote DHCP Server(s).

  • Routing Domain: Select a configured Routing Domain when multiple domains are present.
  • Virtual Interface: Select a Virtual Interface that is configured in relay mode.
  • Server IP 1: Enter the first DHCP Server IP Address that the Relay will use to forward the request and response from the clients.
  • Server IP 2: Enter the optional second DHCP Server IP Address that the Relay will use to forward the request and response from the clients.
  • Server IP 3: Enter the optional third DHCP Server IP Address that the Relay will use to forward the request and response from the clients.
  • Server IP 4: Enter the optional fourth DHCP Server IP Address that the Relay will use to forward the request and response from the clients.

DNS Proxy

Configure DNS Proxy for each routing domain.

  • Routing Domain: Select a configured Routing Domain when multiple domains are present.
  • IP Address: Specify the IP address of the primary/secondary DNS server.
  • Use DHCP Client DNS: Use DHCP client learned DNS server as primary/secondary DNS server.

Override Proxies

Configure DNS servers for DNS requests that match certain domain names.

  • Domain Match: DNS request matching the configured domain will be sent to the override DNS servers.
  • Primary DNS Server IP: Primary override DNS server.
  • Secondary DNS Server IP: Secondary override DNS server.

High Availability

When using High Availability (HA), two SD-WAN Edges are deployed as a pair with one designated as the Primary and the other as the Secondary. Data traffic is routed through the Primary SD-WAN Edge while the Secondary remains passive. The Secondary SD-WAN Edge monitors the health of the Primary SD-WAN Edge and, if any failures occur, takes over full support of the network services after the designated Failover Time.

HA SD-WAN Edge may be deployed one-arm, or fully-inline in a parallel or serial configuration. When deployed serially, Use Serial Configuration should be checked.

By default, the SD-WAN Edge specified in the Site's Basic Settings will be considered the Primary SD-WAN Edge and the HA SD-WAN Edge, the Secondary. If Swap Primary/Secondary is checked, this designation is flipped and any configuration parameters that apply to the Primary SD-WAN Edge will instead apply to the Secondary.

NOTE: When HA is enabled, all of the Primary SD-WAN Edge's IP addresses are virtualized so that they may be shared with the Secondary SD-WAN Edge.

HA IP Interfaces designate a Virtual Interface and a pair of Virtual IP Addresses over which the two SD-WAN Edge in the HA pair will communicate with one another. Each interface may optionally reference one or more L2 External Trackers—such as a router—that can be used to determine the health of the Primary SD-WAN Edge. Each External Tracking IP Address must reside on the subnet associated with the given Virtual Interface.

Conduits

The Dynamic or Static Conduit Services can be defined in the Service section.

Dynamic Conduits

Dynamic Conduits allows for the enabling and disabling of Dynamic Conduits on the Site. Dynamic Conduits are Conduits that are established directly between sites based on a configured threshold. They are only operational when the defined threshold is reached. The threshold is typically based on traffic. They are not required for normal operation.

Conduit name (static Conduits)

The Conduit Service between two sites can be configured in this section. The system will add a static Conduit between a client site and the SD-WAN Controller, as this Conduit is required. Any additional static Conduit will have to be added manually by the user.

Click the Add icon to add a static Conduit. Click the Delete icon next to the Conduit name to delete the Conduit.

Local Site

Local Site allows the user to view and configure the Conduit settings from the local Site's perspective. This includes any additional Class or Rules changes the user requires for this specific Conduit. The user can also add paths if required.

Remote Site

Remote Site allows the user to view and configure the Conduit settings from the remote Site's perspective.

Basic Settings

Disable Reverse Also: Click this button to disable the mirroring of Rules and Classes to both ends of the Conduit. This action cannot be undone, and the Conduit must be recreated to re-enable Reverse Also.

Tracking IP Address: A virtual IP address on the Path that can be pinged to determine the state of the Path:

  • GOOD: Reply immediately
  • BAD: Reply in >100ms (milliseconds)
  • DEAD: No reply

QoS Policy: Name of the Conduit QoS Policy that will be used to populate Rules and Classes for the Conduit on the Site. This setting will be mirrored when Reverse Also is enabled. When a Conduit QoS Policy is applied to Conduit Service the Classes can only be edited at the Conduit QoS Policy level.

Unlink Classes from QoS Policy: When a Conduit QoS Policy is set for the Conduit Service and this box is checked and the Apply button is clicked, the Conduit QoS Policy Classes are copied to the Conduit Service scope, where they can be edited locally without affecting the Conduit QoS Policy. This setting has no effect on the Rules and is only enabled when a Conduit QoS Policy name is set for the Conduit Service. If the box is later unchecked and Apply is clicked, the Classes at the local scope are removed and only the Classes defined in the Conduit QoS Policy apply to this service; the Classes can then again only be edited at the Conduit QoS Policy level. This setting will be mirrored when Reverse Also is enabled.

WAN Links

WAN Link: Name of the WAN Link

Use: Allow the Conduit Service to use the WAN Link. When Use is not enabled, all other options will be unavailable.

Tunnel Header Size (bytes): The size of the tunnel header, in bytes, if applicable.

Active MTU Detect: If enabled, all WAN Ingress Paths for Dynamic Conduits will be actively probed for MTU.

UDP Port: The specified port will be used for WAN Ingress packets and required for WAN Egress packets.

UDP Hole Punching: If enabled, the SD-WAN Controller will assist UDP connectivity between compatible NAT-protected client sites.

UDP Port Switching:

  • Enable: If enabled, the WAN Link will alternate its UDP port at the specified interval. When UDP Port Switching is not enabled, Alt Port and Interval will be unavailable.
  • Alt Port: The alternate UDP Port to be used when UDP Port Switching is enabled and active.
  • Interval (min): The interval, in minutes, that the WAN Link will alternate its UDP Port.

Auto-Path Group: The group used to determine what Paths may be automatically generated between the WAN Link and remote WAN Links and what default Path settings to use.

  • <None> indicates that no group is desired and will prevent Paths from being automatically generated to or from the WAN Link.
  • <Default> uses the group currently marked as default and is automatically updated when the default group changes.

If the WAN Link is a Private MPLS, then enabling the WAN Link for a service will also allow the row to expand and show options for the individual MPLS Queues. When enabled, clicking the Expand Icon will show the following options:

  • Use: Allow the Conduit Service to use the MPLS Queue. When Use is not enabled, all other options will be unavailable. An MPLS Queue may not be used for a service unless the service is first enabled for the Private MPLS WAN Link.
  • DSCP Tag: The DSCP Tag applied to the Oracle Conduit Path.
  • Auto-Path Group: The group used to determine what Paths may be automatically generated between the MPLS Queue and remote MPLS Queues and what default Path settings to use. For MPLS Queues, an additional option of <Inherit> is present and will use the following rules to generate paths:
      • <None>: no Paths will be created.
      • <Inherit>: the Private MPLS' Auto-Path Group setting will be used to create Paths. This MPLS Queue will generate Paths to remote MPLS Queues if the remote Auto-Path Group setting, even if inherited, matches the local setting. If a remote MPLS Queue's Auto-Path Group setting is also <Inherit>, a Path will only be generated if the local and remote DSCP tags are the same.
      • <Default> or a specific group: This MPLS Queue will generate Paths to remote MPLS Queues if the remote Auto-Path Group setting, even if inherited, matches the local setting, regardless of DSCP tag.

Classes
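The <None> / <Inherit> / <Default> path-generation rules for MPLS Queues above, applied across the queues of two Private MPLS WAN Links, as an added Python example. This is not Oracle's code; the queue names, DSCP tags and group names are constructed, and resolving <Default> to the group currently marked default before comparing settings is an assumption about how the match is evaluated.

```python
# Added example, not from the Oracle SD-WAN documentation: applies the
# <None> / <Inherit> / <Default> Auto-Path Group rules above to decide which
# Paths are generated between the MPLS Queues of two Private MPLS WAN Links.
# Queue names, DSCP tags and group names are constructed; resolving <Default>
# to the current default group before comparing is an assumption.
from dataclasses import dataclass
from typing import List, Tuple

NONE, INHERIT, DEFAULT = "<None>", "<Inherit>", "<Default>"


@dataclass
class MplsQueue:
    name: str
    dscp_tag: str
    auto_path_group: str        # NONE, INHERIT, DEFAULT or a named group


@dataclass
class PrivateMplsLink:
    name: str
    auto_path_group: str        # NONE, DEFAULT or a named group (no INHERIT at link level)
    queues: List[MplsQueue]


def effective_group(queue: MplsQueue, link: PrivateMplsLink, default_group: str) -> str:
    """Resolve a queue's setting to the group it actually uses."""
    setting = link.auto_path_group if queue.auto_path_group == INHERIT else queue.auto_path_group
    return default_group if setting == DEFAULT else setting


def path_generated(local_q: MplsQueue, local_link: PrivateMplsLink,
                   remote_q: MplsQueue, remote_link: PrivateMplsLink, default_group: str) -> bool:
    local_group = effective_group(local_q, local_link, default_group)
    remote_group = effective_group(remote_q, remote_link, default_group)
    if NONE in (local_group, remote_group):
        return False                          # <None>: no Paths to or from this queue
    if local_group != remote_group:
        return False                          # settings (even if inherited) must match
    if local_q.auto_path_group == INHERIT and remote_q.auto_path_group == INHERIT:
        return local_q.dscp_tag == remote_q.dscp_tag   # both inherit: DSCP tags must match
    return True                               # <Default> or named group: regardless of DSCP


def generate_paths(local_link: PrivateMplsLink, remote_link: PrivateMplsLink,
                   default_group: str) -> List[Tuple[str, str]]:
    """(local queue, remote queue) pairs for which a Path is generated."""
    return [(lq.name, rq.name)
            for lq in local_link.queues for rq in remote_link.queues
            if path_generated(lq, local_link, rq, remote_link, default_group)]


# Constructed links: both WAN Links use <Default>; queue settings vary.
LOCAL_LINK = PrivateMplsLink("hq-mpls", DEFAULT, [
    MplsQueue("EF", "EF", INHERIT),
    MplsQueue("AF31", "AF31", INHERIT),
    MplsQueue("BE", "BE", NONE),
])
REMOTE_LINK = PrivateMplsLink("branch-mpls", DEFAULT, [
    MplsQueue("EF", "EF", INHERIT),
    MplsQueue("AF31", "AF31", DEFAULT),
    MplsQueue("BE", "BE", INHERIT),
])

if __name__ == "__main__":
    for local_name, remote_name in generate_paths(LOCAL_LINK, REMOTE_LINK, "Default_AP"):
        print(f"{LOCAL_LINK.name}/{local_name} -> {REMOTE_LINK.name}/{remote_name}")
```

In the constructed case the local EF queue reaches the remote EF queue (both inherit, same DSCP) and the remote AF31 queue (remote is <Default>, so DSCP is ignored), the local AF31 queue reaches only the remote AF31 queue, and the local BE queue, set to <None>, generates nothing.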

Any Class specific changes to this Conduit can be entered here and only impact this Conduit. Class options are consistent with a previous description.

Rules

Any rule specific changes to this Conduit can be entered here and only impact this Conduit. Rule options are consistent with a previous description.

Remote Site: typically unused but available if any change is required. This option is consistent with the option available at the local site.

Local Site: allows the user to view and configure the Conduit settings from the remote Site's perspective. This includes any additional Class or Rules changes the user requires for this specific Conduit.

Paths

A Path can be created by clicking the Add button next to the Paths category. By default the system will generate paths between WAN Links defined as access type Public Internet. The user would be required to use the auto-path group function or enable paths manually for WAN Links with an access type of Private Intranet.

Convert to Static Path: Convert this Path, and all other Paths associated with the same WAN Link that were generated by an Autopath Group, to Static Paths. This action cannot be undone.

From Site: Source Site for the Path (Read Only).

From WAN Link: Originating WAN Link for the Path (Read Only).

From DSCP Tag: If the From WAN Link is an MPLS Queue, the DSCP Tag associated with the Class (Read Only).

To Site: Destination Site for the Path (Read Only).

To WAN Link: Terminating WAN Link for the path (Read Only).

To DSCP Tag: If the To WAN Link is an MPLS Queue, the DSCP Tag associated with the Class (Read Only).

Reverse Also: If enabled, a Path with the same WAN Links will be built in the opposite direction.

IP DSCP Tagging: DSCP Tag to set in the IP header for Path traffic.

Enable Encryption: If enabled, packets sent in this Path will be encrypted.

Bad Loss Sensitive: If enabled, packet loss will cause the Path to transition to the BAD state and will incur a latency penalty in Path scoring. Disabling this option may be useful when the loss of bandwidth is intolerable.

Percent Loss (%) (default:DEFAULT): This can only be set when Bad Loss Sensitive is set to Custom. If packet loss exceeds the set percentage over the configured time, path state will transition from "GOOD" to "BAD". The default is to use Oracle's hard-coded algorithm.

Over Time (ms) (default:1000): This can only be set when Bad Loss Sensitive is set to Custom and Percent Loss is set to a value other than DEFAULT. If packet loss exceeds the set percentage over this configured time, path state will transition from "GOOD" to "BAD".

Silence Period (ms) (default:DEFAULT): Path state transitions from "GOOD" to "BAD" when no packets have been received for the specified amount of time. When not specified, the silence period will be automatically calculated according to ongoing network measurements and will transition to BAD after the receiving appliance sends 3 unanswered keepalive requests.

Path Probation Period (ms) (default:10000): Probation period to wait before moving path state from "BAD" to "GOOD". Default is 10000 ms.
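The GOOD/BAD transitions governed by the Bad Loss Sensitive, Percent Loss, Over Time, Silence Period and Path Probation Period settings above, as an added Python state tracker. This is not Oracle's code: the keepalive interval, sample timings and loss figures are constructed; Oracle's hard-coded DEFAULT loss algorithm is not reproduced, so loss is only evaluated when a Custom Percent Loss is configured; and restarting the probation timer on every new BAD event is an assumption.

```python
# Added example, not from the Oracle SD-WAN documentation: a simplified Path
# state tracker applying the Custom loss threshold, Silence Period and Path
# Probation Period settings described above. Keepalive interval, timings and
# loss figures are constructed; the DEFAULT loss algorithm is not modelled.
from typing import Optional

GOOD, BAD = "GOOD", "BAD"


class PathStateTracker:
    def __init__(self, bad_loss_sensitive: str = "Custom", percent_loss: Optional[float] = None,
                 over_time_ms: int = 1000, silence_period_ms: Optional[int] = None,
                 probation_ms: int = 10000, keepalive_interval_ms: int = 50):
        if bad_loss_sensitive not in ("Enable", "Custom", "Disable"):
            raise ValueError("Bad Loss Sensitive must be Enable, Custom or Disable")
        if percent_loss is not None and bad_loss_sensitive != "Custom":
            raise ValueError("Percent Loss can only be set when Bad Loss Sensitive is Custom")
        self.bad_loss_sensitive = bad_loss_sensitive
        self.percent_loss = percent_loss          # None = DEFAULT (hard-coded, not modelled here)
        self.over_time_ms = over_time_ms          # window over which loss_percent is measured
        # DEFAULT silence period: three unanswered keepalives (assumed fixed keepalive interval).
        self.silence_period_ms = (silence_period_ms if silence_period_ms is not None
                                  else 3 * keepalive_interval_ms)
        self.probation_ms = probation_ms
        self.state = GOOD
        self.last_bad_ms: Optional[int] = None

    def update(self, now_ms: int, loss_percent: float, ms_since_last_rx: int) -> str:
        """Feed one measurement (loss over the last over_time_ms window and time
        since the last packet was received) and return the resulting state."""
        silent = ms_since_last_rx >= self.silence_period_ms
        lossy = (self.bad_loss_sensitive == "Custom" and self.percent_loss is not None
                 and loss_percent > self.percent_loss)
        if silent or lossy:
            self.state = BAD
            self.last_bad_ms = now_ms     # assumption: probation restarts on every BAD event
        elif self.state == BAD and now_ms - self.last_bad_ms >= self.probation_ms:
            self.state = GOOD             # probation period elapsed without a new BAD event
        return self.state


if __name__ == "__main__":
    # Constructed walk-through: loss burst, probation, then a silence timeout.
    tracker = PathStateTracker(percent_loss=5.0)
    for now_ms, loss_percent, since_rx in [(0, 1.0, 10), (1000, 8.0, 10), (5000, 0.0, 10),
                                           (11000, 0.0, 10), (12000, 0.0, 200)]:
        print(f"t={now_ms:>5}ms loss={loss_percent:>4}% since_rx={since_rx:>3}ms -> "
              f"{tracker.update(now_ms, loss_percent, since_rx)}")
```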

Instability Sensitive: If enabled, Latency penalties due to "BAD" state and other spikes in latency are considered in the Path scoring algorithm. Disabling this option may be useful when the loss of bandwidth (if Bad Loss Sensitive enabled) or latency spikes are intolerable.

There are 4 combinations for the bad loss sensitive and instability sensitive settings:

  • Option 1: When Bad Loss Sensitive is set to Enable or Custom and Instability Sensitive is enabled, a Path may be marked as BAD and incur a latency penalty so it is only used as a last resort. In the event multiple Paths are marked BAD, there is still competition among them based on regular Path scoring.
  • Option 2: When Bad Loss Sensitive is set to Enable or Custom and Instability Sensitive is disabled, a Path may be marked as BAD and only used as a last resort, however the latency spikes are not considered. In the event multiple paths are marked BAD, the ones with Instability Sensitive disabled will likely be used first.
  • Option 3: When Bad Loss Sensitive is set to Disable and Instability Sensitive is enabled, a Path remains GOOD in spite of loss, however latency spikes are considered, so that Path is only likely to be used after Paths without latency spikes are exhausted.
  • Option 4: When Bad Loss Sensitive is set to Disable and Instability Sensitive is disabled, a Path remains GOOD and latency spikes are not considered, therefore the Path will likely remain in constant use.

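The GOOD/BAD transitions described above (loss measured over the Over Time window, the Silence Period, and the Probation Period before a path returns to GOOD) modelled as a small state machine. This is an added example, not Oracle's implementation: the hard-coded algorithm used when Bad Loss Sensitive is set to Enable is not documented on this page, so the ASSUMED_DEFAULT_LOSS_PCT constant and the probe trace in simulate() are constructed placeholders, and Path scoring (Instability Sensitive) is not modelled.

```python
from collections import deque
from dataclasses import dataclass

GOOD, BAD = "GOOD", "BAD"

# The page says "Enable" uses a hard-coded vendor algorithm it does not describe;
# this constructed threshold stands in for it (assumption, not a vendor value).
ASSUMED_DEFAULT_LOSS_PCT = 50.0


@dataclass
class PathSettings:
    bad_loss_sensitive: str = "custom"   # "enable", "custom" or "disable"
    percent_loss: float = 10.0           # honoured only when bad_loss_sensitive == "custom"
    over_time_ms: int = 1000             # sliding window over which loss is measured
    silence_period_ms: int = 3000        # nothing received for this long -> BAD
    probation_ms: int = 10000            # BAD must stay clean this long before GOOD

    def loss_threshold(self):
        """Loss percentage above which the path is marked BAD, or None if loss is ignored."""
        if self.bad_loss_sensitive == "disable":
            return None
        if self.bad_loss_sensitive == "custom":
            return self.percent_loss
        return ASSUMED_DEFAULT_LOSS_PCT


class PathMonitor:
    def __init__(self, settings):
        self.s = settings
        self.state = GOOD
        self.samples = deque()        # (time_ms, sent, lost) per measurement interval
        self.last_rx_ms = 0
        self.bad_since_ms = None
        self.transitions = []         # (time_ms, old_state, new_state, reason)

    def _loss_pct(self, now):
        # Discard samples that fell out of the Over Time window.
        while self.samples and now - self.samples[0][0] > self.s.over_time_ms:
            self.samples.popleft()
        sent = sum(s for _, s, _ in self.samples)
        lost = sum(l for _, _, l in self.samples)
        return 100.0 * lost / sent if sent else 0.0

    def _fault(self, now):
        """Return why the path currently looks bad, or None if it looks healthy."""
        if now - self.last_rx_ms >= self.s.silence_period_ms:
            return "silence"
        thr = self.s.loss_threshold()
        if thr is not None and self._loss_pct(now) > thr:
            return "loss"
        return None

    def on_sample(self, now, sent, lost):
        """Record one measurement interval: packets sent and how many were lost."""
        self.samples.append((now, sent, lost))
        if sent > lost:
            self.last_rx_ms = now
        self.evaluate(now)

    def evaluate(self, now):
        reason = self._fault(now)
        if self.state == GOOD:
            if reason:
                self.bad_since_ms = now
                self.transitions.append((now, GOOD, BAD, reason))
                self.state = BAD
        elif reason:
            self.bad_since_ms = now   # any new fault restarts the probation period
        elif now - self.bad_since_ms >= self.s.probation_ms:
            self.transitions.append((now, BAD, GOOD, "probation elapsed"))
            self.state = GOOD


def simulate(settings):
    """Constructed trace: 10 probes per 100 ms, a 400 ms burst of 30% loss, then silence."""
    mon = PathMonitor(settings)
    for t in range(0, 1000, 100):
        mon.on_sample(t, 10, 0)
    for t in range(1000, 1400, 100):
        mon.on_sample(t, 10, 3)
    for t in range(1400, 12001, 100):
        mon.on_sample(t, 10, 0)
    mon.evaluate(15000)               # nothing received since t=12000
    return mon.transitions
```

With the Custom settings above, simulate() shows the path going BAD at 1300 ms, once the burst has pushed loss over the 1000 ms window above 10%, staying BAD until 10 s have passed without a new fault, and going BAD again when the silence period expires; with Bad Loss Sensitive set to Disable the same burst is ignored and only the silence transition remains.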
Tracking IP Address: A virtual IP address on the Path that can be pinged to determine the state of the Path:

  • GOOD: Reply immediately.
  • BAD: Reply in >100ms (milliseconds)
  • DEAD: No reply.

Reverse Tracking IP Address: If Reverse Also is enabled, a virtual IP address on the reverse Path that can be pinged to determine the state of the reverse Path.

  • GOOD: Reply immediately.
  • BAD: Reply in >100ms (milliseconds)
  • DEAD: No reply.

Cloud Services

Cloud Service name

The Cloud Service between the SD-WAN Edge network and the Cloud Gateway that can be configured in this section.

Click the () option to add a Cloud Service. Click the () option next to the Cloud Service name to delete the Cloud Service.

  • Cloud Service: Select from the list of the Cloud Services that were configured in the Global section.
  • Cloud Service QoS Policy: One and only one Cloud Service QoS Policy is created automatically by the system.

Internet Services

An Internet Service can be created by clicking the Add button next to the Internet Services category. Note, only one Internet Service may exist on a Site.

Internet

An Internet Service can be deleted by clicking the Delete button next to the Internet Service name.

Basic Settings

NOTE: Firewall Zone is not configurable for an Internet Service. If the Service is trusted, it will be assigned to the Internet_Zone. If the Service is untrusted, it will be assigned to the Untrusted_Internet_Zone.

Enable Primary Reclaim: If enabled, the (use = primary) Internet Usage associated with this service on a WAN Link will forcefully reclaim status as the active service on that WAN Link.

Cost of Default Route: If needed, the user can change the cost of the default Internet Route 0.0.0.0/0 to a valid value other than the default cost.

QoS Policy: Name of the Internet QoS Policy that will be used to populate Rules for the Internet Service on the Site.

Ignore WAN Link Status: If enabled, packets destined for this service will still choose this service even if all WAN Links for this service are unavailable.

Export Default Route: If enabled, the default route for the Internet Service, 0.0.0.0/0, will be exported to other Sites if WAN-to-WAN Forwarding has been enabled.

WAN Links

Use: Allow the Service to use this WAN Link. When Use is not enabled, all other options will be unavailable.

NOTE: If a last-resort standby WAN link is configured for Internet Service and it is configured with disabled heartbeats (in the Site/WAN Link/Settings/Advanced Settings section), its configured priority value must be the highest among all last-resort standby WAN links that are used by Internet Service. On-demand standby WAN links cannot be configured for Internet Service.

Mode: The Service's mode for traffic redundancy or load balancing.

Tunnel Header Size (bytes): The size of the tunnel header, in bytes, if applicable.

Access Interface Failover: If enabled, Internet/Intranet packets with mismatched VLAN can still use the service.

WAN Ingress:

  • Tagging: The DSCP tag to apply to WAN Ingress packets on the Service.
  • Max Delay (ms): The maximum time, in milliseconds, to buffer packets when the WAN Link's bandwidth is exceeded.

WAN Egress:

  • Tagging: The DSCP tag to apply to WAN Egress packets on the Service.
  • Matching: Internet WAN Egress packets matching this tag will be assigned to the Service.
  • Grooming: If enabled, packets will be randomly discarded to prevent WAN Egress traffic from exceeding the Service's provisioned bandwidth.

Rules

The ability to identify traffic based on a rule is the same as previously described. The rule definition will be used to match a specific traffic flow. Once matched the user must define the action to take for the traffic flow. The available actions are described below.

WAN Link: assign the WAN Link that has Internet Service enabled.

Override Service:

  • Intranet Service: override to a defined Intranet service;
  • Discard: drop the traffic.

Pass-through: map the flow to pass-through and allow the traffic to flow through SD-WAN Edge unchanged.

Intranet Services

An Intranet Service can be created by clicking the () button next to the Intranet Services category.

Intranet

An Intranet Service can be deleted by clicking the () button next to the Intranet Service name.

Basic Settings

Routing Domain: The Routing Domain chosen for the Intranet Service.

Firewall Zone: The Firewall Zone chosen for the Intranet Service. By default, the Service is placed into the Default_LAN_Zone.

Enable Primary Reclaim: If enabled, the (use = primary) Internet Usage associated with this service on a WAN Link will forcefully reclaim status as the active service on that WAN Link.

QoS Policy: Name of the Internet QoS Policy that will be used to populate Rules for the Internet Service on the Site.

Ignore WAN Link Status: If enabled, packets destined for this service will still choose this service even if all WAN Links for this service are unavailable.

WAN Links

Use: Allow the Service to use the WAN Link. When Use is not enabled, all other options will be unavailable.

NOTE: On-demand standby WAN links cannot be configured for Intranet Service.

Mode: The Service's mode for traffic redundancy or load balancing.

Tunnel Header Size (bytes): The size of the tunnel header, in bytes, if applicable.

Access Interface Failover: If enabled, Internet/Intranet packets with mismatched VLAN can still use the service.

WAN Ingress:

  • Tagging: The DSCP tag to apply to WAN Ingress packets on the Service.
  • Max Delay (ms): The maximum time, in milliseconds, to buffer packets when the WAN Link's bandwidth is exceeded.

WAN Egress:

  • Tagging: The DSCP tag to apply to WAN Egress packets on the Service.
  • Matching: Internet WAN Egress packets matching this tag will be assigned to the Service.
  • Grooming: If enabled, packets will be randomly discarded to prevent WAN Egress traffic from exceeding the Service's provisioned bandwidth.

If the WAN Link is a Private MPLS, then enabling the WAN Link for a service will also allow the row to expand and show options for the individual MPLS Queues. When enabled, clicking the Expand Icon () will show the following options:

Use: Allow the Service to use this MPLS Queue. When Use is not enabled, all other options will be unavailable. An MPLS Queue may not be used for a service unless the service is first enabled for the Private MPLS WAN Link. Classes marked for unmatched tags must be enabled for Intranet Services.

Unmatched: If enabled, DSCP tags not matched by other MPLS Queues will use this Class. This field is for information purposes only and must be edited in WAN Link -> Settings.

WAN Ingress:

  • Tagging: The DSCP tag to apply to WAN Ingress packets on the Service. This field is not editable for MPLS Queues.
  • Max Delay (ms): The maximum time, in milliseconds, to buffer packets when the WAN Link's bandwidth is exceeded.

WAN Egress:

  • Tagging: The DSCP tag to apply to WAN Egress packets on the Service.
  • Matching: Internet WAN Egress packets matching this tag will be assigned to the Service. This field is not editable for MPLS Queues.
  • Grooming: If enabled, packets will be randomly discarded to prevent WAN Egress traffic from exceeding the Service's provisioned bandwidth.

Rules

The ability to identify traffic based on a rule is the same as previously described. The rule definition will be used to match a specific traffic flow. Once matched, the user must define the action to take for the traffic flow. The available actions are described below.

WAN Link: assign the WAN Link that has Internet service enabled.

Override Service:

  • Intranet Service: override to a defined Intranet service;
  • Discard: drop the traffic.

Pass-through: map the flow to pass-through and allow the traffic to flow through SD-WAN Edge unchanged.

LAN GRE Tunnel

The LAN GRE Tunnel feature allows you to configure Oracle SD-WAN Edge to terminate GRE tunnels on the LAN.

  • Routing Domain: The Routing Domain chosen for the LAN GRE Tunnel.
  • Firewall Zone: The Firewall Zone chosen for the Tunnel. By default, the Tunnel is placed into the Default_LAN_Zone.
  • Source IP: The source IP address of the tunnel. This is one of the Virtual Interfaces configured at this site. The available Source IP addresses are determined by the Routing Domain selected.
  • Destination IP: The destination IP address of the tunnel.
  • Tunnel IP/Prefix: The tunnel IP address and prefix.
  • Checksum: Enable or disable Checksum for the tunnel's GRE header.
  • Keepalive Period (s): The period of time between sending keepalive messages. If configured to 0, no keepalive packets will be sent, but the tunnel will stay up.
  • Keepalive Retries: The number of times that the Oracle SD-WAN Edge sends keepalive packets without a response before it brings the tunnel down.

IPsec Tunnels

An IPsec Tunnel secures both user data and header information. Oracle SD-WAN Edge can negotiate fixed IPsec Tunnels on the LAN or WAN side with non-Oracle peers. For IPsec Tunnels over LAN, a Routing Domain must be selected. If the IPsec Tunnel uses an Intranet Service, the Routing Domain is pre-determined by the chosen Intranet Service.

  • Service Type: Choose either Intranet, LAN, Palo Alto or Zscaler.
  • Firewall Zone: The Firewall Zone chosen for the Tunnel. By default, for Service Type Palo Alto or Zscaler the Tunnel is placed into Internet Zone otherwise the Default_LAN_Zone.
  • Name: When Service Type is Intranet, choose an Intranet Service the tunnel will protect. Otherwise, enter a name for the service.
  • Local IP: Choose a local Virtual IP Address to use as the local tunnel end point.
  • Peer IP: Enter the remote peer's IP address.
  • MTU: Enter the maximum IKE or IPsec packet size between 576 and 1500.
  • Keepalive: Click the checkbox to keep the tunnel active and enable route eligibility for routes to the Intranet Service or LAN IPsec tunnel.

IKE Settings

Internet Key Exchange (IKE) is an IPsec protocol used to create a security association (SA). Oracle SD-WAN Edge supports both the IKEv1 and IKEv2 protocols. The Configuration Editor allows you to modify the following IKE settings:

  • Version: Choose either the IKEv1 or IKEv2 protocol.
  • Mode: Choose either Main Mode or Aggressive Mode.
  • Identity: Choose Auto to automatically identify the peer, or choose IP Address to specify the peer's IP.
  • Authentication: Choose either Pre-Shared Key or Certificate as the method of authentication.
  • Pre-Shared Key: If you choose Pre-Shared Key authentication, enter the key into this required field. To reveal the text you entered into the Pre-Shared Key field, click the Eye icon (). To hide the text, click the Eye icon () again.
  • Certificate: If you choose Certificate authentication, you can choose from the existing, configured certificates. The default is None.
  • Validate Peer Identity: Enable or disable validation of the IKE peer's identity. Enable this feature only if the peer's ID type is supported.
  • DH Group: The following Diffie-Hellman groups are available for IKE key generation:
    • Group 1: 768-bit group
    • Group 2: 1024-bit group
    • Group 5: 1536-bit group
  • Hash Algorithm: The MD5, SHA1, and SHA-256 Hash Algorithms are available for IKE messages.
  • Encryption Mode: AES-128, AES-192, AES-256, and GCMAES 256 Bit Encryption Modes are available for IKE messages.
  • Lifetime (s): Your preferred duration, in seconds, for an IKE security association to exist. Enter 0 for unlimited.
  • Lifetime Max (s): Your maximum preferred duration, in seconds, to allow an IKE security association to exist. Enter 0 for unlimited.
  • DPD Timeout (s): The time, in seconds, without packets or DPD replies after which an IKE peer is considered DEAD. Enter 0 to disable Dead Peer Detection.

IKEv2 Settings

  • Peer Authentication: Mirrored, Pre-Shared Key, and Certificate modes are available for Peer Authentication.
  • Peer Pre-Shared Key: If you choose Pre-Shared Key authentication, enter the key into this required field.
  • Integrity Algorithm: The MD5, SHA1, and SHA-256 hashing algorithms are available for HMAC verification.

IPsec Settings

The Configuration Editor allows you to modify the following IPsec settings:

  • Tunnel Type: Choose ESP, ESP+Auth, AH or ESP-NULL as the Tunnel Encapsulation Type.
    • ESP: Encrypts the user data only.
    • ESP+Auth: Encrypts the user data and includes an HMAC.
    • AH: Only includes an HMAC.
    • ESP-NULL: This is the default setting for a Zscaler Internet Service connecting to a Cloud Security Provider.
    • ESP+Auth: This is the default setting for a Palo Alto Internet Service connecting to a Cloud Security Provider.
  • PFS Group: The following Diffie-Hellman groups are available for perfect forward secrecy key generation:
    • None
    • Group 1: 768-bit group
    • Group 2: 1024-bit group
    • Group 5: 1536-bit group
  • Encryption Mode: AES-128, AES-192, AES-256, and GCMAES 256 Bit Encryption Modes are available for IPsec messages. Not applicable for an Internet service with Tunnel Type ESP-NULL.
  • Hash Algorithm: The MD5, SHA1, and SHA-256 hashing algorithms are available for HMAC verification. Applicable for Tunnel Type ESP+Auth.
  • Lifetime (s): Your preferred duration, in seconds, for an IPsec security association to exist. Enter 0 for unlimited.
  • Lifetime Max (s): Your maximum preferred duration, in seconds, to allow an IPsec security association to exist. Enter 0 for unlimited.
  • Lifetime (KB): The amount of data, in kilobytes, after which an IPsec security association expires. Enter 0 for unlimited.
  • Lifetime Max (KB): The maximum amount of data, in kilobytes, to allow an IPsec security association to exist. Enter 0 for unlimited.
  • Network Mismatch Behavior: Choose from the drop-down menu the action the Oracle SD-WAN Edge takes when a packet does not match the IPsec Tunnel's Protected Networks.
    • LAN Tunnels can Drop the packets or Use Non-IPsec Routes to transmit them.
    • Intranet Tunnels can Drop the packets or Send Unencrypted packets.
    • Palo Alto or Zscaler Internet Tunnels can Drop the packets or Use Non-IPsec Routes to transmit them.

IPsec Protected Networks

  • Source IP/Prefix: The Source IP and Prefix of the network traffic the IPsec Tunnel will protect.
  • Destination IP/Prefix: The Destination IP and Prefix of the network traffic the IPsec Tunnel will protect.
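
A configuration audit that walks the IKE and IPsec options listed above and reports the weak choices a reviewer would flag before a tunnel goes live. This is an added example, not Oracle's tooling: the setting names and the DH group bit sizes are the page's own, but the severity labels, the MIN_PSK_LEN floor and the constructed default pre-shared key are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Option values as listed on this page; group bit sizes are the page's own figures.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
WEAK_HASHES = {"MD5", "SHA1"}
MIN_PSK_LEN = 20   # assumption: a local policy floor, not a vendor requirement


@dataclass
class IkeSettings:
    version: int = 2
    mode: str = "Main"                          # IKEv1 only: "Main" or "Aggressive"
    authentication: str = "Pre-Shared Key"      # or "Certificate"
    pre_shared_key: str = "constructed-example-psk-0123456789"
    validate_peer_identity: bool = True
    dh_group: int = 5
    hash_algorithm: str = "SHA-256"
    lifetime_s: int = 28800                     # 0 = unlimited
    dpd_timeout_s: int = 30                     # 0 = DPD disabled


@dataclass
class IpsecSettings:
    service_type: str = "Intranet"              # Intranet, LAN, Palo Alto or Zscaler
    tunnel_type: str = "ESP+Auth"               # ESP, ESP+Auth, AH or ESP-NULL
    pfs_group: Optional[int] = 5                # None = no perfect forward secrecy
    hash_algorithm: str = "SHA-256"             # HMAC for ESP+Auth
    lifetime_s: int = 3600                      # 0 = unlimited
    lifetime_kb: int = 0                        # 0 = unlimited
    network_mismatch: str = "Drop"              # Drop, Use Non-IPsec Routes or Send Unencrypted


Finding = Tuple[str, str]   # (severity, message)


def audit_tunnel(ike: IkeSettings, ipsec: IpsecSettings) -> List[Finding]:
    f: List[Finding] = []
    # IKE (phase 1)
    if ike.version == 1 and ike.mode == "Aggressive" and ike.authentication == "Pre-Shared Key":
        f.append(("high", "IKEv1 Aggressive Mode with a PSK exposes the PSK-derived hash to "
                          "offline guessing; use Main Mode or Certificate authentication"))
    if ike.authentication == "Pre-Shared Key":
        if len(ike.pre_shared_key) < MIN_PSK_LEN:
            f.append(("high", f"pre-shared key is shorter than {MIN_PSK_LEN} characters"))
        if not ike.validate_peer_identity:
            f.append(("medium", "Validate Peer Identity is off; enable it when the peer's ID type is supported"))
    bits = DH_GROUP_BITS.get(ike.dh_group, 0)
    if bits < 1536:
        sev = "high" if bits < 1024 else "medium"
        f.append((sev, f"IKE DH group {ike.dh_group} ({bits}-bit) is weak; use group 5 (1536-bit)"))
    if ike.hash_algorithm in WEAK_HASHES:
        f.append(("medium", f"IKE hash {ike.hash_algorithm} is deprecated; use SHA-256"))
    if ike.lifetime_s == 0:
        f.append(("medium", "IKE Lifetime 0 (unlimited): the phase-1 key is never rotated"))
    if ike.dpd_timeout_s == 0:
        f.append(("low", "DPD Timeout 0: a dead peer is never detected by IKE"))
    # IPsec (phase 2)
    if ipsec.tunnel_type == "ESP":
        f.append(("high", "ESP without Auth: payload is encrypted but carries no HMAC"))
    elif ipsec.tunnel_type == "AH":
        f.append(("high", "AH only: packets are authenticated but sent in the clear"))
    elif ipsec.tunnel_type == "ESP-NULL" and ipsec.service_type != "Zscaler":
        f.append(("high", "ESP-NULL sends traffic unencrypted; the page lists it only as the Zscaler default"))
    elif ipsec.tunnel_type == "ESP+Auth" and ipsec.hash_algorithm in WEAK_HASHES:
        f.append(("medium", f"IPsec HMAC {ipsec.hash_algorithm} is deprecated; use SHA-256"))
    if ipsec.pfs_group is None:
        f.append(("medium", "PFS Group None: compromise of the IKE key exposes every past IPsec session"))
    elif DH_GROUP_BITS.get(ipsec.pfs_group, 0) < 1536:
        f.append(("medium", f"PFS group {ipsec.pfs_group} is weak; use group 5 (1536-bit)"))
    if ipsec.lifetime_s == 0 and ipsec.lifetime_kb == 0:
        f.append(("medium", "IPsec Lifetime unlimited in both seconds and KB: the SA is never rekeyed"))
    if ipsec.network_mismatch == "Send Unencrypted":
        f.append(("high", "Network Mismatch Behavior 'Send Unencrypted' leaks non-matching packets in the clear; prefer Drop"))
    elif ipsec.network_mismatch == "Use Non-IPsec Routes":
        f.append(("medium", "Network Mismatch Behavior forwards non-matching packets outside the tunnel; confirm that is intended"))
    return f


def weak_example() -> List[Finding]:
    """Constructed worst-case settings, every one of them selectable on this page."""
    ike = IkeSettings(version=1, mode="Aggressive", pre_shared_key="secret",
                      validate_peer_identity=False, dh_group=1, hash_algorithm="MD5",
                      lifetime_s=0, dpd_timeout_s=0)
    ipsec = IpsecSettings(tunnel_type="ESP", pfs_group=None, lifetime_s=0,
                          lifetime_kb=0, network_mismatch="Send Unencrypted")
    return audit_tunnel(ike, ipsec)
```

The defaults in the two dataclasses pass the audit with no findings; weak_example() produces eleven, five of them high. The ESP-NULL check is deliberately scoped to the page's statement that it is the Zscaler default, so a Zscaler tunnel with ESP-NULL is not flagged.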

Firewall

Firewall allows for the filtering and translation of traffic in the SD-WAN Edge network.

Settings

Settings allows for the configuration of Policy Templates for the Site and other settings that apply to only an individual SD-WAN Edge.

Policy Templates

Policy Templates allows users to deploy Firewall Policy Templates to a Site.

Click the () option to add a Template.

The Template consists of the following options:

Priority: The order/precedence in which templates will be applied.

Name: The name of the Policy Template to use at the Site.

Advanced

Advanced allows users to modify certain behaviors for the site. The following options can be changed:

Default Firewall Action:

  • Use Global Setting: Use the Global setting configured in SD-WAN Edge Network Settings
  • Allow: Packets not matching any filter policy are permitted.
  • Drop: Packets not matching any filter policy are dropped.

Default Connection State Tracking:

  • Use Global Setting: Use the Global setting configured in SD-WAN Edge Network Settings
  • No Tracking: Bidirectional connection state tracking will not be performed on packets not matching any filter policy.
  • Track: Bidirectional connection state tracking will be performed on TCP, UDP and ICMP packets not matching any filter policy or NAT rule. This feature will block flows which appear illegitimate due to asymmetric routing or a failure of checksum or protocol-specific validation; proceed with caution if the Oracle SD-WAN Edge is not fully inline. For conduit-to-conduit TCP flows, the sequence window check is ignored. The recommendation is to enable this at both end sites.

Untracked and Denied Timeout (s): The time, in seconds, to wait for new packets before closing Untracked or Denied Connections.

TCP Initial Timeout (s): The time, in seconds, to wait for new packets before closing a TCP session that has not completed a handshake.

TCP Idle Timeout (s): The time, in seconds, to wait for new packets before closing an active TCP session.

TCP Closing Timeout (s): The time, in seconds, to wait for new packets before closing a TCP session after a request to terminate.

TCP Time Wait Timeout (s): The time, in seconds, to wait for new packets before closing a terminated TCP session.

UDP Initial Timeout (s): The time, in seconds, to wait for new packets before closing a UDP session that has not seen traffic in both directions.

UDP Idle Timeout (s): The time, in seconds, to wait for new packets before closing an active UDP session.

ICMP Initial Timeout (s): The time, in seconds, to wait for new packets before closing an ICMP session that has not seen traffic in both directions.

ICMP Idle Timeout (s): The time, in seconds, to wait for new packets before closing an active ICMP session.

Generic Initial Timeout (s): The time, in seconds, to wait for new packets before closing a generic session that has not seen traffic in both directions.

Generic Idle Timeout (s): The time, in seconds, to wait for new packets before closing an active generic session.
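
The timeout knobs above as a connection-tracking table that ages sessions by protocol and state: a session that has only been seen in one direction uses the Initial timeout, one seen in both directions uses the Idle timeout, and TCP gets the extra Closing and Time Wait stages. This is an added example, not the Edge's implementation: the sample timeout values in TimeoutProfile (the page names the knobs but not their defaults), the session key strings and the simplified TCP handling (SYN = initial, reply = established, FIN = closing, RST = time wait) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TimeoutProfile:
    """Seconds; constructed sample values, not vendor defaults."""
    untracked_denied: int = 30
    tcp_initial: int = 30
    tcp_idle: int = 3600
    tcp_closing: int = 30
    tcp_time_wait: int = 10
    udp_initial: int = 30
    udp_idle: int = 120
    icmp_initial: int = 10
    icmp_idle: int = 60
    generic_initial: int = 30
    generic_idle: int = 120


@dataclass
class Session:
    proto: str
    state: str          # initial, established, closing, time_wait or untracked
    last_seen: float


def timeout_for(prof: TimeoutProfile, s: Session) -> int:
    """Pick the page's timeout that applies to this session's protocol and state."""
    if s.state == "untracked":
        return prof.untracked_denied
    if s.proto == "tcp":
        return {"initial": prof.tcp_initial, "established": prof.tcp_idle,
                "closing": prof.tcp_closing, "time_wait": prof.tcp_time_wait}[s.state]
    fam = s.proto if s.proto in ("udp", "icmp") else "generic"
    return getattr(prof, f"{fam}_initial" if s.state == "initial" else f"{fam}_idle")


class SessionTable:
    def __init__(self, prof: TimeoutProfile, tracking: bool = True):
        self.prof = prof
        self.tracking = tracking          # False models "No Tracking"
        self.sessions: Dict[str, Session] = {}

    def observe(self, now, key, proto, direction, tcp_flags=""):
        """direction is 'fwd' (initiator to responder) or 'rev'; returns the new state."""
        s = self.sessions.get(key)
        if s is None:
            state = "initial" if self.tracking else "untracked"
            s = self.sessions[key] = Session(proto, state, now)
        elif s.state != "untracked":
            if proto == "tcp" and "R" in tcp_flags:
                s.state = "time_wait"            # terminated
            elif proto == "tcp" and "F" in tcp_flags:
                s.state = "closing"              # termination requested
            elif s.state == "initial" and direction == "rev":
                s.state = "established"          # traffic now seen in both directions
        s.last_seen = now
        return s.state

    def expire(self, now) -> List[str]:
        """Remove and return the keys of sessions whose applicable timeout has elapsed."""
        gone = [k for k, s in self.sessions.items()
                if now - s.last_seen >= timeout_for(self.prof, s)]
        for k in gone:
            del self.sessions[k]
        return gone


def demo():
    """Constructed timeline: an unanswered SYN, a full handshake, and a UDP exchange."""
    t = SessionTable(TimeoutProfile())
    t.observe(0, "udp1", "udp", "fwd")
    t.observe(0, "tcp1", "tcp", "fwd", "S")       # SYN that is never answered
    t.observe(0, "tcp2", "tcp", "fwd", "S")
    t.observe(1, "tcp2", "tcp", "rev", "SA")      # handshake answered: established
    t.observe(5, "udp1", "udp", "rev")            # UDP reply: established
    gone_31 = t.expire(31)                        # tcp1 hits TCP Initial Timeout
    t.observe(50, "tcp2", "tcp", "fwd", "FA")     # FIN: closing
    gone_81 = t.expire(81)                        # tcp2 hits TCP Closing Timeout
    gone_130 = t.expire(130)                      # udp1 hits UDP Idle Timeout
    return gone_31, gone_81, gone_130
```

The half-open TCP session is the one that matters operationally: with tracking on it is dropped after the short Initial timeout rather than sitting in the table for the full Idle period, which is what limits table growth under a flood of unanswered SYNs.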

Policies

Policies allows for the configuration of Filtering policies on the local SD-WAN Edge as well as the display of policies as they apply from the Global or Site Policy Templates. Policies for an SD-WAN Edge will be applied in the following order:

  • Pre-Policies from Templates configured in Firewall Settings according to the order of the templates.
  • Pre-Policies from the Global Template configured in SD-WAN Edge Network Settings.
  • Policies configured locally.
  • Policies automatically created to support NAT or Port Forwarding policies.
  • Post-Policies from Templates configured in Firewall Settings according to the order of the templates.
  • Post-Policies from the Global Template configured in SD-WAN Edge Network Settings.

Pre Template Policies

The Pre Template Policies are policies from the Templates configured in Firewall Settings or the Global Policy Template configured in SD-WAN Edge Network Settings. These policies will apply before policies statically configured for the Site in the order dictated by the Firewall Settings followed by the policies from the Global Policy Template.

Filter Policies

Filter Policies allows for the configuration of packet filtering for the Site.

NOTE: When filtering using Zones, traffic using a Conduit Route manually configured in the Routes section does not know the To Zone until the traffic arrives at the remote Site. Filter Policies for this traffic must be configured at the remote Site.

NOTE: When filtering using Zones, traffic using a Conduit Route generated by a Discard Route from a remote Site does not know the To Zone until the traffic arrives at the remote Site. Filter Policies for this traffic must be configured at the Site where the Discard Route is configured.

NOTE: When filtering using Zones, traffic from a private VIP may only be filtered at the local Site using the Zone for the Private VIP. Similarly, if the Source IP address for a packet is translated using NAT, the original Inside Zone can only be filtered locally. All remote SD-WAN Edge must use the Outside Zone.

Select the () option to add a Policy. The Policy consists of the following options:

Priority: The order/precedence in which Filters are applied (automatically redistributed on Apply).

Routing Domain: If selected, the Routing Domain this Filter will apply to.

From Zones: The Zone(s) a packet originates from that the Filter will match.

To Zones: The Zone(s) a packet is destined to that the Filter will match.

Action:

  • Allow: Traffic matching this rule is permitted.
  • Drop: Traffic matching this rule is dropped.
  • Reject: Traffic matching this rule is rejected. For TCP, a reset message is sent; for UDP, an ICMP port unreachable message is sent; for other traffic, an ICMP protocol unreachable message is sent.
  • Count and Continue: Traffic matching this rule is counted on the rule but no action is taken.

Log Interval (s): The time, in seconds, between logging the number of packets matching the filter (0 = disabled, valid settings are 60-600).

Log Start: Click the checkbox to generate a log when a new Connection is created by a packet matching this Filter.

Log End: Click the checkbox to generate a log when a Connection matching this Filter is deleted.

Connection State Tracking:

  • Use Site Setting: Use the Site setting configured in Firewall -> Settings
  • No Tracking: Bidirectional connection state tracking will not be performed on packets matching the filter policy.
  • Track: Bidirectional connection state tracking will be performed on TCP, UDP and ICMP packets matching the filter policy. This feature will block flows which appear illegitimate due to asymmetric routing or a failure of checksum or protocol-specific validation; proceed with caution if the Oracle SD-WAN Edge is not fully inline.

IP Protocol: The IP Protocol that the Filter will match.

DSCP: The DSCP tag that the Filter will match.

Allow Fragments: Click the checkbox to allow fragmented packets matching the Filter.

Reverse Also: Click the checkbox to automatically add a copy of this Filter with the Source (including From Zones) and Destination (including To Zones) settings reversed. The new policy will be created immediately after the original policy in the SD-WAN Edge's filter table.

Source Service Type: The Service Type that the Filter will match.

Source Service Name: The Service that the Filter will match.

Source IP: The Source IP Address and Subnet Mask that the Filter will match.

Source Port: The Source Port or Port Range that the Filter will match.

Dest Service Type: The Destination Type that the Filter will match.

Dest Service Name: The Destination that the Filter will match.

Dest IP: The Destination IP Address and Subnet Mask that the Filter will match.

Dest Port: The Destination Port or Port Range that the Filter will match.

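The policy precedence list above (site template pre-policies, global pre-policies, local policies, automatic NAT/Port Forwarding policies, site template post-policies, global post-policies) and the Filter Policy options (zones, protocol, addresses, ports, the four Actions, Reverse Also) as a first-match evaluator. This is an added example, not Oracle's code: the Policy and Packet records, the "tcp-reset" and "icmp-*" labels standing for what Reject sends back, and the constructed site in demo() are assumptions; the automatically created NAT policies are passed in as an empty list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"
Range = Optional[Tuple[int, int]]     # inclusive port range, None = any port


@dataclass
class Policy:
    name: str
    action: str                       # Allow, Drop, Reject or "Count and Continue"
    from_zone: str = ANY
    to_zone: str = ANY
    protocol: str = ANY               # "tcp", "udp", "icmp" or ANY
    src: str = ANY                    # CIDR or ANY
    dst: str = ANY
    sport: Range = None
    dport: Range = None
    reverse_also: bool = False
    hits: int = 0


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int
    from_zone: str
    to_zone: str


def expand_reverse_also(policies: List[Policy]) -> List[Policy]:
    """Reverse Also: a mirrored copy goes immediately after the original (page text)."""
    out = []
    for p in policies:
        out.append(p)
        if p.reverse_also:
            out.append(Policy(p.name + "-rev", p.action, p.to_zone, p.from_zone, p.protocol,
                              src=p.dst, dst=p.src, sport=p.dport, dport=p.sport))
    return out


def build_filter_table(site_templates, global_pre, local, auto_nat, global_post):
    """site_templates: (priority, pre, post) tuples; the order follows the page's list."""
    ordered = sorted(site_templates, key=lambda t: t[0])
    table = [p for _, pre, _ in ordered for p in pre]
    table += global_pre + local + auto_nat
    table += [p for _, _, post in ordered for p in post]
    return expand_reverse_also(table + global_post)


def matches(p: Policy, pkt: Packet) -> bool:
    in_net = lambda cidr, ip: cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
    in_rng = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    return (p.from_zone in (ANY, pkt.from_zone) and p.to_zone in (ANY, pkt.to_zone)
            and p.protocol in (ANY, pkt.protocol) and in_net(p.src, pkt.src)
            and in_net(p.dst, pkt.dst) and in_rng(p.sport, pkt.sport) and in_rng(p.dport, pkt.dport))


def reject_response(protocol: str) -> str:
    """What the page says Reject sends back, by protocol."""
    return {"tcp": "tcp-reset", "udp": "icmp-port-unreachable"}.get(protocol, "icmp-protocol-unreachable")


def evaluate(table, pkt: Packet, default_action="Drop"):
    """First match wins; Count and Continue only counts. Returns (action, detail, policy name)."""
    for p in table:
        if not matches(p, pkt):
            continue
        p.hits += 1
        if p.action == "Count and Continue":
            continue
        return p.action, (reject_response(pkt.protocol) if p.action == "Reject" else None), p.name
    return default_action, None, "default"


def demo():
    """Constructed site: one site template, global pre/post policies, two local policies."""
    lan, inet = "Default_LAN_Zone", "Internet_Zone"
    count_dns = Policy("count-dns", "Count and Continue", protocol="udp", dport=(53, 53))
    site_templates = [(1, [count_dns], [])]
    global_pre = [Policy("block-telnet", "Reject", protocol="tcp", dport=(23, 23))]
    global_post = [Policy("default-drop", "Drop")]
    local = [Policy("allow-web", "Allow", lan, inet, "tcp", dport=(443, 443)),
             Policy("dns-to-resolver", "Allow", lan, inet, "udp", dst="203.0.113.53/32",
                    dport=(53, 53), reverse_also=True)]
    table = build_filter_table(site_templates, global_pre, local, [], global_post)
    pkts = [Packet("10.1.1.10", "198.51.100.5", "tcp", 40001, 23, lan, inet),    # telnet out
            Packet("10.1.1.10", "203.0.113.53", "udp", 40002, 53, lan, inet),    # DNS query
            Packet("203.0.113.53", "10.1.1.10", "udp", 53, 40002, inet, lan),    # DNS reply
            Packet("10.1.1.10", "198.51.100.5", "udp", 40003, 53, lan, inet)]    # DNS elsewhere
    return [evaluate(table, p) for p in pkts], count_dns.hits
```

Two things the walk-through makes visible: the global pre-policy rejects Telnet before any local Allow can see it, and the Reverse Also copy is what admits the DNS reply from the resolver, with its Source and From Zone swapped, without a broad Internet-to-LAN rule.
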
Post Template Policies

The Post Template Policies are policies from the Templates configured in Firewall Settings or the Global Policy Template configured in SD-WAN Edge Network Settings. These policies will apply after policies statically configured for the Site in the order dictated by the Firewall Settings followed by the policies from the Global Policy Template.

Static NAT Policies

Static NAT Policies allows for the configuration of Network Address Translation policies between individual hosts or subnets.

NOTE: NAT translations are not permitted if the Inside and Outside Zones are the same.

NOTE: While both Inbound and Outbound translations can be configured simultaneously for a Service, only the first to match will be used. Multiple translations may occur if a rule exists on the Service a packet is received on and the Service a packet is sent on.

Select the () option to add a Policy. The Policy consists of the following options:

Priority: The order/precedence in which translations are applied (automatically redistributed on Apply).

Routing Domain: If selected, the Routing Domain this translation will apply to.

Allow Return Flow: If enabled, this policy also allows the return-flow traffic.

Direction:

  • Inbound: The source address for a packet will be translated for packets received on the Service. The destination address will be translated for packets transmitted on the Service.
  • Outbound: The destination address for a packet will be translated for packets received on the Service. The source address will be translated for packets transmitted on the Service.

Service Type: The Service Type that the translation applies to.

Service Name: The Service Name that the translation applies to.

Inside Zone: The Zone a packet must be from to allow translation. The Inside Zone is inferred from the configured Service for inbound rules.

Inside IP Address: The Inside IP Address and Prefix to translate (Source IP Address in the direction selected).

Outside Zone: The Zone a packet must be destined for to allow translation. The Outside Zone is inferred from the configured Service for outbound rules.

Outside IP Address: The Outside IP Address and Subnet Mask packets will be translated to (Source IP Address in the direction selected).

Dynamic NAT Policies

Dynamic NAT Policies allows for the configuration of Network Address Port Translation policies between an inside network and an outside IP address.

NOTE: Dynamic NAT translations allow all reciprocal traffic for sessions initiated from the Inside Network. To filter these connections, add Filter Policies for the outbound traffic.

NOTE: NAT translations are not permitted if the Inside and Outside Zones are the same.

NOTE: While both Inbound and Outbound translations can be configured simultaneously for a Service, only the first to match will be used. Multiple translations may occur if a rule exists on the Service a packet is received on and the Service a packet is sent on.

Select the () option to add a Policy. The Policy consists of the following options:

Priority: The order/precedence in which translations are applied (automatically redistributed on Apply).

Direction:

  • Inbound: The source address for a packet will be translated for packets received on the Service. The destination address will be translated for packets transmitted on the Service.
  • Outbound: The destination address for a packet will be translated for packets received on the Service. The source address will be translated for packets transmitted on the Service.

Type:

  • Port Restricted: Port Restricted NAT uses the same outside port for all translations related to an Inside IP Address and Port pair. This mode is typically used to allow Internet P2P applications (hole punching).
  • Symmetric: Symmetric NAT uses the same outside port for all translations related to an Inside IP Address, Inside Port, Outside IP Address and Outside Port tuple. This mode is typically used to enhance security or expand the maximum number of NAT sessions.

Service Type: The Service Type that the translation applies to.

Service Name: The Service Name that the translation applies to.

Inside Zone: The Zone a packet must be from to allow translation. The Inside Zone is inferred from the configured Service for inbound rules.

Inside IP Address: The Inside IP Address and Prefix to translate (Source IP Address in the direction selected).

Outside Zone: The Zone a packet must be destined for to allow translation. The Outside Zone is inferred from the configured Service for outbound rules or the Outside IP Address for inbound rules.

Outside IP Address: The Outside IP Address packets will be translated to (Source IP Address in the direction selected).

Allow Related: Click the checkbox to allow packets related to a Connection (ICMP error packets).

IPsec Passthrough: Click the checkbox to allow an IPsec (AH/ESP) session to be translated. Only a single session from the inside network will be permitted.

GRE/PPTP Passthrough: Click the checkbox to allow a GRE/PPTP session to be translated. Only a single session from the inside network will be permitted.

Note: When the Internet Service is added with an untrusted WAN Link (a WAN Link usage whose Interface Group has Untrusted Ports), the system by default adds a Dynamic NAT Policy with Direction Outbound and Service Type Internet (unless the user has already created one). This Dynamic NAT Policy is editable by the user, and if the user deletes it the system adds one back. The Dynamic NAT Policy created by the system is removed when the Internet Service becomes trusted or is removed.

Port Forwarding Rules

Port Forwarding Rules allow traffic from an Outside network to access specific hosts and ports on the Inside network without the session being initiated from the inside.

Select the () option to add a Rule. The Rule consists of the following options:

Routing Domain: The Routing Domain this Rule will match. For Port Forwarding Rules on Local and Intranet Services, the Routing Domain is inferred from the Service.

Protocol:

  • Both: Both TCP and UDP ports will be forwarded.
  • TCP: Only TCP ports will be forwarded.
  • UDP: Only UDP ports will be forwarded.

Outside Port: The Outside port or port range to forward.

Inside IP Address: The Inside IP Address to forward to.

Inside Port: The Inside port or port range to forward to. If a range is configured, it must define the same number of ports as the Outside Port.

Fragments: Click the checkbox to enable forwarding of packet fragments.

Log Interval (s): The time, in seconds, between logging the number of packets matching the rule (0 = disabled, valid settings are 60-600).

Log Start: Click the checkbox to generate a log when a new Connection is created by a packet matching this Rule.

Log End: Click the checkbox to generate a log when a Connection matching this Rule is deleted.

Connection State Tracking:

  • Use Site Setting: Use the Site setting configured in Firewall -> Settings
  • No Tracking: Bidirectional connection state tracking will not be performed on packets matching the Rule.
  • Track: Bidirectional connection state tracking will be performed on TCP, UDP and ICMP packets matching the Rule. This feature will block flows which appear illegitimate due to asymmetric routing or a failure of checksum or protocol-specific validation; proceed with caution if the Oracle SD-WAN Edge is not fully inline.
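
The Direction semantics shared by the Static and Dynamic NAT policies above (Inbound translates the source on receive and the destination on transmit; Outbound the reverse), the rule that Inside and Outside Zones must differ, and the Port Forwarding requirement that an inside range be the same size as the outside range, as code. This is an added example, not Oracle's: the 1:1 prefix-to-prefix mapping for Static NAT, the requirement that both prefixes be the same size, and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class StaticNat:
    direction: str        # "Inbound" or "Outbound"
    inside_zone: str
    outside_zone: str
    inside: str           # inside prefix, e.g. "10.1.1.0/24"
    outside: str          # outside prefix of equal size (assumption for 1:1 mapping)


def validate_static_nat(rule: StaticNat) -> Optional[str]:
    """Return an error string, or None if the rule is acceptable."""
    if rule.inside_zone == rule.outside_zone:
        return "Inside and Outside Zones must differ"        # page NOTE
    if ipaddress.ip_network(rule.inside).prefixlen != ipaddress.ip_network(rule.outside).prefixlen:
        return "inside and outside prefixes must be the same size for 1:1 translation"
    return None


def _map(ip: str, src_net: str, dst_net: str) -> Optional[str]:
    """Carry the host offset from src_net into dst_net; None if ip is not in src_net."""
    a, s, d = ipaddress.ip_address(ip), ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if a not in s:
        return None
    return str(d.network_address + (int(a) - int(s.network_address)))


def translate(rule: StaticNat, pkt: Dict[str, str], event: str) -> Dict[str, str]:
    """event is 'received' or 'transmitted' on the rule's Service."""
    # Page: Inbound translates the source on receive and the destination on transmit;
    # Outbound translates the destination on receive and the source on transmit.
    forward = (event == "received") if rule.direction == "Inbound" else (event == "transmitted")
    out = dict(pkt)
    if forward:
        new = _map(pkt["src"], rule.inside, rule.outside)
        if new:
            out["src"] = new
    else:
        new = _map(pkt["dst"], rule.outside, rule.inside)
        if new:
            out["dst"] = new
    return out


@dataclass
class PortForward:
    protocol: str                    # "Both", "TCP" or "UDP"
    outside_ports: Tuple[int, int]
    inside_ip: str
    inside_ports: Tuple[int, int]


def validate_port_forward(rule: PortForward) -> Optional[str]:
    width = lambda r: r[1] - r[0] + 1
    if width(rule.outside_ports) != width(rule.inside_ports):
        return "Inside Port range must contain the same number of ports as Outside Port"
    return None


def forward_port(rule: PortForward, proto: str, dport: int) -> Optional[Tuple[str, int]]:
    """Map an outside destination port to (inside IP, inside port), or None if not forwarded."""
    if rule.protocol != "Both" and rule.protocol.lower() != proto.lower():
        return None
    lo, hi = rule.outside_ports
    if not lo <= dport <= hi:
        return None
    return rule.inside_ip, rule.inside_ports[0] + (dport - lo)
```

For an Outbound Internet rule this means an inside host 10.1.1.7 leaves as 203.0.113.7 and the reply addressed to 203.0.113.7 is mapped back on receipt; an address outside the inside prefix passes through untouched.
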

WAN Link

The WAN Links configured for the site are displayed. The configuration options include:

Dynamic Conduit Thresholds

The Dynamic Conduit Thresholds describe conditions for which an Intermediate Site will trigger the creation or destruction of a Dynamic Conduit between two adjacent sites. Creating a Dynamic Conduit may be triggered by exceeding either packets per second or throughput. Deleting a Dynamic Conduit is triggered when both thresholds are no longer met.

NOTE: Additional thresholds are defined in the Dynamic Conduit QoS Policy. A Dynamic Conduit will be created when the thresholds are met for either the WAN Link thresholds defined here or the thresholds defined in the Dynamic Conduit QoS Policy.

This section allows thresholds to be configured for Dynamic Conduits. The options allow the user to configure a threshold based on packets per second or bytes per second. Once the threshold is reached, the Dynamic Conduit is created between the appropriate sites.

  • WAN Ingress
      • Enable Kbps Threshold: If enabled, allows setting of the Throughput (Kbps) threshold trigger.
      • Throughput (Kbps): The threshold, in Kbps, on the intermediate site at which Dynamic Conduits will be triggered on WAN Ingress.
      • Enable pps Threshold: If enabled, allows setting of the Throughput (pps) threshold trigger.
      • Throughput (pps): The threshold, in packets per second, on the intermediate site at which Dynamic Conduits will be triggered on WAN Ingress.
  • WAN Egress
      • Enable Kbps Threshold: If enabled, allows setting of the Throughput (Kbps) threshold trigger.
      • Throughput (Kbps): The threshold, in Kbps, on the intermediate site at which Dynamic Conduits will be triggered on WAN Egress.
      • Enable pps Threshold: If enabled, allows setting of the Throughput (pps) threshold trigger.
      • Throughput (pps): The threshold, in packets per second, on the intermediate site at which Dynamic Conduits will be triggered on WAN Egress.
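The create/delete rule above (create when either the WAN Link thresholds or the Dynamic Conduit QoS Policy thresholds are met in either direction, delete only when no threshold is met any more) is easy to get wrong when both threshold sets and both directions are in play. The following is an added example, not code from the Oracle SD-WAN Edge documentation or product: a small model of that rule evaluated per traffic sample. The DirectionThresholds, Sample and DynamicConduitPolicy names and all sample values are constructed here; any hold-down timers the product applies are outside this model.

```python
# Added example, not from the Oracle SD-WAN Edge documentation: a model of the
# Dynamic Conduit trigger rule. All class names and sample values are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DirectionThresholds:
    """WAN Ingress or WAN Egress thresholds on the intermediate site.
    A direction is 'met' when any enabled threshold is exceeded."""
    kbps_enabled: bool = False
    kbps: int = 0
    pps_enabled: bool = False
    pps: int = 0

    def met(self, kbps: float, pps: float) -> bool:
        return ((self.kbps_enabled and kbps > self.kbps)
                or (self.pps_enabled and pps > self.pps))


@dataclass
class Sample:
    """One traffic measurement between two adjacent sites, as seen on the
    intermediate site (constructed input)."""
    ingress_kbps: float
    ingress_pps: float
    egress_kbps: float
    egress_pps: float


class DynamicConduitPolicy:
    """Create the Dynamic Conduit when the WAN Link thresholds or the Dynamic
    Conduit QoS Policy thresholds are met in either direction; delete it only
    when no threshold is met any more. Evaluated once per sample."""

    def __init__(self,
                 wan_link: Tuple[DirectionThresholds, DirectionThresholds],
                 qos_policy: Optional[Tuple[DirectionThresholds, DirectionThresholds]] = None):
        # Each set is (WAN Ingress thresholds, WAN Egress thresholds).
        self.threshold_sets = [wan_link] + ([qos_policy] if qos_policy else [])
        self.active = False  # whether the Dynamic Conduit currently exists

    def _any_met(self, s: Sample) -> bool:
        for ingress, egress in self.threshold_sets:
            if ingress.met(s.ingress_kbps, s.ingress_pps) or egress.met(s.egress_kbps, s.egress_pps):
                return True
        return False

    def evaluate(self, s: Sample) -> str:
        """Return the action for this sample: create, delete, keep or none."""
        met = self._any_met(s)
        if met and not self.active:
            self.active = True
            return "create"
        if not met and self.active:
            self.active = False
            return "delete"
        return "keep" if self.active else "none"

    def run(self, samples: List[Sample]) -> List[str]:
        return [self.evaluate(s) for s in samples]


if __name__ == "__main__":
    policy = DynamicConduitPolicy(
        wan_link=(DirectionThresholds(kbps_enabled=True, kbps=1000),   # WAN Ingress
                  DirectionThresholds(pps_enabled=True, pps=500)),     # WAN Egress
    )
    for action in policy.run([Sample(200, 50, 100, 20), Sample(1500, 50, 100, 20),
                              Sample(200, 50, 100, 700), Sample(200, 50, 100, 20)]):
        print(action)
```

Note that the egress pps threshold alone keeps the conduit alive in the third sample even though the ingress throughput that created it has dropped; the conduit is only deleted once neither direction meets any threshold.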
Conduit Services

Conduit Service: Name of the Conduit Service

Use: Allow the Conduit Service to use this WAN Link. When Use is not enabled, all other options will be unavailable.

Tunnel Header Size (bytes): The size of the tunnel header, in bytes, if applicable.

Active MTU Detect: If enabled, all WAN Ingress Paths for Dynamic Conduits will be actively probed for MTU.

UDP Port: The specified port will be used for WAN Ingress packets and required for WAN Egress packets.

UDP Hole Punching: If enabled, the SD-WAN Controller will assist UDP connectivity between compatible NAT-protected client sites.

UDP Port Switching:

  • Enable: If enabled, the WAN Link will alternate its UDP port at the specified interval. When UDP Port Switching is not enabled, Alt Port and Interval will be unavailable.
  • Alt Port: The alternate UDP Port to be used when UDP Port Switching is enabled and active.
  • Interval (min): The interval, in minutes, that the WAN Link will alternate its UDP Port.

Auto-Path Group: The group used to determine what Paths may be automatically generated between the WAN Link and remote WAN Links and what default Path settings to use.

  • <None> indicates that no group is desired and will prevent Paths from being automatically generated to or from the WAN Link.
  • <Default> uses the group currently marked as default and is automatically updated when the default group changes.

If the current WAN Link is a Private MPLS, then enabling the WAN Link for a service will also allow the row to expand and show options for the individual MPLS Queues. When enabled, clicking the Expand icon will show the following options:

  • Use: Allow the Conduit Service to use the MPLS Queue. When Use is not enabled, all other options will be unavailable. An MPLS Queue may not be used for a service unless the service is first enabled for the Private MPLS WAN Link.
  • DSCP Tag: The DSCP Tag applied to the Oracle Conduit Path.
  • Auto-Path Group: The group used to determine what Paths may be automatically generated between the MPLS Queue and remote MPLS Queues and what default Path settings to use. For MPLS Queues, an additional option of <Inherit> is present, and the following rules are used to generate Paths:
      • <None>: no Paths will be created.
      • <Inherit>: the Private MPLS WAN Link's Auto-Path Group setting will be used to create Paths. This MPLS Queue will generate Paths to remote MPLS Queues if the remote Auto-Path Group setting, even if inherited, matches the local setting. If a remote MPLS Queue's Auto-Path Group setting is also <Inherit>, a Path will only be generated if the local and remote DSCP tags are the same.
      • <Default> or a specific group: This MPLS Queue will generate Paths to remote MPLS Queues if the remote Auto-Path Group setting, even if inherited, matches the local setting, regardless of DSCP tag.
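The <None>, <Inherit> and <Default>/specific-group rules for MPLS Queues interact with the parent WAN Link's own Auto-Path Group and with the DSCP tag. The following is an added example, not code from the Oracle documentation or product, that encodes those rules as a decision function. The MplsQueue class, the group names and DSCP values are constructed; it also assumes that "matches the local setting" compares the groups after <Inherit> and <Default> have been resolved, which is an assumption about the product's behaviour.

```python
# Added example, not from the Oracle SD-WAN Edge documentation: decides whether
# a Path is generated between a local and a remote MPLS Queue. Names and
# sample values are constructed.
from dataclasses import dataclass

NONE, INHERIT, DEFAULT = "<None>", "<Inherit>", "<Default>"


@dataclass
class MplsQueue:
    dscp: str               # DSCP Tag applied to the Conduit Path, e.g. "AF41"
    auto_path_group: str    # NONE, INHERIT, DEFAULT or a specific group name
    wan_link_group: str     # the parent Private MPLS WAN Link's Auto-Path Group


def effective_group(q: MplsQueue, default_group: str) -> str:
    """Resolve <Inherit> to the parent WAN Link's setting and <Default> to the
    group currently marked default. Returns NONE when no group is desired
    (assumption: resolution happens before groups are compared)."""
    group = q.auto_path_group
    if group == INHERIT:
        group = q.wan_link_group        # inherit from the Private MPLS WAN Link
    if group == DEFAULT:
        group = default_group
    return group


def path_generated(local: MplsQueue, remote: MplsQueue, default_group: str) -> bool:
    """Apply the documented rules: <None> never generates Paths; otherwise the
    effective groups must match, and when both queues are <Inherit> the DSCP
    tags must match as well."""
    local_group = effective_group(local, default_group)
    remote_group = effective_group(remote, default_group)
    if NONE in (local_group, remote_group):
        return False                    # covers <None> directly and an inherited <None>
    if local_group != remote_group:
        return False
    if local.auto_path_group == INHERIT and remote.auto_path_group == INHERIT:
        return local.dscp == remote.dscp
    return True                         # <Default> or a specific group: DSCP is ignored


if __name__ == "__main__":
    local = MplsQueue("AF41", INHERIT, "MPLS_Group")
    print(path_generated(local, MplsQueue("AF41", INHERIT, "MPLS_Group"), "Default_Group"))
    print(path_generated(local, MplsQueue("EF", INHERIT, "MPLS_Group"), "Default_Group"))
```

A practical consequence the function makes visible: two sites that both leave their queues on <Inherit> will only form Paths between queues carrying the same DSCP tag, so a DSCP mismatch between sites silently produces no Path rather than an error.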
Cloud Services

Cloud Service: Name of the Cloud Service

Use: Allow the Cloud Service to use this WAN Link. When Use is not enabled, all other options will be unavailable.

Tunnel Header Size (bytes): The size of the tunnel header, in bytes, if applicable.

Active MTU Detect: If enabled, all WAN Ingress Paths for Cloud Conduits will be actively probed for MTU.

UDP Port: The specified port will be used for WAN Ingress packets and required for WAN Egress packets.

UDP Hole Punching: If enabled, the SD-WAN Controller will assist UDP connectivity between compatible NAT-protected client sites.

UDP Port Switching:

  • Enable: If enabled, the WAN Link will alternate its UDP port at the specified interval. When UDP Port Switching is not enabled, Alt Port and Interval will be unavailable.
  • Alt Port: The alternate UDP Port to be used when UDP Port Switching is enabled and active.
  • Interval (min): The interval, in minutes, that the WAN Link will alternate its UDP Port.

Auto-Path Group: The group used to determine what Paths may be automatically generated between the WAN Link and remote WAN Links and what default Path settings to use.

  • <None> indicates that no group is desired and will prevent Paths from being automatically generated to or from the WAN Link.
  • <Default> uses the group currently marked as default and is automatically updated when the default group changes.
Internet/Intranet Service Usage

Use: Allow the Service to use this WAN Link. When Use is not enabled, all other options will be unavailable.

Mode: The Service's mode for traffic redundancy or load balancing

Tunnel Header Size (bytes): The size of the tunnel header, in bytes, if applicable.

Access Interface Failover: If enabled, the Service will fail over to the secondary Access Interface when the primary is unavailable.

WAN Ingress:

  • Tagging: The DSCP tag to apply to WAN Ingress packets on the Service.
  • Max Delay (ms): The maximum time, in milliseconds, to buffer packets when the WAN Link's bandwidth is exceeded.

WAN Egress:

  • Tagging: The DSCP tag to apply to WAN Egress packets on the Service.
  • Matching: Internet WAN Egress packets matching this tag will be assigned to the Service.
  • Grooming: If enabled, packets will be randomly discarded to prevent WAN Egress traffic from exceeding the Service's provisioned bandwidth.

If the current WAN Link is a Private MPLS, then enabling the WAN Link for a service will also allow the row to expand and show options for the individual MPLS Queues. When enabled, clicking the Expand icon will show the following options:

Use: Allow the Service to use this MPLS Queue. When Use is not enabled, all other options will be unavailable. An MPLS Queue may not be used for a service unless the service is first enabled for the Private MPLS WAN Link. Classes marked for unmatched tags must be enabled for Intranet Services.

Unmatched: If enabled, DSCP tags not matched by other MPLS Queues will use this Class. This field is for information purposes only and must be edited in WAN Link -> Settings.

WAN Ingress:

  • Tagging: The DSCP tag to apply to WAN Ingress packets on the Service. This field is not editable for MPLS Queues.
  • Max Delay (ms): The maximum time, in milliseconds, to buffer packets when the WAN Link's bandwidth is exceeded.

WAN Egress:

  • Tagging: The DSCP tag to apply to WAN Egress packets on the Service.
  • Matching: Internet WAN Egress packets matching this tag will be assigned to the Service. This field is not editable for MPLS Queues.
  • Grooming: If enabled, packets will be randomly discarded to prevent WAN Egress traffic from exceeding the Service's provisioned bandwidth.
Routes

Routes allows the user to add or remove Oracle routes at a site. Once expanded, the configured routes for the site are displayed.

Select the add icon to add a route. A route consists of the following options:

Network IP Address: Route to be added. Requires the network address and mask.

Routing Domain: The Routing Domain chosen for the Route. New Routes are automatically associated with the default Routing Domain.

Cost: The Oracle cost for the route.

Service types:

  • Conduit: Identifies IP traffic as Conduit traffic and matches a Conduit based on Conduit Rules.
  • Internet: Identifies IP traffic as Internet traffic and matches the Internet Service.
  • Intranet: Identifies IP traffic as Intranet traffic and matches an Intranet Service based on the Intranet Rules.
  • Cloud: Identifies IP traffic to a Cloud Service.
  • Pass-through: Identifies IP traffic as Pass-through and matches the Pass-through Service.
  • Local: Identifies IP traffic as local to the site and matches no service. Traffic sourced and destined to a local route will be ignored.
  • LAN GRE Tunnel: Identifies IP traffic as local to the site and matches LAN-side GRE tunnel service.
  • LAN IPsec Tunnel: Identifies IP traffic as local to the site and matches a LAN IPsec Tunnel.
  • Discard: Identifies IP traffic as local to the site and should be discarded. Discard routes are exported to remote Sites as Conduit Routes and can be used to facilitate routing of NAT traffic to specific Sites.

Gateway IP address: define the gateway/router to reach this route. Certain routes require a gateway.

Delete: ability to delete a route.

Route Learning

Oracle SD-WAN Edges have the ability to learn routes, gather link state information, construct a map of the network, and implement changes dynamically.

Open Shortest Path First (OSPF)

A routing protocol, supported by Oracle SD-WAN Edge, that uses a link state routing algorithm to detect changes in the network topology and re-route packets by computing the shortest path tree for each route.

Basic Settings
  • Enable: Enable or disable OSPF with this checkbox.
  • Advertise SD-WAN Edge Routes: Enable advertisement of SD-WAN Edge routes via OSPF.
  • Router ID: A Router ID, in IPv4 Format, used for OSPF advertisements.
  • Export OSPF Route Type: Advertise the SD-WAN Edge route to OSPF neighbors as type 1 Intra-area route or type 5 External route.
  • Export OSPF Route Weight: The cost advertised to OSPF neighbors is the original SD-WAN Edge cost plus the weight configured here.
OSPF Areas
  • ID: The IP Address or Area ID of the network that OSPF will learn routes from and advertise routes to.
  • Stub Area: Enabling the Stub Area feature ensures that this Area will not receive route advertisements from outside of the designated Autonomous System.
  • Virtual Interfaces
      • Routing Domain: A configured Routing Domain.
      • Name: A configured Virtual Interface.
      • Source IP Address: The IP address used to send OSPF messages for this interface.
      • Interface Cost: The base cost for routes learned on the interface.
      • Authentication Type: None, Plain Text, and MD5 are supported.
      • Hello Interval: The amount of time to wait between sending Hello protocol packets to directly connected neighbors (10 seconds is the default).
      • Dead Interval: The amount of time to wait to receive a Hello protocol packet before marking a router as dead (40 seconds is the default).
Internal Border Gateway Protocol (BGP)

A routing protocol, supported by Oracle SD-WAN Edge, that is capable of making routing decisions based on Paths determined by ISPs.

Basic Settings
  • Enable: Enable or disable BGP with this checkbox.
  • Advertise SD-WAN Edge Routes: Enable advertisement of SD-WAN Edge routes via BGP.
  • Router ID: A Router ID, in IPv4 Format, used for BGP advertisements.
  • Local Autonomous System: The Local Autonomous System number.
BGP Neighbors

The configured BGP peer routers that are consulted to find the shortest paths for data. All of the neighbors must be part of the same Autonomous System.

  • Routing Domain: A configured Routing Domain.
  • Virtual Interface: A configured Virtual Interface.
  • Source IP: The Source IP address for the BGP session.
  • Neighbor IP: The IP address of the BGP Neighbor router.
  • Hold Time (s): The Hold Time, in seconds, that elapses before a route is declared dead (the default is 180).
  • Local Preference: The Local Preference value used for selecting from multiple BGP routes (the default is 100).
  • IGP Metric: The IGP Metric checkbox enables the comparison of internal distances to calculate the best route.
  • Route Reflector: The Route Reflector checkbox enables the local site to be a route reflector and treat the neighbor as a route reflection client.
  • Next Hop Self: The Next Hop Self checkbox allows the local site to advertise its own address as the route's next hop.
  • Disable Local AS Loop Protection: BGP prevents routing loops by rejecting received routes with the local AS number in the AS path. The checkbox disables the check.
  • Password: The password for MD5 authentication of BGP sessions (optional).
Import Filters

Network administrators can configure Filters to fine tune how route learning determines the shortest Path for data.

  • Order: The Order in which filters are applied. Once a filter is applied, the Order is automatically sorted.
  • Source Router: The IP address of the Source Router.
  • Destination: The IP Address and Netmask or Network Objects that describe the route's destination.
  • Prefix: The method (predicate) and prefix length. The predicates are:
      • eq: Equal to
      • lt: Less than
      • le: Less than or equal to
      • gt: Greater than
      • ge: Greater than or equal to
  • Next Hop: The IP address of the Next Hop.
  • Protocol: The protocol to learn routes from (Any, OSPF, or BGP).
  • Route Tag: The 32-bit value attached to routes for redistribution.
  • Cost: The method (predicate) and route cost. The predicates are:
      • eq: Equal to
      • lt: Less than
      • le: Less than or equal to
      • gt: Greater than
      • ge: Greater than or equal to
  • Include: If you do not Include routes that match a filter, those routes are ignored.
  • Enabled: A filter that is not Enabled has no effect.
  • Delete: Delete a filter from the configuration.
  • Clone: Administrators can Clone existing filters to work more efficiently.
  • Export Route to Oracle SD-WAN Edge: If the Export Route to Oracle SD-WAN Edge function is not enabled, the Oracle SD-WAN Edge will not communicate route data to Oracle SD-WAN Edges at other Sites. This functionality is enabled by default and only applies to the following Service Types: Local and LAN GRE Tunnel.
  • Eligibility Based On Gateway: If a Gateway is unreachable, this feature will ensure that traffic is not sent to matching routes.
  • SD-WAN Edge Cost: The cost applied to the matched routes when importing them into the Oracle SD-WAN Edge route table (the default is 6).
  • Service Type: Choose a Service Type from all of the existing, supported Oracle SD-WAN Edge Services.
  • Recursive Route: When the Service Type is Conduit, check this to allow the SD-WAN Edge to find the Conduit name automatically from the imported route's source router.
  • Use Next Hop: When Recursive Route is checked, check this to allow the SD-WAN Edge to find the Conduit name from the imported route's next hop instead of its source router.
  • Service Name: The name of the service that matching routes will use.
  • Eligibility Based on Path: If enabled, Paths become criteria for filters.
Export Filters

Network administrators can configure up to 32 Route Export Filters to narrow the selection of routes to export for advertisement to neighboring routers.

  • Order: The Order in which filters are exported. Once a filter is applied, the Order is automatically sorted.
  • Routing Domain: If multiple Routing Domains are configured, choose a Routing Domain from the drop-down menu to narrow the available results or choose Any to include results from all Routing Domains.
  • Network Address: The IP Address and Netmask or configured Network Object that describes the route's network.
  • Prefix: The method (predicate) and prefix length. The predicates are:
      • eq: Equal to
      • lt: Less than
      • le: Less than or equal to
      • gt: Greater than
      • ge: Greater than or equal to
  • SD-WAN Edge Cost: The method (predicate) and SD-WAN Edge Route Cost that are used to narrow the selection of routes exported. The predicates are:
      • eq: Equal to
      • lt: Less than
      • le: Less than or equal to
      • gt: Greater than
      • ge: Greater than or equal to
  • Service Type: The Service Type to export from a list of the existing, supported Oracle Services. Choose Any and all matching Service Types are exported.
  • Site/Service Name: The Site or Service name to export that is determined by the Service Type. Choose Any and all available instances of the chosen Service Type are exported.
  • Gateway IP Address: If you chose LAN GRE Tunnel or Local as the Service Type, enter the Gateway IP for the tunnel.
  • Include: Include routes that match the filter for advertisement. If this box is not checked, matching routes are ignored.
  • Enable: Enable or disable the filter.
  • Clone: Administrators can Clone existing filters to work more efficiently.
  • Export OSPF Route Type: Advertise the SD-WAN Edge route to OSPF neighbors as type 1 Intra-area route or type 5 External route.
  • Export OSPF Route Weight: The cost advertised to OSPF neighbors is the original SD-WAN Edge cost plus the weight configured here.
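Both the Import Filters and the Export Filters above are ordered match lists driven by the same eq/lt/le/gt/ge predicates on prefix length and cost, plus an Include flag and an Enabled flag. The following is an added example, not code from the Oracle documentation or product, that evaluates such a filter list in both directions so an administrator can check what a given filter set would admit or advertise before committing it. The Route and RouteFilter classes, their field names and all sample routes and filters are constructed. It assumes that a filter's Destination or Network Address matches any route contained in that network, that the first enabled matching filter in Order decides, and that a route matching no filter is treated as not included; none of those three points is stated on this page.

```python
# Added example, not from the Oracle SD-WAN Edge documentation: an evaluator for
# ordered Route Import / Export Filters. Names and sample values are constructed.
import ipaddress
import operator
from dataclasses import dataclass
from typing import List, Optional, Tuple

PREDICATES = {"eq": operator.eq, "lt": operator.lt, "le": operator.le,
              "gt": operator.gt, "ge": operator.ge}

# A predicate spec is (method, number), e.g. ("ge", 24); None means 'any'.
Predicate = Optional[Tuple[str, int]]


def predicate_matches(spec: Predicate, value: int) -> bool:
    if spec is None:
        return True
    method, number = spec
    return PREDICATES[method](value, number)


@dataclass
class Route:
    destination: str                 # network and mask, e.g. "10.1.0.0/16"
    cost: int
    protocol: str = "OSPF"           # OSPF or BGP for learned routes
    source_router: Optional[str] = None
    next_hop: Optional[str] = None
    service_type: str = "Local"
    routing_domain: str = "Default_RoutingDomain"


@dataclass
class RouteFilter:
    order: int
    include: bool                    # False: matching routes are ignored
    enabled: bool = True             # a filter that is not Enabled has no effect
    network: Optional[str] = None    # Destination / Network Address; None = any
    prefix: Predicate = None         # e.g. ("gt", 24)
    cost: Predicate = None
    protocol: str = "Any"            # Import Filters only: Any, OSPF or BGP
    source_router: Optional[str] = None
    service_type: str = "Any"
    routing_domain: str = "Any"
    sdwan_cost: int = 6              # SD-WAN Edge Cost applied on import (default 6)

    def matches(self, r: Route) -> bool:
        net = ipaddress.ip_network(r.destination, strict=False)
        if self.network is not None and not net.subnet_of(
                ipaddress.ip_network(self.network, strict=False)):
            return False             # assumption: containment match on the network
        if not predicate_matches(self.prefix, net.prefixlen):
            return False
        if not predicate_matches(self.cost, r.cost):
            return False
        if self.protocol != "Any" and self.protocol != r.protocol:
            return False
        if self.source_router is not None and self.source_router != r.source_router:
            return False
        if self.service_type != "Any" and self.service_type != r.service_type:
            return False
        if self.routing_domain != "Any" and self.routing_domain != r.routing_domain:
            return False
        return True


def first_match(filters: List[RouteFilter], r: Route) -> Optional[RouteFilter]:
    """Filters are applied in Order; disabled filters are skipped."""
    for f in sorted(filters, key=lambda f: f.order):
        if f.enabled and f.matches(r):
            return f
    return None


def import_route(filters: List[RouteFilter], r: Route) -> Optional[Route]:
    """Return the route as it enters the SD-WAN Edge route table, with the
    matching filter's SD-WAN Edge Cost applied, or None if it is ignored."""
    f = first_match(filters, r)
    if f is None or not f.include:
        return None
    return Route(r.destination, f.sdwan_cost, r.protocol, r.source_router,
                 r.next_hop, r.service_type, r.routing_domain)


def export_routes(filters: List[RouteFilter], routes: List[Route]) -> List[Route]:
    """Keep only routes whose first matching Export Filter has Include set."""
    kept = []
    for r in routes:
        f = first_match(filters, r)
        if f is not None and f.include:
            kept.append(r)
    return kept
```

The ordering matters in the same way it does for firewall rules: in the test data, an exclude filter for 10.0.0.0/8 routes more specific than /24 placed at Order 10 rejects a /25 before the later "include all OSPF routes with cost 100 or less" filter can admit it, and disabling that first filter changes the outcome.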