12 External Firewall Settings

In an Oracle SD-WAN WAN, a WAN Path is a logical, one-way, UDP-encapsulated flow of data between two Oracle SD-WAN Appliances and a constituent part of a Conduit. Conduits use the Oracle SD-WAN Reliable Protocol (TRP) on UDP port 2156 by default, but the UDP port number can be configured manually for each Conduit. Because each Path is one-way, a Conduit between two sites carries TRP in both directions, and every firewall or NAT device in between must handle each direction separately.

[Figure: TRP on UDP ports]

UDP Port Mapping and Forwarding

When an Oracle SD-WAN Appliance is installed behind a firewall or NAT device, the TRP traffic must be permitted in both directions, and inbound TRP traffic arriving at the public address must be forwarded (port-mapped) to the corresponding internal WAN Link Virtual IP Address (VIP).

Firewall Access Rules

Most firewall vendors build access rules from reusable objects (services, hosts, NAT policies and security policies). The guidelines below are expressed in those terms; consult your firewall vendor's documentation for the specific configuration steps.

  1. Service Object—By default, TRP uses UDP 2156. If the port number is changed in the Conduit configuration, the Service Object must be changed to match, or the firewall will keep passing the old port and drop the new one.
  2. Host Object—The WAN Link VIP as the firewall sees it from the private network.
  3. NAT Policy—Apply NAT to the outbound TRP traffic, referencing the Service and Host Objects, and map inbound TRP traffic arriving at the public address to the WAN Link VIP.
  4. Security Policy—Allow inbound TRP traffic from the remote Oracle SD-WAN Appliance's public address. Depending on the firewall make and model this may be implicitly allowed through the NAT Policy.

[Figure: UDP port forwarding]
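The following is an added example, not Oracle's code or any firewall vendor's, showing the four objects above for one Conduit rendered as an nftables ruleset, together with the consistency check a practitioner runs first when a Conduit will not come up. The Conduit and FirewallPolicy models, the sample addresses and the nftables layout are assumptions chosen to mirror the guidelines; the only page-supplied value is the default port 2156.

```python
"""Firewall objects for an Oracle SD-WAN Conduit, rendered as nftables rules
and checked against the Conduit configuration.

Added example, not Oracle's code or any firewall vendor's. The object model
(Conduit, FirewallPolicy), the sample addresses and the nftables output are
assumptions chosen to mirror the four objects in the guidelines above.
"""
from __future__ import annotations

from dataclasses import dataclass

TRP_DEFAULT_PORT = 2156  # TRP default UDP port


@dataclass(frozen=True)
class Conduit:
    """What the local Appliance is configured with (constructed sample values)."""
    name: str
    local_vip: str          # WAN Link VIP, private side of the local firewall
    local_public_ip: str    # address the local firewall presents to the WAN
    remote_public_ip: str   # public address of the remote Appliance's firewall
    udp_port: int = TRP_DEFAULT_PORT


@dataclass(frozen=True)
class FirewallPolicy:
    """The four objects the guidelines ask for, as configured on the firewall."""
    service_port: int       # 1. Service Object (UDP port)
    host_vip: str           # 2. Host Object (WAN Link VIP)
    nat_public_ip: str      # 3. NAT Policy (public address for outbound TRP)
    allow_from: str         # 4. Security Policy (permitted inbound TRP source)


def render_nftables(c: Conduit) -> str:
    """Emit an nftables ruleset implementing the four objects for one Conduit.

    Inbound TRP is port-mapped to the WAN Link VIP, outbound TRP is source-NATed
    to the public address, and the forward chain only admits TRP between the
    VIP and the remote Appliance's public address (both directions, since each
    WAN Path is one-way).
    """
    p = c.udp_port
    return "\n".join([
        "table ip sdwan_trp {",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat;",
        f"    ip saddr {c.remote_public_ip} ip daddr {c.local_public_ip} "
        f"udp dport {p} dnat to {c.local_vip}:{p}",
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority srcnat;",
        f"    ip saddr {c.local_vip} ip daddr {c.remote_public_ip} "
        f"udp dport {p} snat to {c.local_public_ip}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority filter; policy drop;",
        f"    ip saddr {c.remote_public_ip} ip daddr {c.local_vip} udp dport {p} accept",
        f"    ip saddr {c.local_vip} ip daddr {c.remote_public_ip} udp dport {p} accept",
        "  }",
        "}",
    ])


def check_policy(c: Conduit, fw: FirewallPolicy) -> list[str]:
    """Troubleshooting step 1: report every way the firewall objects disagree
    with the Conduit (the classic case is a Conduit moved off UDP 2156 while the
    Service Object still says 2156)."""
    problems = []
    if fw.service_port != c.udp_port:
        problems.append(f"Service Object is UDP {fw.service_port}; "
                        f"Conduit '{c.name}' uses UDP {c.udp_port}")
    if fw.host_vip != c.local_vip:
        problems.append(f"Host Object {fw.host_vip} is not the WAN Link VIP {c.local_vip}")
    if fw.nat_public_ip != c.local_public_ip:
        problems.append(f"NAT Policy translates to {fw.nat_public_ip}; "
                        f"the remote Appliance expects {c.local_public_ip}")
    if fw.allow_from != c.remote_public_ip:
        problems.append(f"Security Policy allows TRP from {fw.allow_from}; "
                        f"the remote Appliance is at {c.remote_public_ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a Conduit moved to UDP 2157 while the firewall's
    # Service Object was left at the default.
    conduit = Conduit("site-a-to-site-b", "10.10.1.5", "203.0.113.10",
                      "198.51.100.20", udp_port=2157)
    stale = FirewallPolicy(2156, "10.10.1.5", "203.0.113.10", "198.51.100.20")
    for problem in check_policy(conduit, stale):
        print("MISMATCH:", problem)
    print(render_nftables(conduit))
```

The forward chain deliberately names both the inbound and the outbound TRP flow rather than relying on a connection-tracking rule: the two WAN Paths of a Conduit are independent one-way flows, so a firewall that only admits "replies" to locally initiated traffic can leave one direction DEAD while the other works. The same ruleset is needed, with the roles of the addresses swapped, on the firewall at the remote site.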

Troubleshooting

Incorrect firewall configuration may result in a DEAD Path in one or both directions. A Path is DEAD when no TRP packets are received for 1500 ms or longer. Because each Path is one-way, the Path from site A to site B can be DEAD while the Path from B to A is healthy, so check each direction on its own, following the packets from the sending Appliance toward the receiving one as the checklist below does.

  1. Verify that the firewall configuration (Service, Host, NAT and Security objects) matches the configured WAN Link VIPs and UDP ports on both Appliances.
  2. Are TRP packets from the sending Oracle SD-WAN Appliance arriving on the sending firewall's private (LAN) interface?
  3. Inspect the packet flow on the sending firewall:
    1. Are the TRP packets matching the expected NAT Policy and leaving with the correct public IP address?
    2. Are the TRP packets forwarded out of the correct public-facing interface?
  4. Inspect the packet flow on the receiving firewall:
    1. Are the TRP packets arriving on the public-facing interface?
    2. Are the TRP packets forwarded to the LAN on the correct private-facing interface, with the destination translated to the WAN Link VIP?
  5. Inspect the packet flow on the receiving Oracle SD-WAN Appliance:
    1. Are the TRP packets arriving on the WAN Link Interface Group associated with that WAN Link VIP?
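As an added example that is not part of this page or Oracle's tooling, the script below turns the checklist above into two small checks: a DEAD-Path detector that applies the 1500 ms rule to the receive timestamps of one direction, and a hop-by-hop triage that walks the five inspection points in order and names the first hop where TRP packets are missing or carry the wrong addresses or port (for instance, the NAT Policy not applied at the sending firewall's public egress). The hop names, the PathSpec and Seen records, and all addresses, counts and timestamps are constructed assumptions; only the 1500 ms threshold and the default port come from the text.

```python
"""Troubleshooting helpers for a DEAD Oracle SD-WAN WAN Path.

Added example, not Oracle's code. The hop names, the PathSpec and Seen models,
and all timestamps, addresses and counts are constructed for illustration; the
1500 ms DEAD threshold is the one stated in the text above.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

DEAD_THRESHOLD_MS = 1500  # a Path is DEAD after this long without a TRP packet

# The inspection points from the checklist, in the order one direction of a
# Conduit traverses them (names are assumed, not Oracle terminology).
HOPS = [
    "sending appliance LAN",              # step 2
    "sending firewall public egress",     # step 3
    "receiving firewall public ingress",  # step 4
    "receiving firewall LAN egress",      # step 4
    "receiving appliance WAN Link",       # step 5
]


def is_dead(rx_times_ms: list[int], now_ms: int) -> bool:
    """True if no TRP packet has been received for 1500 ms or longer at now_ms."""
    received = [t for t in rx_times_ms if t <= now_ms]
    return not received or now_ms - max(received) >= DEAD_THRESHOLD_MS


def dead_intervals(rx_times_ms: list[int], end_ms: int,
                   start_ms: int = 0) -> list[tuple[int, int]]:
    """Intervals [start, end) during which one direction was DEAD. A DEAD
    interval opens 1500 ms after the last received packet and closes when the
    next one arrives (or at end_ms). No packets at all means DEAD throughout."""
    times = sorted(rx_times_ms)
    if not times:
        return [(start_ms, end_ms)]
    intervals = []
    prev = None
    for t in times + [end_ms]:
        if prev is not None and t - prev >= DEAD_THRESHOLD_MS:
            intervals.append((prev + DEAD_THRESHOLD_MS, t))
        prev = t
    return intervals


@dataclass(frozen=True)
class PathSpec:
    """One direction of a Conduit: local Appliance -> remote Appliance."""
    name: str
    local_vip: str
    local_public_ip: str
    remote_public_ip: str
    remote_vip: str
    udp_port: int = 2156


@dataclass(frozen=True)
class Seen:
    """TRP packets observed at one hop during the capture window (constructed)."""
    src: str
    dst: str
    dport: int
    count: int


def expected_at(hop: str, p: PathSpec) -> tuple[str, str]:
    """(src, dst) a TRP packet should carry at each hop: source NAT applies from
    the sending firewall's public egress on, and the port mapping to the remote
    WAN Link VIP applies from the receiving firewall's LAN egress on."""
    i = HOPS.index(hop)
    if i == 0:
        return p.local_vip, p.remote_public_ip
    if i <= 2:
        return p.local_public_ip, p.remote_public_ip
    return p.local_public_ip, p.remote_vip


def triage(p: PathSpec, seen: dict[str, Optional[Seen]]) -> str:
    """Walk the hops in order and name the first one where TRP packets are
    missing or carry the wrong addresses/port."""
    prev = None
    for hop in HOPS:
        s = seen.get(hop)
        if s is None or s.count == 0:
            where = f"between '{prev}' and '{hop}'" if prev else f"at '{hop}'"
            return f"{p.name}: TRP packets disappear {where}"
        exp_src, exp_dst = expected_at(hop, p)
        if (s.src, s.dst, s.dport) != (exp_src, exp_dst, p.udp_port):
            return (f"{p.name}: at '{hop}' saw {s.src}->{s.dst}:{s.dport}, "
                    f"expected {exp_src}->{exp_dst}:{p.udp_port}")
        prev = hop
    return f"{p.name}: TRP packets pass all {len(HOPS)} hops as expected"


if __name__ == "__main__":
    # Constructed sample: NAT Policy not applied, packets leave with the VIP.
    spec = PathSpec("A->B", "10.10.1.5", "203.0.113.10", "198.51.100.20", "10.20.1.5")
    seen = {
        HOPS[0]: Seen("10.10.1.5", "198.51.100.20", 2156, 40),
        HOPS[1]: Seen("10.10.1.5", "198.51.100.20", 2156, 40),  # no source NAT
    }
    print(triage(spec, seen))
    print(dead_intervals([0, 500, 1000, 4000], end_ms=4500))
```

Run the triage once per direction with captures taken in the same window on both firewalls; a result that stops at the sending firewall's public egress points at the NAT Policy or egress interface (step 3), one that stops at the receiving firewall's LAN egress points at the port mapping or Security Policy (step 4), and a clean pass with a DEAD interval still reported by the receiving Appliance points at the WAN Link Interface Group assignment (step 5).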