After creating a Profile, you can select the Segments you want to include in your profile from the Segment menu on the Device tab.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles to display a list of the existing Profiles.
2. Select on a Profile or select View in the Device column of the Profile to assign segments. You can also select a Profile and select Modify to configure the Profile. The configuration options for the selected Profile are displayed in the Device tab.
3. From the Segment menu, select Change Profile Segments to display Change Profile Segments.

   

4. In this dialog box, you can select the Segments to include in your profile. Segments with a lock symbol next to them indicate that the Segment is in use within a profile, and cannot be removed. Segments available for use display under All Segments.
5. Select Update Segments and then select Save Changes.

   After you have assigned a Segment to the Profile, you can configure your Segment through the Segment menu. All Segments available for configuration appear in the Segment menu. If a Segment assigned to a VLAN or interface, it displays the VLAN ID and the Edge models associated with it.

   When you choose a Segment to configure from the Segment menu, depending upon the Segment options, the settings associated that Segment display in the Segments area.

   

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
2. Select on a Profile or select View in the Device column of the Profile. You can also select a Profile and select Modify to configure the Profile.
3. The configuration options for the selected Profile display in the Device tab.
4. Scroll down to the Connectivity category and select VLAN.

   

5. You can add a new VLAN by selecting + Add VLAN. You can delete a selected VLAN by selecting Delete. A VLAN already assigned to a device interface cannot be deleted.
6. Select IPv4 or IPv6 to display the respective list of VLANs.
7. Selecting + Add VLAN displays the following screen:

   

8. In the Add VLAN window, configure the following VLAN details:

   Table 5. VLAN Options

   Option	Description
   General Settings
   Segment	Select a segment from the drop-down list. The VLAN belongs to the selected segment.
   VLAN Name	Enter a unique name for the VLAN.
   VLAN ID	Enter the VLAN ID.
   Description	Enter a description (Optional).
   LAN Interfaces	You can configure the LAN Interfaces only at the Edge level.
   SSID	You can configure the Wi-Fi SSID details for the VLAN only at the Edge level.
   ICMP Echo Response	Select the check box to allow the VLAN to respond to ICMP echo messages.
   DNS Proxy	Selected by default. This option allows you to activate or deactivate a DNS Proxy regardless of the IPv4 or IPv6 DHCP Server settings.
   IPv4 and IPv6 Settings Note:You can activate either IPv4 or IPv6 or both settings.
   Assign Overlapping Subnets	Select if you want to assign the same subnet for the VLAN to every Edge in the Profile and define the subnet in the Edge LAN IP Address. If you want to assign different subnets to every Edge, do not select the check box and configure the subnets on each Edge individually. Overlapping subnets for the VLAN are supported only for SD-WAN to SD-WAN traffic (provided LAN side NAT is activated) and SD-WAN to Internet traffic.
   Edge LAN IPv4/IPv6 Address	This option is available only if Assign Overlapping Subnets is set to Yes. Enter the LAN IPv4/IPv6 address of the Edge.
   CIDR Prefix / Prefix Length	This option is available only if Assign Overlapping Subnets is set to Yes. Enter the CIDR prefix for the LAN IPv4/IPv6 address.
   Network	Enter the IPv4/IPv6 address of the Network.
   OSPF	Available only when you have configured OSPF at the Profile level for the selected Segment. Select the check box and choose an OSPF area from the drop-down list. The OSPFv2 configuration supports only IPv4. The OSPFv3 configuration supports only IPv6, which is only available in the 5.2 release. For more information on OSPF settings and OSPFv3, see Activate OSPF for Profiles.
   Multicast	This option activates only when you have configured multicast settings for the Edge. You can configure the following multicast settings for the VLAN. IGMP PIM Select advanced multicast settings to set the following timers: PIM Hello Timer IGMP Host Query Interval IGMP Max Query Response Value
   VNF Insertion	Select the check box to insert a VNF to the VLAN, which redirects traffic from the VLAN to the VNF. To activate VNF Insertion, ensure that the selected segment is mapped with a service VLAN. For more information about VNF, see Security Virtual Network Functions. This option is available only under IPv4 Settings.
   Advertise	Select the check box to advertise the VLAN to other branches in the network.
   Fixed IPs	You can configure the fixed IP only at the Edge level.

9. Select one of the available options for IPv4 DHCP Server:Activated, Relay, or Deactivated.
10. Select one of the available options for IPv6 DHCP Server: Activated or Deactivated.

    Table 6. DHCP Server Options

    Option	Description
    Activated- Activates DHCP with the Edge as the DHCP server. The following configuration options are available for this type.
    DHCP Start	Enter a valid IPv4/IPv6 address available within the subnet.
    Num. Addresses	Enter the number of IPv4/IPv6 addresses available on a subnet in the DHCP Server.
    Lease Time	Select the period of time from the list. This is the duration the VLAN is allowed to use an IPv4/IPv6 address dynamically assigned by the DHCP Server.
    Options	Select Add and select pre-defined or custom DHCP options from the drop-down list. The DHCP option is a network service passed to the clients from the DHCP server. For a custom option, enter the Code, Data Type, and Value. Select Delete to delete a selected option.
    Relay- Activates the DHCP with the DHCP Relay Agent installed at a remote location. Following configuration options are available for this type.
    Source from Secondary IP(s)	When you select this check box, the DHCP discover and request packets from the client are relayed to the DHCP Relay servers sourced from the primary IP address and all the secondary IP addresses configured for the VLAN. The reply from the DHCP Relay servers is sent back to the client after rewriting the source and destination. The DHCP server receives the request from both the primary and secondary IP addresses and the DHCP client can get multiple offers from primary subnet and secondary subnets. When this option is not selected, the DHCP discover/request packets from the client relay to the DHCP Relay servers sourced only from the primary IP address.
    Relay Agent IP(s)	Select Add to add IPv4 addresses. Select Delete to delete a selected address.
    Deactivated- Deactivates the DHCP.

    A warning message displays under the following conditions when selecting DNS proxy check box:

    • Both of the IPv4 and IPv6 DHCP Servers are Deactivated.
    • The IPv4 DHCP Server is in Relay state and the IPv6 DHCP Server is Deactivated.
11. Select Done. On the Device settings screen, select Save Changes to save the settings. The VLAN is configured for the Profile. You can edit the VLAN settings by selecting the link under the VLAN column.

    To configure VLANs for Edges, see Configure VLAN for Edges.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles to display Configuration Profiles.
2. Select the Profile to override ARP timeouts or select View in the Device column of the Profile. The Device tab displays the configuration options for the selected Profile.
3. Under Connectivity, select ARP Timeouts.
4. To override the default ARP timeouts, select Override default ARP Timeouts.

   

5. Configure the various ARP timeouts in hours and minutes with the ARP Stale Timeout as less than the ARP Dead Timeout. ARP Dead Timeout must be less than ARP Cleanup Timeout.

   Table 7. ARP Timeout Fields

   Field	Description
   ARP Stale Timeout	When the ARP age exceeds the Stale time, the state changes from ALIVE to REFRESH. At the REFRESH state, when a new packet tries to use this ARP entry, the packet forwards and also a new ARP request sent. If the ARP resolves, the ARP entry moves to the ALIVE state. Otherwise the entry remains in the REFRESH state and the traffic forwards in this state. The allowable value ranges from 1 minute to 23 hours and 58 minutes.
   ARP Dead Timeout	When the ARP age exceeds the Dead time, the state changes from REFRESH to DEAD. At the DEAD state, when a new packet tries to use this ARP entry, the packet drops and an ARP request sent. If the ARP gets resolved, the ARP entry moves to ALIVE state and the next data packet forwarded. If the ARP does not resolve, the ARP entry remains in the DEAD state. In the DEAD state, traffic does not forward to that port and becomes lost. The allowable value ranges from 2 minutes to 23 hours and 59 minutes.
   ARP Cleanup Timeout	When the ARP age exceeds the Cleanup time, the entry completely removes from the ARP table. The allowable value ranges from 3 minutes to 24 hours.

   The ARP timeout values can only be in increasing order of minutes.

6. Select Save Changes.

   At the Edge-level, you can override the inherited ARP Timeouts for specific edges. For more information, see Configure Address Resolution Protocol Timeouts for Edges.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
   The Profiles page displays the existing Profiles.
2. Select the link to a Profile or select the View link in the Device column of the Profile. You can also select a Profile and select Modify to configure the Profile.
3. The Device tab displays the configuration options for the selected Profile.

   

4. In the Connectivity category, select Wireless Link Management.
5. Turn on Link control traffic frequency toggle button. Activating the Link control traffic frequency feature via the Profile reduces data usage across all wireless links between Edge devices and its peers for each Edge device utilizing the Profile. However, it impacts the application performance.
   When the Link control traffic frequency option is set to On, the following warning message appears: Activating this option will reduce data consumption on wireless WAN links by reducing monitoring intervals and other control traffic. This causes degradation of sub-second detection of link errors and failures, which may affect the application performance.
   The Wireless Link Management settings are applied to all the Edges associated with the Profile. You can choose to override the Wireless Link Management settings for an Edge. For steps, see Configure Wireless Link Management for Edges.
6. Select Save Changes.

1. In the SD-WAN service of the Enterprise portal, select Configure > Profiles .
   The Configuration Profiles page appears.
2. Select a profile for which you wish to configure Wi-Fi Radio settings, and then select the View link in the Device column of the Profile.
   The Device Settings page for the selected profile appears.
3. Under the Connectivity category, select Wi-Fi Radio.

   

4. The Wi-Fi Radio area expands and by default, the Channel is set to Automatic.
5. Select any one or both of the radio bands.
   Note: In case of Edge 710 and Edge 710 5G, you can select both 2.4 GHz and 5 GHz radio bands.
6. Select Save Changes.
   At the Edge level, you can override the Wi-Fi Radio settings specified in the Profile, by selecting the Override check box. For more information, see Configure Wi-Fi Radio Overrides.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
   The Profiles page displays the existing Profiles.
2. Select the link to a Profile or select the View link in the Device column of the Profile. You can also select a Profile and select Modify to configure the Profile.
3. The Device tab displays the configuration options for the selected Profile.

   

4. In the Connectivity category, select Common Criteria Firewall.
5. Turn on Enable Common Criteria Firewall toggle button. When the Enable Common Criteria Firewall option is set to On, the following packets are automatically dropped, counted, or logged:
   • Packets with invalid fragments or fragments which cannot be completely re-assembled that are destined to the Edge.
   • Packets where the source address is defined as being on either broadcast network, multicast network, or loopback address.
   • Packets with the IP options: Loose Source Routing, Strict Source Routing, or Record Route specified.
   • Packets which have the source or destination address as unspecified or reserved for future.
   • Packets where the source address does not belong to the networks reachable via the network interface where the network packet was received.
   • Packets where the source or destination address of the network packet is defined as being unspecified (i.e. 0.0.0.0) or an address “reserved for future use” (i.e. 240.0.0.0/4) as specified in RFC 5735 for IPv4.
   • Packets where the source or destination address of the network packet is defined as an “unspecified address” or an address “reserved for future definition and use” (i.e. unicast addresses not in this address range: 2000::/3) as specified in RFC 3513 for IPv6.
   The CC Firewall settings are applied to all the Edges associated with the Profile. You can choose to override the CC Firewall settings for an Edge. For steps, see Configure Common Criteria Firewall Settings for Edges.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profile/Edges
2. Select a profile to configure with Gateway Handoff Assignmentsettings and select View in the Device column of the Profile. The Device page for the selected profile appears.
3. Navigate to VPN Services and expand Gateway Handoff Assignment.

   

4. Select + Select Gateways to display Select Partner Gateways for Global Segment. By default, Global Segment is selected in Segment. You can also select any other segment based on your requirements.

   

5. The Partner Gateways section lists the Gateways in the Gateway Pool configured as a Partner Handoff Gateway. If there are other Gateways not configured as a Partner Handoff Gateway, a following sample message appears in the dialog box: There is one other Gateway in the Gateway Pool not configured as a Partner Handoff Gateway. If you want to see only the list of selected Partner Gateways then select Show only selected.
6. Select the Partner Gateways from the list that you want to assign to the Profile and select Update.
7. The Partner Gateway assignments configured at the Profile level applies to all the Edges within the Profile. You can override the settings at the Edge level by selecting Override.

   

   Select CDE Gateways

   In normal scenarios, the PCI traffic runs between the customer branch and Data Center where the PCI traffic is handoff to the PCI network and the Gateways are out of PCI scope. (The Operator can configure the Gateway to exclude PCI Segment by unchecking the CDE role).

   In certain scenarios where Gateways can have a handoff to the PCI network and in the PCI scope, the Operator can activate CDE role for the Partner Gateways and these Gateways (CDE Gateways) become available for the user to assign in the PCI Segments (CDE Type).

   Assign a CDE Gateway

   By default global segment is selected in Segment. You can also choose any other segment (CDE Type) based on your requirements.

8. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
9. Select a profile to configure Gateway Handoff Assignment settings and select View in the Device column of the Profile. The Device page for the selected profile displays.
10. Navigate to VPN Services and expand Gateway Handoff Assignment.
11. Select + Select Gateways to display Select Partner Gateways for Global Segment.

    

12. In the Select Partner Gateways for Global Segment, in the Partner Gateways section, select a Partner Gateway marked with the CDE to assign to the Profile and select Update.

1. In the Enterprise portal, select Configure > Profiles .
2. Select the Device icon next to a profile, or select the link to the profile, and then select the Device tab.
3. In the Cloud Security area, switch the dial from Off to On.
4. Configure the following settings:

   

   Table 13. Cloud Security Options

   Option	Description
   Cloud Security Service	Select a Cloud Security Service from the menu to associate with the profile. You can also select New Cloud Security Service from the list to create a new service type. For more information about how to create a new CSS, see Configure a Cloud Security Service. Note: For Cloud Security Services with Zscaler login URL configured, Login to Zscaler appears in the Cloud Security Service area. Select Login to Zscaler to be redirected to the Zscaler Admin portal of the selected Zscaler cloud.
   Tunneling Protocol	This option is available only for Zscaler Cloud Security Service provider. If you select a manual Zscaler service provider then select either IPsec or GRE as the tunneling protocol. By default, IPsec is selected. Note: If you select an automated Zscaler service provider then the Tunneling Protocol field cannot be configured but displays the protocol name used by the service provider.
   Hash	Select the Hash function as SHA 1 or SHA 256 from the drop-down. By default, SHA 1 is selected.
   Encryption	Select the Encryption algorithm as AES 128 or AES 256 from the menu. None appears selected by default.
   Key Exchange Protocol	Select the key exchange method as IKEv1 or IKEv2. By default, IKEv2 is selected.
   Login to Zscaler	Select Login to Zscaler to login to the Zscaler Admin portal of the selected Zscaler cloud.

5. Select Save Changes.

   When you enable Cloud Security Services and configure the settings in a profile, the setting automatically applies to the Edges associated with the profile. If required, you can override the configuration for a specific Edge. See Configure Cloud Security Services for Edges.

   For the profiles created with Cloud Security Services enabled and configured prior to 3.3.1 release, you can redirect the traffic as follows:

   • Redirect only web traffic to Cloud Security Services.
   • Redirect all Internet bound traffic to Cloud Security Services.
   • Redirect traffic based on Business Policy Settings – This option is available only from release 3.3.1. If you choose this option, then the other two options are no longer available.

   Note: For the new profiles that you create for release 3.3.1 or later, by default, the traffic redirects as per the Business Policy settings. See

   • Configure Business Policies with Cloud Security Services
   • Cloud Security Services
   • Configure a Profile Device

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
   The Profiles page displays the existing Profiles.
2. Select the link to a Profile or select the View link in the Device column of the Profile. The Device tab displays the configuration options for the selected Profile.

   

3. Under the VPN Services category, select Zscaler and activate Zscaler by turning the toggle button to On.
4. From the Cloud Subscription drop-down menu, select your Zscaler subscription.
   The Zscaler Cloud associated with the selected subscription automatically appears in the Cloud Name Field.
5. To edit location Gateway options. select the Edit button. The Edit Location Gateway Options dialog box appears.

   

6. Configure the Gateway options and Bandwidth control settings for Location and select Done. For more information about Zscaler Gateway Options and Bandwidth Control parameters, see https://help.zscaler.com/zia/configuring-locations.
7. Select Reset to reset Zscaler Location gateway options to default.
8. Select Save Changes.
   For more information, see:

   • Configure Cloud Security Services for Profiles
   • Configure Cloud Security Services for Edges

Multicast provides an efficient way to send data to an interested set of receivers to only one copy of data from the source, by letting the intermediate multicast-routers in the network replicate packets to reach multiple receivers based on a group subscription.

Multicast clients use the Internet Group Management Protocol (IGMP) to propagate membership information from hosts to Multicast activated routers and PIM to propagate group membership information to Multicast servers via Multicast routers.

Multicast support includes:

• Multicast support on both overlay and underlay
• Protocol-Independent Multicast- Sparse Mode (PIM-SM) on Edge
• Internet Group Management Protocol (IGMP) version 2 on Edge
• Static Rendezvous Point (RP) configuration, where RP is activated on a 3rd party router.

You can activate and configure Multicast globally and at the interface-level. If required, you can override the Multicast configurations at the Edge-level.

To configure Multicast globally:

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles to display the Profiles page.
2. Select a Profile or select View in the Device column of the Profile. You can also select a Profile and select Modify to configure the Profile. The configuration options for the selected Profile are displayed in the Device tab.
3. Navigate to the Routing & NAT category and expand the Multicast area. Turn on the toggle button to activate the Multicast feature. There must be at least one RP group when enabling Multicast. The RP Selection is set to Static by default.

   

4. Configure the following Multicast settings:

   Table 14. Multicast Settings Descriptions

   Multicast Setting	Description
   RP Selection	Static is the default and supported mechanism.
   RP Address	Enter the IP address of the device, which is the route processor for a multicast group.
   Multicast Group	Enter a range of IP addresses and port numbers that define a Multicast group. Once the host device has membership to the Multicast group, it can receive any data packets that are sent to the group defined by the IP address and port number.
   Enable PIM on Overlay	Activate PIM peering on SD-WAN Overlay. For example when activated on both branch Edge and hub Edge, they form a PIM peer. By default, the source IP address for the overlays derives from any Switched interfaces (if present), or a Routed interface of type Static with a deactivated WAN Overlay. You can choose to change the source IP by specifying Source IP Address, which will be a virtual address and will be advertised over the overlay automatically.
   PIM Timers	Under Advanced Settings, configure the PIM timers details, if needed: Join Prune Send Interval- The Join Prune Interval Timer. Default value is 60 seconds. The allowable range is 60 through 600. Keep Alive Timer- PIM keep alive timer. Default value is 60 seconds. The allowable range is 31 through 60000.

   To configure the multicast settings at the Interface level, see: Configure Interface Settings for Profile and Configure a Profile Device.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
2. The Profiles page displays the existing Profiles.
3. Select the link to a Profile or select the View link in the Device column of the Profile. You can also select a Profile and select Modify to configure the Profile.
4. The configuration options for the selected Profile are displayed in the Device tab.
5. Scroll down to the Routing & NAT category and select DNS.

   

6. In the Conditional DNS Forwarding (Private DNS) section, select Private DNS to forward the DNS requests related to the domain name. Select Add to add existing private DNS servers to the drop-down menu. Select Delete to remove the selected private DNS server from the list.
7. To add a new private DNS, select New Private DNS.

   

   Following are the available options:

   Table 15. Private DNS Options

   Option	Description
   DNS Type	Displays Private by default. You cannot edit this option.
   Service Name	Type the name of the DNS service.
   IPv4 Server	Type the IPv4 address for IPv4 Server. Select the plus (+) icon to add more addresses.
   IPv6 Server	Type the IPv6 address for IPv6 Server. Select the plus (+) icon to add more addresses.
   Private Domains	Select Add, and then type the private domain name and description.

8. Select Save Changes.
9. In the Public DNS section, select a public DNS service from the drop-down menu to be used for querying domain names. By default, Google and OpenDNS servers are pre-configured as public DNS.
10. To add a new public DNS, select New Public DNS.
    Note: The public DNS service is activated on a VLAN or a routed interface if DNS Proxy is activated on the same VLAN or routed interface.

    

    Following are the available options:

    Table 16. New Public DNS Options

    Option	Description
    DNS Type	Displays Public by default. You cannot edit this option.
    Service Name	Enter the name of the DNS service.
    IPv4 Server	Enter the IPv4 address for the IPv4 server. Select the plus (+) icon to add more addresses.
    IPv6 Server	Enter the IPv6 address for the IPv6 server. Select the plus (+) icon to add more addresses.

11. Select Save Changes.
12. In the Local DNS Entries section, select Edit to edit an existing local DNS entry. Select Delete to remove the selected local DNS entry from the list.
13. To add a new local DNS entry, select New Local DNS Entry.

    

    Following are the available options:

    Table 17. New Local DNS Entry Options

    Option	Description
    Domain Name	Enter the device domain name.
    IP Addresses	Enter either an IPv4 or an IPv6 address.
    Add	Select to add multiple IP addresses. Note: A maximum of 10 IP addresses can be added for each domain name.
    Delete	Select to delete the selected IP addresses.

14. After configuring the private DNS, public DNS, and local DNS entries, select Save Changes in the Device page.

1. In the SD-WAN service of the Enterprise Portal, select Configure. Depending upon your login permissions, you might need to select a Customer or Partner first, then select Configure to display the Profile.
2. Select a Profile from the list of available Profiles or Add a Profile if necessary.
3. Go to the Routing & NAT section and select the arrow next to OSPF.
4. In the OSPF Areas section, configure the Redistribution Settings for OSPFv2/v3, BGP Settings, and if applicable, Route Summarization.
   Note: OSPFv2 supports only IPv4. OSPFv3 supports only IPv6 and only available in the 5.2 release.

   

   Table 18. OSPF Area Option Descriptions

   Option	Description
   Redistribution Settings
   Default Route	Select an OSPF route type (O1 or O2) to be used for default route. Default selection for this configuration is None.
   Advertise	Select either Always or Conditional. Selecting Always indicates advertising the default route always. Selecting Conditional means to redistribute default route only when Edge learns via overlay or underlay). The Overlay Prefixes option must be checked to use the Conditional default route.
   Overlay Prefixes	If applicable, select Overlay Prefixes.
   BGP Settings
   BGP	To enable injection of BGP routes into OSPF, select BGP. BGP routes can be redistributed into OSPF, so if this is applicable, enter or select the configuration options as follows:
   Set Metric	In Set Metric, enter the metric. This is the metric that OSPF adds to its external LSAs that it generates from the redistributed routes. The default metric is 20.
   Set Metric Type	From the Set Metric Type menu, choose a metric type. This is either type E1 or E2 (OSPF External-LSA type with the default type of E2.

5. In OSPF Areas, select +Add and configure the options. Add additional areas, if necessary, by selecting +Add. The fields in the table cannot be overridden at the Edge level.

   Table 19. OSPF Area Add Option Descriptions

   Option	Description
   Area ID	Select inside the Area ID text box, enter an OSPF area ID.
   Name	Select inside the Name text box, enter a descriptive name for your area.
   Type	By default, the Normal type is selected. Only Normal type is supported at this time.

6. Next, configure the Interface Settings for OSPF. For configuration details, see either Configure Interface Settings for Profiles with New Orchestrator UI or Configure Interface Settings for Edges with New Orchestrator UI.
   Note: OSPF has to be activated at the Profile level first before you can configure it on Edge interfaces.
7. If applicable, configure Route Summarization.
   Note: The Route Summarization feature is available starting with the 5.2 release, for an overview and use case for this feature, see Route Summarization.
8. Navigate to Route Summarization.
9. Select +Add in the Route Summarization area. A new row is added to the Route Summarization area. Configure Route Summarization, as described in the table.

   

   Table 20. Route Summarization Option Descriptions

   Option	Description
   Subnet	Enter the IP subnet.
   No Advertise	When No Advertise is set, all the external routes (Type-5) under this supernet are summarized and have chosen not to advertise it. This means it effectively blocks the whole supernet from advertising to its peer.
   Tag	Enter the router Tag value (1-4294967295).
   Metric Type	Enter the Metric Type (E1 or E2).
   Metric	Enter the advertised metric for this route ((0-16777215).

10. Add additional routes, if necessary, by selecting +Add. Route Summarization Clone or Delete to copy or delete a Route Summarization.
11. Select Save Changes.
     

1. In the SD-WAN service of the Enterprise portal, select Configure > Profiles .
2. Select Device for a profile, or select a profile and select the Device tab.
3. In the Device tab, scroll down to the Routing & NAT section and select the arrow next to the BDF area to open it.
4. Move the BDF slider to ON position.
5. Configure the following settings, as described in the table.

   Table 21. BFD for Profile Field Descriptions

   Field	Description
   Peer Address	Enter the IPv4 address of the remote peer to initiate a BFD session.
   Local Address	Enter a locally configured IPv4 address for the peer listener. This address is used to send the packets. You can select the IPv6 tab to configure IPv6 addresses for the remote peer and the peer listener. For IPv6, the local and peer addresses support only the following format: IPv6 global unicast address (2001:CAFE:0:2::1) IPv6 unique local address (FD00::1234:BEFF:ACE:E0A4)
   Multihop	Select the check box to enable multi-hop for the BFD session. While BFD on Edge and Gateway supports directly connected BFD Sessions, you need to configure BFD peers in conjunction with multi-hop BGP neighbors. The multi-hop BFD option supports this requirement. Multihop must be enabled for the BFD sessions for NSD-BGP-Neighbors.
   Detect Multiplier	Enter the detection time multiplier. The remote transmission interval is multiplied by this value to determine the detection timer for connection loss. The range is from 3 to 50 and the default value is 3.
   Receive Interval	Enter the minimum time interval, in milliseconds, at which the system can receive the control packets from the BFD peer. The range is from 300 to 60000 milliseconds and the default value is 300 milliseconds.
   Transmit Interval	Enter the minimum time interval, in milliseconds, at which the local system can send the BFD control packets. The range is from 300 to 60000 milliseconds and the default value is 300 milliseconds.

6. Select the + Icon to add details of more peers.
7. Select Save Changes.

   

   When you configure BFD rules for a profile, the rules automatically apply to the Edges associated with the profile. If required, you can override the configuration for a specific Edge. See Configure BDF for Edges for additional information.

   VeloCloud SD-WAN supports configuring BFD for BGP and OSPF.

   • To enable BFD for BGP, see Configure BFD for BGP for Profiles.
   • To enable BFD for OSPF, see Configure BFD for OSPF.
   • To view the BFD sessions, see Monitor BFD Sessions.
   • To view the BFD events, see Monitor BFD Events.
   • For troubleshooting and debugging BFD, see Troubleshooting BFD.

1. In the SD-WAN Service of the Enterprise Portal, go to Configure > Profiles e.
   The Profiles page displays the existing Profiles.
2. Select the link to a Profile or select the View link in the Device column of the Profile that you want to configure.
   The Device tab displays the configuration options for the selected Profile.
3. Scroll down to the Routing & NAT category, select LAN-Side NAT Rules.
4. To configure LAN-Side NAT Rules, select +ADD and enter the details as described in the following table to add a NAT Source or Destination.

   

   Table 22. LAN-Side NAT Rules Options

   Option	Description
   Type	Determine whether the NAT rule should be applied on the source or destination IP address of user traffic, and accordingly select either Source or Destination as the type from the drop-down menu.
   Inside Address	Enter the "inside" or "before NAT" IPv4 address (if prefix is 32), or subnet (if prefix is less than 32).
   Outside Address	Enter the "outside" or "after NAT" IPv4 address (if prefix is 32), or subnet (if prefix is less than 32).
   Source Route	Optionally, for destination NAT, specify source IPv4 address/subnet as match criteria. Only valid if the type is “Destination”. Ensure the prefix is a value from 1 through 32 and the default value is any.
   Destination Route	Optionally, for source NAT, specify destination IPv4 address/subnet as match criteria. Only valid if the type is “Source”. Ensure the prefix is a value from 1 through 32 and the default value is any.
   Description	Enter a description for the NAT rule.

    

5. Select Save Changes in the Device page. The configured NAT Source and Destination appears as shown in the following screenshot.

   

   Important:If the Inside Prefix has a lesser value than the Outside Prefix, the feature supports Many:1 NAT in the LAN to WAN direction and 1:1 NAT in the WAN to LAN direction. For example, if the Source Type has an Inside Address with a value of 10.0.5.0/24, and an Outside Address with the value, 192.168.1.25/32, sessions from the LAN to the WAN with the Source IP address matching the Inside Address 10.0.5.1 translate to 192.168.1.25. For sessions from the WAN to the LAN with a Destination IP address matching the Outside Address, 192.168.1.25 translate to 10.0.5.25. Similarly, if the Inside Prefix has a value greater than the Outside Prefix, the feature supports Many:1 NAT in the WAN to LAN direction and 1:1 NAT in the LAN to WAN direction. The NAT IP address does not automatically advertise, and you must ensure that a static route for the NAT IP address should be configured and the next hop should be the LAN next hop IP address of the source subnet.

1. In the SD-WAN service of the Enterprise Portal, select the Configure tab.
2. From the left menu, select Profiles to display the Profile page.
3. Select a Profile from the list of available Profiles or add a Profile if necessary.
4. Go to the Routing & NAT section and select the arrow next to BGP to expand.
5. In the BGP area, toggle the radio button from Off to On.

   

6. In the BGP area, enter the local Autonomous System Number (ASN) in the appropriate field.
7. Configure the BGP Settings.

   Table 23. BGP Settings Options

   Option	Description
   Router ID	Enter the global BGP router ID. If you do not specify any value, the ID is automatically assigned. If you have configured a loopback Interface for the Edge, the IP address of the loopback Interface will be assigned as the router ID.
   Keep Alive	Enter the keep alive timer in seconds, which is the duration between the keep alive messages that are sent to the peer. The range is from 0 to 65535 seconds. The default value is 60 seconds.
   Hold Timer	Enter the hold timer in seconds. When the keep alive message is not received for the specified time, the peer is considered as down. The range is from 0 to 65535 seconds. The default value is 180 seconds.
   Uplink Community	Enter the community string to be treated as uplink routes. Uplink refers to link connected to the Provider Edge(PE). Inbound routes towards the Edge matching the specified community value will be treated as Uplink routes. The Hub/Edge is not considered as the owner for these routes. Enter the value in number format ranging from 1 to 4294967295 or in AA:NN format.
   Enable Graceful Restart check box	Please note when selecting this check box: The local router does not support forwarding during the routing plane restart. This feature supports preserving forwarding and routing in case of peer restart.

8. Select +Add in the Filter List area to create one or more filters. These filters are applied to the neighbor to deny or change the attributes of the route. The same filter can be used for multiple neighbors.

   

9. In the appropriate text fields, set the rules for the filter, as described in the table below.

   Table 24. Filter Option Descriptions

   Option	Description
   Filter Name	Enter a descriptive name for the BGP filter.
   Match Type and Value	Choose the type of the routes to be matched with the filter: Prefix for IPv4 or IPv6- Choose to match with a prefix for IPv4 or IPv6 address and enter the corresponding prefix IP address in the Value field. Community- Choose to match with a community and enter the community string in the Value field.
   Exact Match	The filter action is performed only when the Prosecutes match exactly with the specified prefix or community string. By default, this option is enabled.
   Action Type	Select the action to be performed when the routes match with the specified prefix or the community string. You can either permit or deny the traffic.
   Action Set	When the BGP routes match the specified criteria, you can set to route the traffic to a network based on the attributes of the path. Select one of the following options from the drop-down list: None- The attributes of the matching routes remain the same. Local Preference- The matching traffic is routed to the path with the specified local preference. Community- The matching routes are filtered by the specified community string. You can also select Community Additive to enable the additive option, which appends the community value to existing communities. Metric - The matching traffic is routed to the path with the specified metric value.

10. Select the + icon to add more matching rules for the filter. Repeat the procedure to create more BGP filters. The configured filters are displayed in the Filter List area.
    Note: The maximum number of supported BGPv4 Match/Set rules is 512 (256 inbound, 256 outbound). Exceeding 512 total Match/Set rules is not supported and may cause performance issues, resulting in disruptions to the enterprise network.
11. Scroll down to Neighbors and select +Add.

    

12. Configure the following settings for the IPv4 addressing type:

    Table 25. Neighbours Option Descriptions

    Option	Description
    Neighbor IP	Enter the IPv4 address of the BGP neighbor
    ASN	Enter the ASN of the neighbor
    Inbound Filter	Select an Inbound filer from the drop-down list
    Outbound Filter	Select an Outbound filer from the drop-down list

    Note:

    When overriding and configuring BGP neighbors at the Edge level, any Profile-level filters associated with the neighbors will be removed when you switch the Edge from one profile to another. So at the Edge level, you must make sure to re-associate the filters with the BGP neighbors after switching the Edge profile.

    Additional Options – Select the View all to configure the following additional settings:

    Table 26. Additional Options

    Option	Description
    Max-hop	Enter the number of maximum hops to enable multi-hop for the BGP peers. The range is from 1 to 255 and the default value is 1. This field is available only for eBGP neighbors, when the local ASN and the neighboring ASN are different. With iBGP, when both ASNs are the same, multi-hop is inherent by default and this field is not configurable.
    Local IP	Local IP address is the equivalent of a loopback IP address. Enter an IP address that the BGP neighborships can use as the source IP address forth outgoing packets. If you do not enter any value, the IP address of the physical Interface is used as the source IP address. For eBGP, this field is available only when Max- hop count is more than 1. For iBGP, it is always available as iBGP is inherently multi-hop.
    Uplink	Used to flag the neighbor type to Uplink. Select this flag option if it is used as the WAN overlay towards MPLS. It will be used as the flag to determine whether the site will become a transit site (e.g. SD-WAN Hub), by propagating routes leant over a SD-WAN overlay to a WAN link toward MPLS. If you need to make it a transit site, also check "Overlay Prefix Over Uplink" in the Advanced Settings area.
    Allow AS	Select the check box to allow the BGP routes to be received and processed even if the Edge detects its own ASN in the AS-Path.
    Default Route	The Default Route adds a network statement in the BGP configuration to advertise the default route to the neighbor.
    Enable BFD	Enables subscription to existing BFD session for the BGP neighbor.
    Keep Alive	Enter the keep alive timer in seconds, which is the duration between the keep alive messages that are sent to the peer. The range is from 0 to 65535 seconds. The default value is 60 seconds.
    Hold Timer	Enter the hold timer in seconds. When the keep alive message is not received for the specified time, the peer is considered as down. The range is from 0 to 65535 seconds. The default value is 180 seconds.
    Connect	Enter the time interval to try a new TCP connection with the peer if it detects the TCP session is not passive. The default value is 120 seconds.
    MD5 Auth	Select the check box to enable BGP MD5 authentication. This option is used in a legacy network or federal network, and it is common that BGP MD5 is used as a security guard for BGP peering.
    MD5 Password	Enter a password for MD5 authentication. Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.

13. Select the + to add more BGP neighbors. Over Multi-hop BGP, the system might learn routes that require recursive lookup. These routes have a next-hop IP which is not in a connected subnet, and do not have a valid exit Interface. In this case, the routes must have the next-hop IP resolved using another route in the routing table that has an exit Interface. When there is traffic for destination that needs these routes to be looked up, routes requiring recursive lookup resolves to a connected Next Hop IP address and Interface. Until the recursive resolution happens, the recursive routes point to an intermediate Interface.
    For more information about Multi-hop BGP Routes, see the Remote Diagnostic Tests on Edges section in the VeloCloud SD-WAN Troubleshooting Guide.
14. Navigate to Advanced Settings and select the down arrow to open the Advanced Settings section.

    

15. Configure the following advanced settings and globally apply them to all the BGP neighbors with IPv4 addresses.

    Table 27. Advanced Settings Option Descriptions

    Option	Description
    Overlay Prefix	Select the check box to redistribute the prefixes learned from the overlay. For example, when a Spoke is connected to primary and secondary Hub or Hub Cluster, the Spoke's subnets are redistributed by primary and secondary Hub or Hub Cluster to their neighbor with metric (MED) 33 and 34 respectively. You must configure "bgp always-compare-med" in the neighbor router for symmetric routing.
    Turn off AS-Path carry over	By default, this should be left unchecked. Select the check box to deactivate AS-PATH Carry Over. In certain topologies, deactivating AS-PATH Carry Over will influence the outbound AS-PATH to make the L3 routers prefer a path towards an Edge or a Hub. Warning:When the AS-PATH Carry Over is deactivated, tune your network to avoid routing loops.
    Connected Routes	Select the check box to redistribute all the connected Interface subnets.
    OSPF	Select the check box to enable OSPF redistribute into BGP.
    Set Metric	When you enable OSPF, enter the BGP metric for the redistributed OSPF routes. The default value is 20.
    Default Route	Select the check box to redistribute the default route only when Edge learns the BGP routes through overlay or underlay. When you select the Default Route option, the Advertise option is available as Conditional.
    Overlay Prefixes over Uplink	Select the check box to propagate routes learned from overlay to the neighbor with uplink flag.
    Networks	Enter the network address in IPv4 format that BGP will be advertising to the peers. Select the plus + icon to add more network addresses.

    When you enable the Default Route option, the BGP routes are advertised based on the Default Route selection globally and per BGP neighbor.

    Table 28. Default Route Advertising Options

    Default Route Selection		Advertising Options
    Global	Per BGP Neighbor
    Yes	Yes	The per BGP neighbor configuration overrides the global configuration and hence default route is always advertised to the BGP peer.
    Yes	No	BGP redistributes the default route to its neighbor only when the Edge learns an explicit default route through the overlay or underlay network.
    No	Yes	Default route is always advertised to the BGP peer.
    No	No	The default route is not advertised to the BGP peer.

16. Select the IPv6 tab to configure the BGP settings for IPv6 addresses. Enter a valid IPv6 address of the BGP neighbor in the Neighbor IP field.
    The BGP peer for IPv6 supports the following address format:

    • Global unicast address (2001:CAFE:0:2::1)
    • Unique Local address (FD00::1234:BEFF:ACE:E0A4)
17. Configure the other settings as required.
    Note: The Local IP address configuration is not available for IPv6 address type.
18. Select Advanced to configure the following advanced settings, which are globally applied to all the BGP neighbors with IPv6 addresses.

    Table 29. Advanced Option Descriptions

    Option	Description
    Connected Routes	Select the check box to redistribute all the connected Interface subnets.
    Default Route	Select the check box to redistribute the default route only when Edge learns the BGP routes through overlay or underlay. When you select the Default Route option, the Advertise option is available as Conditional.
    Networks	Enter the network address in IPv6 format that BGP will be advertising to the peers. Select the Plus (+) Icon to add more network addresses.

    The Route Summarization feature is available in the 5.2 release, for an overview and use case of this functionality, see Route Summarization. For configuration details, follow the steps 19 to 24.
19. Select +Add in the Route Summarization area. A new row is added to the Route Summarization area.

    

20. Under the Subnet column, enter the network range that you want to summarize in the A.B.C.D/M format and the IP subnet.
21. Under the AS Set column, select Yes if applicable.
22. Under the Summary Only column, select the Yes check box to allow only the summarized route to be sent.
23. Add additional routes, if necessary, by selecting +Add. To Clone or Delete a Route Summarization, use the appropriate buttons, located next to +Add. The BGP Settings section displays the BGP configuration settings.
24. Select Save Changes when complete to save the configuration.
    Note: When you configure BGP settings for a profile, the configuration settings are automatically applied to the SD-WAN Edges associated with the profile.

Equal Cost Multi Path (ECMP) allows traffic with the same source and destination across multiple paths of Equal cost.

In large branches, connections with high throughput often requires supporting multiple 1G and 10G interfaces. Customers can use multiple interfaces for their LAN network to maximize throughput and resilience. These paths can be routed using BGP, OSPF, or static routing.

Note: All the paths would be utilized with scale number of flows.

Before you begin, ensure that you enable DCC at the enterprise level before configuring ECMP.

To configure ECMP for Profiles, perform the following steps:

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
2. Select a Profile to configure the ECMP.
3. Configure the following settings in the ECMP section:

   Table 30. ECMP Options

   Option	Description
   Connectivity	In Connectivity, you can either choose Interface or NSD or both parameters. If the interface option is selected, ECMP will be enabled for LAN interfaces. Upon selecting NSD, the ECMP functionality will be activated on the NSD side.
   Maximum Paths	Maximum number of paths used for load balancing. Paths must be in the range of 2 to 4 All the paths would be utilized with scale number of flows
   Load Balancing	Hash Load Based Load Sharing Parameters takes input parameters from 5-tuple (Source IP, Destination IP, Source Port, Destination Port and Protocol). These inputs can be any or all or any subset of this tuple based on user configuration. Flow is mapped to the path based on hash value with selected inputs. By default, 5-tuple parameters are selected, but you can choose any number of parameters based on your requirement. Effectiveness of load balancing increases with increased number of flows. All the configured static routes install in FIB, but only first n (based on ECMP max path) routes will be selected for load balancing.

   ECMP is supported in all the modes Active/Active, Active/Hotstandby, Active/Standby with only the Active tunnels used for load balancing.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
   The Profiles page displays the existing Profiles.
2. Select the link to a Profile or select the View link in the Device column of the Profile.
   The Device tab displays the configuration options for the selected Profile.
3. Under Telemetry, go to the Visibility Mode area and select one of the following:
   • Visibility by MAC address
   • Visibility by IP address

   

   Note the following when choosing a Visibility mode:

   • If Visibility by MAC address is selected:
     • Clients are behind L2 SW
     • Client MAC, IP and Hostname (if applicable) will appear
     • Stats are collected based on MAC
   • If Visibility by IP address is selected:
     • Clients are behind L3 SW
     • SW MAC, Client IP and Hostname (if applicable) will appear
     • Stats are collected based on IP

   Note: Changes to Visibility mode are non-disruptive.
4. Select Save Changes.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
2. Select a profile for which you want to configure the SNMP settings, and then select the View link under the Device column.
3. Scroll down to the Telemetry area, and then expand SNMP.
4. You can select either Enable Version 2c or Enable Version 3, or both SNMP version check boxes.

   

5. Select Enable Version 2c check box to configure the following fields:

   Table 31. Enable Version 2c Options

   Option	Description
   Port	Type the port number in the textbox. The default value is 161.
   Community	Select Add to add any number of communities. Type a word or sequence of numbers as a password, to allow you to access the SNMP agent. The password may include alphabet A-Z, a-z, numbers 0-9, and special characters (e.g. &, $, #, %). Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page. You can delete or clone a selected community.
   Allow Any IPs	Select this check box to allow any IP address to access the SNMP agent. To restrict access to the SNMP agent, deselect the check box, and then add the IP address(es) that must have access to the SNMP agent. You can delete or clone a selected IP address.

6. Selecting the Enable Version 3 check box provides additional security. Select Add to configure the following fields:

   Table 32. Enable Version 3 Options

   Option	Description
   Name	Type an appropriate username.
   Enable Authentication	Select this check box to add extra security to the packet transfer.
   Authentication Algorithm	Select an algorithm from the drop-down menu: MD5 SHA1 SHA2 Note: This option is available only for the SNMP version 5.8 or above. Note: This field is available only when the Enable Authentication check box is selected.
   Password	Type an appropriate password. Ensure that the Privacy Password is same as the Authentication Password configured on the Edge. Note: This field is available only when the Enable Authentication check box is selected. Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
   Enable Privacy	Select this check box to encrypt the packet transfer.
   Algorithm	Choose a privacy algorithm from the drop-down menu: DES AES Note: Algorithm AES indicates AES-128. Note: This field is available only when the Enable Privacy check box is selected.

   Note: You can delete or clone the selected entry.

1. In the SD-WAN service of the Enterprise portal, select Configure > Profiles .
   The Profiles page displays the existing Profiles.
2. To configure a Profile, select the link to the Profile or select the View link in the Device column of the Profile.
   The configuration options are displayed in the Device tab.
3. From the Configure Segment drop-down menu, select a profile segment to configure Syslog settings. By default, Global Segment [Regular] is selected.
4. Under Telemetry, go to the Syslog area and configure the following details:

   

   1. From the Facility drop-down menu, select a Syslog standard value that maps to how your Syslog server uses the facility field to manage messages for all the events from Edge. The allowed values are from local0 through local7.
      Note: The Facility field is configurable only for the Global Segment, irrespective of the Syslog settings for the Profile. The other segments inherit the facility code value from the Global segment.
   2. Select the Enable Syslog check box.
   3. Select the + ADD button and configure the following details:

      Table 33. Syslog Settings Options

      Option	Description
      IP	Enter the destination IP address of the Syslog collector.
      Protocol	Select either TCP or UDP as the Syslog protocol from the drop-down menu.
      Port	Enter the port number of the Syslog collector. The default value is 514.
      Source Interface	As Edge interfaces are not available at the Profile level, the Source Interface field is set to Auto. The Edge automatically selects an interface with 'Advertise' field set as the source interface.
      Roles	Select one of the following: EDGE EVENT FIREWALL EVENT EDGE AND FIREWALL EVENT
      Syslog Level	Select the Syslog severity level that needs to be configured. For example, If CRITICAL is configured, the Edge sends all the events which are set as either critical or alert or emergency. The allowed Syslog severity levels are: EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG Note: By default, firewall event logs are forwarded with Syslog severity level INFO.
      Tag	Optionally, enter a tag for the syslog. The Syslog tag can be used to differentiate the various types of events at the Syslog Collector. The maximum allowed character length is 32, delimited by period.
      All Segments	When configuring a Syslog collector with FIREWALL EVENT or EDGE AND FIREWALL EVENT role, select the All Segments check box if you want the Syslog collector to receive firewall logs from all the segments. If the check box is not selected, the Syslog collector receives firewall logs only from that particular Segment in which the collector is configured. Note: When the role is EDGE EVENT, the Syslog collector configured in any segment receives Edge event logs by default.

5. Select the + ADD button to add another Syslog collector or else select Save Changes. The remote syslog collector is configured in the Orchestrator.
   Note:

   • You can configure a maximum of two Syslog collectors per segment and 10 Syslog collectors per Edge. When the number of configured collectors reaches the maximum allowable limit, the + button is deactivated.
   • Based on the selected role, the Edge exports the corresponding logs in the specified severity level to the remote syslog collector. If you want the Orchestrator auto-generated local events to be received at the Syslog collector, you must configure Syslog at the Orchestrator level by using log.syslog.backend and log.syslog.upload system properties.

   To understand the format of a Syslog message for Firewall logs, see Syslog Message Format for Firewall Logs.

Orchestrator allows you to activate Syslog Forwarding feature at the Profile and the Edge level. On the Firewall page of the Profile configuration, activate the Syslog Forwarding button if you want to forward firewall logs originating from the Enterprise Edge to configured Syslog collectors.

Note: By default, the Syslog Forwarding button is available on the Firewall page of the Profile or Edge configuration, but is deactivated.

For more information about Firewall settings at the Profile level, see Configure Profile Firewall.

Secure Syslog Forwarding Support

The 5.0 release supports secure syslog forwarding capability. Ensuring security of syslog forwarding is required for federal certifications and is necessary to meet the Edge hardening requirements of large Enterprises. The secure syslog forwarding process begins with having a TLS capable syslog server. Currently, the Orchestrator allows forwarding logs to a syslog server that has TLS support. The 5.0 release allows the Orchestrator to control the syslog forwarding and conducts default security checking such as hierarchical PKI verification, CRL validation, etc. Moreover, it also allows customizing the security of forwarding by defining supported cipher suites, not allowing self-signed certificates, etc.

Another aspect of secure syslog forwarding is how revocation information is collected or integrated. The Orchestrator can now allow revocation information input from an Operator that can be fetched manually or through an external process. The Orchestrator picks up that CRL information and uses it to verify the security of forwarding before all connections are established. In addition, the Orchestrator fetches that CRL information regularly and uses it when validating the connection.

System Properties

Secure syslog forwarding begins with configuring the Orchestrator syslog forwarding parameters to allow it to connect with a syslog server. To do so, the Orchestrator accepts a JSON formatted string to accomplish the following configuration parameters, which is configured in System Properties.

The following system properties can be configured, as shown in the list below and the image below:

• log.syslog.backend: Backend service syslog integration configuration
• log.syslog.portal: Portal service syslog integration configuration
• log.syslog.upload: Upload service syslog integration configuration

When configuring system properties, the following Secure Syslog Configuration JSON string can be used.

• config <Object>
  • enable: <true> <false> Activate or Deactivate Syslog forwarding. Please note that this parameter controls overall syslog forwarding even if secure forwarding is activated.
  • options <Object>
    • host: <string> The host running syslog, defaults to localhost.
    • port: <number> The port on the host that syslog is running on, defaults to syslogd's default port.
    • protocol: <string> tcp4, udp4, tls4. Note: (tls4 allows secure syslog forwarding with default settings. To configure it please see the following secure Options object
    • pid: <number> PID of the process that log messages are coming from (Default process.pid).
    • localhost: <string> Host to indicate that log messages are coming from (Default: localhost).
    • app_name: <string> The name of the application (node-portal, node-backend, etc) (Default: process.title).
  • secureOptions <Object>
    • disableServerIdentityCheck: <boolean> Optionally skipping SAN check while validating, i.e. can be used if the server's certification does not have a SAN for self-signed certificates. Default false.
    • fetchCRLEnabled: <boolean> If not false,Orchestrator fetches CRL information which is embedded into provided CAs. Default: true
    • rejectUnauthorized: <boolean> If not false, the Orchestrator applies hierarchical PKI validation against the list of supplied CAs. Default: true. (This is mostly required for testing purposes. Please do not use it in production.)
    • caCertificate: <string>Orchestrator can accept a string that contain PEM formatted certificates to optionally override the trusted CA certificates (can contain multiple CRLs in openssl friendly concatenated form). Default is to trust the well-known CAs curated by Mozilla. This option can be used for allowing to accept a local CA that is governed by the entity. For instance, for On-prem customers who have their own CAs and PKIs.
    • crlPem:<string>Orchestrator can accept a string that contain PEM formatted CRLs (can contain multiple CRLs in openssl friendly concatenated form). This option can be used for allowing to accept a local kept CRLs. If fetchCRLEnabled is set true, the Orchestrator combines this information with fetched CRLs. This is mostly required for a specific scenario where certificates do not have CRLDistribution point information in it.
    • crlDistributionPoints: <Array> The Orchestrator can optionally accept an array CRL distribution points URI in "http" protocol. The Orchestrator does not accept any "https" URI
    • crlPollIntervalMinutes: <number> if fetchCRLEnabled is not set false, the Orchestrator polls CRLs every 12 hours. However, this parameter can optionally override this default behavior and update CRL according to provided number.

Configuring Secure Syslog Forwarding Example

The Orchestrator has the following system property options to arrange described parameters to allow secure syslog forwarding.

Note: The example below should be modified according to the trust of chain structure.

{"enable": true,"options": {"appName": "node-portal","protocol":
"tls","port": 8000,"host": "host.docker.internal","localhost":
"localhost"},"secureOptions": {"caCertificate": "-----BEGIN
CERTIFICATE-----MIID6TCCAtGgAwIBAgIUaauyk0AJ1ZK/U10OXl0GPGXxahQwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQHDAZ2bXdhcmUxDzANBgNVBAoMBnZtd2FyZTEPMA0GA1UECwwGdm13YXJlMREwDwYDVQQDDAhyb290Q2VydDAgFw0yMTA5MjgxOTMzMjVaGA8yMDczMTAwNTE5MzMyNVowYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQHDAZ2bXdhcmUxDzANBgNVBAoMBnZtd2FyZTEPMA0GA1UECwwGdm13YXJlMREwDwYDVQQDDAhyb290Q2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwG+Xyp5wnoTDxpRRUmE63DUnaJcAIMVABm0xKoBEbOKoW0rnl3nFu3l0u6FZzfq+HBJwnOtrBO0lf/sges2/QeUduCeBC/bqs5VzIRQdNaFXVtundWU+7Tn0ZDKXv4aRC0vsvjejU0H7DCXLg4yGF4KbM6f0gVBgj4iFyIjcy4+aMsvYufDV518RRB3MIHuLdyQXIe253fVSBHA5NCn9NGEF1e6Nxt3hbzy3Xe4TwGDQfpXx7sRt9tNbnxemJ8A2ou8XzxHPc44G4O0eN/DGIwkP1GZpKcihFFMMxMlzAvotNqE25gxN/O04/JP7jfQDhqKrLKwmnAmgH9SqvV0F8CAwEAAaOBmDCBlTAdBgNVHQ4EFgQUSpavxf80w/I3bdLzubsFZnwzpcMwHwYDVR0jBBgwFoAUSpavxf80w/I3bdLzubsFZnwzpcMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2xvY2FsaG9zdDo1NDgzL2NybFJvb3QucGVtMA0GCSqGSIb3DQEBCwUAA4IBAQBrYkmg+4x2FrC4W8eU0S62DVrsCtA26wKTVDtor8QAvi2sPGKNlv1nu3F2AOTBXIY+9QV/Zvg9oKunRy917BEVx8sBuwrHW9IvbThVk+NtT/5fxFQwCjO9l7/DiEkCRTsrY4WEy8AW1CcaBwEscFXXgliwWLYMpkFxsNBTrUIUfpIR0Wiogdtc+ccYWDSSPomWZHUmgumWIikLue9/sOvV9eWy56fZnQNBrOf5wUs0suJyLhi0hhFOAMdEJuL4WnYthX5d+ifNon8ylXGO6cOzXoA0DlvSmAS+NOEekFo6R1Arrws0/nk6otGH/Be5+/WXFmp0nzT5cwnspbpA1seO-----END
CERTIFICATE-----","disableServerIdentityCheck":
true,"fetchCRLEnabled":true,"rejectUnauthorized":
true,"crlDistributionPoints":
http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt

To configure syslog forwarding, see the following JSON object as an example image:

If the configuration is successful, the Orchestrator produces the following log and begins forwarding:

[portal:watch] 2021-10-19T20:08:47.150Z - info: [process.logger.163467409.0] [660] Remote Log has been successfully configured for the following options {"appName":"node-portal","protocol":"tls","port":8000,"host":"host.docker.internal","localhost":"localhost"}

Secure Syslog Forwarding in FIPS Mode

When FIPS mode is activated for secure syslog forwarding, the connection is rejected if the syslog server does not offer the following cipher suites: "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256." Also, independent from the FIPS mode, if the syslog server certificate does not have an extended key usage field that sets "ServerAuth" attribute, the connection is rejected.

Constant CRL Information Fetching

If fetchCRLEnabled is not set to false, the Orchestrator regularly updates the CRL information every 12 hours via the backend job mechanism. The fetched CRL information is stored in the corresponding system property titled, log.syslog.lastFetchedCRL.{serverName}. This CRL information is checked in every connection attempt to the syslog server. If an error occurs during the fetching, the Orchestrator generates an Operator event.

If the fetchCRLEnabled is set to true, there are three additional system properties to follow the status of the CRL, as follows: log.syslog.lastFetchedCRL.backend, log.syslog.lastFetchedCRL.portal, log.syslog.lastFetchedCRL.upload, as shown in the image below. This information displays the last update time of the CRL and CRL information.

Logging

If the option fetchCRLEnabled is set true, the Orchestrator tries to fetch the CRLs. If an error occurs, the Orchestrator raises an event and displays on the Operator Events page.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
   The Profiles page displays the existing Profiles.
2. Select the link to a Profile or select the View link in the Device column of the Profile. You can also select a Profile and select Modify to configure the Profile.
   The Device tab displays the configuration options for the selected Profile.
3. From the Segment drop-down menu, select a profile segment to configure NetFlow settings.
4. Scroll down to the Telemetry category and select the NetFlow Settings area to configure NetFlow details.

   

   1. Select the Activate NetFlow check box.
      Note: The Orchestrator supports IP Flow Information Export (IPFIX) protocol version 10.
   2. From the Collector drop-down menu, select an existing NetFlow collector to export IPFIX information directly from Edge, or select + New Collector to configure a new NetFlow collector. For more information about how to add a new collector, see Configure Netflow Settings.
      Note: You can configure a maximum of two collectors per segment and eight collectors per profile by selecting the + ADD button. When the number of configured collectors reaches the maximum allowable limit, the + ADD button will be deactivated.
      Note: NetFlow version 10 is the only supported version.
   3. From the Filter drop-down menu, select an existing NetFlow filter for the traffic flows from Edge, or select + New Filter to configure a new NetFlow filter. For more information about how to add a new filter, see Configure Netflow Settings.
      Note: You can configure a maximum of 16 filters per collector by selecting the + button. However, the 'Allow All' filtering rule is added implicitly at the end of the defined filter list, per collector.
   4. Select the Allow All check box corresponding to a collector to allow all segment flows to that collector.
5. Under Intervals, configure the following NetFlow export intervals:
   • Flow Stats - Export interval for flow stats template, which exports flow statistics to the collector. By default, NetFlow records of this template are exported every 60 seconds. The allowable export interval range is from 60 seconds to 300 seconds.
   • FlowLink Stats - Export interval for flow link stats template, which exports flow statistics per link to the collector. By default, NetFlow records of this template are exported every 60 seconds. The allowable export interval range is from 60 seconds to 300 seconds.
   • Segment Table - Export interval for Segment option template, which exports segment related information to collector. The default export interval is 300 seconds. The allowable export interval range is from 60 seconds to 300 seconds.
   • Application Table - Export interval for Application option template, which exports application information to the collector. The default export interval is 300 seconds. The allowable export interval range is from 60 seconds to 300 seconds.
   • Interface Table - Export interval for Interface option template, which exports interface information to collector. The default export interval is 300 seconds. The allowable export interval range is from 60 seconds to 300 seconds.
   • Link Table - Export interval for Link option template, which exports link information to the collector. The default export interval is 300 seconds. The allowable export interval range is from 60 seconds to 300 seconds.
   • Tunnel Stats - Export interval for tunnel stats template. By default, the statistics of the active tunnels in the edge are exported every 60 seconds. The allowable export interval range is from 60 seconds to 300 seconds.
   In an Enterprise, you can configure the NetFlow intervals for each template only on the Global segment. The configured NetFlow export interval is applicable for all collectors of all segments on an Edge. For more information on IPFIX templates, see IPFIX Templates.
6. Select Save Changes.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
   The Profiles page displays the existing Profiles.
2. Select the link to a Profile or select the View link in the Device column of the Profile for which you want to configure the Authentication Settings.
   The Device tab displays the configuration options for the selected Profile.
3. Scroll down to the Edge Services category and select Authentication.

   

4. From the RADIUS Server drop-down menu, select the Radius server that you want to use for authentication.
   Note: All the Radius servers that are already configured using the Authentication Services feature in the Network Services page appears in the RADIUS Server drop-down menu. Alternatively, you can configure a new authentication service by selecting the New Radius Service button. For instructions about how to configure Authentication Services, see Configuring Authentication Services.
5. Select Save Changes.

The Network Time Protocol (NTP) provides the mechanisms to synchronize time and coordinate time distribution in a large, diverse network. Arista VeloCloud recommends using NTP to synchronize the system clocks of Edges and other network devices.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles .
   The Profiles page displays the existing Profiles.
2. Select the link to a Profile or click the View link in the Device column of the Profile for which you want to configure the NTP Settings.
   The Device tab displays the configuration options for the selected Profile.
3. Configure the Edge's own time sources by defining Private NTP Servers. These servers could be either known time sources within your own network, or well-known time servers on the Public Internet, if they are reachable from the Edge. To define Private NTP Servers:
   1. Scroll down to the Edge Services category and go to the NTP area.

      

   2. Select the Private NTP Servers check box.
   3. In the Servers area, click +Add and enter the IP address of your Private NTP Server. If DNS is configured, you can use a domain name instead of an IP address. To configure another NTP Server, click the +Add button again.
      It is strongly recommended to add two or three servers to increase availability and accuracy of time setting. If you do not set Private NTP Servers, the Edge attempts to set its time from a default set of public NTP Servers, but that is not guaranteed to work, especially if the Edge cannot communicate to servers on the public Internet.
      Note: Orchestrator allows you to activate the Edge to act as an NTP Server to its clients, only if you have defined Private NTP Servers.
      As Edge interfaces are not available at the Profile level, the Source Interface field is set to Auto. The Edge automatically selects an interface with 'Advertise' field set as the source interface.
4. Once you have defined Private NTP Servers, Orchestrator allows you to configure the Edge to act as an NTP Server for its clients:
   1. Select the Edge as NTP Server check box. You can select the check box only if you have activated at least one Private NTP Server.
   2. Choose the type of NTP Authentication as either None or MD5.
   3. If you choose MD5, then you must configure the NTP authentication key value pair details by clicking the +Add button under the Keys area.
5. Select Save Changes. The NTP configuration settings are applied to the selected profile.

   At the Edge-level, you can override the NTP settings for specific Edges. For more information, see Configure NTP Settings for Edges.