Portal Overview

One important change in the SD WAN Portal is the requirement for each user: if they need to add or change a policy, they MUST lock the site by pressing the Edit Site button. This ensures that no other user can edit that site while changes are being made.

Once the Edit Site button has been selected, the user will be notified the site is locked, as shown below:

All Policy or Rule change functions, such as “Add Rule” or Edit Static Routes become available, for example.

Any Traffic management policy, IP QoS, NetFlow or Firewall rules can be copied between sites of the same WAN and LAN configuration. The feature is available from the SD WAN Network page and is located at the bottom of the main view page as shown below. The bulk copy shows a history of the bulk copies and the details of each transaction can be viewed by clicking the view details button.

Bulk copies of rules can be created by selecting “+ New Process” button, note the site edit or locking does not need to be done for adding new Bulk Copy transactions. The adding a New Process starts the creation process by opening the following screen where the source of the rules can be selected. The type of rules available at the originating site are: traffic steering, Internet steering or Optimization, NetFlow, and for firewall the basic access control or advanced firewall including NAT, DDoS and IP QoS.

Follow the process as shown on the left hand view screen, note that this will vary in the number of steps, as each site may have different combinations of Firewall, Policy and DDOS features enabled. The Originating and Terminating sites can be entered manually. The destination sites need to manually be selected by using the check box.

To edit the parameters, select an existing steering policy and the details will become visible with the options to edit or duplicate the policy. Note to enable editing of rules a user must first use the “Edit Site” button to lock the site from being changed by other users.

If you select edit, a new window will appear to allow the parameters selected for the policy to be edited.

All Source and Destination IP fields can now be entered as a list of IPs, they don’t need to be added one by one. This changes what applied to all the Source IP and Destination IP fields in through the portal

New traffic steering rules can be created by selecting the ‘Add New Policy Rule’ button on the top left of the Policy page which will open the screen as above when you edit pre-existing rules. The create policy allows the creation of traffic steering rules of type:

Traffic steering matches an IP address from a VPN to an application or IP protocol/port combination. It then allows that specific traffic to be routed in a priority interface list, overriding the default traffic load balancing behaviour of the SD WAN service. Traffic steering is applied to sites with more than one available WAN link. The metrics provide thresholds that trigger traffic to be steered to the next WAN link in the priority list. There is an option to ‘Avoid’ certain WAN links for specific traffic steering rules.

To create rules, you need as a minimum the following fields:

If Protocol ‘Any’ is selected and no IP address or port numbers specified, all traffic from that VPN will be steered using the Interface priority list and metrics

Multiple source and destination IP address can be created to match in a single steering rule by using the ‘add +’ buttons.

Local Internet Breakout (LIB) traffic is routed based on IP route options defined outside of the scope of the SD WAN Portal.

Multiple metrics can be applied to each new rule be adding a Metric using Add option underneath each metric.

The ‘Evaluate Continuously’ option will be visible for all types of devices for which policy is enabled. The option allows the SD WAN path SLA or metric to be monitored and tested periodically if Evaluate Continuously is not selected (the default setting) or continuously if it is selected. This is recommended for VoIP or applications with media codecs.

You can view and roll back past changes to policy configurations by selecting history button to view the log of policy changes. Selecting a policy log will display the list of steering policies captured before the policy as changed. These policies can be enabled by selecting the save changes button.

Optimum Path Selection is a non-chargeable feature that provides the best path selection between all available paths when a 10% variance in performance is reached. This is a variation to the standard SD WAN traffic Steering rules where the path selection for traffic is based on circuit priorities and/or SLA thresholds instead of performance. Optimum Path Selection can steer traffic automatically based one or several metric(s), for example lowest latency, lowest packet loss or lowest delay variation. Dynamic path selection can be selected from the same page in the portal as standard SD WAN steering rules.

Configuring of Optimum Path Selection has a number of dependencies:

To select Optimum Path Selection, the user navigates to the Steering Policies page, found under the Policy tab as shown below:

Once the user locks the site to enable editing, then a new rule can be added by pressing the '+ Add new rule' button. The user can then select 'SDWAN' at the top of the steering window as shown below:

At the bottom of the 'Add New SDWAN Steering Rule' window the user is able to set the Best Path selection as shown below:

There are a variety of combination possibilities best path selections and using this capability with or without more deterministic steering rules. We will explain this below including the main example use cases, starting with the detail of the Dynamic Path Selection configuration parameters.

Explanation of new configuration parameters:

As mentioned, in addition to this functionality for traffic selection, existing options that we provide for SD WAN traffic Steering Rules are still available. These are:

For implementation of Optimum path selection there are 4 use cases:

USE CASE 1: Best Path Only (Simple Case)

USE CASE 2: Best Path with circuit priorities

USE CASE 3: Best Path with SLA thresholds

USE CASE 4: Best Path with circuit priorities and SLA thresholds

Traffic optimization uses FEC (Forward Error Correction) and Packet Replication combined with the option for traffic steering of specific applications with and without metrics. Below are short descriptions of FEC and Packet Replication for background information.

Traffic optimization provides an ability to enable the following services with and without traffic steering:

The basic setting allows customers to do the following:

A full list of the traffic steering and shaping combinations are shown in the Appendix under WAN Optimization rules.

Always enable FEC and Packet Replication:

Enable FEC or Packet Replication when the Packet Loss threshold has been reached:

Packet steering when FEC or Packet Replication is always on:

The Packet Loss metric allows you to set the % of packet loss by entering a specific value. This metric measures the percentage of lost packets in a network.

Traffic steering when FEC and Packet Replication is always on but no metric set:

Traffic steering also allows the option to ‘avoid’ interfaces in the priority list. This is used to ensure traffic does not utilize WAN connection that don’t have the characteristics or bandwidth to support the underlying services.

As mentioned above, local internet breakout can be specified for each VRF/VPN. The default configuration for sites with multiple internet WAN connections is load sharing, where all local interfaces are set to the same priority. The list of Local WAN interfaces is provisioned at the time the site is implemented. It is possible to disable specific interfaces or modify the priority order for outbound traffic utilization. The process for chaning can be shown below.

In addition to local Internet breakout, the Customer will have the option of selecting central internet breakout. There are 3 options for Customer dedicated Central Internet gateway:

For SDWAN sites enabled with Local Internet Breakout, Internet traffic will be routed over local Internet WAN uplink. In case of LIB failure, traffic will be routed route over central internet gateway.

In case of Internet link failure, Internet traffic from SDWAN branch sites to Customer Internet gateway will be over SDWAN overlay on MPLS from branch to gateway for hybrid sites.

For MPLS only sites, Internet will be accessible through Internet gateway sites.

A customer will have Central Internet Breakout configured at a network level as opposed to on a site level. With Central Internet Breakout the customer no longer requires any particular site to have a local Internet connection to break out to the Internet. Steering is configured on the Internet Traffic Steering tab as shown below.

Internet Break out options have been introduced to allow SDWAN Portal users to do the following on a per site bases:

Internet Breakout is provided through the Internet WAN interfaces. By default, the customer will have at least one Internet interface enabled and set with a priority of 1 for local internet services, including cloud lookup, as shown below:

By default those customers who have multiple Internet WAN connections on the same site will have all enabled for local internet in Active/Active configuration for outbound traffic. A customer can choose to change to a ordered list of breakouts by changing the priority assigned to each.

Internet Traffic Steering provides the ability to view, edit, add and delete application based traffic steering rules per site. New rules can be added as shown below:

The options allow selection of the application by VPN and the creation of a ordered priority list for internet breakout traffic only. The list of available outbound interfaces will be Central Internet Breakout Gateway or local internet interface at that site.

A list of gateways that are linked to each branch site can be viewed from the Device page.

See below the dialogue box for adding a new internet traffic steering rule:

List view of internet traffic steering rules:

IP QoS Management has two aspects to the feature:

The basic IP QoS configuration allows Colt’s traffic class (Premium, Business 1, Business 2, Business 3) to be forwarding class that matches the IP VPN QoS policy. Application QoS provides session based QoS policy that include the IP Flow policies.

The feature is part of Policy or traffic steering menu options and a sub-menu is available as shown below where IP QoS policies can be viewed, edited, duplicated and set in priority order. The SDWAN service has 4 predefined forwarding classes: Premium, Business 1, Business 2 and Business 3. IP DSCP values are mapped to each class. In addition, each class has a fixed number of queues, queue depth and guaranteed transmit which are not configurable.

There is View QoS configuration which allows the view of the forwarding class configuration, including the DSCP assignment to each class, associated queues, guaranted bandwidth allocation and guaranteed transmit. The view shows the following:

The process to add or edit a rule uses the same screens and parameters. To add a new rule, select the “Add New rule” button. The rule can be created with the following options:

The App QoS allows mapping per application session for IP QoS parameters to be applied to a specifc VPN or LAN VRF (needs high degree of expertise) or to apply to “Any” interface as that site. In the event the customer QoS profile mathes the Colt IP VPN profile no additional QoS policy are needed.

These IP QoS rules can be bulk copied using the Bulk Copy feature, see section here . In addition to Bulk copy the Command line console options now include snapshot views of the IP QoS class and queues, for more information see here.

In addition the Device page has an icon for each CPE that shows the command line output for:

Also, the analytics data has IP QoS interface Analytics, see here

Internet Egress is a new non-chargeable feature that allows the user to apply Quality of Service (QoS) on the egress (outgoing) traffic of Internet based links of the SDWAN CPE. In the past, QoS capabilities were limited to MPLS networks, providing priority queuing and traffic management exclusively for that type of connection. However, with this recent enhancement, the QoS functionality has been extended to include Internet underlays as well. This means that the user can now apply priority queuing and traffic shaping on Internet connections, allowing for control and prioritization of data traffic. In order to set up Internet Egress QoS, the user´s CPE should have at least one Internet uplink and the configurations listed below:

It is also important to note that the actual configuration impacts the SDWAN CPE and overlay only. Additionally, QoS on Internet links can be configured on the CPE for On-Net, OLO and Bring Your Own links (BYO). Internet Egress QoS, like MPLS QoS, allows traffic classes to be mapped as forwarding classes, effectively ensuring that critical applications or services receive the necessary bandwidth and priority, while less important or non-essential traffic is appropriately managed. The mapping is done as shown below:

For enabling Internet Egress QoS for the first time, the user needs to navigate to the Policy page and click on the QoS tab.

Then the user needs to activate the QoS classes they want and together with the activation of the classes, a new table will appear and the Interface QoS Status can be switched on/off.

In addition, the execution of QoS commands has now been moved from the Summary page to the Tools section under QoS.

Last, the display of Internet WAN QoS Logging will be in the Analytics tab, under Interface QoS Analytics. See picture below:

The following Use Cases, describe the scenarios where Internet Egress QoS can be applied:

Use Case 1: QoS Internet Site only Scenario 1: If at least one Internet uplink exists, the customer can configure QoS on Internet Egress. The necessary configurations/steps 1-6 are mentioned above. Scenario 2: If there are more than one Internet uplinks, the user can configure QoS on all available uplinks separately.

Use Case 2: QoS Hybrid Site Scenario 1: If there are MPLS and Internet uplinks, but no QoS enabled, the customer can configure the Internet QoS only, for MPLS configuration Colt SD need to configure. Scenario 2: If there are MPLS and Internet uplinks and QoS is enabled on MPLS, then the internet uplink will inherit the QoS attributes of the MPLS link, after enabling Internet QoS. Scenario 3: If there is a hybrid site with no QoS configured, the user will be able to configure Internet QoS only.

The Firewall Management provides users with the ability to create, view, edit and capture log files for IP and application traffic between LAN, WAN and DMZ zones. In addition, traffic rules can be created for Local Internet Breakout (LIB) or over the SD WAN overlay network. These rules can apply to traffic inbound and outbound to the LAN and DMZ.

Management of Firewall rules via the SD WAN Portal is dependent on user role and if the site has a Firewall enabled.

Not all rules are visible. Bespoke rules can be provisioned directly into the Versa Director due to specific customer requirements outside the current SD WAN product description. Bespoke rules can be made visible, but editing those roles isn’t possible by using the rule naming convention ‘COLT-’.

Not all sites will have the LIB and SD WAN Firewall enabled and will depend on the configuration and service requirements at each site.

On delivery there is a single unchangeable rule that denies all traffic from the LAN to the Internet. Rules can be added above it to allow or deny access to the internet, based on application, protocol, addresses and port numbers.

Pre-created, or existing rules can be enabled, disabled or deleted. Likewise logging can be enabled or disabled by slide buttons associated with each rule. Log files can be viewed as text or downloaded in CSV format files.

Existing rules can also be edited by selecting them and using the edit button.

After this first step you can add source and destination ports, as well as the IP addresses which the rule applies to, and then specify the action you would like to take upon that, either allowing, denying or rejecting traffic. If no addresses or ports are added the rule will apply to all for that protocol. Where addresses are added they must specify a subnet, e.g. 10.1.1.0/24. For a single rule multiple address ranges/subnet can be added with the ‘ADD +’ button. Ports can be added as a single port, e.g. 45000, or a range, e.g. 45000-50000.

Rules are applied after the “Add” button is clicked. There is a short period of time (a few seconds) before the rule is submitted and it take effect at the site.

You can always add new rules to apply by clicking on the ‘Add New Firewall Rule’ button or delete them by clicking on the trash bin.

You can change the priority of rules by dragging them holding the mouse left button and dropping them where required in the list off rules.

Rules can be duplicated using the duplicate icon as shown below.

You can revert to an older rule set by clicking the drop down in the top centre of page title ‘Current’ and select a version and click revert.

IPv6: There is the chance to verify IPv6 is present in Summary page under LAN and VRF’s section. User can enter an IPv6 address wherever IP address is allowed, except under Internet Traffic.

Click on ‘Add new Firewall (for SD WAN traffic only)’ / ‘Add new Policy’ to create a rule with IPv6 addresses.

Firewall rules can be created using the ‘Add new Firewall rule’ button. New rules can be created for Internet Inbound and Outbound traffic or SD WAN Inbound and Outbound traffic. Mandatory options for new Firewall rules require the following fields to be completed:

Specific match criteria for the rule can be added, otherwise the default behaviour will allow or deny any traffic from the selected VPN depending on the direction of the traffic. In general, the match traffic can be:

Once created, submitted, and committed, the Firewall rule logging is disabled by default. Firewall log rules can be enabled using the slide button option. Firewall log files can be viewed by selecting the “View Logs” icon for each rule, which displays a tabular view that can be downloaded as a CSV file.

Static/DNAT is available for Advanced Firewall services and for Internet inbound and outbound traffic. The NAT rules are viewed and configured through a separate menu of options as shown below. The NAT rules are for DNAT and Static NAT. Each option provides the ability to view, edit and add.

The decryption option allows rules for when decryption is and isn’t applied. This is only possible once a certificate has been created or uploaded. Users will be prompted to create a certificate if none are present.

It is worth noting that the following behaviours, that are outside the Colt´s control, might occur. Therefore please note the following:

There are two types of certificates which are supported in the SDWAN portal.

SSL decryption profile required certificate which can be generated in the customer CPE(FlexVNF) itself as self-signed certificate in SDWAN portal. Customer signed certificate has to be uploaded to the SD WAN portal to proceed with configuring SSL decryption policy in SDWAN portal.

Once certificates have been created decryption rules appear as for Local Internet and SDWAN as shown below. Rules can be enabled or disabled by slider as well as edited, duplicated and deleted once the site enabled for editing.

If a certificate is created, but no rules are added the default behaviour is that no decryption is performed.

Rules can be added to match source and Source/Destination IP addresses and Services and to Decrypt or No-Decrypt. These rules can be applied to Self-Signed or Customer Managed SSL certificates. In addition the rule can be for outbound or inbound and applied to a specific protocol.

On top of this, Predfined and User Defined URL Categories are available for the Decryption rule that applies a "No-Decrypt" action.

In addition, to control and filtering of valid certificates, those that are invalid can be managed by selecting an action: Allow, Alert or Block. These actions are by default disabled as shown in the screenshot below.

A customer can choose to generate self-signed certificates or upload their own CA certificates using the SSL Certificate menu option. Once selected the user will be able to see a list of current certificates and their status.

Self-signed certificates, which are time limited, will be displayed as a red cross under availability to indicate tha the certificate is either invalid or expired.

A new self-signed certificate can be generated by clicking on the icon on the far right of the “Self-Signed Certificate” line. This will reveal all the fields and conditions needed to generate a certificate, as shown below, including expiry conditions and key length.

Likewise, customer managed certificates can be uploaded by file or string and pasted into the certificate window as well as the Private key. Note that for SSL rules, these can’t be bulk copied between sites.

After upgrading VD to version 22, CA Chain certificates will also need to be uploaded as an extra security step that comes with this upgrade.

DDoS profiles can be created, edited and deleted. Logging can be enabled independently on each rule.

DDoS policies may be added by using the "+ Add new rule" button and the fields can be populated as shown below, with threshold value for activation, alarm and drop periods being defined by Portal users. The key fields are:

For an aggregate DDoS protection profile, this limit applies to all the traffic processed by the DDoS protection rule with which this DDoS protection profile is associated.

For a classified DDoS protection profile, this limit applies to the traffic on a classified basis (based on the source IP address, destination IP address, or both), for the traffic processed by the DDoS protection rule with which this DDoS protection profile is associated.

The “Add” button creates a rule which can be edited, and logging enabled.

DDoS logging can be enabled by slide button as shown below:

DDOS Log files can be searched for, by selecting the “Show DDOS logs” button to show a search by Day, Week, Month or Custom date range.

If log files are available they can be viewed in tabular form or downloaded as a CSV file. The tabular view shows the site name, date type of attack/protocol, attacked IP address and action.

The Log files can also be viewed in Chart form by selecting the Chart View option.

There is a growing demand for streaming logs to third party collectors in many products. For SD WAN, customers subscribing to firewall features may require firewall service logs for audit and compliance perspective. As such, this feature allows CPE firewall log delivery to a Third Party collector for a branch site.

The rule should be established as below:

To configure CPE log forwarding for a specific site, first the customer needs to select the ‘Security’ tab in the main menu and then underneath this, the ‘Secure Log Forwarding’ tab as shown below.

The customer will need to take the following steps to configure CPE log forwarding:

Input the various attributes associated:
Firstly click ‘Add new collector’ – the following input dialogue opens:

The following data needs then to be inputted by the user:

After this then the logging event settings can be defined: Start / End / Both. Once this is selected then the ‘Enable Secure Log Forwarding’ needs to be pressed and the settings saved to enable the feature.

By default this profile is then applied to all firewall rules and security features that have logging enabled. Additional firewall rules and security features can be added and will have the Secure Log Forwarding profile added by default if the user selects logging when the rule is established.

We are introducing Versa SASE - Secure Access Service Edge (SASE) integration into the SDWAN Portal. This integration standardizes the connectivity between Colt Versa SDWAN sites and the SASE services offered by Versa. SASE is a network security feature, that has cloud-based security appliances and streamlined traffic routing to SASE Gateways through the public Internet. This feature ensures a safe and secure online experience, by offering:

With the growing importance of SASE as a service choice for our customers, it’s important that your SDWAN Portal reflects the SASE characteristics.

The SDWAN Portal has been updated to support this integration. It can now offer the capability to:

The user must navigate to the Versa SASE button from the ribbon, which takes them to the Concerto portal, in order to configure the desired policies.

For the configuration the following principles apply:

After Colt configures the tunnels for SASE in the SD WAN portal, the user can refresh the page in order to see the updated status of the tunnels and also use the Versa SASE breakout button to activate/deactivate SASE.

In addition, it’s essential to understand how traffic behaves when LIB or CIB is activated in the context of Versa SASE, specifically LIB, CIB and Versa SASE: When LIB is enabled for a site along with SASE, traffic by default will always be sent over the preferred SASE GW. In the event that the routes from SASE GW are not available, traffic will be sent over LIB. If CIB is also enabled for customers, there will be an additional backup default route. However, for the traffic to reach the Internet via LIB or CIB, the users need to configure the appropriate firewall and Internet traffic steering rules via the SD WAN portal. Last, if the user wishes to remove SASE, it´s recommendable that LIB or CIB are active with the appropriate Firewall rules in order to avoid potential issues on the traffic.

We are introducing Zscaler SSE integration into the SDWAN portal that brings in a significant enhancement, enabling the integration of SDWAN with Zscaler’s Security Service Edge solution. SSE, is a set of comprehensive security features designed to safeguard your access to the internet, cloud services, and private applications. These features ensure a safe and secure online experience, by offering:

Zscaler, a cloud-based security-as-a-service offering requires the establishment of GRE tunnels between Versa CPE and Zscaler (Zen) Nodes to efficiently route customer traffic through its cloud-based security appliances. To meet this demand and reflect the crucial tunnel details on the SDWAN Portal, we’ve introduced several key capabilities:

The user must navigate to the ZScaler SSE button from the ribbon, which takes them to the ZScaler portal, in order to configure the desired policies.

For the configuration the following principles apply:

After Colt configures the tunnel for SSE in the SD WAN portal, the customer can use the Zscaler SSE breakout button to activate/deactivate SSE.

In addition, it’s essential to understand how traffic behaves when LIB or CIB is activated in the context of Zscaler SSE, specifically LIB, CIB and Zscaler SSE: When LIB is enabled for a site along with SSE, traffic by default will always be sent over the preferred SSE GW. In the event that the routes from SSE GW are not available, traffic will be sent over LIB. If CIB is also enabled for customers, there will be an additional backup default route. However, for the traffic to reach the Internet via LIB or CIB, the users need to configure the appropriate firewall and internet traffic steering rules via the SD WAN portal.

Provides a statistical view of the customer’s network via a measurement of networking metrics for SD WAN (aggregate of all SD WAN Paths from that site) traffic and DIA or Internet breakout traffic.

The analytics of each node in that network can be viewed by selecting the ranges in Days, Weeks and Months plus a custom date range. After selecting the date and time ranges, pressing the ‘Refresh’ option will show the section detailing graphs that show the network services for each node being measured against the metrics within the selected timeframes.

The metrics being measured in this section are:

The metric to be viewed can be selected by clicking on the down arrow at the top left corner of each graph.

Hovering the mouse cursor over the graph lines shows the exact value of these metrics; while the user can zoom in and out of these charts to expand and reduce the date range to view the data trend of the analytics more clearly.

In this section you can see the performance of your applications. Select the interface, the number of applications you want to be shown and the time period you are interested in. In addition you can search and report on specific applications:

The data will be displayed in selected timeframe showing the following metrics which can be viewed graphically or in a tabular format:

In addition reports can be downloaded in CSV format or pinned to the dashboard view.

Portal users will be able to view usage metrics of most frequently hit firewall rules as shown below. The view can be changed by data and depth of most frequently used rules.

Graphical and tabular view of the data showing usage by: session, Bandwidth, Volume in both Transmit and Receive directions are available.

The Firewall Logfiles can be viewed and downloaded as a tabular format or downloaded as a CSV file.

Log files include date/timestamp, IP address, protocol, action, device and type i.e. session start or end logging

The interface QoS analytics shows usage by COS, please note that not all CoS or DSCP values are shown separately, but some are grouped as follows:

As with all other metrics this data can be viewed per interface, with standard and custom time ranges.

Usage data on the by these forwarding classes are shown in graphical form

The packet drop per drop profile associated with forwarding class egress profile can be viewed as shown below.

The SLA Metrics analytics provide a view of the specific SLA values per path, where a path can be between the site and one or all the termination CPE. This is selectable as follows:

SLA metrics can be viewed are as follows:

The user analytics provide usage date IP addresses on the LAN or DMZ which are consuming the WAN bandwidth. Reports can be generated by:

The reports can be shown as tabular or graphical views by source IP address in the following metrics: sessions, average session duration, data volume, Volume and Bandwidth by total or in the transmit/receive directions.

Similarly to SLA Metrics the Path Analytics menu option allows usage data per path to be displayed. The options are: by interface, top users, predefined or custom date range.

The metrics can be viewed in tabular or graphical form as follows:

The Portal allows users to create, manage custom URL Categories as Objects or view existing Predefined Categories. User Defined URL Categories can be associated with URL Filtering profiles, and have decryption bypass rules configured based on them.

Users can define custom URL Categories by specifying patterns or strings, assigning a Trustworthy reputation by default, and incorporating them into URL Filtering profiles. Users can also define decryption policy rules with No Decrypt action.

String is a specific URL and pattern is a template that can match multiple URLs with similar structures.

Below you can see where to create and configure User Defined URL Categories,

and where to check the list of available Predefined URL Categories.

The created Custom URL Categories appear in the User Defined category list for URL filtering with possible actions of Allow and Alert.

Additionally, customers can configure decryption rules to exclude specific URL Categories from decryption, ensuring seamless traffic handling. These rules have to be always set to No-Decrypt and take precedence in rule order. This feature is available when the Network Destination is towards the Internet. The new functionality enhances flexibility while maintaining existing security and network policies.

This newly introduced tab is designed to host future developments that are site affecting. For the moment it hosts the activation/deactivation button for Versa SASE and Zscaler SSE (if contracted) and allows for the option to rename VRF interfaces in a personalised way with an alias that makes them easy to recognise. The alias change is then visible in the Summary page.

This features provides the ability to provision an IP address for a TCP/UDP connection for a flow log collector. The service allows Netflow log files using the IPFix protocol to be transferred to a type approved server that can be hosted on an the Colt SD WAN or any reachable IP network.

Note that if a customer’s NetFlow server requires SNMP Read Only access to the CPE, then SNMP Read Only access must be enabled using the SD WAN portal for the respective NetFlow collector. Please see section 16.

The Netflow/IPfix configuration is a site level main menu option as shown below. Multiple TCP log collectors can be created per site or VPN up to a maximum of 4, but only one UDP collector. The order of precedence is based on the order the rules are created.

See the portal screenshots below:

The rule should be established as below:

There are two steps to provision a 3^rd party log collector, the first is to configure the destination IP, port and protocol type per VPN or VLAN. This means multiple collectors can be provisioned. Note for IPFix the following collectors have been type approved by Versa:

Note that when customer selects the relevant VPN, the related LAN interface is displayed on the portal – see above.

Forwarding of flow log files to a 3^rd party collector can be filtered by creating rules with the following match criteria:

Log collector rules are applied to all Log collectors that have been created and the order of precedence can be set by the user I the same way as Policy or Firewall, by dragging the rule to the required position.

Bulk copy of Collector rules is also possible.

Start and end refers to logging at start and end of session. Interim means times when the flow is active for a long period of time there will be multiple log file. The default interim time is 1 minute - this time is not configurable.

This feature allows access from a customer’s SNMP server allowing it to query specific MIBs on the SD WAN CPE device.

To add an SNMP server, the user should select Site Settings>SNMP, at which point the screenshot below will be visible. The user needs to input the device interface and the SNMP server IP. Below it, the user needs to set the SNMP authentication credentials – in this example a server with IP 1.1.1.1 is added to the LAN2 interface.

Once this has been actioned, the portal will display the following confirming that the server has been added correctly.