Dynamic link selection for Multi-Link VPNs

When you use Multi-Link VPNs, Forcepoint NGFW in the Firewall/VPN role can dynamically select the VPN link that best matches the quality requirements of traffic.

Some traffic is affected more easily by changes in the quality of the connection. The best VPN link for one type of traffic might be different from the best VPN link for another type of traffic. Criteria that affect the quality of a connection include:

  • Bandwidth — Bandwidth is the maximum rate of data transfer for the connection. The bandwidth of the connection is more important when the application transfers a large amount of data at once. For example, the transfer of a single large file using FTP requires higher bandwidth than the transfer of several smaller files.
  • Jitter — Jitter is a variation in the delay of received packets. Many applications are affected by jitter, but voice over IP (VoIP) is especially sensitive to jitter.
  • Latency — Latency is a delay in packet transmission. Applications for which communication includes many sequential transactions that each require a round trip are the most affected by latency. For example, latency has more of an effect on VoIP applications.
  • Packet Loss — Packet loss means that one or more packets of data fail to reach their destination. Some applications, such as VoIP applications, are better able to tolerate minor packet loss.
  • Stability — Stability means that the connection is reliably available and the other quality metrics do not vary too much. Applications that have real-time traffic or interactive use require higher stability.

Link selection options in the properties of Network Application, Protocol, and QoS Class elements specify how important different quality metrics are for traffic that is associated with the elements. Traffic uses the VPN link that best matches the link selection options. When VPN links have similar quality, traffic is distributed between the VPN links so that bandwidth is used in proportion to the quality of the connections.

Link Usage Profile elements define which connection types are preferred (used unless a connection with significantly higher quality is available), avoided (used only if necessary), or must not be used for specific types of traffic. When you select a Link Usage Profile element in the properties of a policy-based VPN, route-based VPN tunnel group, or a VPN broker domain, the settings defined in the Link Usage Profile element are applied to all tunnels in the VPN according to their link types.
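
The following is a simplified model of the selection behavior described above, added here as an illustration; it is not Forcepoint code and does not reproduce the product's actual algorithm. The scoring formula, normalization bounds, thresholds, link names, and the profile keywords "prefer", "avoid", and "never" are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    link_type: str          # assumed labels such as "mpls", "broadband", "lte"
    up: bool
    bandwidth_mbps: float
    latency_ms: float
    jitter_ms: float
    loss_pct: float

# Constructed bounds: a metric at its bound scores worst (best for bandwidth).
BOUNDS = {"bandwidth_mbps": 1000.0, "latency_ms": 300.0,
          "jitter_ms": 50.0, "loss_pct": 5.0}

def quality(link, weights):
    """Weighted 0..1 score, higher is better; weights model link selection options."""
    score = 0.0
    for metric, weight in weights.items():
        frac = min(getattr(link, metric) / BOUNDS[metric], 1.0)
        score += weight * (frac if metric == "bandwidth_mbps" else 1.0 - frac)
    return score / sum(weights.values())

def distribute(links, weights, profile, similar=0.10, significant=0.25):
    """Return {link name: traffic share}; profile maps link_type to a usage keyword."""
    usable = [l for l in links if l.up and profile.get(l.link_type) != "never"]
    # Avoided link types are used only when nothing else is usable.
    pool = [l for l in usable if profile.get(l.link_type) != "avoid"] or usable
    if not pool:
        return {}
    scores = {l.name: quality(l, weights) for l in pool}
    best = max(scores.values())
    preferred = [l for l in pool if profile.get(l.link_type) == "prefer"]
    if preferred:
        best_pref = max(scores[l.name] for l in preferred)
        # Preferred types win unless another link is significantly better.
        if best - best_pref < significant:
            pool, best = preferred, best_pref
    # Links of similar quality share traffic in proportion to their scores.
    chosen = {l.name: scores[l.name] for l in pool if best - scores[l.name] <= similar}
    total = sum(chosen.values())
    return {n: (s / total if total else 1 / len(chosen)) for n, s in chosen.items()}

LINKS = [Link("mpls-1", "mpls", True, 100, 20, 2, 0.1),   # constructed sample links
         Link("dsl-1", "broadband", True, 500, 45, 12, 0.5),
         Link("lte-1", "lte", True, 50, 80, 20, 1.0)]
VOIP = {"latency_ms": 3, "jitter_ms": 3, "loss_pct": 1}    # latency/jitter sensitive
BULK = {"bandwidth_mbps": 3, "loss_pct": 1}                # bandwidth sensitive
PROFILE = {"mpls": "prefer", "lte": "avoid"}
```

With this sample data, `distribute(LINKS, VOIP, PROFILE)` keeps VoIP on the preferred MPLS link, while `distribute(LINKS, BULK, PROFILE)` moves bulk transfers to the broadband link because its score is significantly higher for that traffic class.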

Dynamic link selection has the following benefits:

  • Using the connection that best matches the quality requirements of the traffic maximizes the performance of the applications that use the connection.
  • Specifying which connection types are preferred, avoided, or not used allows you to use more expensive standby connections only when necessary.

    For example, when all connections are working normally, you can configure business-critical traffic to use one VPN link and all other traffic to use another VPN link.

Dynamic link selection is supported on NGFW Engines, Master NGFW Engines, and Virtual NGFW Engines in the Firewall/VPN role.

Dynamic link selection is only supported for layer 3 physical interfaces.