Configure Layer 2 Settings for Secure SD-WAN Engines in the Engine/VPN role

Layer 2 Settings for Secure SD-WAN Engines in the Engine/VPN role define the Layer 2 Interface Policy for the Secure SD-WAN Engine, and advanced settings for layer 2 physical interfaces on the Secure SD-WAN Engine.

Layer 2 Interface Policies contain rules for traffic detected by layer 2 physical interfaces on Secure SD-WAN Engines in the Engine/VPN role. To use layer 2 physical interfaces, you must select the Layer 2 Interface Policy for the Secure SD-WAN Engine. All layer 2 physical interfaces on the Secure SD-WAN Engine use the same Layer 2 Interface Policy.
Note: When a Secure SD-WAN Engine is configured with Layer 2 inline or capture interfaces, the Layer 2 Interface Policy does not have an option to select an Inspection Policy or File Filtering Policy. Instead, the Inspection Policy and File Filtering Policy options that you select in the Inspection tab on the Engine Policy page are used to process the traffic on the Layer 2 interfaces. For more details, refer to the Which Inspection and File Filtering Policy Is Used for Layer 2 Interfaces Knowledge Base Article.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Secure SD-WAN Engine, then select Edit <element type>.
  2. Browse to General > Layer 2 Settings.
  3. From the Policy for Layer 2 Interfaces drop-down list, select the Layer 2 Interface Policy.
  4. (Optional) Configure one or more of these advanced settings for layer 2 physical interfaces:
    • Connection tracking options
    • Bypass options for Capture Interfaces and Inline IPS Interfaces
  5. Click Save and Refresh to transfer the changes.

Engine Editor > General > Layer 2 Settings

Use this branch to configure settings for layer 2 physical interfaces on Single Engines, Engine Clusters, and Virtual Engines.

Option Definition
Policy for Layer 2 Interfaces

The Layer 2 Interface Policy that contains rules for traffic detected by layer 2 physical interfaces.

All layer 2 physical interfaces on the Secure SD-WAN Engine use the same Layer 2 Interface Policy. If there are no layer 2 physical interfaces, this setting is ignored.

Layer 2 Interface Settings section: Defines settings for connection tracking on layer 2 physical interfaces.
Layer 2 Connection Tracking Mode

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the engine to receive non-standard traffic patterns.
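As an added illustration, not part of this documentation or Forcepoint's code, the following Python model applies the three tracking modes as described above to constructed traffic: a reply is admitted without an explicit Access rule, an ICMP error unrelated to an active connection is dropped, and a TCP packet seen without its handshake is dropped in Normal and Strict but adopted in Loose (the asymmetric-routing case). It assumes a single constructed Access rule, treats Strict like Normal because the page gives both the same complete-handshake requirement, and models the handshake with a simple three-step counter.

```python
# Added example, not Forcepoint code: simplified model of the documented tracking modes.
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp" or "icmp-error"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags: "S", "SA", "A", "PA"
    inner: tuple = ()     # icmp-error: (src, sport, dst, dport) of the packet it refers to
ALLOW = {("10.0.0.5", "203.0.113.9", 443)}   # constructed Access rule: inside -> TCP/443

def run(mode, packets):
    loose = mode == "Loose"                  # Normal and Strict treated alike (assumption)
    tracked = {}   # (client, cport, server, sport) -> handshake step 1..3
    verdicts = []
    for p in packets:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if p.proto == "icmp-error":          # error must relate to an active connection
            s, sp, d, dp = p.inner
            verdicts.append("allow" if (s, sp, d, dp) in tracked or (d, dp, s, sp) in tracked else "drop")
        elif fwd in tracked or rev in tracked:   # reply direction needs no explicit rule
            key = fwd if fwd in tracked else rev
            step = tracked[key]
            if key == rev and p.flags == "SA" and step == 1:
                step = 2
            elif key == fwd and p.flags == "A" and step == 2:
                step = 3                     # three-way handshake complete
            tracked[key] = step
            # Normal/Strict: payload only after the handshake; Loose lets it through
            verdicts.append("allow" if step == 3 or "S" in p.flags or loose else "drop")
        elif (p.src, p.dst, p.dport) in ALLOW and (p.flags == "S" or loose):
            tracked[fwd] = 1 if p.flags == "S" else 3   # Loose adopts a mid-stream flow
            verdicts.append("allow")
        else:
            verdicts.append("drop")
    return verdicts
CLIENT, SERVER = "10.0.0.5", "203.0.113.9"
SCENARIO = [  # constructed traffic
    Pkt("tcp", CLIENT, SERVER, 51000, 443, "S"),    # matches the rule: tracked
    Pkt("tcp", SERVER, CLIENT, 443, 51000, "SA"),   # reply admitted by tracking
    Pkt("tcp", CLIENT, SERVER, 51000, 443, "A"),
    Pkt("tcp", SERVER, CLIENT, 443, 51000, "PA"),   # data on the established flow
    Pkt("icmp-error", SERVER, CLIENT, inner=(CLIENT, 51000, SERVER, 443)),  # related
    Pkt("tcp", CLIENT, SERVER, 51001, 443, "PA"),   # no SYN seen (asymmetric routing)
    Pkt("icmp-error", SERVER, CLIENT, inner=(CLIENT, 51002, SERVER, 443)),  # unrelated
    Pkt("tcp", SERVER, CLIENT, 443, 51003, "S"),    # inbound with no rule: always dropped
]
VERDICTS = {m: run(m, SCENARIO) for m in ("Normal", "Strict", "Loose")}
```

Only the handshake-less packet changes verdict between modes; Loose still requires a matching Access rule and still drops ICMP errors for connections it is not tracking.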
Inline IPS and Capture Interface Settings section: Defines advanced settings for Inline IPS Interfaces and Capture Interfaces.
Bypass Traffic on Overload

When selected, the Secure SD-WAN Engine dynamically reduces the number of inspected connections if the load is too high.

Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection.

If this option is not selected, the Secure SD-WAN Engine inspects all connections. Some connections might not get through if the engine gets overloaded.