1. Overview

Colt’s Software Defined WAN solution (hereafter SD WAN) enables Internet to be used as a business network and an MPLS alternative for the WAN. There is a radical shift occurring in the market where customers are evolving towards a hyper-connected and digital world by adopting innovative business and operational models (Cloud, Big data, Collaborative tools, etc.). This journey is dramatically changing the requirements for bandwidth, performance, flexibility and agility in the solutions supporting the business and applications traffic.SD WAN gives Customers the ability to combine multiple access connections types (MPLS, Internet, 3G/4G) with application-based policy forwarding and advanced security functions to create a software defined network capable of delivering on changing business needs and capacity challenges.

Colt SD WAN incorporates various software images of Virtual Network Functions (VNFs) deployed on ‘commercially available off-the-shelf hardware components and systems’ for routing, security, WAN and application optimization and analytics. Colt SDWAN makes use of underlay connectivity (private MPLS and public Internet) to establish a secure, encrypted overlay virtual network. Customers can use it to quickly create and deploy a network that offers services like business- grade IP VPN, secure broadband Internet or application-aware routing with full security and QoS over WAN connections. Traffic can be automatically and dynamically (using traffic steering policies) forwarded across the most appropriate WAN path based on network conditions, quality-of-service (QoS) requirements, usage requirements and cost. This combined feature set offers higher network service availability and increased network performance.

In addition, SD WAN allows Customers to optimize the use of their bandwidth through load balancing over multiple Internet uplinks over broadband, 3G/4G (with an Ethernet handoff) in addition to traditional MPLS connections. SD WAN also allows to connect to Cloud service providers and SaaS providers to extend their WAN edge to Cloud.

Colt has upgraded its SD WAN service with the introduction of universal customer premises equipment (uCPE) at the network edge. The service now supports 3pp unmanaged VNF hosting, including CheckPoint Firewall as additional VNFs on uCPE alongside Versa SDWAN VNF. uCPE allows customers to license, manage, and monitor functions with flexible network options, bringing cloud computing benefits from data centres to edge computing at customer premises and branch sites—a new way for enterprises to use connectivity services.

Colt also offers a Wholesale SD WAN solution that offers not only an alternative to an existing vendor, but also the instant ability to a fast time to market when no SD WAN solution is in place for wholesale customer. The Wholesale solution includes Versa SD WAN solution with clear adaptation (customizable portal, branding and further hierarchy levels, systems and processes modification, etc) that allows the Wholesale partner to offer the end-customer an industry leading SD WAN service

The SD-WAN wholesale proposition is perfect for wholesalers without their own solution, seeking a partner to provide a turnkey option with no initial investment or development time. This offering, while limited by resale and vendor restrictions, covers these aspects in detail within the document.

Colt can help to engage this digital enrolment, helping to integrate our existing SD WAN service so that the Wholesale customer can resell it to their end customers, with little visibility about who is actually providing the service in backstage and with full functionality towards them.

There are specific considerations along the processes, that will be covered during the following sections.

2. Benefits

2.1 Available Anywhere

Colt SD WAN service is available to virtually any business address worldwide (basic connectivity pre requisite) in a fully meshed or hub-and-spoke network configuration options.
SD WAN allows connectivity between SD WAN and Non-SDWAN (traditional IPVPN) sites.

2.2 Quick Deployment

New locations can be turned up in as little as minutes with zero touch provisioning (“bringing” the device into the network). Customers will be able to manage their own service, add new branch sites in hours, or upgrade bandwidth in real-time. Colt uses pre-configured CPE devices which are as easy to setup like a home WiFi router.

2.3 Security

Secure end to end connectivity using IPSEC encryption, this ensures that the transit of Customer’s proprietary data is fully protected and inaccessible beyond the intended origination and destination points. Colt SD WAN provides an integrated firewall with SD WAN which provides secure local internet
breakout, provides DDoS protection and ability to create firewall policies and rules through customer portal.

2.4 Connectivity Flexibility

Colt SD WAN services can be provided over public internet – broadband Internet and business internet – dedicated internet access (DIA) connectivity (using any and all transport technologies like xDSL, wireless 3G/4G/LTE (only available in EU for Colt provided SIMs, no limitation for customer-owned), Ethernet or traditional MPLS regardless of whether Colt is providing that underlying connectivity or not. Local breakout is available, if desired, so that only certain traffic is forced through the SD WAN network.

Colt SD WAN supports Colt provided MPLS underlay connection as a standard. MPLS circuit is from Colt or from Colt’s existing MPLS NNI partners. Any new MPLS provider needs an MPLS NNI to be setup first (see connectivity constraints for Carrier’s provided MPLS legs).

2.5 Application Performance

Based on Customer requirements, Colt SD WAN service ensures that it always provides the best available connection for traffic flows based on jitter and latency requirements. In addition, Customers are in complete control of steering traffic over specific preferred links through the use of layers 3, 4 and 7 based
access control lists and policies that can be implemented via the self-service portal.

2.6 Self-Service Portal

The Colt SD WAN portal allows dynamic management of network based on Customer requirements, with policy control and visibility, traffic data reporting is also available for visibility of throughput (peak/average) and traffic volume for a selected duration.

For the Wholesale SD WAN service, both wholesale customers and end customers will benefit from a customized look and feel, setting wholesale customer’s own logo, background image, links and contact details, so that their end-customer experience doesn’t differ from the rest of their services offered.

2.7 Service Reliability

Multiple points of presence, bidirectional metro rings, and a fully redundant network core support ensures service availability and that customer data gets to where it needs to go.

2.8 Redundancy and High Availability

Colt SD WAN service can be deployed in a redundant and highly available manner, supporting link level and device level redundancy to eliminate single point of failures. In addition, the back-end control and provisioning systems are redundant as well to ensure service availability is not affected by any single point of failure.

2.9 Cost Efficiency

Colt SD WAN provides the ability to manage and optimize traffic over multiple infrastructure links and maximize the use of bandwidth thereby lowering costs. Customers can use it to top up existing IP VPN bandwidth by using the Internet in addition to existing IP VPN bandwidth; another use case would be an Internet only version which can be used where dedicated leased line cannot be justified due to cost reasons.

2.10 Control (Changing Traffic Patterns)

SD WAN gives the ability for customers to route their traffic for specific application based on a number of parameters. Traffic policies (MPLS vs internet) will be set during the initial deployment and will be based on basic business rule settings (IP address/subnet, protocol and/or port number, preloaded applications), these can be changed any time via the self-service portal.

2.11 Analytics

Near real time, interactive dashboards that enable Customers to keep view the health of a network and applications by continuously monitor traffic flows and enabling the identification of and response to business impacting events. Visualization of application performance, network security and Firewall, and
utilization – allowing organizations to analyse issues at the site level, application layer, or individual user level.

2.12 Multi-cloud

With With SD WAN Multi-Cloud, customers are able to connect their branch sites directly to all their cloud-based SaaS and IaaS workloads and manage this connectivity centrally via the Colt SD WAN portal. It brings together a single cohesive view of the enterprise network, tying together WAN sites, IaaS/Cloud sites, and traffic towards SaaS cloud – all easily viewed and managed via the Colt SD WAN portal. SD WAN Multi-Cloud extends the SD WAN benefits of security, analytics and optimization to connectivity to the Cloud Service Provider and provides an end-to-end SLA for all connectivity types (MPLS, Internet, Wireless and Cloud) for enterprise networks.

Colt SD WAN Multi-cloud services are available in Europe and Asia and supports direct connectivity towards Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. The SD-WAN Multi-cloud solution uses gateways hosted in the Colt network with dedicated connectivity into the Cloud. Today, Colt is monitoring proactively our Cloud Gateway infrastructure, cloud providers at an application level. Within the direct connectivity program of the CSP, Colt supports both hosted and dedicated CSP options in the likes of AWS Direct Connect, Azure ExpressRoute and Google Cloud Interconnect (GCI).

2.13 Support for IPv6

Internet Protocol version 6, is a new addressing protocol designed to incorporate whole sort of requirement of future internet known to us as Internet version 2. This protocol as its predecessor IPv4, works on Network Layer (Layer-3). IPv6 provides larger addressing space and simplified header. Colt SD
WAN supports use of IPv6 addressing on LAN interface. Colt SD WAN supports use of IPv6 addressing on WAN interface for single CPE, single internet with IPv6 only

2.14 WAN Optimization

SD WAN with WAN optimization provides customer an enhanced user experience as it improves the network performance and reliability over multiple wan links for a site. It alleviates the effects of latency that maximize bandwidth utilization and relieves network congestion. The advantage of SD WAN with
WAN optimization is that it is aware of other network traffic on the same link and can intelligently manage all flows overcoming the problems of TCP retransmission.

We utilize following traffic optimization techniques

• Forward Error Correction (FEC): Allows missing data packets to be recreated at the destination without adding latency or jitter

• Packet Cloning (Replication): Mirrors packets between two or more paths – if one packet is lost, the mirrored packet will still be delivered

3. Service Design

3.1 Transport agnostic Application driven WAN

Colt SD WAN ensures Customer WAN network is designed to provide efficient application performance irrespective of the underlying transport (MPLS or Internet). The service enables and implements application routing policies and also allows for load balancing of default traffic in order to ensure that all
available WAN capacity is optimally utilized.

3.2 Site design types – SD WAN Service Pack (Multiple WAN Links)

Colt SD WAN supports multiple access types to suit individual site requirements; these can include dedicated Ethernet, Direct Internet Access, cost-effective broadband DSL connectivity or 3G/4G/LTE. By default 3G/4G circuits should be used as backup only if fixed Internet and MPLS circuits are available i.e. traffic should not load-share across 3G/4G and other WAN circuits. The SD WAN CPE can be attached directly to the Internet Access circuit (recommended) or behind a customer router or modem device. The handoff to the SD WAN CPE should be plain 802.3 Ethernet (no VLAN tagging) or PPPoE (with or without VLAN tagging). PPPoE handoff (with or without VLAN tagging) has been validated and enabled for France only (with Bouygues Telecom) currently.

Blue Wireless

Colt now offers a Fixed Wireless, 4G/ 5G cellular Internet access service to our customers. This service is a complete resell of the Wireless Internet access service provided by Blue Wireless, a Singapore-based company. Uniform service including on-site survey, installation, maintenance and operation can be provided in about 90 countries in Europe and Asia as well as in North America, South America and the Middle East. This service comes with Cradlepoint mobile router, Dual SIM and its data, installation and operation service, and SLA. This service offers managed mobile internet access service maximum up to 300Mbps/30Mbps(Down/Up) supports both unlimited data and limited data plan with flat rate pricing. This service guarantees 50% of contract speed.

The service can also be utilised for SDWAN customers as an Internet underlay, typically utilised as a backup to existing fixed WAN connections or for low priority site locations where physical connectivity is difficult to achieve. 

All countries where Supplier has the network coverage (~ 88 countries) and where Colt is authorized to sell. Not all these plans are available in all locations, for several reasons.

As part of the ‘Partner IP Access’ product, Colt has chosen Blue Wireless to provide an end-to-end managed service supplying Wireless Internet connectivity using 4G LTE/ 5G cellular technology with a managed CPE. The standard service offering delivers a Blue Wireless managed Cradlepoint CPE with dual resilient SIMs as below: 

There are 2 service offerings by Blue Wireless, Primary mode and Backup mode. Primary mode has an unlimited data plan expected to be used for most typical enterprise customer use cases and a backup mode offering that comes with a data limit. Typically, 10GB per month and over usage restriction, along with 30GB data Uplift plan for backup mode. Over usage will automatically downrate the access line to a minimal speed (1Mbps/1Mbps), which ensures the service is not completely down when the data limit has been reached but will result in a poor customer experience for normal everyday applications. Low bandwidth applications could still function such as credit card transactions as an example but would be very limited. 

Blue Wireless offers a number several bandwidth plans

Not all these plans are available in all locations, for several reasons. Some MNOs are not offering all these plans in all regions. Some (higher) speeds might not be attainable due to the local environment the Cradlepoint CPE will be in. Blue Wireless will test the speed before handing over the service to Colt / customer

The Service offer two data plan options for customer to choose from, to be Indicated in the Order.

• Unlimited Data (Primary Plan), offering unlimited data usage at the contracted Maximum Access speed at a fixed MRC. The Service is configured as an active access for the primary connection.
• Limited Data (Failover Plan), where there is predefined amount of data usage included per month indicated in the rate card to be used at the contracted Maximum Access speed at a fixed MRC.

An option may be provided to increase the predefined amount of data usage per month. Upon reaching the data limit, the maximum access speed will be throttled to 1Mbps/1Mbps speed. The blue wireless CPE can be attached to any of the current standard Versa CPEs – no new colt managed hardware is introduced for Blue Wireless connections

Based on the maximum bandwidth supported by Blue wireless i.e. 300Mbps/30Mbps(Down/Up), following T-Shirt sizes/packages are in scope of current phase:

• XS – Extra small
• S – Small
• S Plus – Small Plus

Key points

• Blue wireless connections shall be ordered as part of IP Access underlay
• Maximum 1 Blue Wireless link per site, both for single or dual CPE setups, is supported
• Internet Egress is only available for unlimited plan  
• IPv6 is not supported
• uCPE is not supported
• Blue Wireless (with limited plan) and a 4G connection at the same site is not supported
• Zscaler SSE solution has been technically validated with Blue wireless with Unlimited plan but not the Versa SASE yet.
• Customers shall ensure that the CradlePoint device Installation must be carried out at the location where Versa CPE is expected to be installed in order to achieve a direct connectivity between these two devices. In case Blue Wireless considers that coverage is not good enough and SLAs are at risk, they will evaluate the installation of a 10m indoor external antenna to get the right signal out of the rack.  Customers are always advised to increase the default coverage of the CradlePoint equipment by installing it on top of the rack where the SDWAN box is installed. If in case the indoor external antenna does not suffice to guarantee Blue Wireless Service, the CradlePoint equipment will be installed elsewhere in the building where signal is good enough and customer will be responsible to install the required internal cabling considering RJ45 demarcation towards Colt SDWAN equipment. And it is customer’s responsibility that the CradlePoint device must not be shifted from the install location as performed by Blue Wireless.
• As Blue wireless connection is a wireless connection, It should not be considered as one to one replacement of any wired internet access considering different performance matrix like latency. Blue wireless connections latency is expected to be higher then the wired internet connections, especially in case if inter-regional site to site communications.
• Blue Wireless does not offer any guarantees on the Latency, Jitter and Packet Loss but Blue Wireless will endeavour to optimise the performance.

Note: Due to some regulatory limitations, blue Wireless do not offer services in following countries: India, China, Russia, Cuba, Syria, Iran, North Korea, Venezuela

Blue Wireless – Starlink Satelite

Blue Wireless, in partnership with SpaceX, provides Starlink satellite services. Following satellite services are supported as an underlay for the Colt Versa SD WAN solution:

• Global Managed LEO Plus (GML+), based on a combined Satellite and LTE/5G connection using a performance satellite antenna and cellular antenna.
• Global Managed LEO (GML), based on a single Satellite connection using a performance satellite antenna.

These plans are supported as an underlay for the Colt Versa SD WAN with the following guidelines:

• Leo, Leo+ with limited data plan only
• Leo, Leo+ available as backup/secondary connection only
• Only Public IP Supported
• Supported with SD WAN XS, S and S Plus Packages
• Supported with SD WAN CPE Models: v120, v210, v220
• Supported with Following SD WAN site topologies:

Limited Data Plan	Connection Supported
Single CPE LTE Only	Primary LTE or Leo/Leo+
Single CPE Hybrid [LTE]	MPLS + LTE or Leo/Leo+
Single CPE Dual Internet LTE	IPA (wired, not Leo) + LTE or Leo/Leo+
Dual CPE Hybrid LTE	MPLS (wired) + LTE or Leo/Leo+
Dual CPE Dual Internet LTE	IPA (wired, not Leo) + LTE or Leo/Leo+

Below is a table summarising the standardised packages that are available for customer to order per site.
Each size package varies in the type and number of WAN uplinks, number of CPEs, bandwidth, diversity, and service assurance.
To build a new SD WAN solution, simply work with customer to mix and match these ‘sizes’ to meet the requirements for each site.

Note: Blue wireless connections are supported for XS, S & S Plus packages only currently.

• Any combination of Internet and MPLS uplinks up to the max supported and not
  exceeding maximum for each type.
• LTE as substitute or in addition to any fixed Internet connections.
• LTE substitutes the fixed WAN Uplink
• Dual LTE not supported in combination with Fixed MPLS or Internet uplinks. Single
  LTE uplink is on primary CPE when combined with 2 fixed uplinks.
• Max 1 MPLS per CPE. Single MPLS is always on primary CPE.
• For 2 Internet uplinks LTE substitutes the second Internet uplink

To illustrate these site size packages further, see the example use cases below:

The CPE model used in M & M Plus package will be the V220, offering a maximum BW of up to 1 Gbps.

The CPE model used in M & M Plus package will be the V810, offering a maximum BW of up to 2 Gbps.

The CPE model used in M & M Plus package will be the V850, offering a maximum BW of up to 3 Gbps.

The CPE model used in L & L Plus package will be the V1800, offering a maximum BW of up to 10Gbps.

Both support fibre handoff option.

3.3 Traffic flows

The customer may have a mix of sites – IP VPN on-net sites (connected directly to Cisco based MPLS network) or SD WAN hybrid sites (OLO MPLS and Internet lines, Versa based) or SD WAN Internet only (Versa based) or SD WAN MPLS-only site.

The table below provides the overview of the traffic flows with regards to how SD WAN gateways and Encrypted tunnels are used (Versa uses IPSec but combined with other protocols)

SD WAN Gateways provide the following functions 1) they act as a transit gateway between the encrypted SD WAN VPN and a normal IP-VPN and 2) They act as a hub for connecting SD WAN sites on disjoint networks e.g. a site connected to MPLS only and a site connected to Internet only. SD WAN Gateways are implemented on a region by region basis to reduce the latency caused by backhauling tunnels

3.4 Application aware connectivity

Colt SD WAN service delivers path control for application-aware routing and forwarding across the WAN. It supports, dynamic selection of the best path for application-based business policies and application-based load balancing across paths for full utilization of bandwidth with improved network availability.

3.5 Encryption

• Encryption method: Advanced Encryption Standard AES-128 and AES-256 supported.
• Authentication Method: Secure Hash Algorithm SHA2.
• Internet Key Exchange (IKE): IKEv2.
• PSK: As standard, pre-shared keys will be used to authenticate between IPSec peers.

(For Colt SD WAN, Colt owns & manages the keys).

4. Features

Colt SD WAN is an evolving product line, this is primarily because the industry is still evolving with ongoing developments (Colt product offering is mature as committed). Colt will continue to improve and add new product features and they will be added in this guide as they are released (please refer to roadmap for details).

4.1 Customer Portal

Colt SD WAN Portal is a self-service portal available for both Carrier and end customer. It enables network services to be used, modified and orchestrated on real-time and on-demand basis – as is typical for cloud services. As it is ‘software defined/controlled’, the WAN transforms into an agile, flexible network enabling a customer to be in control of its network.

In summary, the portal gives the Customer the ability:

• To map applications to specific WAN uplink (eg., MPLS and/or Internet)
• To choose when an application needs to switch to the secondary path

                   The SD WAN portal is intuitive and easy to navigate with below features:

Portal Pages	Page Details
Dashboard	Gives an overview of all provisioned sites on a geographically accurate map Dashboard allows regularly used graphs or reports to be pinned to the Dashboard view. Status of Pending orders are listed
Policy Management	per site traffic steering policy rules per site add, delete, edit and back-up traffic policies map traffic to WAN uplinks on multiple parameters like source and destination IP Address, source and destination port/socket, protocol and applications (more than 2,500 applications supported) define policy to switch between WAN links based on latency, jitter, packet loss, traffic Rx/Tx thresholds Multiple metrics per policy can be added Bulk copy pushes policies to multiple sites by single button click
Firewall Management	per site firewall rules overview per site add, delete, edit and back-up firewall policies Policies applied to Internet and SDWAN for both inbound and outbound traffic Create firewall rules based on multiple parameters like source and destination IP Address, source and destination port/socket Create Application layer inbound and outbound Firewall policies with source/destination IP addressing Create DNAT for LAN and DMZ zone rules by IP address and port number Bulk copy pushes policies to multiple sites by single button click default policy deny all
Firewall analytics	lists all active firewall rules top 10 (or more) applications with sessions, traffic Tx/Rx and bandwidth used historical view by day, week, month or custom time frame
Interface Analytics	delay, jitter, loss ratio, traffic in/out and number of sessions on per interface basis historical view by day, week, month or custom time frame
Application Analytics	application bi-directional bandwidth utilization top application information pertaining to sessions, and traffic utilization (Rx/Tx) Application view can be filtered or selected per application historical view by day, week, month or custom time frame
DDOS	create DDOS attack profiles and suspend actions historical view by day, week, month or custom time frame of DDOS attack analytics associated with attack profiles.
Device	detailed CPE hardware information self CPE diagnostics, including ping and traceroute Data synchronization icon to re-synchronize the Portal and SDWAN bases. WAN interface details including MAC, status, IP address, speed, traffic Rx/Tx and QoS policies LAN interface details including MAC, ARP information, IP address, speed, and routing policies

4.2 SD WAN wholesale customer portal specifics

Colt SD WAN Portal for the Wholesale segment can have a personalized branding and domain, and therefore there are some requisites the wholesale customer needs to fulfil.

All the required information needs to be captured by Sales teams and shared to Portal team to set up Reseller’s SD WAN portal.

At the same time, special flag within the order form will remind the user that this requirement needs to be taken care of prior to service delivery.

Main requirements:

• Select a domain name for the branded version of the portal (e.g. sdwan. reseller.com)
• Update the Carrier’s own DNS records to associate this domain name with the Colt production portal, either:
  • as a CNAME record pointing to sd-wan.colt.net or
  • as an A record pointing to the colt-owned IP address: 217.111.165.33

• Obtain an SSL certificate to secure web traffic to this domain.
• The associated private key for this SSL certificate should be a minimum of 2048 bits long.
  • The certificate should be signed by a widely trusted Certificate Authority – e.g. Verisign
  • The certificate expiry date should be a minimum of 365 days from the date of issue
  • Neither the key nor the certificate should be password protected

• Using the following pages as a starting point, collect content that the Carrier wants to be shown on the branded portal.
  • Not all content is mandatory (e.g. a login logo), but if it is not supplied, then the corresponding area of the screen will default to blank
  • Image sizes and other constraints apply

• Send the certificate, the private key and the branding information to the SDWAN Portal team.
• For testing purposes, a Colt Demo portal can be set up as well with the customized look and feel
• Carrier is responsible for end-customer credentials and password management, that would be created within their user access to the portal (tenant management). End-customer will not be able to manage his credentials, only to ask for a reset to Carrier.

4.2.1 SD WAN wholesale customer portal branding

In order to customize the specific branding for each wholesale customer, Following information essential to be captured from wholesale customer:

• Splash screen background image
  • Min 1920px wide, 1440px high, PNG or JPG format
• Login dialog logo
  • Max 250px wide, 200px high, PNG or JPG format
• Forgot password link (required)
  • URL only (text will be unaltered)
• Footer HTML (required)
  • HTML inside a DIV element, maximum 2 lines high. <ul><li> elements will be separated by vertical bars

Once in the SD WAN Network Dashboard, there are some other items that can be customized as well:

• Application logo
  • Max 250px wide, 32px high, PNG or JPG
• Help link (required)
  • URL only (text will be unaltered)
• NOT SHOWN:
  • Web page title (text only)
  • FAVICON.ICO icon to show in the address bar (48×48 px or 24×24 px, icon format)

In case the customer doesn’t want to customise the landing page or the SD WAN dashboard logos, Colt can also offer the possibility of not showing any logo instead.

Technical details as registered domain, SSL certificate or even the Help and support & Forgot password links are mandatory.

API integration with SDWAN Portal is possible but not as a standard switch on/off capability. API integration with SDWAN portal will require some efforts to understand customer requirements and development. Based on the initial analysis, SDWAN portal integration cost could be provided.

Note: Pease refer to Portal Guide document for further details

4.3 Dynamic traffic steering

Dynamic multi-path traffic steering is a real-time portal driven feature that helps Customers utilize both MPLS and Internet uplinks in a redundant or load sharing configuration. In addition to detecting pre-configured applications, traffic can be routed through IP address, protocol and/or port (socket) numbers.

Customers can choose to do (add/edit/ delete) all their policy configurations anytime via the secure Colt SD WAN portal.

Colt SD WAN platform measures jitter, packet-loss, round-trip delay, traffic utilization TX/RX in all the paths between branches or between branch-to-hub. Please see portal appendix for policy configuration details.

4.4 Optimum path selection

Optimum Path Selection is a default SD WAN portal feature for all customers that provides the best path selection between all possible paths when a 10 % variance of performance is reached. The standard SDWAN traffic Steering rules through SD WAN portal provides path selection based on circuit priorities and/or SLA thresholds instead of performance. Optimum path selection can steer traffic based on one or combination of several metrics, For example lowest latency, lowest packet loss or lowest delay variation. Besides traffic selection, our existing SD WAN traffic steering options remain available.

These include:

• Configuration of different circuit priorities
• Configuration of SLA thresholds for several metrics: Latency (ms), Jitter (ms), Packet loss (%), Transmit/Receive Bandwidth utilization (%)
• Continuous evaluation of the traffic sessions that provides the traffic switching between difference paths, when the used path is no longer SLA compliant or there is a better option with <10% of difference

4.5 Analytics

Supported for interface, firewall and applications. These are on near real-time basis with based on logs sent from branch sites and stored in the analytics database . Historical views are also supported along with deeper granularity. Please see portal appendix for details.

4.6 Routing between Colt managed CPE and customer LAN

Both static and dynamic routing supported. Static, BGPv4 and OSPFv2 routes are all supported on SD WAN CPE for routing towards the customer LAN.

4.7 DHCP

DHCP requests from local clients are forwarded to Customer owned/managed central DHCP server (applies for IP addressing on the Customer LAN, not static or DHCP config in the WAN if customer is providing own Internet). Colt SD WAN CPE adds its own information to the request to identify the site (to enable the central server to allocate address from appropriate pool). DHCP server can be delivered as a bespoke on customer special request.

4.8 IP address management

Customer IP addresses may be private or public as the service treats the addresses relevant only to the particular customer VPN.

As per DHCP, it applies for IP addressing on the Customer LAN, it does not refers to the WAN if customer is providing own Internet.

• IPv4 & IPv6 are supported
• By default static routes shall be used for all the addresses for each site. As an option, routing protocols may be enabled as well at the time of ordering the service.

4.9 Local internet breakout

The Local Internet breakout feature allows ‘to/from’ internet traffic to utilize an SD WAN site’s local internet connection rather than going through the central network gateway. Any traffic other than which is destined for SD WAN sites (e.g. to access legacy applications residing at an enterprise location) will access the internet using  the local internet connection.

A key benefit of local breakout is the user experience when accessing trusted applications as these can be accessed locally and hence avoids unnecessary latency. In addition local breakout helps reduce the customer’s bandwidth needs across Colt SD WAN platform.

By default a Deny-All rule is applied for traffic between the LAN and Internet in both directions. The customer can then add rules to selectively allow traffic towards and from the Internet e.g for trusted applications such as Office 365.

Local Internet breakout is a default Colt SD WAN service feature, if an Customer, for any specific reasons, wants central internet breakout (central gateway) then it will be handled as a bespoke request and would need a modification order.

Highlights:

• Default option
• Will be on the first internet connection (more than one internet connections possible)
• Available on all site types that have an internet connection
• With dual internet, the local internet breakout will be on an active/standby basis (could be load balancing if requested by customer)
• With dual CPE, internet breakout will only be on the internet attached CPE
• With MPLS/internet, breakout will only be available on internet connection at that site

Multiple Internet – LIB

A local internet breakout is an access point to the internet located as close to the user as possible. Local breakouts enable organizations to offload internet-bound traffic from local branches and remote offices, and route it directly to the internet via a local internet service provider (ISP).

• Customers will be able to select the Internet links and resiliency mode (load-sharing or active/standby) through SDWAN Portal.

Our solution Multiple LIB customers can benefit from the below,

• With the introduction of multiple WAN Uplinks, the customer can have up to 4 Internet uplinks.
• Through SD WAN portal customers can select the Internet links and resiliency mode (load-sharing or active/standby)
• By default, for all sites enabled for LIB in order system will have the internet wired uplink enabled in Active/Active mode.
• The Customer will have the option to change the default mode to Active/Standby based on the defined priority of Internet links via portal.
• Customers can now selectively enable or disable specific Internet links for Internet access from SDWAN portal.

LIB can be configured in two modes as per below picture.

4.10 Standard firewall

Colt SD WAN platform comes equipped with an L4 Stateful firewall (Versa FlexVNF Stateful FW feature on CPE). It supports rules around source and destination IP addresses, source and destination port and/or protocol numbers. When a customer site is first activated, the default firewall policy is to allow all traffic between SD WAN sites and “deny all” in both directions between the customer LAN and Internet. As an additional option, SD WAN firewall can be enabled which extends the default “deny all rule” to traffic between SD WAN sites. Firewall policy rules can be modified using the SD WAN portal.

Firewall rules are standard and based on simple allow, deny or reject commands on any of the defined parameters. Rule can be applied to a single or multiple CPEs.

The firewall feature is integrated with the Colt SD WAN solution and makes use of the stateful firewall feature embedded in the Versa FlexVNF software. This avoids the need for a separate firewall solution.

Highlights:

• Control – add, delete, modify and prioritize rules
• Back up – switch to any previous (saved) configuration version
• Analytics – there will be user friendly graphical analytics allowing users to view the number of allow and deny logs per rule.

Please refer portal guide here for details.

4.11 Advanced firewall

The Colt SD WAN Advanced Firewall feature set is ideal for Customers needing protection against modern web-based security threats like malware attacks, targeted attacks, application-layer attacks; these attacks exploit weaknesses in applications, rather than weaknesses in networking components and services which are the targets of traditional attacks and can be prevented by a stateful firewalls.

The Colt SD WAN platform uses an integrated Next Generation firewall that offers advanced firewall capabilities integrated with the SDWAN router, the functionality can be configured via the Colt SDWAN portal. The Advanced Firewall allows customers to connect separate LAN and DMZ networks to the SD WAN CPE and is used in combination with the local Internet breakout feature.

Colt also offers the Denial of Service (DoS) protection feature with Versa SDWAN. It is used to protect services on the customer LAN or DMZ that are exposed to the Internet e.g. web servers, mail servers. It is only supported in combination with the DMZ / destination NAT feature for the traffic from the Internet towards the LAN/DMZ.

4.12 Dual CPE (High Availability Site)

To enhance resiliency, two SD WAN CPEs are provided in high availability mode, using VRRP to ensure traffic will be routed to the other if either SD WAN CPE fails. By default, not all traffic is rerouted; there may be application exception policies in place for specific applications to avoid Internet or MPLS networks. The dual CPEs form a high availability site with shared aggregated total site throughput.

Dual CPEs can be situated in the same location or different locations, but they require an additional interconnect besides being connected via LAN for VRRP. This additional interconnect is necessary for proper WAN routing.

For the back to back connectivity between the two SD WAN CPEs, the customer can decide whether they need an electrical or optical port

In standard delivery internal cabling can include up to 5 metres, above that needs to be quoted in a case by case scenario.

Dual CPE is available in three combinations:

• Dual CPE (Hybrid): Primary CPE with MPLS + Secondary CPE with Internet
• Dual CPE (Dual Internet): Primary CPE with Internet + Secondary CPE with Internet
• Dual CPE (Dual MPLS): Primary CPE with MPLS+ Secondary CPE with MPLS

4.13 CPEs

Versa FlexVNF can be deployed on either a Colt uCPE (not available yet for Wholesale customers) or a Versa Certified Whitebox appliance (Baremetal), both installedon the customer premise. The following appliance types are used based on bandwidth and feature requirements:

Versa – Certified Whitebox Appliances

Model	Description	Throughput	Uplink	Deployment
Versa 510 (EoS)	Advantech FWA- 2320 Intel Atom C2558, 4 core, 8GB RAM	Up to 150Mbps	GbE (Cu)	Small Branch
Versa 120  LTE only	EAdvantech FWA- 1010, Intel Atom C2758, 8 Core, 16GB RAM	Up to 500Mbps	GbE (Cu/ SFP) + LTE	Small Branch (with LTE)
Versa 210	Advantech FWA-1012VC-4C, Intel Atom C3000, 4 Core, 8GB RAM	Up to 300Mbps	GbE (Cu/ SFP)	Small Branch
Versa 220	Advantech FWA1012VC. FWA-1012VC- 8CA1V (Versa 220 without LTE) FWA-1012VC- 8CA1VR (Versa 220 with LTE modem for EMEA) WA1012VC2006-T (Versa 220 with LTE modem for APAC)	Up to 1Gbps	GbE (Cu/ SFP) + LTE	Small Branch (with LTE)
Versa 810	Advantech FWA- 3260, Intel Xeon D-1548, 8 core, 64GB RAM	Up to 2Gbps	GbE (Cu/ SFP)	Medium Branch
Versa 850	Advantech FWA-5070L2205-T, Intel(R) Xeon(R) Silver 4210R, 10 core, 64GB RAM	Up to 3Gbps	GbE Cu    10G Fibre	Medium Branch
Versa 1800*	Advantech FWA- 5070 Intel Xeon Gold 6212U, 24Core, 96GB RAM	Up to 10Gbps	10GbE (SFP+)	Hub / Data Centre

Mentioned throughput are the highest throughput achievable under favourable circumstances. It is the throughput ceiling. The actual throughput & CPE Performance will degrade depending on network and security policies/features applied. CPE performance can be down to 30% on certain CPEs.

Versa 510

Versa 510 Specifications

Vendor Model	Advantech FWA-2320-01E
Processor	Intel C2558 4 Core CPU
Memory	4GB
Disk	64 GB SSD
Interfaces	4 x GbE Cu (WAN/LAN), 2 x GbE Cu Mgmt
Power	100W AC internal PSU
Cooling	1 x smart FAN maximum 37.5dB(A). Front to Back air- flow
Physical Format	1RU rackmount device
Dimensions	426 x 44 x 318mm
Weight	4.5Kg

Versa 120

Versa 120 Specifications

Vendor Model	Advantech FWA1010VC. Versa Builds: Versa V120-NW-EX (non LTE) Versa V120-EX-L455-W178 (LTE US/EMEA) Versa V120-EX-L7430-W178 (LTE APAC)
Processor	Intel Atom C2758 (8 core), 2.4 Ghz
Memory	16GB
Disk	128 GB SSD
Interfaces	2xGbE Cu/SFP WAN ports, 4x switched GbE Cu LAN ports, 1x GbE Cu as DMZ port
LTE/WiFi	WWAN module (Sierra MC7455, MC7430) with antennas WLAN module (Advantech/EWM-W162M) with antenna (not used)
TPM	TPM1.2 Module
Power	12V 5A, 60W external adaptor
Cooling	1 x smart FAN with maximum 37.5dB(A). Side-to-side air flow
Physical Format	Tabletop device (optional rackmount kit FWA-1010VC- RMT)
Dimensions	250 x 44 x 190.4 mm
Weight	2.3 Kg

Versa 120 – LTE Modem Specification

Modem Name	AMER, EMEA: Sierra Wireless MC7455 APAC: Sierra Wireless MC7430
Performance	Cat-6 (peak down-link: 200 Mbps, up-link: 50 Mbps)
Wireless Standards	4G-LTE, 3G (WCDMA) Frequency Bands: MC7455: B1, B2, B3, B4, B5, B8 Frequency Bands: MC7430: B1, B5, B6, B8, B9, B19
FRU	No
Geo-Location	GPS, Glonass, Beidou, Galileo
SIM Card Access	Externally accessible
Antenna	External Antennas that attach to the device are included. Antenna extension (wall mount/roofmount) is also possible. The antenna must have dual SMA male connectors and max 5dbm insertion loss. Example parts include Poynting 4G-XPOL-A0001 (Omni-directional) and 4G-XPOL-A0002 (Directional)

Versa 220

Versa 220 – LTE Modem Specification

Vendor Model	Advantech FWA1012VC. Versa Builds: FWA-1012VC-8CA1V (Versa 220 without LTE) FWA-1012VC-8CA1VR (Versa 220 with LTE modem for EMEA) FWA1012VC2006-T (Versa 220 with LTE modem for APAC)
Processor	Intel Atom C3758 (8 core), 2.2 Ghz
Memory	16GB
Disk	128 GB SSD
Interfaces	4x copper GbE via Marvell 88E1543, 2xSFP & 2x copper GbE via I350
LTE	Sierra/EM7455(EMEA) / MC7430 (APAC) Advanced-LTE module(Cat.6) with related antenna , SMA, screws
TPM	TPM1.2 Module
Power	12V 5A, 60W external adaptor
Cooling	2x system FAN with smart FAN
Physical Format	Tabletop device (optional rackmount kit FWA-1012VC- RMK)
Dimensions	250 x 44 x 193.04 mm (9.8” x 1.7” x 7.5”)
Weight	2.4 Kg

Versa 810

Versa 810 Specifications

Vendor Model	Advantech FWA-3260
Processor	Intel Xeon D-1548(8 core), 2 GHz
Memory	64GB
Disk	256 GB SSD
Interfaces	6 x 1GbE, 2 x 10GbE SFP+, Optional expansion module NMC-1004-10E with 2 x 10G SFP+ with Intel 82599ESx
LTE/WiFi	N/A
TPM	TPM1.2 Module
Power	Redundant 1+Dummy 300W AC PSU. Optional DC PSU
Cooling	4x system FAN with smart FAN. Front-to-back airflow
Physical Format	1 RU Rackmount Device
Dimensions	430 x 44.2 x 500 mm
Weight	15 Kg

Versa 1800

Versa 1800 Specifications

Vendor Model	Advantech FWA-5070
Processor	Intel Xeon Gold 6212U, 24C, 2.4GHz
Memory	96GB
Disk	2 x 512GB SSD
Interfaces	9 x 1GbE, 8x10GbE SFP+, Optional expansion module NMC-1004-10E with 2 x 10G SFP+ with Intel 82599ESx
LTE/WiFi	N/A
TPM	TPM1.2 Module
Power	Redund 650W AC PSU
Cooling	3x smart FAN. Front-to-back air flow
Physical Format	1 RU Rackmount Device
Dimensions	41 RU (438 x 44 x 550 mm) (W x H x D)
Weight	20 Kg

4.14 Universal CPE (only for Enterprise segment)

FlexVNF can also be deployed on the ADVA Ensemble Connector OS and certified uCPE appliances. See the Universal CPE solution guide for further details

Colt uCPE consists of following components

Component	Details
Hardware	Advantech FWA-3260 Advantech FWA-2012
Virtualization Layer	ADVA Ensemble Cloud Suite
VNF	Versa SD WAN Checkpoint Unmanaged Firewall

4.15 Multi-VPN (Multi-VRF)

Multi-VPN feature allows a single SD WAN CPE to be used to deliver up to 9 sub-VPNs (10th is used for uCPE inbound management). On the LAN side, either a separate physical interface or 802.1q logical sub-interface is configured per service instance, and it is placed in the corresponding VRF. On the WAN interface, it’s segregated using VPNv4 addresses. Unlike traditional MPLS VPN- based solutions, multi-VPN does NOT require separate logical circuits on the WAN for each sub-VPN. The SD WAN overlay provides the separation between each VPN

4.16 SNMP RO

SNMP Read-only access allows the customer to poll the MIBS on the Colt SD WAN CPE device from their own network management server. The customer server can be located on the local LAN or on another SD WAN site. SNMPv3 is supported using SHA/MD5 and AES ciphers for authentication and privacy. The type of encryption (privacy) can be: DES/3DES, or AES128

Customers who would like to use this feature need to provide authentication details like: username used in the SNMP requests, authentication password, privacy password. SNMP Traps are not provided by the CPE to the LAN, they are provided from SD WAN controller.

4.17 Advanced traffic steering (application based traffic steering)

Traffic Steering allows application traffic to be intelligently forwarded across different paths between SD WAN sites e.g. Internet or MPLS. By default traffic is load-shared across available paths or the customer can define application based policy. Capability to create traffic steering/forwarding policies based on 3000+ pre-defined applications pre-loaded on on-premise SD WAN CPE.

4.18 Advanced analytics (Versa Analytics) (only available for Enterprise segment)

Advanced analytics for applications by sessions, bandwidth, and access circuit on each branch, including bandwidth consumed by each application. It is accessible through Colt Online, and therefore limited for Colt’s direct customer, not Carrier’s end-customer. Please see appendix for details.

4.19 Self-Install CPE (Zero Touch Provisioning)

A simplified way for Customers to enable Colt SD WAN service globally without having to have technical resources on site. As part of this service, a CPE with basic configuration is shipped to end site where any site personnel (even non-technical) can connect it to the network and complete activation to start consuming the services.

Simple workflow:

• CPE received on site
• Connected to the Internet (to access Colt SD WAN Controller)
• On-site personnel connects a PC to the CPE and accesses a URL provided by Colt
• Colt SD WAN Controller checks the serial number against the URL and if there is a match the post staged customer configuration is downloaded to the CPE and it is launched and connected to Customer subscribed Colt SD WAN service.

Once the connectivity service has been confirmed (whether provided by Colt or the customer), the customer will receive shipment info email with following details.

• Site address details to which the CPE will be sent
• List of requirements for the service to be set-up (e.g. connectivity type, Ethernet interfaces etc.)
• Shipment content (e.g. 10/100 Mbps Managed Optical Demarcation Compact CPE Device, TP-TX/FX-SM1310/PLUS-ST, w/ AC Adapter, Quick Start Guide)

In case of failed self-installation, customer can request the services of an on- site technician. Customers shall incur a service charge at the professional installation rate if the technician determines the failure is directly related to customer equipment, inability or unwillingness to complete the self-installation process or mistakes customer made during the self-installation process.

4.20 SD WAN Multi-Cloud

For customers looking for cost-effective, direct connectivity into multiple cloud environments, SD WAN Multi-Cloud is the optimal solution. It offers private MPLS and/or Layer 3 connectivity into multiple cloud providers in a single solution, combined with end-to-end performance backed by a SLA, end-to- end security, and end-to-end analytics. Colt advises customers to establish resilient connects into their preferred CSP by default, in order to create high Cloud connectivity performance towards the SD-WAN locations. With the SD WAN Multi-Cloud solution, customers are able to combine management of their SaaS/IaaS cloud, WAN, and branch site connectivity into a single intelligent platform. SD WAN Multi-Cloud provides high performance, inexpensive, and secure cloud connectivity directly into the Cloud Service Providers (CSPs)

– Amazon AWS, Microsoft Azure, and Google Cloud.

SD WAN Multi-Cloud provides the following benefits:

Direct and secure Branch to Multi-Cloud connectivity and common policy management

Most companies with connectivity to the cloud are working, not just with a sin- gle cloud, but with multiple cloud service providers. There is a growing need for a simple, straightforward way to manage multi-cloud infrastructures. With SD WAN Multi-Cloud, customers are able to connect their branch sites directly to all their cloud-based SaaS and IaaS and manage this connectivity centrally via the Colt SD WAN portal.

SD WAN Multi-Cloud also offers the ability for customers to manage common policies across their branch sites, SD WAN fabric and multi-cloud environment – further increasing the ease of control over their network.

SD WAN-powered dynamic path selection with SLA

With SD WAN Multi-Cloud, cloud-based applications are intelligently and dy- namically routed to the best available path – minimising risk of performance disruption caused by unpredictable cloud traffic and resulting in an overall improved end-user experience and increased productivity.

Performance visibility across WAN and Cloud, powered by SD WAN analytics

Customers are in full control of their network with Colt SD WAN Multi-Cloud, which provides comprehensive visibility of network performance across both WAN and Cloud. Having this visibility enables customers to monitor, trouble- shoot, and make decisions to improve performance across their network.

Support of Cloud-to-Cloud communication

In many cases, customers’ data will travel through multiple cloud environments. Rather than sending that traffic from branch site to one CSP and backhauling to a data centre or SD WAN gateway to reach another, traffic is routed over ded- icated tunnels from one CSP’s environment to the other. This means reduced latency and optimised performance for the end-user.

Security (Firewall/NAT) between Public and Private Cloud domains

Security remains a top concern for enterprises, particularly in adopting new technologies like Multi-Cloud. With the security features available with SD WAN Multi-Cloud – including Firewalls and NAT (Network Address Translation) – customers can be assured that customer network is secured from the cloud public domain.

With SD WAN Multi-cloud, we can support multiple connections towards differ- ent or same CSP’s using Colt’s Cloud Gateway infrastructure. These connections are always configured as active-active individual connections.

4.20.1 SD WAN Services into Amazon (Amazon Web Services)

Connectivity to Amazon Web Services can be added towards the SD WAN network. Connectivity to AWS can be added to an existing SD WAN network or ordered as part of a new SD WAN deployment. Colt advises customers to establish resilient connects into AWS by default, to create high Cloud connectivity performance towards the SD-WAN locations.

In both cases, connectivity towards AWS from/to the SD WAN network goes via a Cloud Gateway in the Colt IQ Network

Colt support both the ‘hosted’ AWS Direct Connect option and the ‘dedicated’ AWS Direct Connect port option into Amazon.

For hosted connections customers can choose bandwidth from 50Mbps- 500Mbps in all hosted locations. For dedicated connections bandwidth from 50Mbps up to 1Gbps are supported, please find an overview below:

The existing maximum capacity per Cloud Gateway per customer is 2Gbps. Bandwidths >2Gbps can be supported by distributing connections across 2 or more Cloud Gateways.

The Cloud Gateway supports features like NAT and firewall (for enhanced security).

SD WAN solution into AWS by default supports Cloud-to-Cloud communications between different CSPs, which means that traffic between CSPs does not have to enter the SD WAN network which reduces latency. Customers can order connectivity to any AWS location/region, connected by Colt.

Colt has deployed multiple Cloud Gateways in Europe and Asia to enable resilient connectivity into AWS. To ensure optimal performance of cloud connectivity services on the SD-WAN, customers are requested to order resilient services for AWS.

Colt is a direct partner of AWS and is able to interconnect towards multiple AWS Cloud on-Ramps locations within a metro or cloud region. To offer best performance, Colt routes the Cloud traffic through diverse Cloud Gateways in the Colt IQ Network. Each AWS peering is configured via the AWS Console to support one of the following AWS Virtual Interface types: Private VIF, Public VIF or Transit VIF. For SD-WAN Transit VIF is considered as a Private VIF. Transit VIFs require a bandwidth of 1Gbps and are supported both on AWS Direct Connect Hosted and AWS Direct Connect Dedicated connections. Transit VIFs are available across the majority of Colt’s Direct Connect PoP locations in Europe, Asia and US. Customers are advised to check availability of 1Gbps hosted connections for the required AWS PoP location.

4.20.2 SD WAN Services into Microsoft Azure (ExpressRoute)

Connectivity to Microsoft Azure ExpressRoute services can be added towards the SD WAN network. Connectivity to Microsoft Azure can be added to an existing SD WAN network or ordered as part of a new SD WAN deployment. Colt advises customers to establish resilient connections into Microsoft by default, to create high Cloud connectivity performance towards the SD-WAN locations.

In both cases, connectivity towards Microsoft Azure from/to the SD WAN network goes via a Cloud Gateway in the Colt IQ Network. Note that Colt delivers 2 circuits by default into the Microsoft PoP (each circuit on different Microsoft interconnects).

Colt support ‘hosted’ Microsoft Azure ExpressRoute into Microsoft. It supports both connectivity to the “private” Microsoft domain and “Microsoft/public” domain of Microsoft.

For hosted connections customers can choose bandwidth from 50Mbps – 1Gbps, please find an overview below:

The existing maximum capacity per Cloud Gateway per customer is 2Gbps. Bandwidths >2Gbps can be supported by distributing connections across 2 or more Cloud Gateways.

The Cloud Gateway supports features like NAT and firewall (for enhanced security).

SD WAN solution into Microsoft Azure by default supports Cloud-to-Cloud communications between different CSPs, which means that traffic between CSPs does not have to enter the SD WAN network which reduces latency. Customers can order connectivity to any Microsoft location/region, connected by Colt.

Colt has deployed multiple Cloud Gateways in Europe and Asia to support resilient connectivity into Microsoft. To provide high performance of Cloud connectivity services on the SD-WAN the customer is asked to order resilient service towards Microsoft.

Colt is a direct partner of Microsoft and is able to interconnect towards multiple Microsoft Cloud on-Ramps locations within a metro or cloud region. To offer best performance, Colt routes the Cloud traffic through diverse Cloud Gateways in the Colt IQ Network.

4.20.3 SD WAN Services into Google Cloud Interconnect (GCI)

Connectivity to Google Cloud Interconnect Services can be added towards the SD WAN network. Connectivity to Google Cloud Interconnect can be added to an existing SD WAN network or ordered as part of a new SD WAN deployment. Colt advises customers to establish resilient connects into Google by default to create high Cloud connectivity performance towards the SD-WAN locations.

In both cases, connectivity towards Google Cloud Interconnect from/to the SD WAN network goes via a Cloud Gateway in the Colt IQ network.

Colt support the ‘GCI partner / hosted’ Google Cloud Interconnect option into Google Cloud. It supports connectivity to the “private” Google Cloud domain.

For hosted connections customers can choose bandwidth from 50Mbps – 1Gbps, please find an overview below:

The existing maximum capacity per Cloud Gateway per customer is 2Gbps. Bandwidths >2Gbps can be supported by distributing connections across 2 or more Cloud Gateways.

The SD WAN solution into Google by default supports Cloud-to-Cloud communications between different CSPs, which means that traffic between CSPs does not have to enter the SD WAN network which reduces latency. Customers can order connectivity to any Google location/region, connected by Colt.

Colt has deployed multiple Cloud Gateways in Europe and Asia in order to support resilient connectivity into Google. To provide high performance of Cloud connectivity services on the SD-WAN the customer is asked to order resilient service towards Google.

Colt is a direct partner of Google and can connect to multiple Google Cloud on-Ramps locations within a metro or cloud region. To offer best performance, Colt routes the Cloud traffic through diverse Cloud Gateways in the Colt IQ Network.

4.21 IPv6 support on LAN

IPv6 is supported on LAN-to-LAN communication for the customer (note that Internet Breakout for IPv6 is not supported).

Customers are allowed to provide their IPv6 address and gateway address to Colt, similar to IPv4.

• LAN IPv6 Static Routing

IPv6 route shall be added along with tag numbering using Versa director keeping the next-hop as IPv6 address according to customer’s requirement.

• LAN IPv6 Dynamic Routing

Dynamic routing support in IPv6 Colt SD WAN supports the customer to enable eBGP with IPv6 address family identifier between their Versa CPE and customer LAN device in native IPv6 address.

The BGP parameters of the customer device will be provided by the customer similar to the Dynamic routing IPv4 currently in production.

• Routing Policy requirement
• Customer Local AS Number
• Neighbour IPv6 address
• BGP Password

4.22 IPv6 Support on WAN

IPv6 support on WAN side has been enabled for single CPE, Single internet with IPv6 sites only.

The following types of Internet Access and options are supported:

• Colt IP Access
• 3rd party Internet
• Customer-owned Internet

Local Internet Breakout with basic firewall only has been supported with IPv6 only site.

To support LIB, It is mandatory to have both IPv6 WAN and IPv6 LAN range as NAT46 is not supported.

Note: CIB, Advanced security features with IPv6 only sites are not supported

4.23 SaaS Optimization

This feature provides optimal routing to selective SaaS applications to deliver the best end-user application experience.

In an SD-WAN network, a tenant or organization can reach a SaaS application using multiple WAN links. These WAN links can use different paths and even different transport networks. Because the transmission latency among different paths can vary, it is important to choose the best available path for optimal SaaS application performance.

It improvs Internet traffic steering rules by providing path selection based on user-defined SLA’s such as latency and packet loss to determine the best performance to specific SaaS Applications across:

• Multiple local internet breakout options at the branch and/or
• Both local and centralised internet breakout options

Note: Its available for up to 20 of the most common SaaS applications

4.24 Internet Egress QoS

Internet Egress QoS is a non-chargeable feature that allows the user to apply Quality of Service (QoS) on the egress (outgoing) traffic of Internet based links of the SDWAN CPE. This means that the user can now apply priority queuing and traffic shaping on Internet connections, allowing for control and prioritization of data traffic.

Internet Egress QoS, unlike QoS over MPLS is not end to end. QoS is not applied ingress (to the CPE), as such the Colt access router will not apply QoS. In case of non-colt internet, Colt and most likely also the customer will have no control over QoS.

Internet Egress QoS only impacts the SDWAN overlay and does not impact on underlay.

Some connection types have asymmetrical speeds (e.g. DSL), the reference bandwidth the customer should use in this case is the upstream (from CPE to Internet) bandwidth.

The configuration of Internet Egress QoS is done via the SDWAN portal only. The functionality  can be used by the customers who want to use the capability if required. The actual configuration only impacts the SDWAN CPE and affects the overlay only.

Internet Egress QoS can be configured for ON-NET, OLO or Bring your own (BYO) Internet links with the fixed bandwidths against which the policy can be configured. Internet Egress QoS cannot be configured for Wireless (3G/4G/LTE) WAN connections.

5. NetFlow & IPFIX

NetFlow is used for the collection and monitoring of network traffic flow data generated by NetFlow-enabled routers and switches. It enables analyses of network traffic flow and volume to determine where traffic is coming from, where it is going to, and how much traffic is being generated. NetFlow-enabled routers export traffic statistics as NetFlow records which are then collected by a NetFlow collector.

The collector does that actual traffic analysis and presentation to the user and can take the form of a hardware appliance or software. In our case we use software.

SDWAN CPE log forwarding to Analytics nodes and to third-party NetFlow collectors enables data analysis to provide required reports and data visualization. SDWAN devices export log data in IPFIX and syslog format.

To allow SDWAN devices to send log data to Analytics and third-party collectors, the log export functionality (LEF) is enabled on the device. To export log data from the devices to a NetFlow collector, a NetFlow collector, group, and profile are configured, followed by specifying which data to export.

Customers can request flow data in IPFIX format for their NetFlow collector through the SDWAN portal. The IPFIX feature will be available for all customers in the SDWAN portal. Customers need to configure collectors for selected sites/CPE to enable flow monitoring. The IPFIX feature will be enabled at the site level with the capability to copy the relevant IPFIX configurations for some or all sites in the SDWAN Portal.

Following information is captured in the Portal. Up to 5 collectors will be supported per site with following config per collector.

• NetFlow collector IP address– Max 5 (Only IPv4 address is supported by Versa)
• Port ID
• Protocol – TCP/UDP
• VRF instance (By default LAN-1 VRF)
• Frequency of flow record
• Match condition – L4 prefix/Application filter

Customer can choose the frequency at which the flow record will be updated based on what is supported on their collector.

• Start of flow – log data at the start of each session
• End of flow – log data at the end of each session
• Start and End – log data at the start and end of each session

Every 1 minute – log data every 1 minute while the flow is active.

Logging

No additional logging for Colt Analytics has been introduced through this development and no change to existing logging to Colt log servers. Flow logs (traffic monitoring) will be sent directly from CPE to Customer NetFlow collector only.

Only following Versa verified NetFlow collectors are supported

• Solarwinds;
• Cisco Stealthwatch;
• CA Technologies NetFlow

6. Log Forwarding

Overview

There is a growing demand for streaming logs to third party collectors for the purposes of audit, forensics and analytics that can provide actionable intelligence. In the SDWAN context, customers subscribing to firewall features may require firewall service logs for these purposes. The Versa platform is not designed to be a log streaming platform in terms of performance and log segregation perspective so Colt offers a Secure Log Forwarding service based on CPE firewall log forwarding to third part or customer collectors.

The service is an advanced level logging feature, delivered at a branch site level and known as the Secure Log Forwarding (SLF) feature.

The service is configurable via the SDWAN Portal for shipping logs towards up to two customer or third party collectors. The service supports two collectors for TCP streams but limited to only one for UDP streaming.

The service must be enabled in the Security tab in the Portal and is only available if the feature flag is set by Colt.

Supported log formats are Syslog or IPFIX.

Once one site has been configured with the required forwarding configuration, there is a bulk copy capability which can export one site-level configuration to other sites.

Versa CPE Log types

Versa CPE creates and forwards firewall session logs which this includes all enabled NGFW features, such as

• Security Policy
• URL/IP Filtering
• DOS
• IPS
• AntiVirus
• Decryption

For security policy firewall session logs, Colt have not to enabled logging for all sessions, but have enabled session logging for deny rules only as recommended . This configuration default for security features (URL filtering, AV, IDP/IPS) other than security policies and is to reduce risk of overutilizing bandwidth for log forwarding and CPE performance impact.

Caveats and Assumptions:

• This is a best efforts service which is based on the availability of the customer or third party collector.
• Colt do not monitor the SLF service feature over and above the CPE availability included in our SDWAN product.
• The feature flag must be requested to be activated by the customer.
• Configuration of SLF is customer responsibility only, rather than something Colt will configure on request, and must be done via the portal.
• If the SLF is configured to send FW logs towards customer’s syslog servers, this will mean these logs will no longer be present in the Colt deployment of Versa Analytics. This will mean Colt will not have direct visibility of such logs anymore for troubleshooting purposes unless they are provided to Colt by the customer.

Versa Director Log Forwarding (VDLF)

Overview

Along with Versa service logs such as the CPE Security logs as provided by our Secure Log Forwarding (SLF) service option, some customers require their own collection of logs from systems that control the SDWAN for security compliance and audit purposes. For Colt Versa SDWAN services, the Versa Director Audit logs keep track of all changes performed on the Versa Director API or CLI, so can be collected to provide visibility and reporting for changes made to the SDWAN, both by Colt as the service provider and by authorized customer administrators.

The Versa platform is not designed to be a log streaming platform in terms of both performance and log segregation perspective, so Colt offers a separate Director Log Forwarding service (DLF) for this purpose.

It should be noted that the DLF design is a ‘best effort’ service so is not supported by a Colt SLA. This means that the solution can contain single points of failure and may not provide logs during scheduled maintenance of the related platform.

DLF Service

When a Colt customer opts for this feature, the logs generated by the Versa Director platform are exported directly to a customer-provided log monitoring/collection tool.

Examples of the types of logs that customers are as follows:

1. Change log for firewall rules
2. Change log for QoS
3. Change for Traffic Steering
4. Change for other features such as DHCP and the logging service itself

An example of the format of the audit logs generated is shown below for a Colt customer:

—–

Dec  7 21:08:51 NV-VD01-MUM [07-Dec-2021 21:08:51.582][,,][INFO][https-jsse-nio-9183-exec-28][VOAE] username@IPC12345, 10.91.194.45:64975, modify, vni:”vni-0/0″, template:CPE-14-xxxxx-MYS-DUAL-MI-P , changeset:devices { template{CPE-14-xxxx-MYS-DUAL-MI-P} { config { interfaces { vni{vni-0/0} { – description TEST-123 + description TEST-1 + ether-options + hold-time } } } } }

—–

Colt Filtering and Forwarding Service

In order to ensure that the logs that are sent are segregated correctly per customer and irrelevant logs generated by the platform are not forwarded, Colt will filter the logs that are forwarded to the customer in the following ways:

• exclude any message containing “Event” : this will remove general platform alarms and events which are used by Colt to provide service assurance and maintenance.
• include any message containing the specific customer “IPC*”; this ensure only logs for the customer in question are sent. ‘IPC*’ is the format used by Colt in the Versa Director to identify different tenants on the platform, e.g. in the example log provided above, ‘IPC12345’ ensures only logs for that specific customer are forwarded by the service.
• A separate log forwarding server is used for the purpose of delivering the exclusions and ensuring the customer log forwarding segregation via appropriate scripting and processing, since Versa Director is not able to provide this filtering capability natively

Streaming Requirements

In order to securely stream the logs to the customer platform, Colt will initiate a TLS Encryption between the log forwarding server and the customer platform which should be reachable via a public IP address. Details of this encryption will be finalised with the customer during the project initiation, including the required process for Certificate Management and Renewal process of the certificates. TheSD WAN Gateway customer will be required to provide a certificate for this purpose and the detail of this will be gathered by the account team.

Caveats and Assumptions

• The output from the service has been tested with syslog-ng as the recipient collector but any stable log management system should be able to receive and process the logs without restriction
• This is a ‘best efforts’ service which is based on the availability of the customer or third party collector
• Colt do not monitor the DLF service feature over and above the Versa Director availability included in our SDWAN product
• The feature must be requested by the customer via our Colt Sales Engineer/Account Executive
• For clarity, Colt will not provide any support on the contents of the log that is being received by the customer. Colt will provide support if the logs are not being received by a customer but analysis and interpretation of the contents are the responsibility of the customer only
• Please note that by the nature of the service being associated with changes to the Versa Director, there may be no logs generated for extended periods
• It is the customer’s responsibility to initiate any required Certificate renewal process on expiry
• The output from the service has been tested with syslog-ng as the recipient collector but any stable log management system should be able to receive and process the logs without restriction

7. SD WAN Gateway

SD WAN gateways are primarily used to provide following functions:

• As transit hub for internetworking between SD WAN and Non SD WAN sites. This is currently used for interworking with legacy MPLS VPN sites.
• As an SD WAN hub for connecting SD Wan sites on disjoint transport networks e.g. an MPLS only site and internet site

Colt’s Versa SD WAN solution supports following types of SD WAN Gateways:

1. Shared SD WAN Gateway (Default option): SD WAN shared gateways are multi-tenant FlexVNF instances hosted by Colt in the SD WAN nodes. Shared SD WAN gateways are available on the shared Versa platform. These gateways come with 1+1 redundancy and provide 100mbps CIR bandwidth per customer. Allocation of shared gateways is determined based on internal rules, such as the shortest path and available capacity.
2. Dedicated Gateway: SD WAN customer dedicated gateways are hosted by Colt as VNF on the Colt NFVI platform. These dedicated gateways can be available on either a shared or a customer’s dedicated Versa platform. They come with standard redundancy options of 1+1, 2+0, and 2+1, with a bespoke 2+2 redundancy available within regions such as Europe, the US, or Asia. The dedicated gateways offer bandwidth options of 1G, 2G, or 5G, and the gateway VNF flavour is selected based on the chosen bandwidth.
3. Customer branch as a Gateway: This gateway option provides customers with flexibility to select one or more of their SD WAN sites as SD WAN gateways.

SD WAN gateway guidelines:

• Customers can now choose different SDWAN Gateway options for each region (Eu, USA, or Asia) as part of their overall SDWAN network.
• Customers can not mix Dedicated and Shared SDWAN Gateway options under a single SDWAN network.
• Customers must choose only one type of SDWAN Gateway option for each region. No mix & match allowed.
• As part of their SDWAN network, following are the ONLY allowed combination of SD WAN gateways options customer can choose in different regions,
  • “Shared SDWAN Gateways” and  “Customer Branch as SDWAN Gateways”.
  • “Dedicated SDWAN Gateways” and  “Customer Branch as SDWAN Gateways”.
• Possible number of customer branches as gateways in a region:
  • Minimum 2 or Maximum 4 in case of single CPE SD WAN sites
  • Minimum 1 or Maximum 2 in case of dual CPE SD WAN sites
• Customer branch as SDWAN GW must be on-boarded before onboarding any other branch CPE in the same region.

8. SD WAN QoS

The Colt SD-WAN platform allows customers to effortlessly monitor and manage their network through a user-friendly self-service portal. This platform enables users to set up and manage routing policies, enhancing agility, security, and IT responsiveness to business needs.

As part of our roadmap, we have developed IP QoS and CIB management features in our portal. Customers can manage QoS policies independently through the portal.

Colt SD WAN Qos Overview

• Customer QoS Classes + Routing & Management
• Premium (EF)
  • Business-1 (AF31)
  • Business-2 (AF21)
  • Business-3 (AF11)
  • Standard (Best Effort)
  • Management & Routing (AF41)

• QoS available on MPLS circuits only – traffic prioritised on MPLS WAN and across MPLS underlay
• DSCP rw (read-write) applied to inner and outer packet (Tunnel rw inner-to-outer)
• Customer defines (Currently in the order)
  • % Bandwidth for each class, max 50% for premium with 5% reserved for management/routing
  • Rules to map traffic to different QoS classes
    • Match on source/destination ip port, protocol, or DSCP
    • Match on Application (incl. source/destination ip)

• Recommendation – Voice & Video should be in Premium (TC1) & Data in Business 1, 2, 3 (TC2)
• SD WAN QoS guarantees the BW for each Traffic class
• SD WAN QOS gives flexibility of guaranteed BW for each Traffic class
• SD WAN QOS  provides easy management through portal
• SD WAN QOS  provides better reporting

9. Central Internet Breakout

The central internet breakout feature allows customer to purchase a shared/Dedicated/SD WAN branch infrastructure gateway that enables diverse paths for applications to breakout to the internet under policy.

• Shared GW – These gateways are traffic shaped to limit available bandwidth per customer
• Dedicated GW – These gateways provides higher bandwidths, high resiliency and Interworking.
• Customer branch as a Gateway: This gateway option provides customers with flexibility to select one or more of their SD WAN sites as SD WAN gateways

The SD WAN Gateway will be configured as Central Internet break-out for Customers requesting CIB functionality through ordering system to

• Provide basic Internet access to MPLS only sites.
• Provide Internet backup over MPLS for hybrid sites.
• Application Based Internet Breakout

Existing SDWAN gateways will be configured to provide Internet access for all the SDWAN sites by default for the Customers enabled with CIB.

P.S. Ensure traffic classification does not conflict with SDWAN policy; if it does, SDWAN policy will override Internet policy.

9.1 Application Based Internet Breakout

Application-based internet breakout enables users to direct specific application traffic to a designated Internet uplink or CIB according to their business policies.

The Colt SD WAN portal enables customers to configure application-based internet breakout policies as detailed below:

• SDWAN policy with Next-hop priorities will be used in order to steer Internet traffic based on Application type.
• SDWAN policy with Next-hop definition will override the routing decisions and selectively send traffic over preferred Internet uplink or CIB.
• Traffic for applications not specified in SDWAN policy will be forwarded based on routing table lookup

10. Security+

Colt SD WAN Security+ feature set is ideal for Customers needing protection against modern web-based security threats like malware attacks, targeted attacks, application layer attacks; these attacks exploit weaknesses in applications, rather than weaknesses in networking components and services which are traditional attacks and can be prevented by a stateful firewalls.

Security+ is a powerful on prem security tool which encompasses NGFW & UTM (unified Threat Management Features). When customer upgrades to Security+ automatically NGFW & UTM features are enabled. UTM comprises are key security features such as

• Intrusion Detection(IDS)
• Intrusion Protection(IPS)
• Anti-Virus(AV)

Intrusion Detection & Protection (IDS & IPS)

A security vulnerability is an unintended flaw that allows malicious users to surreptitiously attack a network. Attackers can exploit such vulnerabilities to break into and damage the network by changing, destroying, or stealing secured or confidential information, or by installing malware.

To protect a network against security vulnerabilities, Versa  unified threat management (UTM) capabilities include intrusion detection and prevention (IDP). IDP is a pre-emptive approach to network security that identifies potential threats and responds to them based on user-defined policy.

Intrusion Detection (IDS)

• Signature Detection
• Alert Administrator

Intrusion Protection (IPS)

• Alert Administrator
• Drop Malicious Packets
• Blocking the source address & Reset

Client Protection

Client traffic is the request which gets initiated to the server, which is hosting services, the service could be web, mail, file service etc., In such case the protection is applied to prevent client from downloading any virus or preventing from any intrusions.

Server Protection

For those customers who wish to publish their services to the internet world, there should be a protection applied for such incoming malicious attempts. In such case the protection can be applied in the firewall rule where access is enabled for the server. In this way all incoming traffic to the services get inspected through IDP & AV and the clean traffic gets forwarded to the server.

Caveats For AV and IPS

• Not supported for MPLS only sites and towards SDWAN traffic now,
• Limited to Versa CPE models 220,810 and 1800 only
• Logging limitations due to existing infrastructure capacity constraints
• AV/IPS/SSL decryption Impacts Performance due to the CPU intensive process involved on this.
• AV is not supported with protocol MAPI currently.
• SNAT support for East-west firewall rule is limited to single CPE deployment
• SNAT,DNAT,DDOS is supported only with single cpe topologies now.

Antivirus Protection

Our antivirus engine which can scan the live traffic and it scans the files after the entire file is received. When the file is extracted and buffered, the file is trans- ferred to the destination except the last data packet. Once the virus scan is performed the rest of the file is transferred or blocked to the destination depending upon the action defined in the policy.

• NGFW policy with Antivirus profile: We can configure one or more antivirus profiles and be configured under the NGFW access policy rules. it’s enforced only for the traffic that matches that rule.
• Direction: We support the antivirus scanning of file extracting only from upload or download direction as default. As on option we should be able to provide both directions scanning too.
• Protocols & File Type: We support file extraction from all protocols and file types supported by versa

Protocols:

• Web traffic sent using FTP and HTTP
• Email traffic sent use IMAP,POP3, and SMTP

7zip	Docx	mach_o	mpeg	class	tar	c
Cpp	Lha	php	ppptx	gif	xml	exe
Html	Msoffice	rtf	torrent	mdi	coff	targa
mp3	Rar	xls	appleplist	doc	pl	gzip
Ppt	Wav	cab	reg	jpeg	rm	mov
Tif	Bat	flv	wmf	msi	wmv	zip
android	Dwg	mdb	bmp	psd	txt
Dll	Lnk	pif	elf	lzh	avi
Jar	Pdf	sh	xlsx	Pgp	png

• Performance Benchmark: Portal shall display the top malwares, antivirus attacks on the traffic flowing on the network. It shall also provide the attackers, victims and applications infected via analytics. We have the alerting mechanism to send real time warning upon any security vulnerability observed (e.g. Virus found in transmitting / receiving file) Similar to IDP caveat there is limitation in terms of storing logs and performing historical or real time intelligent analysis of traffic to alert the customers and needs to be considered/ vetted and provided to customer later in the product roadmap.

11. NGFW

Colt SD WAN uses an integrated Next Generation firewall that offers advanced firewall capabilities integrated with SDWAN router, the functionality can be configured via Colt SDWAN portal. The Advanced firewall capabilities allow the customer to connect separate LAN and DMZ networks to the SD WAN CPE and is used in combination with the local Internet breakout feature.

Colt also offers The Denial of Service (DoS) protection feature with Versa SDWAN. It is used to protect services on the customer LAN or DMZ that are exposed to the Internet e.g. web servers, mail servers. It is only supported in combination with the DMZ / destination NAT feature for the traffic from the Internet towards the LAN/DMZ.

P.S: SD Wan portal supports DDoS policy management for single CPE topologies as standard IP Filtering

Traffic passing through the network may have IP addresses that are associated with a bad reputation and that may cause security risk to your network. To block these IP ad- dresses based on IP address reputation and IP address metadata such as geolocation, you can configure IP address filtering profiles and then associate them with security policy. IP filtering is based on the reputation associated with an IP address and its geo- location where you can filter traffic based on IP reputation and IP address metadata (that is, geolocation). Versa Networks provides an IP reputation feed that is updated both through Spack updates. It will be supported from NGFW service enabled CPEs.

Following are the requirements to be referred for development of IP filtering solution

NGFW policy with IP filtering profile:

We can configure one or more Ip-filtering profiles and are configured under the NGFW access policy rules. It is enforced for the traffic that matches that rule.

IP filtering Profiles supports user defined profiles in which it supports to create rules for both IP reputation and Geolocation based filtering. Each IP filtering profile object consists of the following:

1. Rules for geolocation-based actions- It will be supported with either one or multiple actions in one profile
2. Rules for IP reputation–based actions -It will be supported with either one or multiple actions in one profile

IP reputation:

IP filter profile supports using the following predefined IP reputations:

• BotNets
• Denial of service
• Phishing
• Proxy
• Reputation
• Scanners
• Spam sources
• Web attacks
• Windows exploits

Geolocation

Colt provides a list of predefined regions that provided by vendor versa which you can use to create IP filter profiles based on geolocation.

In addition, it will support matching the IP address based on the following match criteria:

• Source IP address
• Destination IP address
• Source or destination IP address
• Source and destination IP address

You can enforce the following actions when a session’s IP address matches the condi- tions in the IP filtering profile:

• Allow
• Alert
• Drop packet
• Drop session
• Reset

Note: Default action will be in effect, if the user defined actions are not matched for the customer traffic.(Similar like URLF)

IP filtering profile will be override though we have URLF profiles matching the same traffic pattern. So, it must be created accordingly to meet customer requirements through SDWAN portal.

IP filtering analytics requirements:

1. IP-Filter monitoring fields
2. IP-Filtering Analytics

Note in scope:

• Predefined IP filtering profiles
• Override of URLF profile in IP filtering profile.
• Custom IP reputation action
• Whitelisting and Blacklisting of IP address in IP Filtering profile

URL Filtering

To address the customer demand on ever growing SDWAN space, besides other features such as firewall, AAR etc. It is imperative need for customers to use web safely for business needs. URL filtering is one of best features available in the market which is provided by many vendors such as Versa, Zscaler, Fortinet, Barracuda and Palo Alto etc.

URL filtering is mainly used for blocking certain URL from loading on company’s network, If an employee would attempt to visit this URL, either by entering it manually or clicking a link in a search engine, they will be redirected to a page notifying the content is blocked. URL filtering relies on filtering databases that classify URLs by topic; each topic in this system is either “blocked” or “allowed.”

Administrators are capable of setting up blocklists for individual URLs, blocking specific websites they know to be dangerous or harmful. More broadly, administrators can block entire URL categories, block listing entire groups of websites at once.

The Colt SDWAN URL filtering solution is a powerful next generation firewall feature that is used to monitor and control how users access the web over HTTP and HTTPS. This feature can be used to gain complete visibility and control of the traffic that traverses your firewall and will be able to safely enable and control how your users access the web. We use versa URLF NG firewall service to enable URLF feature in which it can perform URL categories and reputation including customer-defined, Cloud-based lookups, Policy trigger based on URL profile (blacklist, whitelist, category and reputation) action include allow, alert, block and Captive portal response including customer defined actions include block, ask, Override and justify by URLF profile.

Sales to capture the URL filtering requirement in EOF at site level and URLF feature is enabled for all the Customers in SDWAN portal. Customers can configure URL rules for selected sites/CPE to enable URLF under firewall.

Category Based Filtering

Security access rule with URLF profile for ex. allowing Social sites category and blocking job sites.

Reputation Based Filtering

Security access rule with URLF profile for ex. allowing Trustworthy & Low risk reputation sites and blocking high risk and suspicious reputation sites

URL Filtering Setup

Topologies supported.

Please find the various single CPE topologies supported with standard deployments as mentioned below,

• Internet Only Single CPE (INT)
  • Internet Only Single CPE (LTE)
  • Hybrid CPE Single CPE (INT & MPLS)
  • Hybrid CPE Single CPE (LTE & MPLS)
  • Dual Internet Single CPE (INT & INT)
  • Dual Internet Single CPE (INT & LTE)
  • SINGLE-CPE-DUAL-INTERNET-HYBRID-LTE (New MWL)

Please find the Dual CPE topologies supported with standard deployments as mentioned below,

• Dual Internet Dual CPE (INT & INT)
• Dual Internet Dual CPE (INT & LTE)
• Hybrid Dual CPE (INT & MPLS)
• HYBBRID Dual CPE (LTE & MPLS)
• DUAL-CPE-DUAL-INTERNET-HYBRID-LTE-PRI (New MWL)
• DUAL-CPE-DUAL-MPLS-HYBRID-LTE-PRI (New MWL)
• DUAL-CPE-TRIPLE-INTERNET-LTE (New MWL)
• DUAL-CPE-TRIPLE-INTERNET (New MWL)
• DUAL-CPE-DUAL-INTERNET-HYBRID (New MWL)
• DUAL-CPE-DUAL-MPLS-HYBRID (New MWL)
• DUAL-CPE-DUAL-HYBRID-DUAL LTE (New MWL)
• DUAL-CPE-QUAD-INTERNET (New MWL)
• DUAL-CPE-TRIPLE-INTERNET-HYBRID (New MWL)

URLF filtering has been developed and productized as below:

URLF Phase -1

Under this phase for all standard customers the following features are developed

• Filtering of Web traffic for standard/Bespoke CPEs based on the Whitelist, Black list, Category and Reputation With URLF actions supported
  • Alert
  • Allow
  • Block.

URLF Phase -2

Under this phase for all standard customers the following features are developed

• Filtering of Web traffic based on the Whitelist, Backlist, Category and reputation With URF actions supported
  • Alert
  • Allow
  • Block
  • Ask
  • Justify along with Captive portal and SSL decryption.

URLF Phase -3 & 4

Under this phase for all standard customers the following features are developed

• Filtering of Web traffic based on the Whitelist, Black list, Category and reputation With URLF actions supported
  • Alert
  • Allow
  • Block
  • Ask
  • Justify
  • User defined action (Override/Ask/Block/Justify) along with Captive portal ,
  • SSL decryption
  • SSL-decryption Bypass feature

Bulk URLs upload feature in portal.