KB Article | Forcepoint Support

Problem Description

Forcepoint NGFW with Multi-Link provides a mature and secure SD-WAN solution with no additional costs or licenses. Combine the unrivaled security of Forcepoint NGFW with all the benefits of Multi-Link including high availability, network optimization, zero-touch deployment, and lower TCO for your secure SD-WAN.


Unlike other SD-WAN solutions, Multi-Link SD-WAN is a mature and proven technology that has been in commercial use since 2004. It is fully integrated with Forcepoint NGFW and continues to be actively developed.

Forcepoint Multi-Link SD-WAN is a fully featured SD-WAN solution that delivers:

  • High availability: Achieve total business continuity with no downtime or broken connections during scheduled maintenance breaks or unplanned service outages.
  • Automatic network optimization: Use the best path for all traffic and avoid congestion with dynamic load balancing based on link performance, packet loss, and available bandwidth.
  • Flexible control: Guarantee priority and bandwidth for critical and latency-sensitive applications and specify which paths should balance particular types of traffic with optional QoS features.
  • Simplified management: Easily scale and modify your SD-WAN to accommodate new locations, applications, usage patterns, and cost requirements with centralized management and zero-touch deployment.
  • Lower TCO: Reduce or replace expensive equipment and services like MPLS by balancing more or all of your traffic across lower-cost alternatives with no investments.
  • Unrivaled security: Protect your users and data from end to end with IPsec or SSL VPN tunneling and the unrivaled security of Forcepoint NGFW.

This article provides instructions on how to create a secure SD-WAN in the Forcepoint Security Management Center (SMC) by combining a preexisting site-to-site policy-based VPN with Multi-Link.

Although not covered here, Multi-Link also supports dynamic load balancing and high availability for route-based VPNs and inbound and outbound Internet connections. Refer to your NGFW Product Guide for more details on these and related topics.


  1. Multi-Link secure SD-WANs
    1. NetLinks and VPN links
    2. Link modes, load balancing, and failover
    3. QoS classes
    4. Requirements and limitations
  2. Creating and configuring your SD-WAN
    1. Step 1: Create your NetLinks
    2. Step 2: Add your NetLinks to your VPN Gateway firewalls
    3. Step 3: Configure your VPN links
    4. Step 4: Enable your SD-WAN VPN on your Gateway firewalls
    5. Example SD-WAN VPN link configuration

Multi-Link secure SD-WANs

A Multi-Link secure SD-WAN combines a typical VPN with Multi-Link features. The VPN provides secure tunneling for the SD-WAN while Multi-Link delivers the rest:

  • Network optimization with dynamic path selection and load balancing based on link latency, packet loss, and available bandwidth
  • High availability with Active and Standby modes available for each link based on traffic type
  • Centralized management with configuration of load balancing and high availability for all of your SD-WAN VPN links from a single view
  • Support for any combination of connections mediated by your firewall, including cable and fiber Internet, MPLS, xDSL, LTE, and leased lines

This guide focuses on the 3 main components used when configuring your Multi-Link SD-WAN: NetLinks, VPN links, and QoS classes. Each is discussed briefly below.

NetLinks and VPN links

NetLinks are logical elements representing alternative routes that lead to the same destination IP addresses. Usually a NetLink is an ISP connection, but it can also be any other type of network connection mediated by your NGFW.

A Multi-Link secure SD-WAN configuration with a policy-based VPN uses NetLinks as separate routes from one VPN Gateway to another. Each of these routes can form a separate sub-tunnel interface called a VPN link. Multi-Link manages traffic across VPN links that share the same pair of Gateway peers.

In a typical secure WAN configuration without Multi-Link, a single tunnel interface is formed between two VPN Gateway peers using a single endpoint at each peer. In a Multi-Link secure SD-WAN configuration, a Gateway with multiple NetLink endpoints can form multiple VPN link sub-tunnel interfaces with another peer.

For example, if Gateway A has 3 NetLinks reaching Gateway B, and Gateway B has 2 NetLinks reaching Gateway A, a total of 6 VPN links can be formed between the two peers.

Wherever a VPN Gateway has multiple routes to a peer using NetLinks, Multi-Link provides failover and load balancing for the traffic between them according to their link modes and QoS classes.

Link modes, load balancing, and failover

Each VPN link can be designated as Active or Standby for some or all traffic.

If there are multiple VPN links in Active mode between two Gateways, Multi-Link monitors the available bandwidth, packet loss rate, and latency of each link and employs fuzzy logic calculations and active balancing to determine which link to use for each connection.

Note: Aggregate mode is also available as a link mode which balances connections on a packet-by-packet basis. This mode is not recommended for use as it often results in decreased performance due to packet reordering. Active mode is the default and recommended mode for load balancing in a Multi-Link SD-WAN.

Standby VPN links act as backups that are only activated when all applicable Active links fail. Standby mode can be used to minimize the use of links that are more expensive or otherwise less preferable while still ensuring high availability of connectivity.

Multi-Link guarantees that even if one or more VPN links fail, your SD-WAN service will continue as long as some link is available. When a link fails, any open TCP connections using that link will automatically failover to another one (if available) to prevent breaking the connection.

QoS classes

To further manage Multi-Link SD-WAN network optimization, you can assign QoS classes to different types of traffic and select which VPN links will manage them. VPN links can use different link modes for each QoS class of traffic they manage. This allows for highly flexible SD-WAN configurations where path selection is optimized for many different scenarios simultaneously. For an example, see the SD-WAN VPN link configuration below.

Additionally, you can use a full QoS implementation to further control your SD-WAN traffic with features such as prioritization, bandwidth guarantees, and DSCP marking and matching. Multi-Link SD-WAN VPN links can be configured to use QoS classes with or without a full QoS implementation.

Requirements and limitations

  • Multi-Link for SD-WANs is fully supported only for VPN links with a Forcepoint NGFW engine or cluster configured as a VPN Gateway at both ends. If an external Gateway allows configuring multiple VPN links between two devices, some Multi-Link features may still be available.
  • Only VPN links with two or more external network connections (NetLinks) mediated by one of the link's VPN Gateways can benefit from Multi-Link.
  • No additional licenses or fees are required to use Multi-Link.

Creating and configuring your SD-WAN

Before you begin, create and configure the policy-based site-to-site VPN used by your Multi-Link SD-WAN including its VPN Profile, Sites, and Gateway firewalls. Consult your Forcepoint NGFW Product Guide for detailed instructions.

Once you have a working VPN configuration, only a few steps are required to add Multi-Link SD-WAN features. Each step is outlined below.

Step 1: Create your NetLinks

Complete this step for each SD-WAN VPN Gateway firewall that has multiple VPN links to another Gateway.

  1. Create a NetLink element for each VPN link:
    1. From the Configuration view, click on Network Elements > Traffic Handlers and add a new Static NetLink or Dynamic NetLink. Static NetLinks connect to statically addressed firewall interfaces, while Dynamic NetLinks connect to dynamically addressed firewall interfaces.
      Note: If your firewall has several interfaces with dynamic IP addresses, you must create a separate Dynamic NetLink element for each dynamically addressed interface.
    2. If using a Static NetLink, select its next-hop Gateway and Network. Here, Network refers to the address space allocated to the NetLink by its service provider.

Step 2: Add your NetLinks to your VPN Gateway firewalls

Complete this step for each SD-WAN VPN Gateway firewall that has multiple VPN links to another Gateway.

  1. Add and configure any missing interfaces or VPN endpoints to your firewall. Your firewall should have at least one interface to connect to each NetLink. Consult your NGFW Product Guide for help with adding and configuring firewall interfaces and VPN endpoints.
    Tip: We recommend using a separate network interface for each NetLink. Although it is possible to configure multiple NetLinks for a single network interface, this introduces a single point of failure.
  2. Add each NetLink to its corresponding Gateway firewall interface:
    1. Open your Gateway firewall's Routing (tree) view and expand the interface that connects to your NetLink's network.
    2. Right-click the network, select Add Static/Dynamic NetLink, and choose the NetLink you wish to add.
    3. Add routes for your NetLink by right-clicking the NetLink element and selecting Set as Default Route to add a default route or Add... to add a route to a particular element or Network.
      Note: Setting multiple NetLinks as a default route is a valid configuration. A typical configuration of a Gateway with multiple NetLinks is to set each NetLink as a default route. Link modes and QoS classes can be used to further control which routes your SD-WAN traffic will take (see Step 3: Configure your VPN links below).
Example SD-WAN gateway firewall routing tree
Example SD-WAN gateway firewall routing tree

Step 3: Configure your VPN links

Your VPN settings control how Multi-Link manages traffic between your SD-WAN VPN links. In this step you can set the default link modes for each VPN link as well as additional link modes for handling separate QoS classes. An example VPN link configuration using QoS classes is provided at the end of this guide for reference.

Complete this step for each pair of VPN Gateways in your SD-WAN with multiple VPN links between them.

  1. Open the Tunnels tab of your policy-based VPN and select a peer pair in the Gateway ↔ Gateway section. The Endpoint ↔ Endpoint section now lists your chosen peer pair's VPN links.
  2. For each VPN link in the Endpoint ↔ Endpoint section, do the following:
    1. Choose a link mode for the VPN link by right-clicking its Mode cell and selecting a link mode. The VPN link will use this link mode for all traffic except for traffic classified as one of its QoS exceptions (see below).
    2. (Optional) Add QoS classes and additional link modes to the VPN link:
      1. Right-click the link's Mode cell and select Edit Mode to open the link's Link Mode Properties menu.
      2. Add a QoS class for the link to handle and select a link Mode under the QoS Exceptions section. The VPN link will perform in this link mode only for traffic matching the selected QoS class.
        Note: Active links assigned to a QoS class will failover to Standby links assigned to that class first. Once all links assigned to a QoS class have failed, links that are not assigned to the class will take over.

Step 4: Enable your SD-WAN VPN on your Gateway firewalls

Ensure that your Gateway firewalls' policy access rules employ your SD-WAN VPN for selected traffic. If you are using QoS classes to determine VPN link modes, also ensure these classes are assigned before your VPN is employed. For example, you may assign QoS classes to your traffic in a Continue rule that takes place before the rule that employs your VPN, or you may assign them in the same rule that employs your VPN. Consult your Forcepoint NGFW Product Guide for more information on firewall policy access rules.

Example SD-WAN VPN link configuration

In the example configuration shown below, two locations (HEL and WDC) form part of a full-mesh Multi-Link secure SD-WAN. The HEL location includes 4 VPN links and the WDC site includes 2 VPN links for a total of 8 possible links between them. However, since each link between an MPLS connection and a non-MPLS connection is disabled, only 4 links are used.

Example SD-WAN VPN link configuration with QoS classes
Example SD-WAN VPN link configuration with QoS classes

The example configuration has the following characteristics:

  • Low Priority traffic is handled exclusively by the Low Cost Internet link. This ensures that bandwidth on other links is reserved for all other traffic classes.
  • High Priority traffic is handled exclusively by the MPLS link. This ensures that all critical services and applications are covered by the MPLS Service Level Agreement.
  • Real-time traffic in this case is latency-sensitive but not business-critical, so it is balanced across both the Low Latency Internet and MPLS links.
  • All other traffic including traffic with no classification is balanced across the Low Cost and Low Latency links. This reduces bandwidth requirements on the MPLS link, as it is only needed to handle High Priority and some Real-time traffic.
  • Low Priority and High Priority traffic will both failover to the Low Latency link if their primary link fails.
  • The Backup link handles no traffic unless at least two other links fail. This minimizes costs of on-demand, usage-based connections.

Article Feedback

Thank you for the feedback and comments.