KB Article | Forcepoint Support

Problem Description

Forcepoint NGFW with Multi-Link provides a mature and secure SD-WAN solution with no additional costs or licenses. Combine the unrivaled security of Forcepoint NGFW with all the benefits of Multi-Link including high availability, network optimization, zero-touch deployment, and lower TCO for your secure SD-WAN.


Unlike other SD-WAN solutions, Multi-Link SD-WAN is a mature and proven technology that has been fully integrated with Forcepoint Next-Generation Firewall (NGFW) since its first release in 2001.

Forcepoint Multi-Link SD-WAN delivers all the benefits of a fully featured SD-WAN and more:

  • High availability: Achieve total business continuity with no downtime or broken connections during scheduled maintenance breaks or unplanned service outages.
  • Automatic network optimization: Use the best path for all traffic and avoid congestion with dynamic load balancing based on latency, packet loss, and available bandwidth.
  • Flexible control: Guarantee priority and bandwidth for critical and latency-sensitive applications and specify which paths should balance particular types of traffic with optional QoS features.
  • Simplified management: Easily scale and modify your SD-WAN to accommodate new locations, applications, usage patterns, and cost requirements with centralized management and zero-touch deployment.
  • Lower TCO: Reduce or replace expensive equipment and services like MPLS by balancing some or all of your traffic across lower-cost alternatives with no additional investments.
  • Unrivaled security: Protect your users and data from end to end with IPsec or SSL VPN tunneling and the unrivaled security of Forcepoint NGFW.


  1. About this guide
  2. Multi-Link secure SD-WANs
    1. NetLinks and VPN tunnels
    2. Tunnel modes, load balancing, and failover
    3. QoS classes
    4. Requirements and limitations
  3. Creating and configuring your SD-WAN
    1. Step 1: Create your NetLinks
    2. Step 2: Add your NetLinks to your VPN Gateway firewalls
    3. Step 3: Configure your VPN tunnels
    4. Step 4: Enable your SD-WAN VPN on your Gateway firewalls
    5. Example SD-WAN VPN tunnel configuration

About this guide

This guide provides instructions on how to create a secure SD-WAN in the Forcepoint Security Management Center (SMC) by adding Multi-Link capabilities to a typical site-to-site policy-based VPN.

Although not covered here, Multi-Link also supports dynamic load balancing and high availability for route-based VPNs and inbound and outbound Internet connections. Refer to your NGFW Product Guide for more details on these and related topics.

Multi-Link secure SD-WANs

A Multi-Link secure SD-WAN combines a typical VPN with Multi-Link features. The VPN provides secure tunneling for the SD-WAN while Multi-Link delivers the rest:

  • Network optimization with dynamic path selection and load balancing based on latency, packet loss, and available bandwidth
  • High availability with Active and Standby modes available for each tunnel based on traffic type
  • Centralized management with configuration of load balancing and high availability for all of your SD-WAN VPN tunnels from a single view
  • Support for any combination of connections mediated by your firewall, including cable and fiber Internet, MPLS, xDSL, LTE, and leased lines

This guide focuses on the 3 main components used when configuring your Multi-Link SD-WAN: NetLinks, VPN tunnels, and QoS classes. Each is discussed briefly below.

NetLinks and VPN tunnels

NetLinks are logical elements representing alternative routes that lead to the same destination IP addresses. Usually a NetLink is an ISP connection, but it can also be any other type of network connection mediated by your NGFW.

A VPN tunnel between two Gateways is formed by a pair of endpoints, one on each Gateway. In a typical policy-based WAN, each Gateway pair can only form a single tunnel because there is only a single endpoint pair to connect them to each other. In a secure Multi-Link SD-WAN, multiple endpoints can be added to a Gateway using NetLinks, which allows multiple tunnels to be formed between two Gateways. Multi-Link then manages and balances traffic across these tunnels for high availability and network optimization.

For example, if Gateway A has 3 NetLink endpoints reaching Gateway B, and Gateway B has 2 NetLink endpoints reaching Gateway A, a total of 6 tunnels can be formed between the two Gateways by using every combination of endpoints.

Wherever multiple VPN tunnels exist between two Gateways, Multi-Link provides failover and load balancing for the traffic across these tunnels according to their modes and QoS classes.

Tunnel modes, load balancing, and failover

Each VPN tunnel managed by Multi-Link can be designated as Active or Standby for some or all traffic.

If there are multiple tunnels in Active mode between two Gateways, Multi-Link monitors the available bandwidth, packet loss rate, and latency of each tunnel and employs fuzzy logic calculations and active balancing to determine which tunnel to use for each connection.

Note: Aggregate mode is also available which balances connections on a packet-by-packet basis. This mode is not recommended for use as it often results in decreased performance due to packet reordering. Active mode is the default and recommended mode for load balancing in a Multi-Link SD-WAN.

Tunnels in Standby mode act as backups that are only activated when all applicable Active tunnels fail. Standby mode can be used to minimize the use of connections that are more expensive or otherwise less preferable while still ensuring high availability of connectivity.

Multi-Link guarantees that even if one or more VPN tunnels fail, your SD-WAN service will continue as long as some tunnel is available. When a tunnel fails, any open TCP connections using that tunnel will automatically failover to another one (if available) to prevent breaking the connection.

QoS classes

To further manage Multi-Link SD-WAN network optimization, you can assign QoS classes to different types of traffic and select which VPN tunnels will manage them. VPN tunnels can use different modes for each QoS class of traffic they manage. This allows for highly flexible SD-WAN configurations where path selection is optimized for many different scenarios simultaneously. For an example, see the SD-WAN VPN tunnel configuration below.

Additionally, you can use a full QoS implementation to further control your SD-WAN traffic with features such as prioritization, bandwidth guarantees, and DSCP marking and matching. Multi-Link SD-WAN VPN tunnels can be configured to use QoS classes with or without a full QoS implementation.

Requirements and limitations

  • Multi-Link for SD-WANs is fully supported only for VPN tunnels with a Forcepoint NGFW engine or cluster configured as a VPN Gateway at both ends.
  • A Gateway must have two or more endpoints that form tunnels with another Gateway on the same VPN to use Multi-Link. Only traffic directed through these tunnels will benefit from Multi-Link.
  • No additional licenses or fees are required to use Multi-Link.

Creating and configuring your SD-WAN

Before you begin, create and configure the policy-based site-to-site VPN used by your Multi-Link SD-WAN including its VPN Profile, Sites, and Gateway firewalls. Consult your Forcepoint NGFW Product Guide for detailed instructions.

Once you have a working VPN configuration, only a few steps are required to add Multi-Link SD-WAN features. Each step is outlined below.

Step 1: Create your NetLinks

Complete this step for each SD-WAN VPN Gateway firewall that has multiple VPN endpoints reaching another Gateway.

  1. Create a NetLink element for each VPN link:
    1. From the Configuration view, click on Network Elements > Traffic Handlers and add a new Static NetLink or Dynamic NetLink. Static NetLinks connect to statically addressed firewall interfaces, while Dynamic NetLinks connect to dynamically addressed firewall interfaces.
      Note: If your firewall has several interfaces with dynamic IP addresses, you must create a separate Dynamic NetLink element for each dynamically addressed interface.
    2. If using a Static NetLink, select its next-hop Gateway and Network. Here, Network refers to the address space allocated to the NetLink by its service provider.

Step 2: Add your NetLinks to your VPN Gateway firewalls

Complete this step for each SD-WAN VPN Gateway firewall that has multiple VPN endpoints reaching another Gateway.

  1. Add and configure any missing interfaces or VPN endpoints to your firewall. Your firewall should have at least one interface to connect to each NetLink. Consult your NGFW Product Guide for help with adding and configuring firewall interfaces and VPN endpoints.
    Tip: We recommend using a separate network interface for each NetLink. Although it is possible to configure multiple NetLinks for a single network interface, this introduces a single point of failure.
  2. Add each NetLink to its corresponding Gateway firewall interface:
    1. Open your Gateway firewall's Routing menu in Tree View and expand the interface that connects to your NetLink's network.
    2. Right-click the network, select Add Static/Dynamic NetLink, and choose the NetLink you wish to add.
    3. Add routes for your NetLink by right-clicking the NetLink element and selecting Set as Default Route to add a default route or Add... to add a route to a particular element or Network.
      Note: Setting multiple NetLinks as a default route is a valid configuration. A typical configuration of a Gateway with multiple NetLinks is to set each NetLink as a default route. Tunnel modes and QoS classes can be used to further control which routes your SD-WAN traffic will take (see Step 3: Configure your VPN tunnels below).
Example SD-WAN Gateway firewall routing tree
Example SD-WAN Gateway firewall routing tree

Step 3: Configure your VPN tunnels

Your VPN settings control how Multi-Link manages traffic between your SD-WAN VPN tunnels. In this step you can set the default link modes for each VPN tunnel as well as additional modes for handling separate QoS classes. An example VPN tunnel configuration using QoS classes is provided at the end of this guide for reference.

Complete this step for each pair of VPN Gateways in your SD-WAN with multiple VPN tunnels between them.

  1. Open the Tunnels tab of your policy-based VPN and select a pair of Gateways in the Gateway ↔ Gateway section. The Endpoint ↔ Endpoint section now lists your chosen pair's available VPN tunnels.
  2. For each VPN tunnel in the Endpoint ↔ Endpoint section, do the following:
    1. Choose a mode for the VPN tunnel by right-clicking its Mode cell and selecting Active or Standby. The tunnel will use this mode for all traffic except for traffic classified as one of its QoS exceptions (see below).
    2. (Optional) Add QoS classes and additional modes to the VPN tunnel:
      1. Right-click the tunnel's Mode cell and select Edit Mode to open the tunnel's Link Mode Properties menu.
      2. Add a QoS class for the tunnel to handle and select a Mode under the QoS Exceptions section. The tunnel will perform in this mode only for traffic matching the selected QoS class.
        Note: Active tunnels assigned to a QoS class will failover to Standby tunnels assigned to that class first. Once all tunnels assigned to a QoS class have failed, any available tunnels that are not assigned to the class will take over.

Step 4: Enable your SD-WAN VPN on your Gateway firewalls

Ensure that your Gateway firewalls' policy access rules employ your SD-WAN VPN for selected traffic. If you are using QoS classes to determine VPN tunnel modes, also ensure these classes are assigned before your VPN is employed. For example, you may assign QoS classes to your traffic in a Continue rule that takes place before the rule that employs your VPN, or you may assign them in the same rule that employs your VPN. Consult your Forcepoint NGFW Product Guide for more information on firewall policy access rules.

Example SD-WAN VPN tunnel configuration

Example secure WAN (left) and secure SD-WAN with Multi-Link (right) tunnel topologies
Example secure WAN (left) and secure SD-WAN with Multi-Link (right) tunnel topologies

In the picture above, the diagram on the left represents a secure site-to-site WAN with VPN tunnels between three gateways at separate locations: LOC-1, LOC-2, and LOC-3. Without Multi-Link SD-WAN capabilities, only one tunnel between each pair of gateways is available and paths are selected statically based only on source and destination.

The diagram on the right represents the same three locations configured to use a secure SD-WAN with Multi-Link. This allows multiple tunnels to exist between gateway pairs where paths are selected dynamically based on the secure SD-WAN's configuration.

Example SD-WAN VPN tunnel configuration with QoS classes
Example SD-WAN VPN tunnel configuration with QoS classes

The example tunnel configuration above shows how tunnels between gateways LOC-1 and LOC-2 could be configured in SMC to provide high availability and load balancing. In this example, additional tunnel modes based on QoS classes are configured for enhanced control over path selection.

Note that LOC-1 includes 4 VPN endpoints and LOC-2 includes 2 endpoints for a total of 8 possible tunnels between them. However, since each tunnel between an MPLS connection and a non-MPLS connection is disabled, only 4 tunnels are used.

The example tunnel configuration has the following characteristics:

  • Low Priority traffic is handled exclusively by the Auxiliary Internet (1C-2B) tunnel. This ensures that bandwidth on other tunnels is reserved for all other traffic classes.
  • High Priority traffic is handled exclusively by the MPLS tunnel (1A-2A). This ensures that all critical services and applications are covered by the MPLS Service Level Agreement.
  • All other traffic including traffic with no classification is balanced across the Internet (1B-2B) and Auxiliary Internet (1C-2B) tunnels. This reduces bandwidth requirements on the MPLS tunnel, as it is only needed to handle High Priority traffic.
  • Low Priority and High Priority traffic will both failover to the Internet tunnel if their primary tunnel fails.
  • The Backup Internet tunnel (1D-2B) handles no traffic unless at least two other tunnels fail. This minimizes costs of on-demand, usage-based connections.

Article Feedback

Thank you for the feedback and comments.