Orchestrator User Guide 9.0.x 2020 08 03

Silver Peak Unity Orchestrator


User Guide

 
 
Orchestrator 9.0.x
Last updated on August 3, 2020
200095-003
Silver Peak Unity Orchestrator User Guide

Copyright and Trademarks


Copyright © 2020 Silver Peak Systems, Inc. All rights reserved. Information in this document is subject to change at
any time. Use of this documentation is restricted as specified in the End User License Agreement. No part of this
documentation can be reproduced, except as noted in the End User License Agreement, in whole or in part, without
the written consent of Silver Peak Systems, Inc.

Trademark Notification
Silver Peak, the Silver Peak logo, and all Silver Peak product names, logos, and brands are trademarks or registered
trademarks of Silver Peak Systems, Inc. in the United States and/or other countries. All other product names, logos,
and brands are property of their respective owners.

Warranties and Disclaimers


THIS DOCUMENTATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. SILVER PEAK SYSTEMS, INC. ASSUMES NO RESPONSIBILITY FOR ERRORS OR
OMISSIONS IN THIS DOCUMENTATION OR OTHER DOCUMENTS WHICH ARE REFERENCED BY OR LINKED TO THIS
DOCUMENTATION. REFERENCES TO CORPORATIONS, THEIR SERVICES AND PRODUCTS, ARE PROVIDED “AS IS”
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. IN NO EVENT SHALL SILVER PEAK SYSTEMS,
INC. BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY
DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY,
ARISING OUT OF OR IN CONNECTION WITH THE USE OF THIS DOCUMENTATION. THIS DOCUMENTATION MAY
INCLUDE TECHNICAL OR OTHER INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED
TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE
DOCUMENTATION. SILVER PEAK SYSTEMS, INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT
(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENTATION AT ANY TIME.

Silver Peak Systems, Inc.


2860 De La Cruz Boulevard
Santa Clara, CA 95050

1.877.210.7325 (toll-free in USA)


+1.408.935.1850

http://www.silver-peak.com/support

Copyright © 2020 Silver Peak Systems, Inc. All rights reserved 2


Support
For product and technical support, contact Silver Peak Systems at either of the following:

1.877.210.7325 (toll-free in USA)


+1.408.935.1850
www.silver-peak.com/support

We’re dedicated to continually improving the usability of our products and documentation.

If you have suggestions or feedback for our documentation, send an e-mail to [email protected].

If you have comments or feedback about the interface, send an e-mail to [email protected].

Contents

Getting Started 13

Overview of SD-WAN Prerequisites 14

Unity Overlays 16
Business Intent Overlays 17
Overview 17
SD-WAN traffic to internal subnets 17
Building SD-WAN using these interfaces 18
Service Level objective 18
Link Bonding Policy 18
QoS, Security, & Optimization 19
Breakout Traffic to Internet & Cloud Services 19
Hub versus branch breakout settings 19
Preferred Policy Order and Available Policies 20
Deployment Profiles 21
Mapping Labels to Interfaces 21
LAN–side Configuration: DHCP 21
WAN–side Configuration 22
Definitions 24
A More Comprehensive Guide to Basic Deployments 25
Bridge Mode 25
Router Mode 26
Server Mode 31
Deployment — EdgeConnect HA 32
Enabling EdgeConnect HA Mode 32
IPSec over UDP Tunnel Configuration 32
VRRP Configuration 33
LAN-Side Monitoring 33
Interface Labels 34
Firewall Zones 35
Apply Overlays 36
Internet Traffic 37
IPSec Pre-shared Key Rotation 38
Failure Handling and Orchestrator Reachability 38
Hubs 39
Discovered Appliances 40
Preconfigure Appliances 41
Appliance Configuration Wizard 43
Licenses 46
Cloud Portal 47
SSL Certificates Tab 48
SSL CA Certificates Tab 49
SSL for SaaS Tab 50

Network Configuration Tabs 52


DHCP Failover 53

DHCP Failover State 54


Regions 55
Regional Routing 55
View Status 56
Edit Regions 56
Routing Segmentation 57
Segment Configuration 57
Management Services 62
Inter-Segment DNAT Exceptions 64
Inter-Segment SNAT Exceptions 65
BGP Tab 66
Add Peer 69
BGP Inbound and Outbound Route Redistribution Maps 70
Virtual Tunnel Interface 73
VTI 74
Boost 75
Deployment Tab 76
Interfaces Tab 77
Terminology 78
Routes Tab 79
Route Maps 79
Import 82
Add Interface 84
OSPF Route Redistribution Maps 85
Multicast 87
Loopback 89
Loopback Orchestration 90
Peer Priority Tab 91
Admin Distance Tab 92
Management Routes Tab 93
VRRP Tab 94
VRRP Tab Settings 94
WCCP Tab 96
WCCP Settings 96
Service Group Advanced Settings 98
PPPoE Tab 100
DHCP Server Defaults 102
DHCP Settings 102
DHCP/BOOTP Relay Fields 103
DHCP Leases 104
Tunnels Tab 105
Troubleshooting 107
Using Passthrough Tunnels 107
Tunnel Groups Tab 108
Topology 108
Interfaces 109
Tunnel Exception 110
Schedule Auto MTU Discovery 111
NAT 112
NAT Rules and Pools 113

NAT Pools 113

Policy Configuration Tabs 115


DNS Proxy Policies 116
Configure DNS Proxy Policies 116
Route Policies Tab 117
Priority 118
Match Criteria 118
Source or Destination 118
Wildcard-based Prefix Matching 118
QoS Policies Tab 120
Handling and Marking DSCP Packets 120
Applying DSCP Markings to Optimized (Tunnelized) Traffic 121
Applying DSCP Markings to Pass-through Traffic 122
Priority 124
Match Criteria 124
Source or Destination 124
Wildcard-based Prefix Matching 125
Schedule QoS Map Activation 126
Optimization Policies Tab 127
Priority 127
Match Criteria 127
Source or Destination 128
Wildcard-based Prefix Matching 128
Set Actions 129
TCP Acceleration Options 130
NAT Policies Tab 133
Advanced Settings 135
Match Criteria 135
Source or Destination 135
Wildcard-based Prefix Matching 135
Set Actions 136
Merge / Replace 136
Inbound Port Forwarding 138
Security Policies Tab 140
Wildcard-based Prefix Matching 140
Access Lists Tab 141
Match Criteria 141
Wildcard-based Prefix Matching 141
Shaper Tab 142
SaaS Optimization Tab 145
Configuration Tab 145
Application Definitions 146
Application Groups Tab 147
Threshold Crossing Alerts Tab 148
ON by default: 149
OFF by default: 149
IP SLA Tab 152
Monitor Use Cases 153

Configuration Templates 161


Using Configuration Templates 162
System Template 163
Auth/Radius/TACACS+ Template 167
Authentication and Authorization 167
Appliance-based User Database 167
RADIUS 167
TACACS+ 168
What Silver Peak recommends 168
SNMP Template 169
Flow Export Template 171
DNS Proxy Policies 172
DNS Template 173
Logging Template 174
Minimum Severity Levels 174
Configuring Remote Logging 175
Banner Messages Template 176
HTTPS Certificate Template 177
User Management Template 179
Default User Accounts 179
Command Line Interface privileges 179
Date/Time Setting 180
Data Collection 180
SSL Certificates Template 181
SSL CA Certificates Template 183
SSL for SaaS Template 184
Tunnels Template 186
VRRP Template 189
Peer Priority Template 191
Admin Distance Template 192
Shaper Template 193
Dynamic Rate Control 193
QoS Policies Template 196
Priority 196
Match Criteria 196
Source or Destination 197
Wildcard-based Prefix Matching 197
Handling and Marking DSCP Packets 197
Applying DSCP Markings to Optimized (Tunnelized) Traffic 198
Applying DSCP Markings to Pass-through Traffic 199
Routes Template 202
Optimization Policies Template 203
Priority 203
Match Criteria 203
Source or Destination 203
Wildcard-based Prefix Matching 204
Set Actions Fields 205
Route Policies Template 206
Why? 207
Priority 207

Match Criteria 207


Source or Destination 207
Wildcard-based Prefix Matching 207
Set Actions Fields 208
NAT Policies Template 209
When to NAT 209
Advanced Settings 210
Match Criteria 211
Source or Destination 211
Wildcard-based Prefix Matching 211
Set Actions 212
Merge / Replace 212
Threshold Crossing Alerts Template 213
ON by default: 214
OFF by default: 214
TCA Metrics 215
SaaS Optimization Template 216
TIPS 217
Security Policies Template 218
Implicit Drop Logging 218
Template 218
Wildcard-based Prefix Matching 219
CLI Template 220
Session Management Template 221
Apply Template Groups 222
Management Services Template 223

Route Redistribution Template 224

Cloud Services 225


Microsoft Azure Virtual WAN 226
Azure Prerequisites 226
Orchestrator Prerequisites 226
Orchestrator Configuration 227
Verification 229
Works with Office 365 230
Use Cases 230
Zscaler Internet Access 231
Enabling Zscaler 233
Verification 233
AWS Transit Gateway Network Manager 235
Prerequisites for AWS Transit Gateway Network Manager 235
Create a User Profile in AWS 235
Create Transit Gateways 236
Create a Network Manager 237
Orchestrator Configuration 237

Monitoring Status and Performance 240


Dashboard 241
Topology Settings & Legend 242

Viewing Tunnels in the Topology Map 244


Live View 245
Historical Charts 246
Health Map 248
Alarms Tab 250
Disable Alarms 250
Customize Alarms 250
Alarm Severity 251
Alarm Recipients 251
Additional Alarm Indications 252
Schedule & Run Reports 253
View Reports 254
Sample Report 255
Scheduled & Historical Jobs 256
Appliance Bandwidth 257
Appliance Max Bandwidth 258
Appliance Bandwidth Utilization 259
Appliance Bandwidth Trends 260
Appliance Packet Counts 261
Application Bandwidth 262
Application Pie Charts 263
Application Trends 264
Firewall Drops 265
Top Talkers 266
Domains 268
Countries 269
Ports 270
Traffic Behavior 271
Overlay-Interface-Transport 273
Interface Bandwidth Trends 274
Interface Summary 275
Tunnels Bandwidth 276
Show Underlays 276
Traceroute 276
Live View 277
Tunnels Pie Charts 278
Tunnel Bandwidth Trends 279
Tunnel Packet Counts 280
DRC Bandwidth Trends 281
Dynamic Rate Control 281
Flows - Active & Recent 283
Reset or Reclassify Flows 284
Appliance Flow Counts 286
Appliance Flow Trends 287
Tunnel Flow Counts 288
DSCP Bandwidth 289
DSCP Pie Charts 290
DSCP Trends 291
Traffic Class Bandwidth 292
Traffic Class Pie Charts 293

QoS (Shaper) Trends 294


Works with Office 365 295
Use Cases 295
Live View 296
Loss 297
Loss Trends 298
Jitter Summary 299
Jitter Trends 300
Latency 301
Latency Trends 302
Out of Order Packets 303
Mean Opinion Score (MOS) - Summary 305
Mean Opinion Score (MOS) Trends 306
Tunnels Summary 307

Appliance Administration Tabs 308


Appliance User Accounts Tab 309
Auth/RADIUS/TACACS+ Tab 310
Authentication and Authorization 310
RADIUS and TACACS+ 310
Date/Time Tab 311
DNS (Domain Name Servers) Tab 312
SNMP Tab 313
Flow Export Tab 314
Silver Peak Custom Information Elements 314
Logging Tab 319
Severity Levels 319
Remote Logging 320
Banners Tab 321
HTTPS Certificate Tab 322
Orchestrator Reachability Tab 323
System Information 324
Software Versions 329
Upgrading Appliance Software 330
Appliance Configuration Backup 331
Viewing Configuration History 333
Restoring a Backup to an Appliance 334
Remove Appliance from Orchestrator 335
Remove Appliance from Orchestrator and Account 336
Synchronizing Appliance Configuration 337
Putting the Appliance in System Bypass Mode 338
Broadcasting CLI Commands 339
Link Integrity Test 340
TCPPERF Version 1.4.8 340
Disk Management 346
Erasing Network Memory 348
Rebooting or Shutting Down an Appliance 349
Behavior During Reboot 349
Scheduling an Appliance Reboot 350
Behavior During Reboot 350

Active Sessions Tab 353

Orchestrator Administration 354


Role Based Access Control 355
Assign Roles & Appliance Access 355
Roles 356
Appliance Access 356
Viewing Orchestrator Server Information 358
Restart, Reboot, or Shutdown 359
Managing Orchestrator Users 360
Adding a User 360
Multi-Factor Authentication 360
Configuring Multi-Factor Authentication through an Application 361
Configuring Multi-Factor Authentication through Email 362
Using Multi-Factor Authentication 362
Modify User 363
User Menu Access 364
Remote Authentication 366
Configuring a RADIUS or TACACS+ Server 367
Configuring an OAuth Server 367
To authenticate using RADIUS or TACACS+ 369
Configuring a JWT Server 369
Configuring a SAML Server 371
SAML and Orchestrator Configuration 371
Cloud Portal 374
Orchestration Settings 375
Audit Logs 375
Pause Orchestration List 377
Tunnel Settings Tab 378
Orchestrator Blueprint Export 382
Brand Customization 383
Maintenance Mode 384
Upgrading Orchestrator Software 385
Checking for Orchestrator and Appliance Software Updates 387
Backing Up on Demand 388
Scheduling Orchestrator Database Backup 389
SMTP Server Settings 390
Proxy Configuration 391
Orchestrator's HTTPS Certificate 392
Timezone for Scheduled Jobs 393
Orchestrator Statistics Configuration 394
Appliance Statistics Configuration 395
Orchestrator Advanced Properties 396
Changing Orchestrator's Log Level 397
Minimum Severity Levels 397
IP Whitelist 398
Orchestrator's Getting Started Wizard 399

Customer and Technical Support 401


Tech Support - Appliances 402

Tech Support - Orchestrator 403


Logging into the Support Portal 404
Monitoring Uploads 405
Packet Capture 406
Upload Local Files 407
Create a Support Case 408
Remote Access 409
Partition Management 410
Remote Log Receivers 411
HTTP Receiver Settings 411
HTTPS Receiver Settings 411
KAFKA Receiver Settings 412
SYSLOG Receiver Settings 412
WEBSOCKET Receiver Settings 413
Routing Peers Table 414
RMA Wizard 415
RMA Wizard 416
Upgrade and Downgrade 417
Built-in Policies 418
Realtime Charts 419
Historical Charts 420
Appliance Charts 421
Internal Drop Trends 422
Appliance Memory Trends 423
System Performance 425
Appliance Crash Report 426
Orchestrator Debug 427
IPSec UDP Status 428
Unverified Emails 429

Orchestrator General Settings and Reference 430


Guidelines for Creating Passwords 431

Getting Started
Orchestrator enables you to globally monitor performance and manage Silver Peak appliances, whether you're
configuring a WAN Optimization network (NX, VX, or VRX appliances) or an SD-WAN network (EC or EC-V appliances).

Overview of SD-WAN Prerequisites


With Orchestrator, you create virtual network overlays to apply business intent to network segments. Provisioning a
device is managed by applying profiles.

Interface Labels associate each interface with a use.

LAN labels refer to traffic type, such as VoIP, data, or replication.

WAN labels refer to the service or connection type, such as MPLS, internet, or Verizon.

Deployment Profiles configure the interfaces and map the labels to them, to characterize the appliance.

Business Intent Overlays use the Labels specified in Deployment Profiles to define how traffic is routed and
optimized between sites. These overlays can specify preferred paths and link bonding policies based on
application, VLAN, or subnet, independent of the brand and physical routing attributes of the underlay.

This diagram shows the basic architecture and capabilities of Overlays.

Including a new appliance into the Unity fabric consists of two basic steps:

 1. Registration and discovery. After you Accept the discovered appliance, the Configuration Wizard opens.

 2. Provisioning. Since the wizard prompts you to select profiles, it’s easiest to create these ahead of time.

Figure 1. The process of installing and provisioning an appliance for SD-WAN.

Unity Overlays
These topics describe the pages related to deploying a WAN optimization network or a software-defined Wide Area
Network (SD-WAN).

From a configuration standpoint, an SD-WAN uses Business Intent Overlays (BIOs), whereas a WANop network does
not.

Business Intent Overlays


Use the Business Intent Overlays (BIOs) tab to create separate, logical networks that are individually customized
to your applications and requirements within your network. By default, there are several predefined overlays
matching a range of traffic within your network.

The overlay summary table lets you compare values across your configured overlays. Select any link in the
table to launch the Overlay Configuration dialog. You can also temporarily save your changes before applying them
to your overlay; pending configuration updates are indicated by an orange box around the edited item. Select Save
and Apply Changes to Overlays when you are ready to apply the changes, or select Cancel to discard them.

Overview
Orchestrator matches traffic to an ACL, progressing down the ordered, priority list of overlays until it identifies the
first one that matches. The matched traffic is then analyzed against the overlay's Internet Traffic configuration, and
forwarded within the fabric, or broken out to the internet based on the preferred policy order. If the software
determines that the traffic is not destined for the internet, it refers to the WAN Links & Bonding Policy
configuration and forwards traffic accordingly within the overlay.

SD-WAN traffic to internal subnets


Overlay Configuration

You can begin to configure or modify a default overlay in the Overlay column. You can also select any icon on the
Business Intent Overlay page and the selected editor or dialog opens.

Complete the following steps to configure your overlay.

 1. Select the name of the overlay. The Overlay Configuration window opens. If you want to edit the default
overlay or create a new overlay, enter the new name of the overlay in the Name field.

 2. Select the Match field and choose the match criteria from the menu.

 3. Select the Edit icon next to the ACL field. To apply default ACL's or create your own, select Add Rule in the
Associate ACL window.

 4. Select Save.

Region

To view the region associated with your overlay, select the Regions icon in the Region column of the overlay
summary table. You can modify, remove, or edit overlay settings for a selected region by expanding the list at the
top right of the Overlay Configuration window. For more information about Regions, refer to the help in the
tab.

Topology

Select the type of topology you want to apply to your overlay and network. You can choose between the following
types of topology:

Mesh: Choose Mesh if you want to make a local network.

Hub & Spoke: Hubs are used to build tunnels in Hub & Spoke networks, and to route traffic between regions.
If you choose Hub & Spoke, any appliance set as a hub will serve as a hub in any overlay applied to it. Hubs in
different regions mesh with each other to support regional routing. To configure hubs, select the Hubs link at
the top of the page.

Regional Mesh and Regional Hub & Spoke: To streamline the number of tunnels created between groups
of appliances that are geographically dispersed, you can assign appliances to Regions and select Regional
Mesh or Regional Hub & Spoke.

 1. At the top of the page, select Regions.

 2. You can add and remove a region or view the status of each overlay within a selected region.

Building SD-WAN using these interfaces


You can select which WAN interfaces each device uses to connect to the SD-WAN. First, assign the interfaces you
want your traffic to use as Primary interfaces. If a primary interface is unavailable or not meeting the configured
Service Level Objectives, the Backup interfaces are used. Move the desired interfaces between Primary and
Backup. The interfaces are grayed out until moved into the Primary or Backup boxes.

Cross Connect allows you to define tunnels built between each interface label. Each appliance has a
maximum number of tunnels that it can support, and using Cross Connect increases the number of tunnels
created.

Add Backup if Primary Are: Specifies when the system should use the Backup interfaces.

Service Level objective


Traffic is routed through the primary interfaces exclusively, unless the service level thresholds for Loss, Latency, or
Jitter have been exceeded. If this occurs, backup interfaces are added so that the service level objective can be met.

NOTE  Primary interfaces may still be used to support the overall Service Level Objective.

Link Bonding Policy


You can select one of the following Link Bonding Policies to specify the criteria for choosing the best route
when data is sent across multiple tunnels and appliances.

High Availability: For critical services that cannot accept any interruption at all. For example, call
center voice or critical VDI traffic.
High Quality: For typical real-time services, such as VoIP or video conferencing. For example,
WebEx or business-quality Skype, VDI traffic.
High Throughput: For anything where maximum speed is more important than quality. For
example, data replication, NFS, file transfers, etc.
High Efficiency: For everything else. This option sends load balance information on multiple
links, with no FEC or overhead.

QoS, Security, & Optimization


To further customize your overlay configuration, enter the appropriate information for the following fields.

FW Zone: Select the firewall zone you want to restrict traffic from this overlay to.
Boost: Select True or False to specify whether to apply any purchased Boost to your overlay.
Peer Unavailable Option: Select where you want your traffic to go if a peer is unavailable: Use MPLS, Use
Internet, Use LTE, Use Best Route, or Drop.
Traffic Class: Channels traffic to the desired queue based on the applied service. Select Best Route or Drop.
LAN DSCP: Select the DSCP value you want to apply as a filter to the LAN interface.
WAN DSCP: Select the DSCP value you want to apply as a filter to the WAN interface.

Breakout Traffic to Internet & Cloud Services


You can use the Breakout Traffic to Internet & Cloud Services to monitor and manage traffic coming to or from
the internet.

Hub versus branch breakout settings


You can create different breakout policies for hubs. Any hub you select in the Topology section also displays at the
top of the Internet Traffic to Web, Cloud Services tab. When you select an individual hub, the Use Branch
Settings check box displays, selected, at the right of the screen. Complete the following steps to create a custom
breakout policy for that hub:

 1. Clear the check box for Use Branch Settings.

 2. Configure the now accessible parameters.

 3. Select OK.

Preferred Policy Order and Available Policies


You can move policies back and forth between the Preferred Policy Order and the Available Policies
columns. You can also change their order within a column. The defaults provided are Backhaul via Overlay,
Break Out Locally, and Drop.

When you choose Break Out Locally, confirm that any selected interface that is directly connected to the
Internet has Stateful Firewall specified in the deployment profile.

You can add services (such as Zscaler, Fortigate, or Palo Alto). The service requires a corresponding
Internet-breakout (Passthrough) tunnel for each appliance that sends traffic to that service. To add a service, select
the Edit icon next to Available Policies.

The Default policy you configure for internet breakout is pushed to all appliances that use the selected
Overlay. However, you might want to push different breakout rules to your hubs.
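The decision flow described in the Overview, Building SD-WAN, Service Level objective and Preferred Policy Order sections above, modeled as an added Python example (not Orchestrator code or any Silver Peak implementation). Overlay names, ACL fields, WAN labels, SLO thresholds and measured link statistics are constructed sample values.

```python
"""Overlay decision flow from this guide: first-match ACL down the ordered overlay list,
then the Preferred Policy Order for Internet destinations, otherwise the primary/backup
WAN links under the Service Level Objective. Added example; all values are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass
class Flow:
    src: str           # source IP address
    app: str           # classified application
    vlan: int
    to_internet: bool  # destination is the Internet rather than a fabric subnet

@dataclass
class AclRule:
    """One ACL entry; a field left as None matches anything (constructed schema)."""
    app: Optional[str] = None
    vlan: Optional[int] = None
    src_subnet: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if self.app is not None and self.app != f.app:
            return False
        if self.vlan is not None and self.vlan != f.vlan:
            return False
        if self.src_subnet is not None and ip_address(f.src) not in ip_network(self.src_subnet):
            return False
        return True

@dataclass
class LinkStats:
    loss_pct: float
    latency_ms: float
    jitter_ms: float

@dataclass
class Overlay:
    name: str
    acl: List[AclRule]
    primary: List[str]        # WAN labels used first, e.g. ["MPLS"]
    backup: List[str]         # added only when the SLO is breached
    slo: LinkStats            # Loss / Latency / Jitter thresholds
    policy_order: List[str]   # Preferred Policy Order for Internet traffic

def select_overlay(overlays: List[Overlay], flow: Flow) -> Optional[Overlay]:
    """Walk the priority-ordered overlays; the first one whose ACL matches wins."""
    for ov in overlays:
        if any(rule.matches(flow) for rule in ov.acl):
            return ov
    return None

def slo_breached(stats: LinkStats, slo: LinkStats) -> bool:
    return (stats.loss_pct > slo.loss_pct or stats.latency_ms > slo.latency_ms
            or stats.jitter_ms > slo.jitter_ms)

def choose_links(ov: Overlay, measured: Dict[str, LinkStats]) -> List[str]:
    """Primary links only, unless a primary breaches the SLO; then backups are added
    while the primaries stay in use (the NOTE under Service Level objective)."""
    primaries = [lbl for lbl in ov.primary if lbl in measured]
    if any(slo_breached(measured[lbl], ov.slo) for lbl in primaries):
        return primaries + [lbl for lbl in ov.backup if lbl in measured]
    return primaries

def breakout_policy(ov: Overlay, hub_reachable: bool, stateful_fw_on_inet: bool) -> str:
    """First usable entry of the Preferred Policy Order. Break Out Locally is taken only
    when the Internet-facing interface has the Stateful firewall, as the guide requires."""
    for policy in ov.policy_order:
        if policy == "Backhaul via Overlay" and hub_reachable:
            return policy
        if policy == "Break Out Locally" and stateful_fw_on_inet:
            return policy
        if policy == "Drop":
            return policy
    return "Drop"

def route_flow(overlays: List[Overlay], flow: Flow, measured: Dict[str, LinkStats],
               hub_reachable: bool = True, stateful_fw_on_inet: bool = True) -> Tuple[str, str, List[str]]:
    """Return (overlay name, forwarding decision, WAN labels used) for one flow."""
    ov = select_overlay(overlays, flow)
    if ov is None:
        return ("none", "Drop", [])
    if flow.to_internet:
        return (ov.name, breakout_policy(ov, hub_reachable, stateful_fw_on_inet), [])
    return (ov.name, "fabric", choose_links(ov, measured))

# Constructed sample: a voice overlay ahead of a catch-all default overlay.
VOICE = Overlay("Voice", [AclRule(app="voip")], ["MPLS"], ["INET"],
                LinkStats(1.0, 150.0, 30.0), ["Backhaul via Overlay", "Drop"])
DEFAULT = Overlay("Default", [AclRule()], ["INET", "MPLS"], [],
                  LinkStats(5.0, 400.0, 100.0),
                  ["Break Out Locally", "Backhaul via Overlay", "Drop"])
OVERLAYS = [VOICE, DEFAULT]
GOOD = {"MPLS": LinkStats(0.1, 40.0, 5.0), "INET": LinkStats(0.5, 60.0, 10.0)}
LOSSY_MPLS = {"MPLS": LinkStats(3.0, 40.0, 5.0), "INET": LinkStats(0.5, 60.0, 10.0)}
```

Running `route_flow(OVERLAYS, Flow("10.1.1.5", "voip", 100, False), LOSSY_MPLS)` returns `('Voice', 'fabric', ['MPLS', 'INET'])`: the lossy MPLS primary pulls the Internet backup in without being dropped itself.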

Deployment Profiles
Instead of configuring each appliance separately, you can create various Deployment Profiles and provision a
device by applying the profile you want. For example, you can create a standard format for your branch.

TIP  For a smoother workflow, complete the Configuration > DHCP Server tab before creating Deployment
Profiles.

You can use Deployment Profiles to simplify provisioning, whether or not you choose to create and use Business
Intent Overlays.

NOTE  You cannot edit IP/Mask fields because they are appliance-specific.

Mapping Labels to Interfaces


On the LAN side, labels identify the traffic type, such as data, VoIP, or replication.

On the WAN side, labels identify the service, such as MPLS or Internet.

To create a global pool of labels, either:

Click the Edit icon next to Label.

Select Configuration > Interface Labels.

If you edit a label, that change propagates appropriately. For example, it renames tunnels that use that
labeled interface.

LAN–side Configuration: DHCP


By default, each LAN IP acts as a DHCP Server when the appliance is in (the default) Router mode.

The global defaults are set in Configuration > DHCP Server and pre-populate this page. The other choices
are No DHCP and having the appliance act as a DHCP Relay.

Select the LAN interface from the dropdown. Click +IP to add a specific IP address.

Enter the IP address of the specific LAN interface above the NO DHCP link.

The firewall zones you have already configured will be in the list under FW Zone. Select the FW zone you want
to apply to the LAN you are deploying.

Select the configured segment you want to apply from the segment dropdown.

NOTE  You can only change the segment being applied for the LAN interfaces.

WAN–side Configuration
Select the WAN-side label you want to apply to this deployment. Click the edit icon to add a new interface or
delete a previously configured interface.

Firewall Zone: Zone-based firewalls are created on the Orchestrator. A zone is applied to an Interface. By
default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with
different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between
interfaces with different zones. The firewall zones you have already configured will be in the list under
FW Zone. Select the FW zone you want to apply to the WAN you are deploying.

Firewall Mode: Four options are available at each WAN interface:

Allow All permits unrestricted communication.

Stateful only allows communication from the LAN-side to the WAN-side.

Use this if the interface is behind the WAN edge router.

Stateful with SNAT applies Source NAT to outgoing traffic.

Use this if the interface is directly connected to the Internet.

Harden

For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on a
Silver Peak appliance.

For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management
traffic that terminate on a Silver Peak appliance.

WARNING  Activating fail-to-wire will DISABLE ALL firewall rules.
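The zone check and the four WAN-interface firewall modes above, modeled as an added Python example (not Orchestrator code or any Silver Peak implementation). Interface names, zones, addresses, the (src, dst) session table and the fail_to_wire flag that models the WARNING are all constructed assumptions.

```python
"""Zone-based firewall plus the per-WAN-interface modes Allow All, Stateful,
Stateful with SNAT and Harden, as described for Deployment Profiles.
Added example; interfaces, zones, addresses and the session scheme are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Interface:
    name: str
    side: str                    # "lan" or "wan"
    zone: str                    # firewall zone applied to the interface
    fw_mode: str = "Allow All"   # only meaningful on WAN interfaces
    ip: str = ""                 # address used for SNAT on a WAN interface

@dataclass(frozen=True)
class Packet:
    ingress: str                 # interface the packet arrived on
    egress: str                  # interface it would leave on
    src: str
    dst: str
    ipsec_tunnel: bool = False   # IPSec tunnel packet
    to_silverpeak: bool = False  # terminates on a Silver Peak appliance
    management: bool = False     # appliance management traffic

class ZoneFirewall:
    def __init__(self, interfaces: List[Interface],
                 exceptions: Set[Tuple[str, str]], fail_to_wire: bool = False):
        self.ifaces = {i.name: i for i in interfaces}
        self.exceptions = exceptions   # Security Policy rules: (src_zone, dst_zone) allowed
        self.fail_to_wire = fail_to_wire
        self.sessions: Set[Tuple[str, str]] = set()   # (src, dst) opened from the LAN side

    def zone_check(self, pkt: Packet) -> Optional[str]:
        """Same zone passes; different zones pass only through a Security Policy exception."""
        src_zone = self.ifaces[pkt.ingress].zone
        dst_zone = self.ifaces[pkt.egress].zone
        if src_zone == dst_zone or (src_zone, dst_zone) in self.exceptions:
            return None
        return "drop: zone %s -> %s has no Security Policy" % (src_zone, dst_zone)

    def inbound_check(self, wan: Interface, pkt: Packet) -> Optional[str]:
        """Traffic arriving from the WAN, judged by the interface's firewall mode."""
        if wan.fw_mode == "Allow All":
            return None
        if wan.fw_mode in ("Stateful", "Stateful with SNAT"):
            if (pkt.dst, pkt.src) in self.sessions:   # reply to a LAN-initiated session
                return None
            return "drop: %s is stateful and no LAN-side session matches" % wan.name
        if wan.fw_mode == "Harden":
            if pkt.ipsec_tunnel and pkt.to_silverpeak:
                return None
            return "drop: hardened %s accepts only IPSec tunnel packets" % wan.name
        return "drop: unknown firewall mode %s on %s" % (wan.fw_mode, wan.name)

    def outbound(self, wan: Interface, pkt: Packet) -> Tuple[Optional[str], str]:
        """Traffic leaving to the WAN; returns (drop reason or None, source after SNAT)."""
        if wan.fw_mode == "Harden" and not ((pkt.ipsec_tunnel or pkt.management) and pkt.to_silverpeak):
            return ("drop: hardened %s allows only IPSec tunnel and management traffic" % wan.name, pkt.src)
        src = wan.ip if wan.fw_mode == "Stateful with SNAT" else pkt.src   # Source NAT
        if wan.fw_mode in ("Stateful", "Stateful with SNAT"):
            self.sessions.add((src, pkt.dst))          # remember so the reply is admitted
        return (None, src)

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Returns (verdict, source address as forwarded)."""
        if self.fail_to_wire:   # the WARNING in the guide: fail-to-wire disables all rules
            return ("allow: fail-to-wire active, ALL firewall rules disabled", pkt.src)
        reason = self.zone_check(pkt)
        if reason:
            return (reason, pkt.src)
        ing, eg = self.ifaces[pkt.ingress], self.ifaces[pkt.egress]
        if ing.side == "wan":
            reason = self.inbound_check(ing, pkt)
            if reason:
                return (reason, pkt.src)
        src = pkt.src
        if eg.side == "wan":
            reason, src = self.outbound(eg, pkt)
            if reason:
                return (reason, pkt.src)
        return ("allow", src)

def sample_firewall() -> ZoneFirewall:
    """Constructed profile: LAN and MPLS share a zone; the Internet link is hardened."""
    return ZoneFirewall(
        [Interface("lan0", "lan", "Corp"),
         Interface("wan0", "wan", "Corp", "Stateful with SNAT", ip="198.51.100.2"),
         Interface("wan1", "wan", "Internet", "Harden", ip="203.0.113.2")],
        exceptions={("Corp", "Internet"), ("Internet", "Corp")})
```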

NAT Settings: When using NAT, use in-line Router mode to ensure that addressing works properly. That means you
configure paired single or dual WAN and LAN interfaces on the appliance. Select one of the following options:

If the appliance is behind a NAT-ed interface, select NAT.

If the appliance is not behind a NAT-ed interface, select Not behind NAT.

Enter an IP address to assign a destination IP for tunnels being built from the network to this WAN interface.

Shaping: You can limit bandwidth selectively on each WAN interface.

Total Outbound bandwidth is licensed by model. It's the same as max system bandwidth.

To enter values for shaping inbound traffic, which is optional, you must first select Shape Inbound Traffic.

EdgeConnect Licensing: Only visible on EC appliances

For additional bandwidth, you can purchase Plus, and then select it here for this profile.

If you've purchased a reserve of Boost for your network, you can allocate a portion of it in a Deployment
Profile. You can also direct allocations to specific types of traffic in the Business Intent Overlays.

To view how you've distributed Plus and Boost, view the Configuration > Licenses tab.

Select the appropriate licensing you have applied to your EC appliance from the menu. The licenses will only
display depending on the licenses you have for that particular account. You can select the following licensing
options:

Mini

Base

Base + Plus

50 Mbps

200 Mbps

500 Mbps

1 Gbps

2 Gbps

Unlimited

NOTE  You must have the correct hardware to support the license selected.

BONDING

When using an NX or EC appliance with four 1Gbps Ethernet ports, you can bond like pairs into a single 2Gbps
port with one IP address. For example, wan0 plus wan1 bond to form bwan0. This increases throughput on a
very high-end appliance and/or provides interface-level redundancy.

For bonding on a virtual appliance, you need to configure the host instead of the appliance. For example,
on a VMware ESXi host, you would configure NIC teaming to get the equivalent of etherchannel bonding.

Whether you use a physical or a virtual appliance, etherchannel must also be configured on the directly
connected switch/router. Refer to the Silver Peak user documentation.

Definitions
DHCP Server
Field Name: Description

Default gateway: When selected, indicates the default gateway is being used.
Default lease, Maximum lease: Specify, in hours, how long an interface can keep a DHCP-assigned IP address.
DNS server(s): Specifies the associated Domain Name System server(s).
Exclude first N addresses: Specifies how many IP addresses are not available at the beginning of the subnet's range.
Exclude last N addresses: Specifies how many IP addresses are not available at the end of the subnet's range.
NetBIOS name server(s): Used for Windows (SMB) type sharing and messaging. It resolves the names when you are mapping a drive or connecting to a printer.
NetBIOS node type: The NetBIOS node type of a networked computer relates to how it resolves NetBIOS names to IP addresses. There are four node types:
    B-node = 0x01 Broadcast
    P-node = 0x02 Peer (WINS only)
    M-node = 0x04 Mixed (broadcast, then WINS)
    H-node = 0x08 Hybrid (WINS, then broadcast)
NTP server(s): Specifies the associated Network Time Protocol server(s).
Start Offset: Specifies how many addresses not to allocate at the beginning of the subnet's range. For example, entering 10 means that the first ten IP addresses in the subnet aren't available.
Subnet Mask: A mask that specifies the default number of IP addresses reserved for any subnet. For example, entering 24 reserves 256 IP addresses.

DHCP/BOOTP Relay
Field Name: Description

Destination DHCP/BOOTP Server: The IP address of the DHCP server assigning the IP addresses.
Enable Option 82: When selected, inserts additional information into the packet header to identify the client's point of attachment.
Option 82 Policy: Tells the relay what to do with the hex string it receives. The choices are append, replace, forward, or discard.
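The Option 82 policies above, as an added example (not Silver Peak code): a small DHCP relay model that parses the TLV option field and applies append, replace, forward, or discard to a packet that already carries a Relay Agent Information option. How each policy treats an existing option 82, the sub-option layout (Circuit ID and Remote ID), and the sample packets are this example's assumptions.

```python
"""Added example, not Silver Peak code: Option 82 handling in a DHCP relay.
Assumed reading of the policies: 'forward' passes an existing option 82 through,
'replace' overwrites it with the relay's own, 'append' adds the relay's sub-options
to it, 'discard' drops a packet that already carries one.  A packet with no
option 82 always gets the relay's own inserted."""
from __future__ import annotations

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_options(raw: bytes) -> list[tuple[int, bytes]]:
    """Parse the DHCP TLV option field (RFC 2132 layout) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def encode_options(opts: list[tuple[int, bytes]]) -> bytes:
    """Serialize (code, value) pairs back to TLV form, terminated by the END option."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option value too long for a one-byte length")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def relay_agent_info(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build the relay's own Option 82 value: Circuit ID and Remote ID sub-options."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def apply_option82_policy(raw: bytes, policy: str, own_info: bytes) -> bytes | None:
    """Return the option field to forward to the DHCP server, or None to discard."""
    opts = parse_options(raw)
    existing = [v for c, v in opts if c == OPT_RELAY_AGENT]
    others = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    if not existing:
        return encode_options(others + [(OPT_RELAY_AGENT, own_info)])
    if policy == "discard":
        return None
    if policy == "forward":
        return encode_options(opts)
    if policy == "replace":
        return encode_options(others + [(OPT_RELAY_AGENT, own_info)])
    if policy == "append":
        return encode_options(others + [(OPT_RELAY_AGENT, existing[0] + own_info)])
    raise ValueError(f"unknown Option 82 policy: {policy!r}")


def relay_option82(raw: bytes, policy: str, own_info: bytes) -> bytes | None:
    """The Option 82 value the DHCP server would receive, or None if the packet is discarded."""
    forwarded = apply_option82_policy(raw, policy, own_info)
    if forwarded is None:
        return None
    return next(v for c, v in parse_options(forwarded) if c == OPT_RELAY_AGENT)


# Constructed sample input: a DHCPDISCOVER option field (option 53 = 1) and the
# same field with a client-supplied Option 82 already present (Circuit ID "AA").
CLIENT_OPTS = bytes([53, 1, 1, OPT_END])
CLIENT_OPTS_WITH_82 = bytes([53, 1, 1, OPT_RELAY_AGENT, 4, 1, 2, 0x41, 0x41, OPT_END])
RELAY_INFO = relay_agent_info(b"lan0", b"relay-1")  # constructed relay identity

if __name__ == "__main__":
    for policy in ("forward", "replace", "append", "discard"):
        print(policy, relay_option82(CLIENT_OPTS_WITH_82, policy, RELAY_INFO))
```

With "discard" or "replace", relay information a client inserted itself never reaches the server, which is the property to check when the server uses Option 82 for address assignment decisions.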


A More Comprehensive Guide to Basic Deployments


This section discusses the basics of three deployment modes: Bridge, Router, and Server modes.

It describes common scenarios, considerations when selecting a deployment, redirection concerns, and some
adaptations.

For detailed deployment examples, refer to the Silver Peak website for various deployment guides.

In Bridge Mode and in Router Mode, you can provide security on any WAN-side interface by hardening the
interface. This means:

For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets.

For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic.
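The two hardening rules above as a packet-level model, added here as an example and not Silver Peak code. How an "IPsec tunnel packet" (ESP, or IKE on UDP 500/4500) and "management traffic" (TCP sessions the appliance opens to its manager on SSH or HTTPS ports) are recognised, and the sample addresses, are this example's assumptions.

```python
"""Added example, not Silver Peak code: verdicts for a hardened WAN-side interface.
Inbound from the WAN only IPsec tunnel packets are accepted; outbound to the WAN
only IPsec tunnel packets and management traffic are allowed."""
from __future__ import annotations
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORTS = {500, 4500}       # assumption: IKE and IKE NAT traversal
MGMT_PORTS = {22, 443}        # assumption: appliance-originated management sessions


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the WAN, "out" = leaving toward the WAN
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def is_ipsec_tunnel(p: Packet) -> bool:
    """ESP payloads and IKE negotiation are the only traffic the tunnel itself needs."""
    if p.proto == PROTO_ESP:
        return True
    return p.proto == PROTO_UDP and (p.sport in IKE_PORTS or p.dport in IKE_PORTS)


def is_management(p: Packet, appliance_ip: str) -> bool:
    """Outbound management: the appliance reaching its manager, never the reverse."""
    return (p.direction == "out" and p.proto == PROTO_TCP
            and p.src == appliance_ip and p.dport in MGMT_PORTS)


def hardened_wan_verdict(p: Packet, appliance_ip: str) -> str:
    """Return 'accept' or 'drop' for a packet crossing a hardened WAN-side interface."""
    if p.direction == "in":
        return "accept" if is_ipsec_tunnel(p) else "drop"
    if p.direction == "out":
        return "accept" if is_ipsec_tunnel(p) or is_management(p, appliance_ip) else "drop"
    raise ValueError(f"unknown direction {p.direction!r}")


def filter_packets(packets: list[Packet], appliance_ip: str) -> dict[str, list[Packet]]:
    """Partition a packet list into accepted and dropped, as a quick audit helper."""
    result: dict[str, list[Packet]] = {"accept": [], "drop": []}
    for p in packets:
        result[hardened_wan_verdict(p, appliance_ip)].append(p)
    return result


# Constructed sample traffic for a WAN interface at 203.0.113.10 (documentation range).
APPLIANCE_WAN_IP = "203.0.113.10"
SAMPLE = [
    Packet("in", PROTO_ESP, "198.51.100.7", APPLIANCE_WAN_IP),                  # peer tunnel data
    Packet("in", PROTO_UDP, "198.51.100.7", APPLIANCE_WAN_IP, 4500, 4500),     # IKE NAT-T
    Packet("in", PROTO_TCP, "198.51.100.99", APPLIANCE_WAN_IP, 40000, 22),      # SSH probe from the WAN
    Packet("in", PROTO_TCP, "198.51.100.99", APPLIANCE_WAN_IP, 40001, 443),     # HTTPS probe from the WAN
    Packet("out", PROTO_ESP, APPLIANCE_WAN_IP, "198.51.100.7"),                 # tunnel data to peer
    Packet("out", PROTO_TCP, APPLIANCE_WAN_IP, "198.51.100.50", 51000, 443),    # appliance to its manager
    Packet("out", PROTO_TCP, "10.0.0.25", "198.51.100.80", 52000, 80),          # LAN host, untunnelled
]

if __name__ == "__main__":
    for verdict, pkts in filter_packets(SAMPLE, APPLIANCE_WAN_IP).items():
        print(verdict, len(pkts))
```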

Bridge Mode
Single WAN-side Router

In this deployment, the appliance is in-line between a single WAN router and a single LAN-side switch.

Dual WAN-side Routers

This is the most common 4-port bridge configuration.


2 WAN egress routers / 1 or 2 subnets / 1 appliance

2 separate service providers or WAN services (MPLS, IPsec VPN, MetroEthernet, etc.)

Considerations for Bridge Mode Deployments

Do you have a physical appliance or a virtual appliance?

A virtual appliance has no fail-to-wire, so you would need a redundant network path to maintain connectivity if
the appliance fails.

If your LAN destination is behind a router or L3 switch, you need to add a LAN-side route (a LAN next-hop).

If the appliance is on a VLAN trunk, then you need to configure VLANs on the Silver Peak so that the appliance
can tag traffic with the appropriate VLAN tag.

Router Mode
There are four options to consider:

 1. Single LAN interface & single WAN interface

 2. Dual LAN interfaces & dual WAN interfaces

 3. Single WAN interface sharing LAN and WAN traffic

 4. Dual WAN interfaces sharing LAN and WAN traffic

For best performance, visibility, and control, Silver Peak recommends Options #1 and #2, which use separate
LAN and WAN interfaces. And when using NAT, use Options #1 or #2 to ensure that addressing works properly.

#1 - Single LAN Interface & Single WAN Interface


For this deployment, you have two options:

 1. You can put Silver Peak in-path. In this case, if there is a failure, you need other redundant paths for high
availability.

 2. You can put Silver Peak out-of-path. You can redirect LAN-side traffic and WAN-side traffic from a router or
L3 switch to the corresponding Silver Peak interface, using WCCP or PBR (Policy-Based Routing).

To use this deployment with a single router that has only one interface, you could use multiple VLANs.

#2 - Dual LAN Interfaces & Dual WAN Interfaces

This deployment redirects traffic from two LAN interfaces to two WAN interfaces on a single Silver Peak appliance.

2 WAN next-hops / 2 subnets / 1 appliance

2 separate service providers or WAN services (MPLS, IPsec VPN, MetroEthernet, etc.)


Out-of-path dual LAN and dual WAN interfaces

For this deployment, you have two options:

 1. You can put Silver Peak in-path. In this case, if there is a failure, you need other redundant paths for high
availability.

 2. You can put Silver Peak out-of-path. You can redirect LAN-side traffic and WAN-side traffic from a router or L3
switch to the corresponding Silver Peak interface, using WCCP or PBR (Policy-Based Routing).

#3 - Single WAN Interface Sharing LAN and WAN traffic

This deployment redirects traffic from a single router (or L3 switch) to a single subnet on the Silver Peak appliance.


This mode only supports out-of-path.

When using two Silver Peaks at the same site, this is also the most common deployment for high availability
(redundancy) and load balancing.

For better performance, control, and visibility, Silver Peak recommends Router mode Option #1 instead of
this option.

#4 - Dual WAN Interfaces Sharing LAN and WAN traffic

This deployment redirects traffic from two routers to two interfaces on a single Silver Peak appliance.

This is also known as Dual-Homed Router Mode.

2 WAN next-hops / 2 subnets / 1 appliance

2 separate service providers or WAN services (MPLS, IPsec VPN, MetroEthernet, etc.)

This mode only supports out-of-path.

For better performance, control, and visibility, Silver Peak recommends Router mode Option #2 instead of
this option.

Considerations for Router Mode Deployments

Do you want your traffic to be in-path or out-of-path? This mode supports both deployments. In-path
deployment offers much simpler configuration.

Does your router support VRRP, WCCP, or PBR? If so, you may want to consider out-of-path Router mode
deployment. You can set up more complex configurations, which offer load balancing and high availability.

Are you planning to use host routes on the server/end station?

In the rare case when you need to send inbound WAN traffic to a router other than the WAN next-hop router,
use LAN-side routes.

Examining the Need for Traffic Redirection


Whenever you place an appliance out-of-path, you must redirect traffic from the client to the appliance.

There are three methods for redirecting outbound packets from the client to the appliance (known as LAN-side
redirection, or outbound redirection):

PBR (Policy-Based Routing) — configured on the router. No other special configuration required on the
appliance. This is also known as FBR (Filter-Based Forwarding).

If you want to deploy two Silver Peaks at the site, for redundancy or load balancing, then you also need to use
VRRP (Virtual Router Redundancy Protocol).

WCCP (Web Cache Communication Protocol) — configured on both the router and the Silver Peak appliance.
You can also use WCCP for redundancy and load balancing.

Host routing — the server/end station has a default or subnet-based static route that points to the Silver
Peak appliance as its next hop. Host routing is the preferred method when a virtual appliance is using a single
interface, mgmt0, for datapath traffic (also known as Server Mode).

To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between the appliance
and a router, or the appliance and another redundant Silver Peak.

How you plan to optimize traffic also affects whether or not you also need inbound redirection from the WAN
router (known as WAN-side redirection):

If you use subnet sharing (which relies on advertising local subnets between Silver Peak appliances) or
route policies (which specify destination IP addresses), then you only need LAN-side redirection.

If, instead, you rely on TCP-based or IP-based auto-optimization (which relies on initial handshaking outside
a tunnel), then you must also set up inbound and outbound redirection on the WAN router.

For TCP flows to be optimized, both directions must travel through the same client and server appliances. If
the TCP flows are asymmetric, you need to configure flow redirection among local appliances.

A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:

If you enable auto-tunnel, then the initial TCP-based or IP-based handshaking creates the tunnel. That
means that the appropriate LAN-side and WAN-side redirection must be in place.

You can let the Initial Configuration Wizard create the tunnel to the remote appliance.

You can create a tunnel manually on the Configuration - Tunnels page.


Server Mode
This mode uses the mgmt0 interface for management and datapath traffic.

ADDING DATA INTERFACES

You can create additional data-plane Layer 3 interfaces, to use as tunnel endpoints.

To add a new logical interface, click +IP.


Deployment — EdgeConnect HA
The EdgeConnect HA (High Availability) mode is a high availability cluster configuration that provides appliance
redundancy by pairing two EdgeConnect devices together.

When a deployment profile configures two EdgeConnect appliances in EdgeConnect HA mode, the resilient cluster
acts as a single logical system. It extends the robust SD-WAN multipathing capabilities, such as Business Intent
Overlays, seamlessly across the two devices as if they were one entity.

With EdgeConnect HA mode, a WAN uplink is physically plugged into only one of the EdgeConnect appliances but
is available to both in the cluster. For WAN connections that perform NAT (for example, a consumer-grade
broadband Internet connection), this means that only a single public IP needs to be provisioned for both
EdgeConnect devices in the EdgeConnect HA cluster to be able to build Business Intent Overlays using that transport
resource.

Enabling EdgeConnect HA Mode


 1. In the navigation pane, select the appliance and then right-click to select Deployment from the contextual
menu. The appliance's Deployment page appears.

 2. Select the EdgeConnect HA checkbox.

 3. Configure the interfaces (LAN and WAN–side) on both EdgeConnect devices to reflect the WAN connections
that are plugged into each one of the respective appliances.

NOTE  Both EdgeConnect devices will be able to leverage all WAN connections regardless of which chassis
they are physically plugged into. It is, however, important to match the deployment profile interface
configuration to the actual chassis the WAN connection is physically, directly connected to.

 4. Select the physical ports on the respective EdgeConnect appliances that you will connect to each other using
an Ethernet cable (RJ-45 twisted pair or SR optical fiber).

NOTE  You can choose any LAN or WAN port combination for this HA Link that is available on the respective
EdgeConnect chassis. You must match the media type and speed for both ends of the HA link (for example, 1
Gigabit-Ethernet RJ-45 to RJ-45 or 10 Gigabit-Ethernet multimode fiber LC-connector-to-LC-connector). Also
please note that you cannot use MGMT ports for the HA Link; only LAN or WAN ports.

IPSec over UDP Tunnel Configuration


For both EdgeConnect appliances in a high availability cluster to be able to share a common transport connection,
you must set the tunnel type to IPSec over UDP mode.

Please see the Overlay Tunnel Settings in the Orchestrator, under the Orchestrator Overlay Manager and Tunnel
Settings menu.


NOTE  If you are deploying a network with EdgeConnect appliances running VXOA 8.1.6 or higher and Orchestrator 8.2
or higher, the tunnel type is already set to IPSec over UDP mode by default.

VRRP Configuration
Typically, in a branch site deployment, you configure the cluster with VRRP and assign a VIP (virtual IP) address
to the cluster.

Set the VRRP priority of the preferred LAN-side Primary EdgeConnect to 128.

Set the other, Secondary appliance’s VRRP priority to 127.

LAN-Side Monitoring
The IP SLA feature should be configured to monitor the LAN-side VRRP state in order to automatically disable subnet
sharing from that appliance in the case of a LAN link failure.

Please refer to the IP SLA configuration guide for more information.


Interface Labels
Configuration > Overlays > Interface Labels

Use this page to create labels for the WAN and LAN interfaces.

Select New Label to add a new interface label to an appliance.

You can also use interface labels to end a connection between tunnels.

Select the Edit icon and the Interface Label Configuration window pops up.

Enter the name of the interface label for the tunnels to be avoided in a selected topology.


Firewall Zones
Configuration > Overlays > Firewall Zones

Zone-based firewalls are created on the Orchestrator.

A zone is applied to an Interface.

By default, traffic is allowed between interfaces labeled with the same zone.

Any traffic between interfaces with different zones is dropped.

Users can create exception rules (Security Policies) to allow or deny traffic between interfaces within the same or
different zones.

NOTE  "Default" will always be the initial default zone. You cannot have another zone named "Default".

NOTE  The name of your firewall zone cannot exceed 16 characters and cannot contain any special characters; it can
contain only alphanumeric characters and underscores.
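The zone rules above (same zone allowed by default, different zones dropped, Security Policy exceptions that allow or deny) as a policy evaluator, added here as an example and not Silver Peak code. The rule fields, first-match ordering, interface and zone names, and the treatment of an unlabeled interface as "Default" are this example's assumptions; zone names are checked against the limit in the note.

```python
"""Added example, not Silver Peak code: a zone-based firewall policy evaluator."""
from __future__ import annotations
import re

DEFAULT_ZONE = "Default"
ZONE_NAME = re.compile(r"^[A-Za-z0-9_]{1,16}$")


def valid_zone_name(name: str) -> bool:
    """Zone names: 1 to 16 characters, letters, digits and underscores only."""
    return bool(ZONE_NAME.match(name))


class ZoneFirewall:
    def __init__(self) -> None:
        self.zones: set[str] = {DEFAULT_ZONE}          # "Default" always exists
        self.interface_zone: dict[str, str] = {}
        self.rules: list[tuple[str, str, str]] = []    # (src_zone, dst_zone, action)

    def add_zone(self, name: str) -> None:
        if not valid_zone_name(name):
            raise ValueError(f"invalid zone name {name!r}")
        if name in self.zones:
            raise ValueError(f"zone {name!r} already exists")  # also rejects a second "Default"
        self.zones.add(name)

    def assign(self, interface: str, zone: str) -> None:
        if zone not in self.zones:
            raise KeyError(f"unknown zone {zone!r}")
        self.interface_zone[interface] = zone

    def add_rule(self, src_zone: str, dst_zone: str, action: str) -> None:
        """Security Policy exception rule; the first matching rule wins."""
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        for z in (src_zone, dst_zone):
            if z not in self.zones:
                raise KeyError(f"unknown zone {z!r}")
        self.rules.append((src_zone, dst_zone, action))

    def verdict(self, in_interface: str, out_interface: str) -> str:
        """Decide a flow entering on in_interface and leaving on out_interface."""
        src = self.interface_zone.get(in_interface, DEFAULT_ZONE)  # assumption: unlabeled = Default
        dst = self.interface_zone.get(out_interface, DEFAULT_ZONE)
        for rule_src, rule_dst, action in self.rules:
            if rule_src == src and rule_dst == dst:
                return action
        # No exception rule: same zone is allowed, different zones are dropped.
        return "allow" if src == dst else "drop"


def build_sample_firewall() -> ZoneFirewall:
    """Constructed branch layout: two LAN zones and one WAN zone."""
    fw = ZoneFirewall()
    for z in ("Corp", "Guest", "Untrusted"):
        fw.add_zone(z)
    fw.assign("lan0", "Corp")
    fw.assign("lan1", "Guest")
    fw.assign("wan0", "Untrusted")
    fw.add_rule("Corp", "Untrusted", "allow")   # exception: Corp may reach the WAN
    fw.add_rule("Guest", "Untrusted", "allow")  # exception: Guest may reach the WAN
    return fw


if __name__ == "__main__":
    fw = build_sample_firewall()
    for pair in (("lan0", "wan0"), ("lan1", "lan0"), ("lan0", "lan0")):
        print(pair, fw.verdict(*pair))
```

Note that without an explicit exception, Guest to Corp stays dropped even though both sides can reach the WAN, which is the isolation the default deny between zones provides.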


Apply Overlays
Use this page to add or remove overlays from appliances. If you select Edit Overlays, you will be redirected to the
Business Intent Overlay tab for further customization. You can also view the status of the overlays if you select
View Status.


Internet Traffic
Internet Traffic is defined as any traffic that does NOT match the internal subnets listed on this page.


IPSec Pre-shared Key Rotation


Use this page to schedule the rotation of auto-generated IPsec pre-shared keys.

Failure Handling and Orchestrator Reachability


Orchestrator distributes key material to all EdgeConnect appliances in the network. Immediately before the end of a
key rotation interval, Orchestrator activates new ephemeral key material for all of the EdgeConnect appliances in the
SD-WAN network. For key activation, all appliances should be reachable by Orchestrator. However, there are two
cases of unreachability:

 1. Inactive appliances: When appliances are inactive, they exist in the Orchestrator, but don't have tunnels
configured to any active appliances.

 2. Temporary unreachability: Temporary unreachability issues occur in cases where an EdgeConnect
appliance reboots or if there is a link or communication failure. In this case, Orchestrator won't activate the
new key material until all active appliances are reachable and have received the new key material. If the
appliance is unreachable for a period longer than the key rotation interval, it will be treated as an inactive
appliance.

Re-authorization: Inactive appliances that become active at a later point in time will be authorized to receive the
current key material. Only then will they be able to download configurations and build tunnels.
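The activation and re-authorization rules above as a simulation, added here as an example and not Silver Peak code: new material is pushed to active appliances, activated only when every active appliance holds it, an appliance unreachable for longer than the rotation interval is treated as inactive, and an inactive appliance that returns is re-authorized with the current material before it can build tunnels. The appliance names, hour-based clock and integer key identifiers are constructed for the example.

```python
"""Added example, not Silver Peak code: key rotation under partial reachability."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Appliance:
    name: str
    active: bool                        # has tunnels configured to active appliances
    reachable: bool = True
    key_id: int | None = None           # key material currently held
    unreachable_since: float | None = None


class KeyRotation:
    def __init__(self, interval_hours: float) -> None:
        self.interval = interval_hours
        self.current_key = 1            # key material in use across the fabric
        self.pending_key: int | None = None
        self.appliances: dict[str, Appliance] = {}

    def add(self, a: Appliance) -> None:
        if a.active:
            a.key_id = self.current_key  # active appliances hold the current material
        self.appliances[a.name] = a

    def set_reachable(self, name: str, reachable: bool, now: float) -> None:
        a = self.appliances[name]
        a.reachable = reachable
        a.unreachable_since = None if reachable else now

    def distribute(self, now: float) -> None:
        """Generate the next key material and push it to every reachable active appliance."""
        self.pending_key = self.current_key + 1
        self.push()

    def push(self) -> None:
        """Retry delivery, e.g. after an appliance reboots and comes back within the interval."""
        if self.pending_key is None:
            return
        for a in self.appliances.values():
            if a.active and a.reachable:
                a.key_id = self.pending_key

    def try_activate(self, now: float) -> bool:
        """Activate the pending key only if every active appliance holds it."""
        if self.pending_key is None:
            return False
        for a in self.appliances.values():
            # Unreachable for longer than the rotation interval: treated as inactive.
            if (a.active and not a.reachable and a.unreachable_since is not None
                    and now - a.unreachable_since > self.interval):
                a.active = False
        if any(a.active and a.key_id != self.pending_key for a in self.appliances.values()):
            return False
        self.current_key, self.pending_key = self.pending_key, None
        return True

    def reauthorize(self, name: str, now: float) -> int:
        """An inactive appliance that becomes active again receives the current key."""
        a = self.appliances[name]
        self.set_reachable(name, True, now)
        a.active = True
        a.key_id = self.current_key
        return a.key_id

    def can_build_tunnels(self, name: str) -> bool:
        """Only an active appliance holding the current material can build tunnels."""
        a = self.appliances[name]
        return a.active and a.key_id == self.current_key


if __name__ == "__main__":
    kr = KeyRotation(interval_hours=24)
    for a in (Appliance("hub", True), Appliance("branch", True), Appliance("spare", False)):
        kr.add(a)
    kr.set_reachable("branch", False, now=0)
    kr.distribute(now=0)
    print("activated at t=1h:", kr.try_activate(now=1))
    print("activated at t=25h:", kr.try_activate(now=25), "current key", kr.current_key)
```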


Hubs
Configuration > Overlays > Hubs

In this tab, you can add, remove, and associate hubs to a specified region within the Regional Mesh or Regional Hub-
and-Spoke topologies configured in the Business Intent Overlay tab.

Complete the following steps to add a hub:

 1. Enter the name of the hub you want to add from the menu.

 2. Select Add Hub.

To delete a hub, select the X icon next to the hub you want to delete.


Discovered Appliances
This page lists each appliance that Orchestrator discovers.

To enable Orchestrator to manage an appliance after you verify its credentials, click Approve.

If the appliance doesn't belong in your network, click Deny. If you want to include it later, click Show Denied
Devices, locate it in the table, and click Approve.

As a security measure to prevent unauthorized management of your network, any Orchestrator with your
Account Name and Account Key must be approved by the originally deployed Orchestrator.

To view the approved Orchestrators, click Show Approved Orchestrators.


Preconfigure Appliances
You can use this page to prepopulate flat data files that are matched with appliances as you add them to your
network.

The information in the files is a combination of items found in the Appliance Configuration Wizard, along with site-
specific information (such as BGP, OSPF, IP SLA rules, VRRP, interfaces, and addressing).

You can create a new file or clone (and rename) an existing one. Make any changes with the built-in editor.

After the appliance is discovered and approved, software upgrade and configuration push are done automatically.


New or Clone

Field: Definition

Name: Assigns a name to the preconfiguration file.
Comment: An optional descriptive field.
Auto Approve when Discovered: When selected, Orchestrator finds the appliance that matches the Discovery Criteria and automatically loads it without the need for user intervention. When deselected, the user is prompted to manually approve the association of the preconfiguration file to the appliance.
Serial: The serial number associated with the appliance that is to receive this configuration.
Appliance Tag: Free-form text or a unique identifier that an administrator can associate with the appliance. Available as a discovery criterion for EC-Vs.


Appliance Configuration Wizard


Configuration > [Overlays > Discovery] Configuration Wizard

Use this wizard to set up a newly added appliance or to reconfigure an appliance that’s already in your network.

NOTE  Orchestrator assumes that you'll be pushing many of the same configuration items to each appliance. To that
end, it surveys the templates and Overlay prerequisite items and displays the Recommended Configuration list,
showing what comprehensive items you have and have not yet configured.


Licenses
This page lists each appliance's make, model, license terms, and registered services. You can also revoke or regrant
a metered license to/from an appliance or change the EdgeConnect (EC) license settings and RMA your device.
Complete the following steps to configure or modify your EC license.

 1. Select the Edit icon next to a selected appliance in the table. The Configure EdgeConnect License window
opens.

 2. Check Grant, Revoke, or No Change.

 3. Select one of the following EC size options from the menu: Mini, Base, Base + Plus, 50 Mbps, 200 Mbps, 500
Mbps, 1 Gbps, 2 Gbps, or Unlimited.

 4. Check Enable Boost if you want to enable the boost you have purchased with your license.

 5. Enter the amount of boost you have applied to your EC.

 6. Select Apply.

NOTE  EdgeConnect stops passing traffic if your license has expired.


Cloud Portal
Configuration > [Overlays > Licensing] Cloud Portal
Orchestrator > [Orchestrator Server > Licensing] Cloud Portal

The Cloud Portal is used to register cloud-based features and services, such as SaaS optimization and
EdgeConnect.

When you purchase one of these services, Silver Peak sends you an Account Name and instructions to
obtain your Account Key. You will use these to register your appliance(s).

The cloud portal populates the Contact field from information included in your purchase order.

Use of these services requires that your appliance(s) can access the cloud portal via the Internet.


SSL Certificates Tab


Silver Peak provides deduplication for Secure Socket Layer (SSL) encrypted WAN traffic by supporting the use of SSL
certificates and other keys.

This report summarizes the SSL certificates installed on appliances for decrypting non-SaaS traffic.

Silver Peak decrypts SSL data using the configured certificates and keys, optimizes the data, and transmits
data over an IPSec tunnel. The peer Silver Peak appliance uses configured SSL certificates to re-encrypt data
before transmitting.

Peers that exchange and optimize SSL traffic must use the same certificate and key.

For the SSL certificates to function, the following must also be true:

The tunnels are in IPsec or IPsec UDP mode for both directions of traffic.

In the Optimization Policy, TCP acceleration and SSL acceleration are enabled.

TIP  For a historical matrix of Silver Peak security algorithms, click here.


SSL CA Certificates Tab


This tab lists any installed Certificate Authorities (CA) that the browser uses to validate up the chain to the root CA.

If the enterprise certificate that you used for signing substitute certificates is subordinate to higher level Certificate
Authorities (CA), then you must add those CA certificates. If the browser can't validate up the chain to the root CA, it
will warn you that it can't trust the certificate.

TIP  For a historical matrix of Silver Peak security algorithms, click here.


SSL for SaaS Tab


This report lists the appliances' signed substitute certificates.

To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.

To do so, the appliance generates a substitute certificate that must then be signed by a Certificate Authority (CA).
There are two possible signers:

For a Built-In CA Certificate, the signing authority is Silver Peak.

The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept
(POC) and when compliance is not a big concern.

To avoid browser warnings, follow up by importing the certificate into the browser from the client-side
appliance.

For a Custom CA Certificate, the signing authority is the Enterprise CA.


If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator
and push it out to the appliances. If you need a copy of it later, just download it from here.

If this substitute certificate is subordinate to a root CA certificate, then also install the higher-level SSL CA
certificates (into the SSL CA Certificates template) so that the browser can validate up the chain to the root
CA.

If you don't already have a subordinate CA certificate, you can access any appliance's Configuration > SaaS
Optimization page and generate a Certificate Signing Request (CSR).

TIP  For a historical matrix of Silver Peak security algorithms, click here.


Network Configuration Tabs


These topics describe the pages related to configuring and managing the network.


DHCP Failover
Configure the following settings to apply to your DHCP failover servers.

 1. Check the DHCP Failover box to enable the DHCP Failover feature.

 2. Select whether you are configuring the failover settings for either the Primary or Secondary server.

 3. Complete configuring the remaining settings in the table below.

DHCP Failover Fields


Field Name: Description

My IP: The IP address of the LAN interface.
My Port: The port number of the LAN interface.
Peer IP: The IP address of the DHCP peer.
Peer Port: The port number of the DHCP peer.
MCLT: Optional. If selected, the default is 60 minutes. This field cannot be zero.
SPLIT: Optional. If selected, determines which peer (primary/secondary) should process the DHCP requests.
Max Response Delay: Optional. If selected, determines how many seconds the DHCP server may pass without receiving a message from its failover peer before it assumes the connection has failed.
Max Unacked Updates: Tells the remote DHCP server how many BNDUPD messages it can send before it receives a BNDACK from the local system.
Load Balance Max Seconds: Optional. Allows you to configure a cutoff after which load balancing is disabled. The cutoff is based on the number of seconds since the client sent its first DHCPDISCOVER or DHCPREQUEST message, and only works with clients that correctly implement the secs field.


DHCP Failover State


EdgeConnect appliances can act as a DHCP server for clients on the LAN side. DHCP failover provides redundancy by
creating failover groups when two appliances are combined in an HA configuration. If one EdgeConnect dies, the
other EdgeConnect in the HA pair takes over as the DHCP server. To do so, the primary and secondary servers must be
completely synchronized so that each server can rely on the other if one fails.

This tab displays the DHCP failover peer states of each server for troubleshooting purposes.

DHCP Failover Fields


Field Name: Description

Appliance Name: The name of the Silver Peak appliance that is part of the DHCP failover configuration.
Interface Name: The failover group name, which is the same for all the tagged and untagged interfaces corresponding to one physical interface.
My State: The failover endpoint state of the selected primary appliance. The possible states are: Normal, Communications-Interrupted, Partner-Down, Recover, Recover-wait, Recover-done.
My State Time: The date and time the selected appliance's DHCP server entered the specified state in the table.
Partner State: The failover endpoint state of the partner appliance. The possible states are: Normal, Communications-Interrupted, Partner-Down, Recover, Recover-wait, Recover-done.
Partner State Time: The date and time the partner appliance entered the specified state in the table.
MCLT: The maximum client lead time: the maximum amount of time that one server can extend a lease for a client's binding beyond the time known by the partner.


Regions
Use this page to add or remove regions from the SD-WAN fabric and configure regional routing. The regions within
your SD-WAN fabric can represent geographical regions, administrative regions, or a set of sites in the network that
have common business goals.

Regional Routing
Regional routing, when enabled, allows you to manage your SD-WAN fabric by regions. It involves intra-region and
inter-region route distribution across the SD-WAN fabric. The regions within your network can represent
geographical regions, administrative regions, or a set of sites in the network that have common business goals. You
can provide different Business Intent Overlay for each region by enabling regional routing and customizing BIOs per
region. The following diagrams show examples of different regional network topologies you can build by enabling
regional routing.


You can enable regional routing within your Orchestrator UI. Navigate to the Regional Routing window and select the
Enable Regional Routing icon in the header and move the toggle.

View Status
Select View Status to view the status of the added or updated appliances to regions.

Edit Regions
Complete the following steps to add a region or edit existing regions that you want to add to your overlays.

 1. Select Edit Regions.

 2. Select New Region.

 3. Enter the name of your new region in the Region Configuration window.

 4. Select Save.

You can also edit an existing region.

 1. Select the Edit icon next to the region you want to edit.

 2. Enter the region name.

 3. Select Save.

Navigate to the Business Intent Overlay tab to make further customizations to your regions and overlays.


Routing Segmentation
Use this tab to enable and disable Routing Segmentation across your network and apply unique configuration to your
segments. Routing Segmentation allows for the configuration of VRF (Virtual Routing and Forwarding) style layer-3
segmentation in your SD-WAN deployments. Please note the following prior to configuring routing segmentation in
Orchestrator.

You must upgrade all EdgeConnect appliances and Orchestrator to version 9.0.

If a new appliance has been added to your network or if an existing appliance has been replaced, you need to
upgrade the appliance software to the appropriate version running in the network.

After upgrading, segmentation is disabled by default; you must enable it in this tab.

Regardless of whether segmentation is enabled or disabled, a Default segment is automatically created when you
upgrade to 9.0.

The system-generated Default segment cannot be deleted.

Once you have enabled routing segmentation, all existing configuration across your network is associated
with the Default segment.

Adding a New Segment

Before adding a segment, you must enable segmentation by moving the toggle at the top of the page. If Routing
Segmentation is not enabled, you cannot make any modifications to the Default segment or add any new segments.

To add a new segment, click +Add Segment and enter a Segment Name. You can make further specifications by
clicking the edit icon or selecting the +Add icon in any of the columns in the table. Use the following to make further
specifications to your segments:

NOTE  Inter-Segment Routing & DNAT and Inter-Segment Routing & SNAT are only applicable if you are using
different segments.

Segment Configuration
You can uniquely configure your segments by specifying the following on this page:

Overlays & Breakout Policies

Firewall Zone Policies

Inter-Segment Routing & D-NAT

Inter-Segment SNAT

Loopback

Refer to the sections below for more details.


Overlays & Breakout Policies for Segments


Use this window to configure overlays and breakout policies for your segments. This configuration determines the
overlays used by each segment when traffic is originating from that segment and sent over the SD-WAN fabric to
other sites. This configuration is also used when traffic breaks out locally to the Internet and Cloud Services using the
Preferred Policy Order in the Business Intent Overlay (BIO) tab. For traffic to match what is in the specified BIO tab,
ensure the following two conditions are true:

BIO must include the defined segment policy

The BIO match criteria must match the new flow

The overlays are arranged by priority defined in the Match field in the Overlay in the BIO page. You can specify if
you want to include or skip the segment for each overlay by clicking Include or Skip icon in the table cell. By default,
all overlays are included for all configured segments.

Include and Skip

If you want to skip an overlay, click the enabled Include icon and Skip appears grayed-out. The segment will not be
applied to the specified overlay. Click Skip again to include the segment and it will turn back to green. If an overlay is
set to Skip, traffic will not match that overlay and moves to the next prioritized BIO. Additionally, if no BIOs match,
traffic is dropped.

TIP  If an overlay is set to Skip, Flow Details in the Flows tab displays the list of skipped overlays.

Firewall Zones
Use this tab to enable and associate firewall zones to your segments. With segmentation enabled, firewall zone
security policies are orchestrated and there is no need for Firewall Security Templates.

Before you begin Firewall Zone configuration, please note the following:

Review your existing security policies

Create a new security templates group with the new firewall zoning policies that only includes zones
associated with LAN and WAN interfaces

Delete all rules in your previous security policy template in the Apply Template Group tab

Ensure you have selected the Replace option in the previous security policy template

Save the previously used security policy template. This deletes the security policy rules on your appliances

Complete the following steps to set a rule or policy for the firewall zones within your segment.

 1. Select the cell of the segment you want to update in the Matrix View. The From Zone To Zone window
opens.

NOTE  If you are already in Table View, click Add Rule.


 2. Enter the Source Segment in the Source Segment field. This is the segment that the firewall is starting from.

 3. Enter the Destination Segment in the Destination Segment field. This is the segment where the firewall is
going to.

 4. Select Add Rule.

 5. Complete the content in the table.

Field Description

Priority  Enter the priority value.

Match Criteria  Click the edit icon in this column to create or modify the match criteria for the zones.

Action  Select Allow or Deny to determine whether traffic matching this rule between the two zones is permitted.

Enable  Select the checkbox to enable the rule, or deselect it to disable the rule.

Logging  Determines the filter for the zone-based firewall drop logging levels. You can select one of the
following levels to apply: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.

Tag  The tag that triggers the configured rules.

Comment  Any additional details about the firewall zone.

NOTE  Firewall zones are unique to each segment. For example, the default zone in Segment X will not be the same
default zone in Segment Y.

Inter-Segment Routing & DNAT


Use this tab to configure inter-segment routing and DNAT rules for traffic crossing between segments. Click
+Add and the Inter-Segment Routing & DNAT window opens. Click +Add again, or select any rule in the table, to
modify the following:

Field Description

Source Segment  The name of the segment the traffic originates from.

Matches Destination IP  The destination IP address that the rule matches.

Send to Segment  The name of the segment the packets are sent to when the destination IP address matches.

Translated Destination  The destination IP address the packets are translated to (the DNAT address).

Enabled  Whether this rule is enabled or disabled within your segment.

Comment  Any additional information.


Inter-Segment Routing & SNAT


This window allows you to enable source network address translation (SNAT) for your segments.

NOTE  The default setting for SNAT is enabled for Inter-Segment traffic.

Field Description

Source The name of the segment that the SNAT is starting from.

Destination The name of the segment that SNAT is translated to.

SNAT Whether SNAT is enabled or disabled.
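As an added example, and not Orchestrator's own code or an exact model of its behaviour, the following Python shows how the Inter-Segment Routing & DNAT rules and the Inter-Segment SNAT table described above combine when a packet crosses segments. The segment names, prefixes and addresses are constructed for the example; the choice of the most specific destination prefix when several enabled rules overlap is an assumption the guide does not state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the segment names, prefixes and addresses below
# are made up for this example and do not come from any real deployment.


@dataclass(frozen=True)
class DnatRule:
    """One row of the Inter-Segment Routing & DNAT table."""
    source_segment: str
    matches_destination_ip: str            # host address or prefix
    send_to_segment: str
    translated_destination: Optional[str]  # None when no DNAT is needed
    enabled: bool = True
    comment: str = ""


@dataclass(frozen=True)
class Decision:
    """Where a packet ends up after inter-segment processing."""
    segment: str
    destination_ip: str
    snat_applied: bool


# Inter-Segment SNAT table: (source, destination) -> SNAT enabled.
# The guide says SNAT defaults to enabled for inter-segment traffic, so
# only pairs that differ from the default need an entry.
SnatPolicy = Dict[Tuple[str, str], bool]

DNAT_RULES: List[DnatRule] = [
    DnatRule("Guest", "10.20.0.0/16", "Corp", "172.16.0.10", comment="guest portal"),
    DnatRule("Guest", "10.20.1.0/24", "Finance", None, comment="more specific, no DNAT"),
    DnatRule("Guest", "10.40.0.0/16", "Corp", "172.16.0.40", enabled=False),
    DnatRule("IoT", "10.30.0.0/24", "Corp", None),
]

SNAT_POLICY: SnatPolicy = {("IoT", "Corp"): False}


def inter_segment_forward(rules: List[DnatRule], snat_policy: SnatPolicy,
                          src_segment: str, dst_ip: str) -> Decision:
    """Apply the DNAT rules, then the SNAT policy, to one packet.

    - A packet that matches no enabled rule stays inside its own segment,
      so segments stay isolated unless a rule explicitly bridges them.
    - Among matching rules the most specific destination prefix wins
      (an assumption; the guide does not state a tie-break order).
    - SNAT is on for the (source, destination) pair unless the SNAT
      table turns it off.
    """
    addr = ip_address(dst_ip)
    best: Optional[DnatRule] = None
    best_len = -1
    for rule in rules:
        if not rule.enabled or rule.source_segment != src_segment:
            continue
        net = ip_network(rule.matches_destination_ip, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = rule, net.prefixlen
    if best is None:
        return Decision(src_segment, dst_ip, False)
    new_dst = best.translated_destination or dst_ip
    snat = snat_policy.get((src_segment, best.send_to_segment), True)
    return Decision(best.send_to_segment, new_dst, snat)


if __name__ == "__main__":
    for seg, ip in [("Guest", "10.20.5.9"), ("Guest", "10.20.1.5"),
                    ("Guest", "10.40.1.1"), ("IoT", "10.30.0.7")]:
        print(seg, ip, "->", inter_segment_forward(DNAT_RULES, SNAT_POLICY, seg, ip))
```

The disabled rule and the unmatched destination both leave the packet in its source segment, which is the property to verify after any rule change: an inter-segment rule is the only path between segments, so a typo in a prefix either opens an unintended path or silently breaks one.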

Loopback
Click +Add and you are redirected to the Loopback Orchestration tab. Select the segment you want to apply a
loopback interface from the table and then click +Add Loopback Interface.

Appliances
This column shows the number of appliances the selected segment is enabled on.

Deleting a Segment

WARNING  Segmentation involves drastic changes to your physical network. Deleting segments can be service
affecting. Please read this section carefully prior to deleting any of your segments.

Deleting a segment removes all the segmentation configuration from all the appliances within your network. When
you delete a segment, Orchestrator automatically deletes the following:

The segment’s association with the overlay and break-out policies

The intra-segment and inter-segment firewall zone policies

The Inter-Segment Routing & D-NAT rules

The Inter-Segment S-NAT rule

The loopback interfaces associated with the segment

The VTI interfaces associated with the segment

All the interfaces and VLAN interfaces associated with the segment

Additional Manual Tasks to complete after deleting:

The following configuration is disassociated from the segment and you need to manually delete the following:


Any manually created tunnels

BGP peers in the segment

Internal subnet table rules

Overlay ACL rules associated to the deleted segment

To delete a segment, click the X in the last column in the table. A Delete Routing Segment warning appears. Click
Delete or Cancel.

Disabling a Segment

To disable routing segmentation across the network, you need to delete all the segments in the network except the
Default segment (which cannot be deleted). Refer to the section above. After all the segments are deleted, navigate
to this tab and move the toggle at the top of the page to disable.


Management Services
Use this tab to configure management services, whether routing segmentation is enabled or disabled.
When routing segmentation is disabled, all the interfaces are available for configuration. When routing segmentation
is enabled, the management service operates in the segment associated with the selected interface.

NOTE  Management Services will still function if Routing Segmentation is not enabled on your Orchestrator. If this is
the case, you will only be able to use the default configuration: Any interface with the Default segment.

Field Description

Appliance Name  The name of the appliance selected.

Management Service  The management service being used by your appliance.

Source IP Address  The IP address of the interface being used by the selected management service.

Segment  The name of the associated segment that is applied to the management service when your
source IP address is selected.

Click the edit icon to get started.

Click the Any field in the Source IP Address column and a dropdown list displays all the interfaces configured on
your appliance. Once a source IP address is selected, the Segment column automatically updates and provides the
associated segment.

Refer to the table below for the management service and its associated behavior.

Service Behavior

HTTP(S), Cloud Portal, Orchestrator, SaaS Opt  These services use the selected interface (the Interface for the
Source IP Address) as the source address to establish reachability and WebSocket connections to the Cloud Portal
and Orchestrator. HTTP/HTTPS uses the Interface for the Source IP Address for connection as well.
If routing segmentation is enabled, SaaS Opt packets are sent from the Interface for the Source IP Address in the
segment.

CAUTION  If routing segmentation is enabled, make sure to provide Internet connectivity from the segment to the
Interface for Source IP Address associated with the segment.

NTP, NetFlow, SNMP, SSH, Syslog  Each of these management services uses the Interface for the Source IP
Address as the source IP address. The source interface configured in the management route table is ignored if the
Interface for Source IP Address is not “Any”.


Inter-Segment DNAT Exceptions


Use this tab to configure per-appliance exceptions to the inter-segment routing and DNAT rules for traffic crossing
between segments. Click the edit icon and the Inter-Segment Routing & DNAT window opens. Click +Add, or select any
rule in the table, to modify or define the following:

Field Description

Appliance Name  The name of the appliance that the DNAT exception is being applied to.

Source Segment  The name of the segment the traffic originates from.

Matches Destination IP  The destination IP address that the rule matches, prior to DNAT. The IP address is
included in the defined policy match criteria.

Send to Segment  The name of the segment the packets are sent to when the destination IP address matches. This is
included in the set criteria.

Translated Destination  The destination IP address the packets are translated to (the DNAT address).

NOTE  If DNAT is not needed, this field is empty.

Enabled  Whether inter-segment DNAT is enabled or disabled within your segment.

Comment  Any additional information.

INFO  This tab only pushes the inter-segment DNAT exceptions to one appliance, selected in the left toolbar.


Inter-Segment SNAT Exceptions


This window allows you to enable source network address translation (SNAT) for your segments. Select an appliance or
group of appliances from the left menu to apply your SNAT exceptions.

NOTE  The default setting for SNAT is enabled for Inter-Segment traffic.

Field Description

Source  The name of the segment that the SNAT is starting from.

Destination  The name of the segment that SNAT traffic is translated to.

SNAT  Whether SNAT is enabled or disabled for the specified segment.


BGP Tab
In this tab, you can configure BGP (Border Gateway Protocol) for appliances and add their BGP peers (also known
as BGP "neighbors"). You can also add and modify peer-based advertisement and redistribution rules. Silver Peak
has the following behaviors relative to communities:

Although Silver Peak does not configure BGP communities, it propagates existing communities.

Appliances can display up to 10 communities per route.

Appliances subnet-share communities with their Silver Peak peers.

Appliances advertise communities to remote peers, if learned from Silver Peak peers.

Appliances advertise communities to BGP neighbors.

All BGP-learned subnets also appear in the appliance Routes table, displayed on the Routes configuration
page. In addition, any AS Path or BGP Community information learned with a particular subnet will also be
displayed with that subnet entry in the table.

BGP route updates are not refreshed unless the peer specifically asks for it. To update the BGP routes, go to
the Peers table and select Soft Reset in the desired row.

The following table represents the fields in the BGP table.

Field Description

Appliance Name  The name of the appliance.
Segment  The name of the segment being used, if enabled.
Peer IP  The IP address of the Silver Peak peer.
Local Interfaces  A list of the interfaces that can be chosen: Any, lan0, wan0, wan1.
Peer ASN  The peer's Autonomous System Number.
Peer State  The state of the peer.
Soft Reset  Allows new changes to be incorporated without taking the entire BGP session down.
Established Time  The final peer state that indicates the neighbor connection is complete.
Type  Governs what kinds of routes the appliance is allowed to advertise to this BGP peer. These routes are
itemized as Route Export Policies.
Inbound Route Map  The route map being used for the inbound traffic.
Outbound Route Map  The route map being used for the outbound traffic.
Local Preference  The local preference is the first attribute a Cisco router looks at to determine which route
towards a certain destination is the “best” one. This value is not exchanged between external BGP routers. Local
preference is a discretionary BGP attribute. Default value is 100. The path with the highest local preference is
preferred.
MED  Multi Exit Discriminator. When BGP chooses the best route to reach a certain destination, it first looks at the
local preference and AS path attributes. When the local preference and AS path length are the same for two or more
routes towards a certain prefix, the Multi Exit Discriminator (MED) attribute is chosen. With MED, the lowest value
is preferred.
NOTE  If you configured the Metric Delta parameter in an earlier version of our software, this value has been
translated into a MED value.
Input Metric  The metric that is advertised with the route when shared.
Enable Import  Allows the learning of routes from this specific BGP peer.
AS Prepend Count  The learned path from an external prepend between a remote BGP site to local BGP peers.
Next-Hop-Self  The advertised route connected to a CE router that an EdgeConnect appliance learns from the
eBGP with a PE router.
Graceful Restart  If enabled, receiver-side graceful restart capability. Silver Peak retains routes learned from the
peer and continues to use them for forwarding (if possible) if/when a BGP peer goes down. The retained routes are
considered stale routes and will be deleted and replaced with newly received routes.
Max Restart Time  Specifies the maximum time (in seconds) to wait for a Graceful Restart capable peer to come
back after a peer restart or peer session failure.
Stale Path  Specifies the maximum time (in seconds) following a peer restart that SP waits before removing stale
routes associated with that peer.
Redistribute Local  The redistributed local subnets to the BGP peer.
Keep Alive Timer  This specifies the interval, in seconds, between keep alive signals to a peer.
Hold Timer  When availability to a peer is lost, this specifies how long to wait before dropping the session.
Peer Details  Any additional details regarding a peer or its state.
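The Local Preference, MED and AS Prepend Count rows describe an ordering: highest local preference first, then shortest AS path, then lowest MED. The following Python is an added example written for this guide, not Silver Peak's implementation; it applies exactly that ordering to a few constructed paths (the ASNs, prefix and next hops are made up) and shows how prepending changes the outcome.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample paths: the ASNs, prefix and next hops below are made up.


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]
    local_preference: int = 100   # default value given in the table
    med: int = 0                  # Multi Exit Discriminator


def prepend(path: BgpPath, count: int) -> BgpPath:
    """Return a copy with the first AS repeated `count` extra times.

    Prepending lengthens the AS path so remote peers find the path less
    attractive; it is the effect the AS Prepend Count field controls.
    """
    if count < 0:
        raise ValueError("prepend count must be non-negative")
    if not path.as_path:
        raise ValueError("cannot prepend to an empty AS path")
    return BgpPath(path.prefix, path.next_hop,
                   (path.as_path[0],) * count + path.as_path,
                   path.local_preference, path.med)


def preference_key(path: BgpPath) -> Tuple[int, int, int]:
    """Sort key in the order the table describes: highest local preference,
    then shortest AS path, then lowest MED."""
    return (-path.local_preference, len(path.as_path), path.med)


def best_path(paths: List[BgpPath]) -> BgpPath:
    """Pick the best of several paths to the same prefix. Later tie-breakers
    (origin, router ID, and so on) are outside the scope of this example."""
    if not paths:
        raise ValueError("no paths to choose from")
    if len({p.prefix for p in paths}) != 1:
        raise ValueError("all paths must be for the same prefix")
    return min(paths, key=preference_key)


# Four constructed paths to one prefix, learned from different neighbours.
VIA_A = BgpPath("192.0.2.0/24", "198.51.100.1", (65001, 65010), med=20)
VIA_B = BgpPath("192.0.2.0/24", "198.51.100.2", (65002, 65020, 65010), med=5)
VIA_C = BgpPath("192.0.2.0/24", "198.51.100.3", (65003, 65030, 65040, 65010),
                local_preference=200)
VIA_D = BgpPath("192.0.2.0/24", "198.51.100.4", (65004, 65010), med=10)

if __name__ == "__main__":
    print("shortest AS path wins over lower MED:", best_path([VIA_A, VIA_B]).next_hop)
    print("highest local preference wins:", best_path([VIA_A, VIA_B, VIA_C]).next_hop)
    print("lowest MED breaks the tie:", best_path([VIA_A, VIA_D]).next_hop)
    print("after prepending D twice:", best_path([prepend(VIA_D, 2), VIA_A]).next_hop)
```

Note that VIA_B loses to VIA_A despite its lower MED, because MED is only consulted once local preference and AS path length tie; a MED value set on a route map therefore has no effect on paths that already differ in length.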

To edit the BGP settings of an appliance, select the edit icon in the right column of the table.

Use this window to enable BGP for your appliances and to configure BGP peers. Complete the following steps to start
BGP configuration.

 1. Move the toggle to Enable BGP.

 2. Complete the following fields.


Field Description

Autonomous System Number (ASN)  Configure this number as needed for your network.
Router ID  This router identifier is the IPv4 address by which the remote peer can identify this appliance for
purposes of BGP.
Graceful Restart  Enable receiver-side graceful restart capability. Silver Peak retains routes learned from the peer
and continues to use them for forwarding (if possible) if/when a BGP peer goes down. The retained routes are
considered stale routes and will be deleted and replaced with newly received routes.
Max Restart Time  Specifies the maximum time (in seconds) to wait for a Graceful Restart capable peer to come
back after a peer restart or peer session failure.
Stale Path  Specifies the maximum time (in seconds) following a peer restart that SP waits before removing stale
routes associated with that peer.
AS Path Propagate  Check to enable. This will provide the learned path from an external prepend between a remote
BGP site to local BGP peers.

To add a BGP peer, select Add. The Add Peer window opens.

Add Peer
Complete the following fields to add a BGP peer.

Field Definition

Peer IP  The IP address of the Silver Peak peer.
Local Interface  You can specify the source address or interface for a specific BGP peer. Select the interface from
the menu: Any, lan0, wan0, wan1.
Peer ASN  The peer's Autonomous System Number.
Admin Status  Select whether you want the Admin Status as UP or DOWN.
Next-Hop-Self  Check to enable next-hop-self.
Inbound Route Map  The route map for inbound traffic. Select the edit icon to load or configure inbound route maps.
Outbound Route Map  The route map for outbound traffic. Select the edit icon to load or configure your outbound
route maps.
Keep Alive Timer  This specifies the interval, in seconds, between keep alive signals to a peer.
Hold Timer  How long to wait before dropping the session when reachability to a peer is lost.
Enable MD5 Password  Select Enable MD5 Password to add a password that authenticates the TCP session with the
peer.

BGP Inbound and Outbound Route Redistribution Maps


Route Maps are policies applied to static, OSPF, BGP and SD-WAN fabric learned routes. These policies have match
and set criteria. A route map is applied to the routes during route redistribution between routing protocols and
allows for filtering routes or modifying route attributes.

The number of BGP route maps and rules per route map is specified below:

BGP Inbound route map: 20 rules

BGP Outbound route map: 20 rules

You can apply up to 128 rules per route map.

Use this window to apply your route maps. Route maps can be redistributed between various dynamic routing
protocols.

You can also Add a Map, Delete a Map, Rename a Map, or Clone Map.

You can specify the following fields for each inbound or outbound route map:

Inbound

Priority  If you are using Orchestrator templates to add route map entries, the range for rules is 1000 – 9999
before applying its policies. You can create rules from 1 – 999 (per appliance), which have higher priority than
Orchestrator template rules. Similarly, you can create rules from 10000 – 65534, which have lower priority than
Orchestrator template rules.
Adding a rule increments the last Priority by 10. This leaves room for you to insert a rule in between rules without
having to renumber subsequent priorities. Likewise, you can just edit the number.

Source Protocol  Fields

BGP  Prefix, BGP Communities. Enter the prefix (list of subnets separated by commas) and your BGP communities.

Outbound

Match Criteria

Source Protocol  Fields (based on protocol chosen)

Local/Static  Prefix, BGP Communities. Enter the prefix (list of subnets separated by commas) and your BGP
communities.
SD-WAN (Local/Static)  Prefix, BGP Communities
BGP  Prefix, BGP Communities
OSPF  Prefix, OSPF Tag
SD-WAN (BGP)  Prefix, BGP Communities
SD-WAN (OSPF)  Prefix, OSPF Tag

Set Actions

Permit  Enable or disable.
BGP Local Preference  The best BGP destination. The default value is 100.
Metric  The metric for the route.
BGP Communities  A label of extra information that is added to one or more prefixes advertised to BGP neighbors.
Nexthop  The advertised route connected to a CE router that an EdgeConnect appliance learns from the eBGP with
a PE router.
ASN Prepend Count  The original route path that was used.
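The priority ranges under Inbound and the match criteria and set actions above together define how a route map is evaluated. The following Python is an added example, not Orchestrator's route-map engine: it classifies priorities into the three ranges the guide names, computes the next priority using the increment-by-10 rule, and evaluates prefix and BGP community match criteria before applying local preference, metric and community set actions. The rules, prefixes and community values are constructed; treating a route that matches no rule as filtered (implicit deny) is an assumption taken from common route-map semantics, which the guide does not spell out.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import FrozenSet, List, Optional

# Constructed sample rules and routes: prefixes and community values are made up.

APPLIANCE_HIGH = range(1, 1000)        # per-appliance rules, above template rules
TEMPLATE = range(1000, 10000)          # Orchestrator template rules
APPLIANCE_LOW = range(10000, 65535)    # per-appliance rules, below template rules


def rule_origin(priority: int) -> str:
    """Classify a priority value into the ranges the guide describes."""
    if priority in APPLIANCE_HIGH:
        return "appliance (higher than template)"
    if priority in TEMPLATE:
        return "Orchestrator template"
    if priority in APPLIANCE_LOW:
        return "appliance (lower than template)"
    raise ValueError(f"priority {priority} is outside 1-65534")


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: FrozenSet[str] = frozenset()
    local_preference: int = 100
    metric: int = 0


@dataclass(frozen=True)
class RouteMapRule:
    priority: int
    permit: bool = True
    # Match criteria; an empty set means "no constraint" for that criterion.
    match_prefixes: FrozenSet[str] = frozenset()
    match_communities: FrozenSet[str] = frozenset()
    # Set actions; None leaves the attribute unchanged.
    set_local_preference: Optional[int] = None
    set_metric: Optional[int] = None
    add_communities: FrozenSet[str] = frozenset()

    def matches(self, route: Route) -> bool:
        if self.match_prefixes:
            net = ip_network(route.prefix)
            if not any(net.subnet_of(ip_network(p)) for p in self.match_prefixes):
                return False
        return self.match_communities <= route.communities


def next_priority(rules: List[RouteMapRule], start: int = 10) -> int:
    """Adding a rule increments the last priority by 10 (guide); `start` is
    an assumed value for an empty map."""
    return max((r.priority for r in rules), default=start - 10) + 10


def apply_route_map(rules: List[RouteMapRule], route: Route) -> Optional[Route]:
    """Evaluate rules in priority order; the first matching rule decides.
    A deny rule, or no matching rule at all, filters the route (None)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(route):
            continue
        if not rule.permit:
            return None
        return replace(
            route,
            local_preference=(rule.set_local_preference
                              if rule.set_local_preference is not None
                              else route.local_preference),
            metric=rule.set_metric if rule.set_metric is not None else route.metric,
            communities=route.communities | rule.add_communities,
        )
    return None


ROUTE_MAP = [
    RouteMapRule(1000, match_prefixes=frozenset({"10.0.0.0/8"}),
                 set_local_preference=150),                         # template rule
    RouteMapRule(10, match_prefixes=frozenset({"10.1.0.0/16"}),
                 match_communities=frozenset({"65000:100"}),
                 set_local_preference=200,
                 add_communities=frozenset({"65000:999"})),          # beats the template
    RouteMapRule(20, match_prefixes=frozenset({"192.168.0.0/16"}), permit=False),
    RouteMapRule(10000, set_metric=50),                             # catch-all, below template
]

if __name__ == "__main__":
    for r in [Route("10.1.5.0/24", frozenset({"65000:100"})), Route("10.1.5.0/24"),
              Route("192.168.7.0/24"), Route("172.16.0.0/24")]:
        print(r.prefix, "->", apply_route_map(ROUTE_MAP, r))
    print("next priority:", next_priority(ROUTE_MAP))
```

The same 10.1.5.0/24 prefix is handled by the per-appliance rule at priority 10 only when it carries community 65000:100; without it, the prefix falls through to the template rule at 1000, which is the layering the three priority ranges are meant to give you.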

The following table describes the redistribution commands supported in the BGP routing protocol.

Command Redistribution Support

Match prefix Yes

Set metric Yes

Set tag Yes


Virtual Tunnel Interface


A VTI (Virtual Tunnel Interface) is a tunneling protocol that does not require a static mapping of IPsec sessions to a
physical interface. The tunnel endpoint is associated with a tunnel interface that enables a constant secure and
stable connection throughout your network.

Select the Edit icon to get started configuring your VTIs.


VTI
Complete the following steps to configure a VTI with an associated tunnel in Orchestrator.

 1. Select Add.

 2. The Add Interface window appears. Complete the following fields with the appropriate information.

Field Definition

Appliance Name  The name of the appliance.
Segment  The name of the segment, if enabled.
Interface  The name of the VTI interface.
Admin  Select whether the interface is up or down.
Status  The status of the VTI tunnel.
IP/Mask  The IP address and mask of your VTI.
Passthrough Tunnel  The name of the passthrough tunnel associated with your VTI.
Interface Type  The type of interface.
Direction  The direction of the label for your VTI: LAN or WAN.
Label  The label on your VTI interface.
Zone  Select the zone from the drop-down list that you are applying the VTI to.

 3. Select Add.


Boost
This page shows you various details regarding your boost. You can purchase additional boost for the traffic within
your network. You can also search for the boost used per appliance by the hour or specify a time frame within the
Range field at the top of the page.

The following table shows the fields and definitions regarding your boost.

Field Definition

Appliance The name of the appliance you are applying boost to.
% Time Insufficient Boost The percent of time the appliance did not have enough boost configured to
boost the traffic.
Minutes Insufficient Boost The amount of time (in minutes) the appliance did not have enough boost
configured to boost the traffic.
Configured Boost (Kbps) The amount of boost configured on the appliance.
Average Boost Bytes The average boost in bytes.
Trends A graph displaying the trends of your boost.

To configure or update your boost:

 1. Select the appliance you want to add more or less boost to from the table in the Boost tab.

 2. Select Increase 20%, Decrease 20%, or Set to this Value.

 3. If you select Set to this Value, enter the exact amount in the field.

 4. Select Apply.


Deployment Tab
This page summarizes the appliance Deployment settings in either Summary or Details view.

Summary View

Field Definition

Appliance Name  The name of the appliance that was deployed.
Mode  One of four deployment Modes displays:
  Router  Single or dual WAN interfaces share LAN and WAN data traffic.
  InLine Router  Uses separate LAN and WAN interfaces to route data traffic.
  Bridge  Uses a virtual interface, bvi, created by binding the WAN and LAN interfaces.
  Server  Both management and data traffic use the mgmt0 interface.
WAN Labels Used  Identify the service, such as MPLS or Internet.
LAN Labels Used  Identify the data, such as data, VoIP, or replication.
Segment  The name of the segment being used.
Details  Select the information icon to view further deployment details of an appliance.


Interfaces Tab
The Interfaces tab lists the appliance interfaces.

Please refer to the following table for the Interfaces field descriptions.

Field Name Description

Appliance Name  The name of the appliance the interface belongs to.
Name  The name of the LAN/WAN interface selected.
Status  The status of the interface (up or down).
IP Address/Mask  The IP address and mask.
Public IP  The public IP address.
Segment  The name of the configured segment being used.
DHCP  Whether this interface's IP address is obtained from the DHCP server. Displays as Yes, No, No data (not
configured), or Invalid data (error condition).
Speed  The current interface speed.
Duplex  The current interface duplex.
MTU  The maximum transmission unit: the largest packet size, in bytes, the interface transmits.
MAC Addresses  The MAC addresses applied to an interface.


Speed/Duplex should never display as half duplex after auto-negotiation. If it does, the appliance will
experience performance issues and dropped connections. To resolve, check the cabling on the appliance and
the ports on the adjacent switch/router.

To directly change interface parameters for a particular appliance, select Edit. It takes you to the Appliance
Manager's Configuration > Interfaces page.

To change the IP address for a lan or wan interface, either use the Appliance Manager's Configuration >
Deployment page or the CLI (Command Line Interface).

To change the IP address for mgmt0, either use the Appliance Manager's Administration > Management
IP/Hostname page or the CLI.

Terminology
Interface Description

blan  Bonded LAN interfaces (as in lan0 + lan1)
bwan  Bonded WAN interfaces (as in wan0 + wan1)
bvi  Bridge Virtual Interface. When the appliance is deployed in-line (Bridge mode), it's the routed interface that
represents the bridging of wan0 and lan0.
tlan  10-Gbps fiber LAN interface
twan  10-Gbps fiber WAN interface


Routes Tab
Each appliance builds a routes table in three ways: entries are added automatically by the system, added manually
by a user, or learned from a routing protocol: BGP (Border Gateway Protocol) or OSPF (Open Shortest Path First).
When two appliances are connected by a tunnel, they exchange this information and use it to route traffic.

Route Maps
Orchestrator supports the ability to apply route maps to various routing protocols. This provides more control over
importing and exporting routes to and from the SD-WAN fabric. You can configure your route maps to modify route
information through ACLs and to apply tags by using commands. Each route map has a match command and a set
command. The match command verifies the attributes of the original route that the protocol supports, and the set
command modifies the information that is redistributed into the target protocol. Silver Peak supports route mapping
for the following protocols and directions:

Local, static to SD-WAN fabric

BGP, OSPF to SD-WAN fabric

SD-WAN fabric to BGP Outbound peers

Local, BGP, OSPF to BGP outbound peers

Local BGP Peers to EdgeConnect BGP sessions

The following table lists the routing protocols and the associated commands supported.

Command       Redistribution Support  BGP  OSPF  SD-WAN  Local/Static

Match prefix  Yes                     Yes  Yes   Yes     Yes

Set metric    Yes                     Yes  Yes   Yes     Yes

Set tag       Yes                     Yes  Yes   Yes     Yes

You can filter the type of route by selecting All, Local / Static, SD-WAN Fabric, BGP, and OSPF routes. You can also
import or export subnets to a .csv file.

Filter by Subnet

Filter by subnet is a filtering tool that can be used to filter all existing routes and the results are populated in the
Routes tab.

A Very Large Query Response pop-up displays if the number of routes filtered exceeds 500,000. You can
filter by subnet, cancel, or continue waiting to help mitigate this issue.

Segment

The segments you have configured in the Routing Segmentation tab are listed in the Segment field. Once you specify
the segment, the Routes table displays only the routes belonging to that segment.

The following represents the content in the Routes table.

Field Definition

Appliance Name  The name of the appliance.
Segment  The routes displayed belong to this segment.
Subnet/Mask  Actual subnet to be shared or learned.
Next Hop  The deployment interface’s next-hop address.
Interface  The interface for outgoing traffic. Display only.
State  Shows if the route is either up or down.
Metric  The metric of the subnet. Value must be between 0 and 100. When a peer has more than one tunnel with a
matching subnet (for example, in a high availability deployment), it chooses the tunnel with the lower numerical
value.
Advertise to Peers  Select to share subnet information with categories of peers. Select from the following options:
  Advertise to Silver Peak Peers
  Advertise to BGP Peers
  Advertise to OSPF Peers
Peers then learn the subnets. To add a subnet to the table without divulging it to peers, deselect this option.


Type (of route)  One of the following:
  Auto (System)  Automatically added subnets of interfaces on this appliance.
  Auto (Saas)  Automatically added subnets from SaaS services.
  Added by user  Manually added/configured subnets for this appliance.
  SP: Hostname  Subnets added as a result of exchanging information with peer appliances. If the peer has learned
  the subnet from a remote BGP or OSPF peer, that information is appended.
  <BGP peer Type>: <BGP peer ip>  Subnets added as a result of exchanging information with local BGP peers.
  OSPF: OSPF neighbor IP  Subnets added as a result of exchanging information with local OSPF peers.
Additional Info  The following tags are available:
  Tag FROM_LAN  Used to restrict route lookups to traffic arriving on a LAN-side interface.
  Tag FROM_WAN  Used to restrict route lookups to traffic arriving on a WAN-side interface.
Comment  Any additional information you would like to include.


To edit a route, select the edit icon in the Routes table.

Route Table Lookup Criteria

Each Route table uses the following lookup criteria, applied in this order:

Longest Prefix Match

Route Table admin distance of the source protocol (lower the better)

Metric (lower the better)

Use peer priority (if configured) as a tie-breaker.

If there are two or more routes that match all the above criteria, then use multiple routes.

Admin Distance Configuration

You can configure the admin distance by using the Admin Distance template in the Templates tab. The default
settings in this template determine the most reliable route with the use of admin distance. See the table below for
the various default admin distances per route type.

Route Type Default Admin Distance

Local 1

SD-WAN Fabric - Static 10

SD-WAN Fabric - BGP 15

SD-WAN Fabric - OSPF 15

eBGP 20

OSPF 110

iBGP 200
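The lookup order above (longest prefix match, then admin distance, then metric, then peer priority, with remaining ties used as multiple routes) and the default admin distance table are enough to reproduce the selection. The Python below is an added example, not the appliance's forwarding code: it walks a constructed routes table (prefixes, next hops and hub names are made up) with the guide's default admin distances, enforces the 0-100 metric range from the Routes table, and returns every route that survives all four criteria. Treating a lower peer priority as preferred is an assumption; the guide only says peer priority is the tie-breaker.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample routes: prefixes, next hops and hub names are made up.

# Default admin distances from the guide's table (lower is more trusted).
DEFAULT_ADMIN_DISTANCE: Dict[str, int] = {
    "Local": 1,
    "SD-WAN Fabric - Static": 10,
    "SD-WAN Fabric - BGP": 15,
    "SD-WAN Fabric - OSPF": 15,
    "eBGP": 20,
    "OSPF": 110,
    "iBGP": 200,
}


@dataclass(frozen=True)
class RouteEntry:
    subnet: str                           # e.g. "10.1.0.0/16"
    next_hop: str
    route_type: str                       # key into the admin distance table
    metric: int = 0                       # the Routes table allows 0-100
    peer_priority: Optional[int] = None   # tie-breaker; lower wins (assumption)
    state: str = "up"

    def __post_init__(self):
        if not 0 <= self.metric <= 100:
            raise ValueError(f"metric {self.metric} must be between 0 and 100")
        if self.route_type not in DEFAULT_ADMIN_DISTANCE:
            raise ValueError(f"unknown route type {self.route_type!r}")


def lookup(table: List[RouteEntry], destination: str,
           admin_distance: Dict[str, int] = DEFAULT_ADMIN_DISTANCE) -> List[RouteEntry]:
    """Return the route(s) used for `destination`, applying the guide's order:
    longest prefix match, lowest admin distance, lowest metric, then peer
    priority. Routes that still tie are all returned (multiple routes used)."""
    addr = ip_address(destination)
    candidates = [r for r in table
                  if r.state == "up" and addr in ip_network(r.subnet, strict=False)]
    if not candidates:
        return []
    longest = max(ip_network(r.subnet, strict=False).prefixlen for r in candidates)
    candidates = [r for r in candidates
                  if ip_network(r.subnet, strict=False).prefixlen == longest]

    def key(r: RouteEntry):
        # An unconfigured peer priority sorts after any configured one.
        prio = r.peer_priority if r.peer_priority is not None else float("inf")
        return (admin_distance[r.route_type], r.metric, prio)

    best = min(key(r) for r in candidates)
    return [r for r in candidates if key(r) == best]


TABLE = [
    RouteEntry("10.0.0.0/8", "203.0.113.1", "eBGP", metric=50),
    RouteEntry("10.1.0.0/16", "hub-a", "SD-WAN Fabric - BGP", metric=50),
    RouteEntry("10.1.0.0/16", "10.1.0.254", "OSPF", metric=10),
    RouteEntry("10.2.0.0/16", "hub-a", "SD-WAN Fabric - Static", metric=20, peer_priority=2),
    RouteEntry("10.2.0.0/16", "hub-b", "SD-WAN Fabric - Static", metric=20, peer_priority=1),
    RouteEntry("10.3.0.0/16", "hub-a", "SD-WAN Fabric - OSPF", metric=30),
    RouteEntry("10.3.0.0/16", "hub-b", "SD-WAN Fabric - OSPF", metric=30),
    RouteEntry("10.4.0.0/16", "hub-a", "SD-WAN Fabric - Static", metric=10, state="down"),
]

if __name__ == "__main__":
    for dst in ["10.1.2.3", "10.9.9.9", "10.2.5.5", "10.3.1.1", "10.4.1.1", "192.0.2.1"]:
        print(dst, "->", [r.next_hop for r in lookup(TABLE, dst)])
```

The 10.1.0.0/16 case is the one worth internalising: the OSPF route has the lower metric, but the fabric-learned BGP route wins on admin distance (15 against 110) because admin distance is compared before metric; metric only matters between routes of the same type.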

Navigate to the BGP and OSPF tabs for more information to apply or configure your route maps.

Import
Import allows you to import a CSV file (Comma-Separated Values) into a pair of appliances used at the same
site. Before you import, you must remove the header row and save the file on your computer. Complete the
following steps to begin your import.

 1. Select the appliance you want to upload the routes to.

 2. Select Import in the Routes page.

 3. Select Choose File.

 4. Locate the file you want to import on your desktop.


 5. Select Open.

 6. Select Import. Orchestrator will begin generating a CSV file.

The following table is an example of what the CSV file will look like before you import a file. The columns are, in order:

Subnet, Mask Length, Metric, Is Local, Adv to SP Peers, Adv to BGP Peers, Next Hop, Adv to OSPF Neighbors, Interface Name
10.1.0.0, 16, 50, TRUE, TRUE, FALSE, 10.1.0.1, FALSE, lan0

NOTE   You can limit the file to only the Subnet, Mask Length, and Metric columns. Orchestrator then uses
the default values for the six unlisted columns.

NOTE   No table cell can be blank when using nine columns.
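A pre-import check for the CSV format just described, as an added example (not Orchestrator code): nine columns in the documented order or only the first three, no blank cell when nine columns are used, and the header row already removed. The file contents are constructed, and the extra value checks (valid IP addresses, integer metric, TRUE/FALSE flags, no host bits set in the subnet) are this example's own strictness rather than documented Orchestrator behaviour.

```python
"""Pre-import check for the route CSV format described above: each line has the
nine documented columns in order, or only the first three (Subnet, Mask Length,
Metric); no cell may be blank when nine columns are given; the header row must
already be removed. Added example, not Orchestrator code. The file contents
below are constructed; the additional value checks (valid IPs, integer metric,
TRUE/FALSE flags, no host bits in the subnet) are this example's own strictness,
not documented Orchestrator behaviour."""
import csv
import io
import ipaddress

COLUMNS = ["Subnet", "Mask Length", "Metric", "Is Local", "Adv to SP Peers",
           "Adv to BGP Peers", "Next Hop", "Adv to OSPF Neighbors", "Interface Name"]
BOOL_COLUMNS = ("Is Local", "Adv to SP Peers", "Adv to BGP Peers", "Adv to OSPF Neighbors")


def _check_values(row):
    """Return a list of problems with one parsed row (empty list when it is fine)."""
    problems = []
    try:
        # strict=True rejects a subnet with host bits set, e.g. 10.4.0.1/24 (almost always a typo).
        ipaddress.ip_network(f"{row['Subnet']}/{int(row['Mask Length'])}", strict=True)
    except ValueError as exc:
        problems.append(f"bad subnet/mask length: {exc}")
    if not row["Metric"].isdigit():
        problems.append("Metric must be a non-negative integer")
    for col in BOOL_COLUMNS:
        if col in row and row[col].upper() not in ("TRUE", "FALSE"):
            problems.append(f"{col} must be TRUE or FALSE")
    if "Next Hop" in row:
        try:
            ipaddress.ip_address(row["Next Hop"])
        except ValueError:
            problems.append("Next Hop is not a valid IP address")
    return problems


def parse_route_csv(text):
    """Return (rows, errors): rows are dicts keyed by COLUMNS (three keys for the short
    form; Orchestrator supplies defaults for the six omitted columns), errors are
    'line N: message' strings for every line that would not import cleanly."""
    rows, errors = [], []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in fields]
        if not any(fields):          # ignore empty lines
            continue
        if fields[0].lower() == "subnet":
            errors.append(f"line {lineno}: header row must be removed before import")
            continue
        if len(fields) not in (3, 9):
            errors.append(f"line {lineno}: expected 3 or 9 columns, got {len(fields)}")
            continue
        if len(fields) == 9 and "" in fields:
            errors.append(f"line {lineno}: no cell may be blank when all nine columns are used")
            continue
        row = dict(zip(COLUMNS, fields))
        problems = _check_values(row)
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
        else:
            rows.append(row)
    return rows, errors


# Constructed sample file: two good lines followed by four that should be rejected.
SAMPLE_CSV = """\
10.1.0.0,16,50,TRUE,TRUE,FALSE,10.1.0.1,FALSE,lan0
10.2.0.0,16,50
10.3.0.0,16,50,TRUE,,FALSE,10.3.0.1,FALSE,lan0
10.4.0.1,24,50,TRUE,TRUE,FALSE,10.4.0.1,FALSE,lan0
Subnet,Mask Length,Metric
10.5.0.0,16,fifty
"""

if __name__ == "__main__":
    good, bad = parse_route_csv(SAMPLE_CSV)
    print(f"{len(good)} importable rows")
    for err in bad:
        print(err)
```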

This tab manages OSPF (Open Shortest Path First) on LAN and WAN interfaces.

OSPF learns routes from routing peers, and then subnet shares them with Silver Peak peers and/or BGP neighbors.

A route tag is applied to a route to better identify the source of the network it originated from. It is primarily used to
filter routes from being redistributed in a routing loop.

 
Field Definition

Appliance Name: The name of the appliance.
Enable [Route Metric]: The cost associated with a route. The higher the value, the less preferred.
Router ID: This router identifier is the IPv4 address by which the remote peer can identify this appliance for purposes of OSPF.
Redistribute Routes to OSPF: The redistribution map being used to redistribute routes to OSPF.
Details: Any additional details regarding your route.

Select the edit icon in the OSPF table to edit and enable OSPF.

Use this page to manage OSPF (Open Shortest Path First) on LAN and WAN interfaces.

This protocol learns routes from routing peers, and then subnet shares them with Silver Peak peers and/or BGP
neighbors.


 
Field Definition

Enable OSPF: When enabled, the appliance has access to use the OSPF protocol.
Router ID: The IPv4 address of the router that the remote peer uses to identify the appliance for purposes of OSPF.
Redistribute routes to OSPF: Redistributing routes into OSPF from other routing protocols or from static routes causes these routes to become OSPF external routes. Select the edit icon to the left of this field and select the OSPF route redistribution maps you would like to apply.

To add an additional interface to an OSPF route, select Add.

To configure or modify an OSPF route map, select the edit icon next to the Redistribute routes to OSPF field.

Add Interface
Complete the following fields to add an interface to OSPF.

 
Field Definition

Interface: Indicates whether a Backup Designated Router (BDR) is specified for the Designated Router (DR). Options are Yes or No.
Area ID: The number of the area in which to locate the interface. The Area ID is the same for all interfaces. It can be an integer between 0 and 4294967295, or it can take a form similar to an IP address, A.B.C.D.
Cost: The cost of an interface in OSPF is an indication of the overhead required to send packets across a certain interface. It's used in the OSPF path calculation to determine link preference.
Priority: Router priority. [If two or more best routes are subnet shared, then peer priority is used as the tie-breaker.]
Admin Status: Indicates whether the interface is set to admin UP or DOWN.
Hello Interval: Specifies the length of time, in seconds, between the hello packets that a router sends on an OSPF interface.
Dead Interval: Number of seconds that a router's Hello packets have not been seen before its neighbors declare the OSPF router down.
Transmit Delay: Number of seconds required to transmit a link state update packet. Valid values are 1 to 65535.
Retransmit Interval: The amount of time (in seconds) the router will wait to send retransmissions if the router receives no acknowledgment.
Authentication:
    None: No authentication.
    Text: Simple password authentication allows a password (key) to be configured per area.
    MD5: Message Digest authentication is a cryptographic authentication. A key (password) and key-id are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the key-id to generate a "message digest" that gets appended to the packet.
Comment: Any information you want to include for your own use.
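The MD5 authentication scheme in the Authentication row above, on both the sending and the receiving side, as an added example (not appliance or Orchestrator code). The header layout, the 16-byte zero-padded key, the cryptographic sequence number and the zeroed checksum follow RFC 2328 Appendix D and are assumptions here, since this page only describes the scheme in outline; the Hello packet, key, key-id and sequence numbers are constructed.

```python
"""OSPF cryptographic (MD5) authentication as the Authentication row describes:
a key and key-id configured per interface, a digest computed over the OSPF
packet and the key, appended to the packet, and checked by the receiver.
Added example, not appliance code. Header layout, the 16-byte zero-padded key,
the cryptographic sequence number and the zeroed checksum follow RFC 2328
Appendix D (assumed here; the page only describes the scheme in outline).
The Hello packet, key, key-id and sequence numbers are constructed."""
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 header (24 bytes): version, type, packet length, router ID, area ID, checksum,
# AuType, then the 8-byte authentication field as laid out for AuType 2:
# zero (2 bytes), key ID (1), auth data length (1), cryptographic sequence number (4).
OSPF_HEADER = struct.Struct("!BBHIIHHHBBI")
AU_TYPE_CRYPTO = 2
DIGEST_LEN = 16
TYPE_HELLO = 1


def _key_bytes(key: str) -> bytes:
    """Keys shorter than 16 bytes are zero-padded; longer ones are truncated."""
    return key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_authenticated_packet(pkt_type, router_id, area_id, body, key_id, key, seq):
    """Sender side: header with checksum 0 and AuType 2, body, then MD5(packet || key)."""
    length = OSPF_HEADER.size + len(body)          # packet length excludes the digest
    header = OSPF_HEADER.pack(2, pkt_type, length, router_id, area_id,
                              0, AU_TYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + _key_bytes(key)).digest()


def verify_packet(packet, keys, last_seq):
    """Receiver side. keys: {key_id: key} configured on this interface;
    last_seq: {router_id: last accepted sequence number}, updated on success.
    Returns (accepted, reason)."""
    if len(packet) < OSPF_HEADER.size + DIGEST_LEN:
        return False, "truncated"
    (_ver, _type, length, router_id, _area, _cksum,
     autype, _zero, key_id, auth_len, seq) = OSPF_HEADER.unpack_from(packet)
    if autype != AU_TYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, "not MD5 authenticated"
    if length + DIGEST_LEN != len(packet):
        return False, "length mismatch"
    key = keys.get(key_id)
    if key is None:                                  # key-id must match on both routers
        return False, f"unknown key id {key_id}"
    if seq < last_seq.get(router_id, 0):             # older sequence number: replayed packet
        return False, "replayed sequence number"
    expected = hashlib.md5(packet[:length] + _key_bytes(key)).digest()
    if not hmac.compare_digest(expected, packet[length:]):   # constant-time compare
        return False, "bad digest"
    last_seq[router_id] = seq
    return True, "ok"


# Constructed sample: a Hello from router 192.0.2.1 in area 0 using the interface
# settings from the table above (Hello Interval 10 s, Dead Interval 40 s, Priority 1).
ROUTER_ID = int(ipaddress.IPv4Address("192.0.2.1"))
SAMPLE_HELLO_BODY = struct.pack("!IHBBIII",
                                int(ipaddress.IPv4Address("255.255.255.0")),  # network mask
                                10,    # hello interval
                                0x02,  # options (E bit)
                                1,     # router priority
                                40,    # router dead interval
                                0, 0)  # DR, BDR (none elected yet)

if __name__ == "__main__":
    keys = {1: "s3cret-key"}
    seen = {}
    pkt = build_authenticated_packet(TYPE_HELLO, ROUTER_ID, 0, SAMPLE_HELLO_BODY, 1, "s3cret-key", 100)
    print(verify_packet(pkt, keys, seen))           # (True, 'ok')
    print(verify_packet(pkt, {1: "other"}, {}))     # (False, 'bad digest')
```

The Text option, by contrast, carries the password itself in the authentication field, so only the MD5 option gives a peer no way to join without the key, and only the sequence number check rejects a replayed packet.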

OSPF Route Redistribution Maps


Use this window to apply your OSPF route maps to your routing protocols. Route maps provide more flexibility
because they can be redistributed between various dynamic routing protocols.

These policies have match and set criteria. A route map is applied to the routes during route redistribution
between routing protocols and allows you to filter routes or modify route attributes.

The number of OSPF route maps and rules per route map is specified below:

OSPF route map: 20 rules

You can apply up to 128 rules per route map.

You can Add a Map, Delete a Map, Rename a Map, or Clone Map.

You can also add various rules to your route map to further specify your routing protocols by selecting Add Rule.
You can deny or permit or match and filter your routes.

You can specify the rules using the following fields for each OSPF route map:


Source Protocol Fields (based on protocol chosen)

Priority: If you are using Orchestrator templates to add route map entries, the range for rules is 1000 – 9999 before applying its policies. You can create rules from 1 – 999 (per appliance), which have higher priority than Orchestrator template rules. Similarly, you can create rules from 10000 – 65534, which have lower priority than Orchestrator template rules. Adding a rule increments the last Priority by 10. This leaves room for you to insert a rule between rules without having to renumber subsequent priorities. Likewise, you can just edit the number.
Local/Static: Prefix
SD-WAN Routes: Prefix, BGP Communities, OSPF Tag
BGP: Prefix, BGP Communities
Set Actions:
    Permit: Specify if you want to allow or deny the route map.
    OSPF Tag: Value of OSPF tag to set in routing information sent to destination.
    OSPF Metric Type: Filters redistributed routes to OSPF.
    Metric: The metric for the route.
    Comment: Any additional comments you would like to include.


Multicast
Orchestrator supports multicast routing, a method of sending data from a single IP address to a larger group of
recipients. This is only supported in Inline Router mode. There are three different ways you can display the status of
multicast: Interfaces, Neighbors, and Routes.

From Summary, Interfaces, Neighbors, or Routes view:

 1. Select the Edit icon.

 2. Select Enable Multicast.

 3. Enter the Rendezvous Point IP Address.

Interfaces

Select Add to add an interface. The Add Interface window appears.

 1. Select the Interface field and select the desired interface from the list.

 2. Select if you want to Enable PIM.

 3. Select if you want to Enable IGMP.

 4. Select Add.

Field Definition

Interface: The name of the interfaces you want to connect.
PIM Enabled: Enables Protocol Independent Multicast (PIM).
IGMP: Enables Internet Group Management Protocol (IGMP).
DR Priority: The designated router priority of the given interface.
DR Router IP: The IP address of the designated router within your network.

Neighbors

Field Definition

Appliance Name: The name of the appliance you are using for multicast.
Interface: The name of the interfaces you want to connect.
Neighbor DR Priority: The designated router priority of the neighbor.
Neighbor IP: The IP address of the neighbor.

Routes

Field Definition

Source: The transmitter of the multicast data.
Group: The IP address of the multicast group.
Incoming Interface: The interface that receives inbound traffic.
Outgoing Interfaces: The interface that receives outbound traffic.

You can also export an Excel file of the multicast report, as well as refresh the page and the information from each
appliance.


Loopback
Configuration > Routing > Loopback

The loopback feature enhances reliability and security by allowing you to access your network using one static
IP address. If one interface goes down, you can still reach all interfaces through that one static IP address. To add a
loopback interface to your network, do the following:

 1. Navigate to the Loopback tab in Orchestrator.

 2. Select the Edit icon.

 3. Select Add.

 4. Enter the appropriate information for your loopback interface in the Add Interface window.


Loopback Orchestration
You can create a pool of loopback addresses for Orchestrator to automatically create one or more loopback
interfaces. You can also assign IP addresses from the pool to each appliance in the network. Complete the following
steps to create the range for your loopback interfaces.

 1. Select +Add Loopback Interface. The Loopback Interface window opens.

 2. Specify the Label from the dropdown menu. This is optional and if no label is selected, "None" is assigned.
Additionally, Label only displays the LAN side interface labels configured in the Interface Labels tab.

 3. Specify the firewall zone if you want the loopback interface to be part of a specific firewall zone.

 4. Check the management box if you want the interface to be used by management applications running on the
appliance.

NOTE  You can only select one loopback interface as management if you configure multiple loopbacks.

 5. Click Add.

The following table represents the fields for loopback orchestration.

Segment: The associated segment that has loopback orchestration applied.
Label: The label of the LAN interface being used.
Zone: The firewall zone associated with the loopback interface.
Management IP: The loopback interface selected as the management interface.
Loopback Pool: The pool of loopback addresses representing each device.
Allocated / Total: The number of loopback IP addresses allocated from the pool out of the total number of IP addresses in the pool.
Deleted: The number of loopback interfaces deleted.

NOTE  You can only delete an interface from an appliance in the Appliance Manager.


Peer Priority Tab


When an appliance receives a Subnet with the same Metric from multiple remote/peer appliances, it uses the Peer
Priority list as a tie-breaker.

If a Peer Priority is not configured, then the appliance randomly distributes flows among multiple peers.

The lower the number, the higher the peer’s priority.

Note: By default, the peer priority range starts at 1.


Admin Distance Tab


Configuration > Networking > Admin Distance

This table shows the values associated with various types of Admin Distance.

Admin Distance (AD) is the route preference value assigned to dynamic routes, static routes, and directly connected
routes. When the appliance's Routes table has multiple routes to the same destination, the appliance uses the route
with the lowest administrative distance.

Field Description

Local: A manually configured route, or one learned from locally connected subnets.
BGP Branch: A type of dynamic route learned from a local BGP branch peer.
BGP PE: A type of dynamic route learned from a local BGP PE (Provider Edge) router.
BGP Remote: A route learned from a BGP peer.
BGP Transit: A type of dynamic route learned from a local BGP branch-transit peer.
OSPF: A route learned from an OSPF (Open Shortest Path First) neighbor.
Subnet Shared: A route learned from a Silver Peak peer.


Management Routes Tab


Use this tab to configure next-hops for management interfaces.

Management routes specify the default gateways and local IP subnets for the management interfaces.

In a Dual-Homed Router Mode configuration, you may need to add a static management route for flow
redirection between appliances paired for redundancy at the same site.

The management routes table shows the configured static routes and any dynamically created routes. If you
use DHCP, then the appliance automatically creates appropriate dynamic routes. A user cannot delete or add
dynamic routes.

If the Source IP is listed as 0.0.0.0, then packets sent using this route use the Interface's IP address as the
Source IP address. If the Source IP lists a specific IP address, then that IP address is used instead.


VRRP Tab
This tab summarizes the configuration and state for appliances deployed with Virtual Router Redundancy
Protocol (VRRP).

In an out-of-path deployment, one method for redirecting traffic to the Silver Peak appliance is to configure VRRP on
a common virtual interface. The possible scenarios are:

When no spare router port is available, a single appliance uses VRRP to peer with a router (or Layer 3 switch).
This is appropriate for an out-of-path deployment where no redundancy is needed.

A pair of active, redundant appliances use VRRP to share a common, virtual IP address at their site. This
deployment assigns one appliance a higher priority than the other, thereby making it the Master appliance,
and the other, the Backup.

VRRP Tab Settings


Field Name Definition

Admin: The options are up (enable) and down (disable).
Advertisement Timer: The default is 1 second.
Group ID: A value assigned to the two peers. Depending on the deployment, the group can consist of an appliance and a router (or L3 switch), or two appliances. The valid range is 1 - 255.
Interface: The interface that VRRP is using for peering.
IP Address Owner: A Silver Peak appliance cannot use one of its own IP addresses as the VRRP IP, so this will always be No.
Master IP: Current VRRP Master's Interface or local IP address.
Master State Transitions: Number of times the VRRP instance went from Master to Backup and vice versa. A high number of transitions indicates a problematic VRRP configuration or environment. If this is the case, check the configuration of all local appliances and routers, and review the log files.
Preemption: Leave this selected/enabled so that after a failure, the appliance with the highest priority comes back online and again assumes primary responsibility.
Priority: The greater the number, the higher the priority. The appliance with the higher priority is the VRRP Master.
State Uptime: Time elapsed since the VRRP instance entered the state it's in.
State: The VRRP instance has three options:
    Backup = Instance is in VRRP backup state.
    Init = Instance is initializing, it's disabled, or the interface is down.
    Master = Instance is the current VRRP master.
Virtual IP: The IP address of the VRRP instance. VRRP instances may run between two or more appliances, or an appliance and a router.
Virtual MAC address: MAC Address that the VRRP instance is using. On an NX Appliance, this is in 00-00-5E-00-01-{VRID} format. On virtual appliances, the VRRP instance uses the interface's assigned MAC Address (for example, the MAC address that the hypervisor assigned to wan0).


WCCP Tab
Configuration > [Networking] WCCP

Use this page to view, edit, and delete WCCP Service Groups.

Web Cache Communications Protocol (WCCP) supports the redirection of any TCP or UDP connections to appliances
participating in WCCP Service Groups. The appliance intercepts only those packets that have been redirected to it.
The appliance optimizes traffic flows that the Route Policy tunnelizes. The appliance forwards all other traffic as
pass-through or pass-through-unshaped, as per the Route Policy.

For the Service Groups to be active, you must select Enable WCCP. Otherwise, the service groups are
configured, but not in service.

The appliance should always be connected to an interface/VLAN that does not have redirection enabled --
preferably a separate interface/VLAN would be provided for the appliance.

If the appliance uses auto-optimization, then WCCP redirection must also be applied on the uplinks of the
router or L3 switch to the core/WAN.

INFO  Refer to the Silver Peak Network Deployment Guide and the SD-WAN Deployment Guide for examples, best
practices, and deployment tips.

WCCP Settings

Field Name Definition

Admin: Values are up and down. The default is up.
Advanced Settings: You can only configure these options directly on the appliance. For more information, and best practices, refer to the Silver Peak Network Deployment Guide.
Compatibility Mode: Select the option appropriate for your router. If a WCCP group is peering with a router running Nexus OS, then the appliance must adjust its WCCP protocol packets to be compatible. By default, the appliance is IOS-compatible.
Forwarding Method: Also known as the Redirect Method. Packet redirection is the process of forwarding packets from the router or L3 switch to the appliance. The router or L3 switch intercepts the packet and forwards it to the appliance for optimization. The two methods of redirecting packets are Generic Route Encapsulation (GRE) and L2 redirection.
    either allows the appliance and the router to negotiate the best option. You should always select either. During protocol negotiation, if the router offers both GRE and L2 as redirection methods, the appliance will automatically select L2.
    GRE (Layer 3 Generic Routing Encapsulation) allows packets to reach the appliance even if there are other routers in the path between the forwarding router and the appliance. At high traffic loads, this option may cause high CPU utilization on some Cisco platforms.
    L2 (Layer-2) redirection takes advantage of internal switching hardware that either partially or fully implements the WCCP traffic interception and redirection functions at Layer 2. Layer-2 redirection requires that the appliance and router be on the same subnet. It is also recommended that the appliance is given a separate subnet to avoid pass-through traffic from being redirected back to the appliance and causing a redirection/Layer-3 loop.
Group ID: Refers to the Service Group ID.
Interface: The default value is wan0.
Oper Status: Common states:
    INIT. Initializing or down.
    ACTIVE. This indicates that the protocol is established and the router has assigned hash/mask buckets to this appliance.
    BACKUP. This indicates that the protocol is established but the router has not assigned any hash/mask buckets to this appliance. This may be caused by using a Weight of 0.
    Designated. This state (in addition to Active/Backup) indicates that the appliance is the designated web-cache for the group. The designator communicates with the router(s) to assign hash/mask assignments. When there is more than one appliance in a group, the appliance with the lowest IP becomes the designator for that group.
Protocol: Although many more protocols are supported, generally TCP and UDP are the focus. For troubleshooting, you may consider adding a group for ICMP as well.
Router IP: The IP address of the WCCP router. For Layer 2 redirection, use the physical IP address of the interface that is directly connected to the appliance. For Layer 3 redirection, consider using a loopback IP. It is not recommended to use VRRP or HSRP IPs as router IPs.


Service Group Advanced Settings

Field Name Definition

Assignment Detail: This field can be used to customize hash or mask values. If you have only one appliance or if you are using route-map or subnet sharing to tunnelize, use the default LAN-ingress setting.
    WAN-ingress and LAN-ingress are not applicable if there is only one active appliance.
    WAN-ingress and LAN-ingress are also not applicable if you are using route-map or subnet sharing to tunnelize.
    If there is more than one active appliance and you're using TCP-IP auto-optimization:
        Use LAN-ingress for WCCP groups that are used to redirect outbound traffic.
        Use WAN-ingress for WCCP groups that are used to redirect inbound traffic.
    This ensures that a connection will go through the same appliance in both inbound and outbound directions and avoids asymmetry.
    custom provides granular control of the distribution of flows. Contact Silver Peak Technical Support for assistance.
Assignment Method: Determines how redirected packets are distributed between the devices in a Service Group, effectively providing load balancing among the devices. The options are:
    either, which lets the appliance and router negotiate the best method for assignment. This is preferred. If the router offers both hash and mask methods, then the appliance will select the mask assignment method.
    hash, for hash table assignment.
    mask, for mask/value sets assignment.
Force L2 Return: Generally is not selected. Normally, all Layer-3 redirected traffic that isn't optimized (that is, it's pass-through) is returned to the WCCP router as GRE (L3 return). Processing returned GRE traffic may create additional CPU overhead on the WCCP router. Force L2 Return may be used to override the default behavior and route pass-through traffic back to the appliance's next-hop router, which may or may not be the WCCP router. Use caution, as this may create a Layer 3 loop if L2 returned traffic gets redirected back to the appliance by the WCCP router.
Password: This field is optional.
Priority: The lowest priority is 0, and the default value is 128. Only change this setting from the default if an interface has multiple WCCP service groups defined for the same protocol (for example, TCP) and you wish to specify which service group to use.
Weight: The default value is 100. You may use this to influence WCCP hash/mask assignments for individual appliances when more than one appliance is in a cluster. For Active/Backup appliance configuration, use a Weight of 0 on the backup appliance.

The Hash and Mask areas are only accessible when you select custom in the Assignment Detail field.


PPPoE Tab
Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating PPP frames inside Ethernet
frames. It is used mainly with DSL services where individual users connect to a DSL modem over Ethernet.

When configuring a PPPoE connection, complete the following fields:

Field Definition

Ethernet Device: Specifies which physical interface to use for sending the protocol. Generally, this is a WAN-side interface.
Password: This is set up with your Internet Service Provider (ISP).
PPPoE Name: The name is ppp, followed by a numerical suffix from 0 to 9.
User Name: This is set up with your Internet Service Provider (ISP).


Generally, this is all the configuration required. If your ISP is fine-tuning the access, you may be asked to configure
some of the Optional Fields, below.

Field Definition

ACNAME: Access Concentrator Name. Provided by ISP.
Connect Poll: Specifies how many times to try to establish the link. The default value is 2.
Connect Timeout: When trying to establish the link, this specifies how many seconds until the effort times out. The default value is 30 seconds.
Default Route: If the checkbox is selected, the connection uses the default gateway provided by the ISP.
DNS Type: This specifies which resolver to use:
    NOCHANGE – Don't accept or configure the ISP's Domain Name Server (DNS). Use the DNS configured in the Orchestrator Administration > [General Settings > Setup] DNS tab.
    SERVER – Accept the ISP's DNS. This then overrides Silver Peak's DNS configuration.
    SPECIFY – Use DNS1 and DNS2 to resolve domain names.
LCP Failure: Link Control Protocol Failure. Specifies the number of times the keep-alive can fail before the link goes down. The default value is 3.
LCP Interval: The default value for this keep-alive interval is 20 seconds.
Service Name: Provided by ISP.


DHCP Server Defaults


You can reduce your workload by using this page to configure global defaults for Dynamic Host Configuration
Protocol (DHCP).

These defaults apply to the LAN interfaces in Deployment Profiles that specify Router mode.

There are three choices:

No DHCP

Each LAN interface acts as a DHCP Server.

The Silver Peak appliance acts as a DHCP Relay between a DHCP server at a data center and clients
needing an IP address.

On the Configuration > Deployment Profiles tab, the selected default displays consistently under each
LAN–side IP/Mask field.

For any LAN–side interface, you can override the global default by clicking the Edit icon to the right of the label
and changing the values or selection.

Changes you save to the global default only apply to new configurations.

To view or revise the list of reserved subnets, select Monitoring.

DHCP Settings

DHCP Server Fields

Field Name Description

Default gateway: When selected, indicates the default gateway is being used.
Default lease, Maximum lease: Specify, in hours, how long an interface can keep a DHCP-assigned IP address.
DNS server(s): Specifies the associated Domain Name System server(s).
Exclude first N addresses: Specifies how many IP addresses are not available at the beginning of the subnet's range.
Exclude last N addresses: Specifies how many IP addresses are not available at the end of the subnet's range.
NetBIOS name server(s): Used for Windows (SMB) type sharing and messaging. It resolves the names when you are mapping a drive or connecting to a printer.
NetBIOS node type: The NetBIOS node type of a networked computer relates to how it resolves NetBIOS names to IP addresses. There are four node types:
    B-node = 0x01 Broadcast
    P-node = 0x02 Peer (WINS only)
    M-node = 0x04 Mixed (broadcast, then WINS)
    H-node = 0x08 Hybrid (WINS, then broadcast)
NTP server(s): Specifies the associated Network Time Protocol server(s).
Start Offset: Specifies how many addresses not to allocate at the beginning of the subnet's range. For example, entering 10 means that the first ten IP addresses in the subnet aren't available.
Subnet Mask: A mask that specifies the default number of IP addresses reserved for any subnet. For example, entering 24 reserves 256 IP addresses.
DHCP Failover

DHCP/BOOTP Relay Fields

DHCP/BOOTP: If enabled, the DHCP settings will only be applied to the configured LAN interface. Enter the specific IP address you want your DHCP settings to be applied to in the Destination DHCP/BOOTP Server field.

Global - All LAN Interfaces on this Appliance: If enabled and Enable Option 82 is selected, the DHCP settings will be applied to every appliance. The choices are append, replace, forward, or discard.


DHCP Leases
This page lists which IP addresses are currently being leased from the DHCP pool.


Tunnels Tab
Use this page to view, edit, add, or delete tunnels. This tab has separate tables for Overlay, Underlay, and
Passthrough tunnels.

If you've deployed an SD-WAN network, then Business Intent Overlays (BIOs) govern tunnel creation and
properties.

Overlay tunnels consist of bonded underlay tunnels.

If you're not using Overlays, then use the Tunnels configuration template to assign tunnel properties. In
general, accepting the defaults is sufficient and appropriate.

To create tunnels, use Tunnel Groups.

These tunnels display in the Underlays table.

Status: You can also filter by the following statuses: All, Up, or Down.

Add a Tunnel

Complete the following to add a tunnel to an Overlay or Passthrough Tunnel.

Field Definition

Appliance: The name of the selected appliance.
Segment: The name of the segment, if enabled.
Overlay Tunnel: The designated overlay tunnel.
Overlay: The tunnels are applied to this designated overlay.
Admin Status: Indicates whether the tunnel has been set to admin Up or Down.
Status: The indications are as follows:
    Down: The tunnel is down. This can be because the tunnel administrative setting is down, or the tunnel can't communicate with the appliance at the other end. Possible causes are:
        Lack of end-to-end connectivity / routability (test with iperf)
        Intermediate firewall is dropping the packets (open the firewall)
        Intermediate QoS policy (BE packets are being starved; change the control packet DSCP marking)
        Mismatched tunnel mode (udp / gre / ipsec / ipsec_udp)
        IPsec is misconfigured: enabled on only one side (see show int tunnel configured), or mismatched pre-shared key
    Down - In progress: The tunnel is down. Meanwhile, the appliance is exchanging control information with the appliance at the other end, trying to bring up the tunnel.
    Down - Misconfigured: The two appliances are configured with the same System ID (see show system).
    Up - Active: The tunnel is up and active. Traffic destined for this tunnel will be forwarded to the remote appliance.
    Up - Active - Idle: The tunnel is up and active but hasn't had recent activity in the past five minutes, and has slowed the rate of issuing keep-alive packets.
    Up - Reduced Functionality: The tunnel is up and active, but the two endpoint appliances are running mismatched software releases that give no performance benefit.
    UNKNOWN: The tunnel status is unknown. This can be because the appliance is unable to retrieve the current tunnel status. Try again later.
MTU: Maximum Transmission Unit. The largest possible unit of data that can be sent on a given physical medium. Silver Peak provides support for MTUs up to 9000 bytes. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.
Uptime: How long since the tunnel has been up.
Underlay Tunnels: The designated underlay tunnel.
Live View: A live view of the status of your selected tunnel. You can view by bandwidth, loss, jitter, latency, MOS, chart, traceroute, inbound or outbound, and lock the scale.
Historical Charts: A display of the historical charts for the selected appliance.

Troubleshooting
 1. Have you created and applied the Overlay to all the appliances on which you're expecting tunnels to be built?

Verify this in the Apply Overlays tab.

 2. Are the appliances on which you're expecting the Overlays to be built using Release 8.0 or later?

View the active software releases on Administration > Software Versions.

 3. Do you have at least one WAN Label selected as a Primary port in the Overlay Policy?

Verify this in the Business Intent Overlay tab, in the WAN Links & Bonding Policy section.

 4. Are the same WAN labels selected in the Overlay assigned to the WAN interfaces on the appliances?

Verify that at least one of the Primary Labels selected in the Business Intent Overlay is identical to a Label
assigned on the appliance's Deployment page. Tunnels are built between matching Labels on all appliances
participating in the overlay.

 5. Do any two (or more) appliances have the same Site Name?

We only assign the same Site Name if we don't want those appliances to connect directly. To view the list of
Site Names, go to the Configuration > Tunnels tab and click Sites at the top.

Using Passthrough Tunnels


You would add a passthrough tunnel under the following circumstances:

For internet breakout to a trusted SaaS application, like Office 365

For service chaining to a cloud security service, like Zscaler or Symantec

This requires building secure, compatible third-party IPsec tunnels from Silver Peak devices to
non-Silver Peak devices in the data center or cloud.

When you create the tunnel, the Service Name in the Business Intent Overlay's Internet Traffic
Policies must exactly match the Peer/Service specified in the Passthrough tunnel configuration.

To load balance, create two or more passthrough IPsec tunnels and, in the Business Intent Overlay,
ensure that they all specify the same Service Name in the Internet Traffic Policies.

Tunnel Groups Tab


If you are not using Business Intent Overlays (BIOs) to deploy an SD-WAN network, then you would use Tunnel
Groups to create the links.

A Tunnel Group consists of a set of appliances, paired with a configuration that defines how to build tunnels among
them.

Use this page to create Tunnel Groups.

Orchestrator automatically builds these tunnels in the background.

Tunnel groups are self-healing. If a change is made to an IP address (as with DHCP) or to a Label, those
changes propagate appropriately through the tunnel groups.

To assign tunnel properties, use Orchestrator > Tunnels Settings.

To add and remove appliances from Tunnel Groups, click Manage Appliances and Tunnel Groups.

To view a list of tunnels, refer to the Configuration > Tunnels tab.

To pause Orchestrator's tunnel management while you troubleshoot, click Settings and deselect Enable.

Topology
You can choose either a Mesh or a Hub & Spoke topology.

If choosing Hub & Spoke, choose the hubs you need from the Select Hubs area. If a hub you need isn't displayed,
click +Add to add it.

Orchestrator builds the topology when you apply a Business Intent Overlay to appliances that have already been
assigned a Deployment Profile.

Interfaces
Connect all Available Interfaces refers to WAN ports only. If an appliance is in Server mode, its WAN port is the
mgmt0 interface.

Only Connect These Labels is an option when the appliance is at Release 8.0 or later, and you have used
Orchestrator to assign labels to interfaces. Generally, WAN interfaces are named according to the service or service
provider.

Tunnel Exception
Orchestrator includes a tunnel exception feature that allows you to specify exceptions to the tunnels it would
otherwise build between appliances in an overlay. There are two ways you can enable this feature in Orchestrator.

You can configure tunnel exceptions through the Tunnel Exception tab.

Configuration > Tunnels > Tunnel Exception

 1. Select the two appliances that you do not want to connect to via a tunnel.

 2. Enter the Interface Labels.

The interface label can be any type of connection, such as any, MPLS, Internet, or LTE. Specifying the label
excludes the selected appliances from communicating with each other over that type of connection.

Note: The description field allows you to add a comment if you want to list why you are adding an exception.

Schedule Auto MTU Discovery


Use this screen to schedule when to discover Auto MTU.

NAT
NAT allows multiple sites with overlapping IP addresses to connect to a single SD-WAN fabric. You can configure
S-NAT (Source Network Address Translation), D-NAT (Destination Network Address Translation), and destination TCP
and UDP port translation rules for traffic between the LAN and the SD-WAN fabric, in both the ingress and egress
direction. The following address translation options are supported:

1:1 source and destination IP address translation

1:1 subnet to subnet source and destination IP address translation

Many to one IP source address translation

NAT pools for translated source IP address

You can view both NAT Rules and NAT Pools within your network by selecting NAT Rule or NAT Pools at the top of
the page. You can also export a CSV file of your branch NAT traffic. Select the Edit icon to add rules to your NAT and
NAT Pools.

NAT Rules and Pools


You can add NAT rules by completing all the values in the table shown below. Each NAT rule has a directional field or
value. Outbound rules are applied to the traffic flows initiated from the LAN, destined to the SD-WAN fabric. Inbound
rules are applied to the traffic flows initiated from the SD-WAN fabric destined to the LAN. Return traffic for a given
flow does not require an additional rule. The destination IP address must be configured for each rule.

NOTE  You must disable advertisements of local, static routes on the LAN side at the site so the routes are
completely unique. Additionally, you must configure static routes for NAT pools and advertise them to the SD-WAN
fabric by enabling Advertise to Silver Peak Peers.

Complete the following steps to add a rule to your NAT:

 1. Select Add Rule.

 2. Complete the following values in the table by selecting any of the columns.

Field Definition

Priority The order in which the rules are evaluated: the lower the priority number, the earlier the rule
is checked, so the more likely it is to be the rule that applies.
LAN Interface The name of the LAN interface the NAT rule is using. This is configurable for an outbound
NAT rule only.
Segment The name of the segment being used.
Direction Select the direction the traffic is going:
  Outbound (LAN to Fabric)
  Inbound (Fabric to LAN)
Protocol The type of protocol being used for each NAT.
Source The original source IP address of the IP packet.
Destination The address of the LAN/WAN interface where the traffic is going to.
Translated Source The translated source IP address when the NAT rule is applied.
Translated Destination The translated destination IP address when the NAT rule is applied.
Enabled Check this box to enable your customized NAT rule. Direction can be either inbound or outbound.
Comment Any comment you want to add pertaining to your NAT rule.
Criteria Match: LAN interface, direction, source, destination
  Set: Translated source, translated destination
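As an added example that is not Silver Peak code, the following Python model shows how the Match and Set columns above combine: enabled rules are evaluated in priority order, outbound rules may additionally match on LAN interface, 1:1 and subnet-to-subnet translations keep the host offset while a single-address target gives many-to-one, and return traffic is undone from the forward translation rather than from a second rule. The rule set, addresses, and class names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class NatRule:
    """One row of the NAT rules table: match fields first, then set fields."""
    priority: int                                   # lower number is evaluated first
    direction: str                                  # "outbound" (LAN to fabric) or "inbound" (fabric to LAN)
    source: IPv4Net
    destination: IPv4Net                            # must be configured for every rule
    translated_source: Optional[IPv4Net] = None
    translated_destination: Optional[IPv4Net] = None
    lan_interface: Optional[str] = None             # match criterion for outbound rules only
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    direction: str
    src: IPv4Addr
    dst: IPv4Addr
    lan_interface: Optional[str] = None


def _rewrite(addr: IPv4Addr, original: IPv4Net, translated: IPv4Net) -> IPv4Addr:
    """1:1 host and subnet-to-subnet translation keep the host offset inside the subnet;
    a single-address target collapses every source onto that one address (many to one)."""
    if translated.num_addresses == 1:
        return translated.network_address
    if translated.prefixlen != original.prefixlen:
        raise ValueError("1:1 subnet-to-subnet translation needs equal prefix lengths")
    offset = int(addr) - int(original.network_address)
    return translated.network_address + offset


def select_rule(flow: Flow, rules: Iterable[NatRule]) -> Optional[NatRule]:
    """First enabled rule, in priority order, whose match criteria fit the flow."""
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if (rule.direction == "outbound" and rule.lan_interface is not None
                and rule.lan_interface != flow.lan_interface):
            continue
        if flow.src in rule.source and flow.dst in rule.destination:
            return rule
    return None


def apply_nat(flow: Flow, rules: Iterable[NatRule]) -> Tuple[Flow, Optional[NatRule]]:
    """Return the translated flow and the rule that produced it (None if left untouched)."""
    rule = select_rule(flow, rules)
    if rule is None:
        return flow, None
    src = (_rewrite(flow.src, rule.source, rule.translated_source)
           if rule.translated_source else flow.src)
    dst = (_rewrite(flow.dst, rule.destination, rule.translated_destination)
           if rule.translated_destination else flow.dst)
    return Flow(flow.direction, src, dst, flow.lan_interface), rule


def reply_translation(original: Flow, translated: Flow) -> Tuple[Flow, Flow]:
    """Return traffic needs no extra rule: the reply is matched against the forward
    translation state and undone. Returns (reply as it arrives, reply after un-NAT)."""
    reverse = "inbound" if original.direction == "outbound" else "outbound"
    arrives = Flow(reverse, translated.dst, translated.src)
    delivered = Flow(reverse, original.dst, original.src, original.lan_interface)
    return arrives, delivered


# Constructed rule set: a site whose LAN uses 10.1.0.0/24 (overlapping with another site)
# gets a unique fabric-side range on lan0 (subnet-to-subnet) and a many-to-one fallback.
SAMPLE_RULES = [
    NatRule(10, "outbound", IPv4Net("10.1.0.0/24"), IPv4Net("0.0.0.0/0"),
            translated_source=IPv4Net("172.16.1.0/24"), lan_interface="lan0"),
    NatRule(20, "outbound", IPv4Net("10.1.0.0/24"), IPv4Net("0.0.0.0/0"),
            translated_source=IPv4Net("172.16.255.1/32")),
]

if __name__ == "__main__":
    forward = Flow("outbound", IPv4Addr("10.1.0.7"), IPv4Addr("10.9.0.50"), "lan0")
    translated, rule = apply_nat(forward, SAMPLE_RULES)
    print(f"rule {rule.priority}: {forward.src} -> {translated.src}")
    print(reply_translation(forward, translated))
```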

NAT Pools
You also have the option to configure a NAT pool. Complete the following steps to create a NAT pool:

 1. Select the Edit icon in the NAT tab. The NAT window opens.

 2. Select the NAT Pools icon. The NAT Pools window opens.

 3. Select Add.

 4. Select the columns in the table, starting with Name, to enter information regarding your Pool.

Field Definition

Name The name of your pool.
Direction Whether the traffic is outbound or inbound.
Subnet The IP address of the subnet.
Translate Ports Enable source port address translation if the NAT pool is too small to accommodate
multiple flows simultaneously with 1:1 IP address translation.

Policy Configuration Tabs


These topics describe the pages related to managing access lists and policies.

DNS Proxy Policies


Configuration > Policies > DNS Proxy Policies

The DNS (Domain Name Server) Proxy stores public IP addresses with their associated domain names. Server A is
primarily used as a private DNS to backhaul traffic, and Server B is used to match all other domains that are not
included under Server A. Server B is also used for public cloud services, to break out traffic. See the table below
for the field descriptions in this tab.

Field Definition

Appliance Name The name of the appliance associated with the DNS proxy.
DNS Proxy Enabled Whether the DNS Proxy is enabled. Select True or False.
Interface The name of the interface associated with the DNS proxy.
Server A Addresses The IP addresses of Server A.
Server A Domains The domain addresses of Server A.
Server A Caching Whether you configured the server to be cached.
Server B Addresses The IP addresses of Server B.
Server B Domains The domain addresses of Server B.
Server B Caching Whether you configured the server to be cached.

Configure DNS Proxy Policies


Complete the following steps to configure and define your DNS Proxy policies.

NOTE  This feature is only configurable if you have loopback interfaces configured.

 1. Choose if you want to enable the DNS Proxy by selecting ON or OFF.

 2. Select the name of the loopback interface or the LAN-side label associated with your DNS proxy.

 3. Enter the IP addresses for Server A in the Server A Addresses field.

 4. Choose if you want Caching to be ON or OFF. If selected, the domain name to the IP address mapping is
cached. By default, caching is ON.

 5. Enter the domain names of the Server A for the above IP addresses.

 6. Enter Server B IP addresses in the Server B Addresses field. Server B will be used if there are no matches to
the Server A domains.

NOTE  You can select Clear DNS Cache. This erases the domain name to IP address mappings you had cached for
both Server A and Server B.

Route Policies Tab


The Route Policies report displays the route policy entries that exist on the appliance(s).

This includes the appliance-based defaults, entries applied manually (via the Appliance Manager or CLI), and entries
that result from applying an Orchestrator Route Policies template, or applying Business Intent Overlays (if you're
deploying an SD-WAN).

Each appliance's default behavior is to auto-optimize all IP traffic, automatically directing flows to the appropriate
tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for optimization. The
three strategies that Silver Peak uses are TCP-based auto-opt, IP-based auto-opt, and subnet sharing. By default,
all three are enabled on the Templates tab, under System.

The Route Policy only requires entries for flows that are to be:

sent pass-through (shaped or unshaped)

dropped

configured for a specific high-availability deployment

routed based on application, VLAN, DSCP, or ACL (Access Control List)

You may also want to create a Route Policy entry when multiple tunnels exist to the remote peer, and you want the
appliance to dynamically select the best path based on one of these criteria:

load balancing

lowest loss

lowest latency

specified tunnel

Manage these instances on the Templates tab, or select the Edit icon to manage Routing policies directly for a
particular appliance.

If you're deploying an SD-WAN network and setting up Internet breakout from the branch, you must create manual
route policy entries for sanctioned SaaS applications or Guest WiFi.

Priority
You can create rules with any priority between 1 and 65534.

If you are using Orchestrator templates to add route map entries, Orchestrator will delete all entries
from 1000 – 9999, inclusive, before applying its policies.

You can create rules from 1 – 999, which have higher priority than Orchestrator template rules.

Similarly, you can create rules from 10000 – 65534 which have lower priority than Orchestrator
template rules.

Adding a rule increments the last Priority by 10. This leaves room for you to insert a rule in between rules
without having to renumber subsequent priorities. Likewise, you can just edit the number.

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.

If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Source or Destination
An IP address can specify a subnet - for example: 10.10.10.0/24 (IPv4) or fe80::204:23ff:fed8:4ba2/64 (IPv6).

To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Ports are available only for the protocols tcp, udp, and tcp/udp.

To allow any port, use 0.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the
dot notation. For example, A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).

Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-94.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.

These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and
ACLs.
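As an added example (not from the guide or Silver Peak), the following Python function compiles a Source or Destination value into a matcher while enforcing the rules above: CIDR or range/wildcard form but never both, four dotted octets, ranges with a dash, wildcards only for a whole octet. It covers the IPv4 form only, and the function names are mine; the same rules are repeated under the QoS Policies and Optimization Policies tabs.

```python
import ipaddress
import re
from typing import Callable

# One octet in the guide's range/wildcard form: a number, a dash range such as
# 128-129, or a bare asterisk. A partial wildcard like 13* does not match.
_OCTET_RE = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")


class PrefixSyntaxError(ValueError):
    """The address violates the guide's prefix-matching rules."""


def compile_prefix(spec: str) -> Callable[[str], bool]:
    """Turn a Source/Destination value into a matcher over IPv4 addresses.

    Accepts CIDR (192.168.0.0/24) or the 4-octet range/wildcard form
    (10.136-137.*.64-95). CIDR mixed with a range or wildcard is rejected,
    as is a wildcard that covers only part of an octet (10.13*.*.64-95).
    """
    spec = spec.strip()
    if "/" in spec:
        if "*" in spec or "-" in spec:
            raise PrefixSyntaxError(
                f"CIDR and range/wildcard are mutually exclusive: {spec!r}")
        network = ipaddress.IPv4Network(spec, strict=False)
        return lambda addr: ipaddress.IPv4Address(addr) in network

    octets = spec.split(".")
    if len(octets) != 4:
        raise PrefixSyntaxError(
            f"range/wildcard form must use four dotted octets: {spec!r}")

    bounds = []  # inclusive (low, high) per octet
    for octet in octets:
        m = _OCTET_RE.match(octet)
        if m is None:
            raise PrefixSyntaxError(f"unsupported octet {octet!r} in {spec!r}")
        if octet == "*":
            bounds.append((0, 255))
            continue
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if not 0 <= low <= high <= 255:
            raise PrefixSyntaxError(f"bad octet range {octet!r} in {spec!r}")
        bounds.append((low, high))

    def match(addr: str) -> bool:
        parts = ipaddress.IPv4Address(addr).packed  # four ints, one per octet
        return all(low <= p <= high for p, (low, high) in zip(parts, bounds))

    return match


def is_valid_prefix(spec: str) -> bool:
    """True when the spec would be accepted by the rules above."""
    try:
        compile_prefix(spec)
    except ValueError:  # PrefixSyntaxError and malformed CIDR/addresses
        return False
    return True


def address_matches(spec: str, addr: str) -> bool:
    """Does addr fall inside the prefix spec?"""
    return compile_prefix(spec)(addr)


if __name__ == "__main__":
    # Constructed checks mirroring the guide's own examples.
    for spec in ("10.136-137.*.64-95", "192.168.0.0/24",
                 "10.13*.*.64-95", "192.168.0.1-127/24"):
        print(f"{spec:22} valid={is_valid_prefix(spec)}")
    print(address_matches("10.136-137.*.64-95", "10.137.200.80"))
```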

QoS Policies Tab


The QoS Policy determines how flows are queued and marked.

The QoS Policies tab displays the QoS policy entries that exist on the appliances. This includes the appliance-based
defaults, entries applied manually (via the Appliance Manager or CLI), and entries that result from applying an
Orchestrator QoS Policy template or Business Intent Overlay.

Use the Shaper to define, prioritize, and name traffic classes.

Think of it this way: the Shaper defines and the QoS Policy assigns.

Use the Templates tab to create and manage QoS policies for multiple appliances, or click the Edit icon to manage
QoS Policies directly for a particular appliance.

The QoS Policy's SET actions determine two things:

to what traffic class a shaped flow — optimized or pass-through — is assigned

whether to trust incoming DSCP markings for LAN QoS and WAN QoS, or to remark them as they leave for the
WAN

Handling and Marking DSCP Packets


DSCP markings specify end-to-end QoS policies throughout a network.

The default values for LAN QoS and WAN QoS are trust-lan.

Applying DSCP Markings to Optimized (Tunnelized) Traffic


The appliance encapsulates optimized traffic. This adds an IP outer header to packets for travel across the
WAN. This outer header contains the WAN QoS DSCP marking.

LAN QoS – the DSCP marking applied to the IP header before encapsulation

WAN QoS – the DSCP marking in the encapsulating outer IP header. The remote appliance removes the
outer IP header.

Applying DSCP Markings to Pass-through Traffic


The appliance applies the QoS Policy's DSCP markings to all pass-through flows -- shaped and unshaped.

Pass-through traffic doesn't receive an additional header, so it's handled differently:

The Optimization Policy's LAN QoS Set Action is ignored.

The specified WAN QoS marking replaces the packet's existing LAN QoS DSCP marking.

When the packet reaches the remote appliance, it retains the modified QoS setting as it travels to its
destination.
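To make the difference between the two cases concrete, here is an added Python model of the QoS Policy SET actions described under Applying DSCP Markings to Optimized (Tunnelized) Traffic and to Pass-through Traffic. It is not Silver Peak code; the DSCP name table, the class names, and the treatment of trust-lan as "keep the incoming marking" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Union

TRUST_LAN = "trust-lan"  # the guide's default for both LAN QoS and WAN QoS

# Hypothetical name-to-codepoint table used by the constructed policies below.
DSCP_NAMES = {"be": 0, "af11": 10, "af21": 18, "af41": 34, "ef": 46}

QosValue = Union[str, int]  # "trust-lan", a name from DSCP_NAMES, or a raw codepoint


@dataclass(frozen=True)
class QosSetAction:
    """The two SET actions of a QoS Policy entry."""
    lan_qos: QosValue = TRUST_LAN
    wan_qos: QosValue = TRUST_LAN


@dataclass(frozen=True)
class LanPacket:
    dscp: int         # marking on arrival from the LAN
    optimized: bool   # True: tunnelized flow; False: pass-through (shaped or unshaped)


@dataclass(frozen=True)
class WanPacket:
    inner_dscp: int              # marking on the original IP header
    outer_dscp: Optional[int]    # marking on the encapsulating header; None when there is none


def _resolve(setting: QosValue, incoming: int) -> int:
    """trust-lan keeps the incoming marking; anything else is a remark."""
    if setting == TRUST_LAN:
        return incoming
    if isinstance(setting, str):
        return DSCP_NAMES[setting]
    if not 0 <= setting <= 63:
        raise ValueError(f"DSCP out of range: {setting}")
    return setting


def mark_for_wan(pkt: LanPacket, action: QosSetAction) -> WanPacket:
    """Apply the SET actions as the packet leaves the local appliance for the WAN."""
    if pkt.optimized:
        # Encapsulated: LAN QoS lands on the original header, WAN QoS on the outer header.
        return WanPacket(inner_dscp=_resolve(action.lan_qos, pkt.dscp),
                         outer_dscp=_resolve(action.wan_qos, pkt.dscp))
    # Pass-through: no extra header, the LAN QoS action is ignored, and the WAN QoS
    # marking replaces whatever DSCP the packet carried.
    return WanPacket(inner_dscp=_resolve(action.wan_qos, pkt.dscp), outer_dscp=None)


def dscp_seen_by_destination(pkt: LanPacket, action: QosSetAction) -> int:
    """What the far-end host sees: the remote appliance strips any outer header,
    while a pass-through packet keeps its modified marking to the destination."""
    return mark_for_wan(pkt, action).inner_dscp


if __name__ == "__main__":
    policy = QosSetAction(lan_qos="af41", wan_qos="ef")
    for optimized in (True, False):
        pkt = LanPacket(dscp=0, optimized=optimized)
        print(optimized, mark_for_wan(pkt, policy), dscp_seen_by_destination(pkt, policy))
```

The two printed lines show the asymmetry the text describes: a remark to WAN QoS on a tunnelized flow never reaches the destination, whereas on a pass-through flow it is the only marking that survives.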

Priority
You can create rules with any priority between 1 and 65534.

If you are using Orchestrator templates to add route map entries, Orchestrator will delete all entries
from 1000 – 9999, inclusive, before applying its policies.

You can create rules from 1 – 999, which have higher priority than Orchestrator template rules.

Similarly, you can create rules from 10000 – 65534 which have lower priority than Orchestrator
template rules.

Adding a rule increments the last Priority by 10. This leaves room for you to insert a rule in between rules
without having to renumber subsequent priorities. Likewise, you can just edit the number.

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.

If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Source or Destination
An IP address can specify a subnet - for example: 10.10.10.0/24 (IPv4) or fe80::204:23ff:fed8:4ba2/64 (IPv6).

To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Ports are available only for the protocols tcp, udp, and tcp/udp.

To allow any port, use 0.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the
dot notation. For example, A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).

Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-94.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.

These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and
ACLs.

Schedule QoS Map Activation


Configuration > [Policies] Schedule QoS Map Activation

You can schedule appliances to apply different QoS maps at different times.

Before using this option, verify the following:

The desired Template Group has the QoS maps you need.

You’ve applied the Template Group to the appliances that you want to schedule.

TIP  To specify the timezone for scheduled jobs and reports, go to Orchestrator > [Software & Setup > Setup]
Timezone for Scheduled Jobs.

Optimization Policies Tab


The Optimization Policies tab displays the Optimization policy entries that exist on the appliances. This includes
the appliance-based defaults, entries applied manually (via the Appliance Manager or CLI), and entries that result
from applying an Orchestrator Optimization Policy template or Business Intent Overlay.

Use the Templates tab to create and manage Optimization policies, or click the Edit icon to manage Optimization
policies directly for a particular appliance.

Priority
You can create rules with any priority between 1 and 65534.

If you are using Orchestrator templates to add route map entries, Orchestrator will delete all entries
from 1000 – 9999, inclusive, before applying its policies.

You can create rules from 1 – 999, which have higher priority than Orchestrator template rules.

Similarly, you can create rules from 10000 – 65534 which have lower priority than Orchestrator
template rules.

Adding a rule increments the last Priority by 10. This leaves room for you to insert a rule in between rules
without having to renumber subsequent priorities. Likewise, you can just edit the number.

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.

If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Source or Destination
An IP address can specify a subnet - for example: 10.10.10.0/24 (IPv4) or fe80::204:23ff:fed8:4ba2/64 (IPv6).

To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Ports are available only for the protocols tcp, udp, and tcp/udp.

To allow any port, use 0.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the
dot notation. For example, A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).

Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-94.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.

These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and
ACLs.

Set Actions

Set Action Definition

Network Memory Addresses limited bandwidth. This technology uses advanced fingerprinting algorithms to
examine all incoming and outgoing WAN traffic. Network Memory localizes information and transmits only
modifications between locations.

  Maximize Reduction Optimizes for maximum data reduction at the potential cost of slightly lower
  throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file
  transfers and FTP, where bandwidth savings are the primary concern.

  Minimize Latency Ensures that Network Memory processing adds no latency. This may come at the cost of
  lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional
  traffic. It's also appropriate when the primary objective is to fully utilize the WAN pipe to increase
  the LAN-side throughput, as opposed to conserving WAN bandwidth.

  Balanced Is the default setting. It dynamically balances latency and data reduction objectives and is
  the best choice for most traffic types.

  Disabled Turns off Network Memory.

IP Header Compression The process of compressing excess protocol headers before transmitting them on a
link and uncompressing them to their original state at the other end. It's possible to compress the
protocol headers due to the redundancy in header fields of the same packet, as well as in consecutive
packets of a packet stream.

Payload Compression Uses algorithms to identify relatively short byte sequences that are repeated
frequently. These are then replaced with shorter segments of code to reduce the size of transmitted
data. Simple algorithms can find repeated bytes within a single packet; more sophisticated algorithms
can find duplication across packets and even across flows.

TCP Acceleration Uses techniques such as selective acknowledgments, window scaling, and maximum segment
size adjustment to mitigate poor performance on high-latency links.

  INFO  The slow LAN alert goes off when the loss has fallen below 80% of the specified value configured
  in the TCP Accel Options window.

  For more information, see TCP Acceleration Options.

Protocol Acceleration Provides explicit configuration for optimizing CIFS, SSL, SRDF, Citrix, and iSCSI
protocols. In a network environment, it's possible that not every appliance has the same optimization
configurations enabled. Therefore, the site that initiates the flow (the client) determines the state
of the protocol-specific optimization.

TCP Acceleration Options


TCP acceleration uses techniques such as selective acknowledgement, window scaling, and maximum segment size
adjustment to compensate for poor performance on high-latency links.

This feature has a set of advanced options with default values.

CAUTION  Because changing these settings can affect service, Silver Peak recommends that you do not modify
these without direction from Customer Support.

Option Description

Adjust MSS to Tunnel MTU Limits the TCP MSS (Maximum Segment Size) advertised by the end hosts in the
SYN segment to a value derived from the Tunnel MTU (Maximum Transmission
Unit). This is TCP MSS = Tunnel MTU – Tunnel Packet Overhead.
This feature is enabled by default so that the maximum value of the end host
MSS is always coupled to the Tunnel MSS. If the end host MSS is smaller than
the tunnel MSS, then the end host MSS is used instead.
A use case for disabling this feature is when the end host uses Jumbo frames.
Auto Reset Flows NOTE: Whether this feature is enabled or not, the default behavior when a
tunnel goes Down is to automatically reset the flows.
If enabled, it resets all TCP flows that aren't accelerated but should be (based on
policy and on internal criteria like a Tunnel Up event).
The internal criteria can also include:
  Resetting all TCP accelerated flows on a Tunnel Down event.
  Resetting flows where TCP acceleration is enabled but the SYN packet was not seen (so
  this flow was either part of WCCP redirection, or it already existed when the appliance
  was inserted in the data path).

Enable Silver Peak TCP SYN option exchange Controls whether or not Silver Peak forwards its
proprietary TCP SYN option on the LAN side. Enabled by default, this feature detects if there
are more than two Silver Peak appliances in the flow's data path, and optimizes accordingly.
Disable this feature if there's a LAN-side firewall or a third-party appliance that would drop
a SYN packet when it encounters an unfamiliar TCP option.
End to End FIN Handling This feature helps to fine tune TCP behavior during a connection’s graceful
shutdown event. When this feature is ON (Default), TCP on the local appliance
synchronizes this graceful shutdown of the local LAN side with the remote Silver
Peak’s LAN side. When this feature is OFF (Default TCP), no such
synchronization happens and the two LAN segments at the ends gracefully
shutdown, independently.
IP Black Listing If selected and if the appliance doesn’t receive a TCP SYN-ACK from the remote
end within 5 seconds, the flow proceeds without acceleration and the
destination IP address is blacklisted for one minute.
Keep Alive Timer Allows you to change the Keep Alive timer for the TCP connections.
  Probe Interval - Time interval in seconds between two consecutive Keep Alive probes
  Probe Count - Maximum number of Keep Alive probes to send
  First Timeout (Idle) - Time interval until the first Keep Alive timeout

Option Description

LAN Side Window Scale Factor Clamp This setting allows the appliance to present an artificially
lowered Window Scale Factor (WSF) to the end host. This reduces the need for memory in scenarios
where there are a lot of out-of-order packets being received from the LAN side. These out-of-order
packets cause a lot of buffer utilization and maintenance.
Per-Flow Buffer (Max LAN to WAN Buffer and Max WAN to LAN Buffer) This setting clamps the maximum
buffer space that can be allocated to a flow, in each direction.
Persist timer Timeout Allows the TCP to terminate connections that are in Persist timeout stage after
the configured number of seconds.
Preserve Packet Boundaries Preserves the packet boundaries end to end. If this feature is disabled, then the
appliances in the path can coalesce consecutive packets of a flow to use
bandwidth more efficiently.
It's enabled by default so that applications that require packet boundaries to
match don't fail.
Route Policy Override Tries to override asymmetric route policy settings. It emulates auto-opt
behavior by using the same tunnel for the returning SYN+ACK as it did for the
original SYN packet.
Disable this feature if the asymmetric route policy setting is necessary to
correctly route packets. In that case, you may need to configure flow redirection
to ensure optimization of TCP flows.
Slow LAN Defense Resets all flows that consume a disproportionate amount of buffer and have a
very slow throughput on the LAN side. Owing to a few slower end hosts or a
lossy LAN, these flows affect the performance of all other flows such that no
flows see the customary throughput improvement gained through TCP
acceleration.
This feature is enabled by default. The number relates indirectly to the amount
of time the system waits before resetting such slow flows.
Slow LAN Window Penalty This setting (OFF by default) penalizes flows that are slow to send data on the
LAN side by artificially reducing their TCP receive window. This causes less data
to be received and helps to reach a balance with the data sending rate on the
LAN side.
WAN Congestion Control Selects the internal Congestion Control parameter:
Optimized - This is the default setting. This mode offers optimized
performance in almost all scenarios.
Standard - In some unique cases it may be necessary to downgrade to
Standard performance to better interoperate with other flows on the WAN
link.
Aggressive - Provides aggressive performance and should be used with
caution. Recommended mostly for Data Replication scenarios.

WAN Window Scale This is the WAN-side TCP Window scale factor that Silver Peak uses internally
for its WAN-side traffic. This is independent of the WAN-side factor advertised
by the end hosts.


NAT Policies Tab


This report has two views to show the NAT policies configured on appliances:

 1. The Basic view shows whether NAT is enabled on all Inbound and Outbound.

 2. The Advanced view displays all the NAT map rules.

Two use cases illustrate the need for NAT:

 1. Inbound NAT. The appliance automatically creates a source NAT (Network Address Translation) map when
retrieving subnet information from the Silver Peak Cloud portal. This ensures that traffic destined to SaaS
servers has a return path to the appliance from which that traffic originated.

 2. Outbound NAT. The appliance and server are in the cloud, and the server accesses the internet. As in the
example below, a Citrix thin client accesses its cloud-based server, and the server accesses the internet.

For deployments in the cloud, best practice is to NAT all traffic, either inbound (WAN-to-LAN) or outbound
(LAN-to-WAN), depending on the direction of the initiating request. This avoids the black-holing that can
result from cloud-specific IP addressing requirements.

Enabling NAT all applies NAT policies to pass-through traffic as well as optimized traffic, ensuring that
black-holing does not occur. NAT all on outbound applies only to pass-through traffic.

If Fallback is enabled, the appliance moves to the next IP (if available) when ports are exhausted on the
current NAT IP.

In general, when applying NAT policies, configure separate WAN and LAN interfaces to ensure that NAT works
properly. You can do this by deploying the appliance in Router mode in-path with two (or four) interfaces.


Advanced Settings
The appliance can perform source network address translation (Source NAT or SNAT) on inbound or outbound
traffic.

There are two types of NAT policies:

Dynamic – created automatically by the system for inbound NAT when the SaaS Optimization feature is
enabled and SaaS service(s) are selected for optimization. The appliance polls the Silver Peak Unity Cloud
Intelligence service for a directory of SaaS services, and NAT policies are created for each of the subnets
associated with selected SaaS service(s), ensuring that traffic destined for servers in use by those SaaS
services has a return path to the appliance.

Manual – created by the administrator for specific IP addresses / ranges or subnets. When assigning priority
numbers to individual policies within a NAT map, first view dynamic policies to ensure that the manual
numbering scheme doesn't interfere with dynamic policy numbering (that is, the manually assigned priority
numbers cannot be in the range: 4000-5000). The default (no-NAT) policy is numbered 65535.

The NAT policy map has the following criteria and Set Actions:

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.

If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Source or Destination
An IP address can specify a subnet - for example: 10.10.10.0/24 (IPv4) or fe80::204:23ff:fed8:4ba2/64 (IPv6).

To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Ports are available only for the protocols tcp, udp, and tcp/udp.

To allow any port, use 0.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the
dot notation. For example, A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).

Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-95.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.

These prefix-matching rules apply only to the following policies: Route, QoS, Optimization, NAT, Security, and
ACLs.
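The address rules above are easy to get wrong by hand (a partial-octet wildcard, a CIDR mixed with a range), and a bad pattern in a NAT, Security, or ACL match can silently widen or narrow what a rule hits. The following is an added example, not Silver Peak code: a small validator and matcher that implements exactly the IPv4 rules stated above, plus a helper that rewrites a partial-octet wildcard such as 13* into the accepted range form. The function names are this example's own, and IPv6 is not implemented.

```python
import ipaddress
import re

# Added example, not Silver Peak code: a validator and matcher for the IPv4
# range/wildcard/CIDR address syntax described in the text. It assumes exactly
# the rules stated there (4-octet form, "-" for a range, "*" for a whole octet,
# CIDR never mixed with range or wildcard). IPv6 is not implemented.

_OCTET_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def parse_ipv4_pattern(pattern):
    """Return an IPv4Network for CIDR input, or a list of four (low, high) octet
    ranges for range/wildcard input. Raise ValueError if a documented rule is broken."""
    if "/" in pattern:
        if "*" in pattern or "-" in pattern:
            raise ValueError(f"{pattern!r}: CIDR cannot be combined with a range or wildcard")
        return ipaddress.IPv4Network(pattern, strict=False)

    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"{pattern!r}: ranges and wildcards require the 4-octet A.B.C.D form")
    ranges = []
    for octet in octets:
        if octet == "*":
            ranges.append((0, 255))          # wildcard covers the whole octet
            continue
        if "*" in octet:
            raise ValueError(f"{pattern!r}: a wildcard must cover a whole octet ({octet!r})")
        m = _OCTET_RE.match(octet)
        if not m:
            raise ValueError(f"{pattern!r}: bad octet {octet!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"{pattern!r}: octet range {octet!r} out of order or outside 0-255")
        ranges.append((low, high))
    return ranges


def is_valid_pattern(pattern):
    try:
        parse_ipv4_pattern(pattern)
        return True
    except ValueError:
        return False


def matches(pattern, address):
    """True if the IPv4 address falls inside the pattern."""
    parsed = parse_ipv4_pattern(pattern)
    addr = ipaddress.IPv4Address(address)
    if isinstance(parsed, ipaddress.IPv4Network):
        return addr in parsed
    # addr.packed yields the four octets as ints, matched against the per-octet ranges
    return all(low <= value <= high for (low, high), value in zip(parsed, addr.packed))


def suggest_rewrite(pattern):
    """Rewrite a partial-octet wildcard such as 13* into the equivalent range 130-139,
    which is the form the appliance accepts. Returns None when there is nothing to
    rewrite or no contiguous range exists (for example *5)."""
    if "/" in pattern:
        return None
    out, changed = [], False
    for octet in pattern.split("."):
        m = re.fullmatch(r"(\d+)(\*+)", octet)
        if m:
            digits, stars = m.group(1), len(m.group(2))
            low = int(digits + "0" * stars)
            if low > 255:
                return None
            high = min(int(digits + "9" * stars), 255)
            octet = f"{low}-{high}"
            changed = True
        elif "*" in octet and octet != "*":
            return None
        out.append(octet)
    return ".".join(out) if changed else None


if __name__ == "__main__":
    for p in ("10.136-137.*.64-95", "192.168.0.0/24", "10.13*.*.64-95", "192.168.0.0/24-25"):
        print(f"{p:22} valid={is_valid_pattern(p)} rewrite={suggest_rewrite(p)}")
```

Run a candidate pattern through is_valid_pattern before pasting it into a policy; if it is rejected because of a partial-octet wildcard, suggest_rewrite gives the range form that expresses the same set of addresses.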

Set Actions
NAT Type
  no-nat - The default. No IP addresses are changed.
  source-nat - Changes the source address in the IP header and the source port in the TCP/UDP header of a
  packet.

NAT Direction
  inbound - NAT is applied on the LAN interface.
  outbound - NAT is applied on the WAN interface.
  none - The only option if the NAT Type is no-nat.

NAT IP
  auto - Select to NAT all traffic. The appliance then picks the first available NAT IP/port.
  tunnel - Select to NAT only tunnel traffic. Applicable only to inbound NAT, because outbound does not
  support NAT on tunnel traffic.
  [IP address] - Select to make NAT use this IP address during address translation.

Fallback - If the selected IP address has no free ports, the appliance uses the next available IP address.

When you select a specific IP, then ensure that the routing is in place for NAT-ted return traffic.

Merge / Replace
At the top of the page, choose

Merge to use the values in the template, but keep any values set on the appliance as is (producing a mix of template
and appliance rules),

-OR-

Replace (recommended) to replace all values with those in the template.


Inbound Port Forwarding


Inbound port forwarding allows traffic from the WAN to reach computers or services within a private LAN when you
have a stateful firewall. It helps define and manage inbound traffic, remap a destination IP address and port number
to an internal host, and create policies to manage branch devices from the WAN. Use this tab to define the desired
inbound traffic.

Inbound port forwarding has two modes when you add or edit a rule, depending on whether Translate mode is
enabled.

In the first mode, Translate is disabled. An inbound port forwarding rule (which you define in the following
steps) admits WAN-side traffic to the LAN-side subnet, exposing its services externally without rewriting
any addresses. This requires the LAN-side private addresses to be routable from the WAN side. This
corresponds to a DMZ (demilitarized zone).

NOTE  This mode is not common unless the port forwarding source is directly connected to the EdgeConnect, or
the LAN-side device address is routed from the WAN side. Additionally, inbound port forwarding does not
support TFTP servers.

To establish a DMZ connection, complete the following steps:

 1. Go to the Inbound Port Forwarding tab.

 2. Select the Edit icon next to Appliance Name.

 3. Select Add Rule.

 4. Complete each field with the appropriate information.

Source IP/Subnet - The WAN-side source that manages the LAN device(s) specified in the destination.
Destination IP/Subnet - The address of the LAN device(s) managed remotely.

In the second mode, Translate is enabled: the EdgeConnect WAN interface performs destination NAT so that
LAN-side device(s) can be reached from an external network. This corresponds to DNAT (Destination Network
Address Translation).

Complete the following steps to enable Translate mode.

 1. Go to the Inbound Port Forwarding tab.

 2. Select the Edit icon.

 3. Select Add Rule.

 4. Check the translate box to enable the Translate mode.

 5. Complete each field with the appropriate information.


Source IP/Subnet - The WAN-side source that manages the LAN device(s) specified in the destination.
Destination IP/Subnet - The WAN interface IP address that external traffic is sent to.
Destination Port/Range - The port/range on the WAN interface address that external clients connect to in order
to reach the LAN device(s) managed remotely.
Protocol - The protocol to apply: UDP, TCP, ICMP, or Any. If you select Any, the Destination and Translated
Port values must be in the range 0-100; if a value exceeds 100, a warning appears.
Translated IP - The IP address of the LAN device accessed inside your network.
Translated Port/Range - The port/range of the LAN device accessed inside your network.
Source Interface - The source interface name.
Segment - The name of the segment being used.
Comment - Any additional details.

Additional Information

Interface Modes

Port forwarding is only used when you have 'stateful' or 'stateful+snat' configured on interfaces. It does not
apply when you have 'Allow All' or 'Harden' configured.

Security Policies

If security policies are configured, make sure they allow the traffic specified in the port forwarding rules.

You can also reorder the appliances associated with inbound port forwarding by selecting Reorder when
adding a rule.

Note: 'Any' is only a protocol option on versions 8.1.9.4 and later.
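The two modes above (DMZ without address rewriting, and Translate with destination NAT) are easiest to reason about by applying a rule set to concrete packets. The following is an added example, not Silver Peak code: a model of how an inbound port forwarding rule set admits, rewrites, or drops WAN-side packets, including the restriction that such rules only apply to interfaces in stateful or stateful+snat mode. The Packet and ForwardRule types, the lowercase mode and protocol names, first-match-wins ordering, and the one-to-one offset mapping of a port range are this example's assumptions; the sample rules use RFC 5737 documentation addresses and are constructed, not from a real deployment.

```python
import ipaddress
from dataclasses import dataclass, replace

# Added example, not Silver Peak code: a model of an inbound port forwarding
# rule set applied to WAN-side packets in both the non-translate (DMZ) and
# Translate (DNAT) modes. Rule order (first match wins), the offset mapping of
# port ranges, and the lowercase mode/protocol names are assumptions.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0   # 0 for protocols without ports


@dataclass(frozen=True)
class ForwardRule:
    source: str                 # Source IP/Subnet: who on the WAN may come in
    destination: str            # Destination IP/Subnet: LAN host (DMZ) or the WAN interface IP (Translate)
    translate: bool = False     # the Translate checkbox
    dst_ports: str = "0"        # Destination Port/Range, "443" or "22000-22010"; "0" = any port
    protocol: str = "any"       # "udp", "tcp", "icmp" or "any"
    translated_ip: str = ""     # Translated IP: the LAN host reached after DNAT
    translated_ports: str = ""  # Translated Port/Range on that host


FIREWALL_MODES_WITH_PORT_FORWARDING = ("stateful", "stateful+snat")


def _port_range(spec):
    low, _, high = spec.partition("-")
    low = int(low)
    return low, (int(high) if high else low)


def _in_subnet(address, subnet):
    return ipaddress.ip_address(address) in ipaddress.ip_network(subnet, strict=False)


def forward_inbound(rules, pkt, interface_mode):
    """Return the packet as handed to the LAN side, or None when the stateful
    firewall drops it because no rule admits it."""
    if interface_mode not in FIREWALL_MODES_WITH_PORT_FORWARDING:
        raise ValueError("port forwarding applies only to 'stateful' or 'stateful+snat' interfaces")
    for rule in rules:
        if not (_in_subnet(pkt.src_ip, rule.source) and _in_subnet(pkt.dst_ip, rule.destination)):
            continue
        if rule.protocol != "any" and rule.protocol != pkt.proto:
            continue
        low, high = _port_range(rule.dst_ports)
        if low != 0 and not low <= pkt.dst_port <= high:
            continue
        if not rule.translate:
            return pkt  # DMZ mode: the LAN address is routable from the WAN, nothing is rewritten
        if not rule.translated_ip:
            raise ValueError("Translate mode requires a Translated IP")
        new_port = pkt.dst_port
        if low != 0 and rule.translated_ports:
            t_low, t_high = _port_range(rule.translated_ports)
            new_port = t_low + (pkt.dst_port - low)   # assumption: ranges map one-to-one by offset
            if new_port > t_high:
                raise ValueError(f"range {rule.dst_ports} is wider than translated range {rule.translated_ports}")
        return replace(pkt, dst_ip=rule.translated_ip, dst_port=new_port)
    return None  # unsolicited inbound traffic with no matching rule is dropped


# Constructed sample rules (RFC 5737 documentation addresses), not a real deployment.
RULES = [
    # Translate (DNAT): anyone on the WAN hitting the WAN interface on tcp/443 reaches the LAN web host on 8443
    ForwardRule(source="0.0.0.0/0", destination="203.0.113.10/32", translate=True,
                dst_ports="443", protocol="tcp", translated_ip="10.1.1.20", translated_ports="8443"),
    # Translate (DNAT): only one partner network may reach a block of SSH ports on a jump host
    ForwardRule(source="198.51.100.0/24", destination="203.0.113.10/32", translate=True,
                dst_ports="22000-22010", protocol="tcp", translated_ip="10.1.1.30", translated_ports="2200-2210"),
    # Non-translate (DMZ): the partner may reach a WAN-routable LAN subnet directly, any protocol
    ForwardRule(source="198.51.100.0/24", destination="10.1.2.0/24"),
]

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.5", "203.0.113.10", "tcp", 443),
                Packet("192.0.2.5", "203.0.113.10", "tcp", 22005),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22005),
                Packet("198.51.100.7", "10.1.2.9", "icmp")):
        print(pkt, "->", forward_inbound(RULES, pkt, "stateful"))
```

Note that the source subnet is part of the match: the SSH rule admits 198.51.100.0/24 only, so the same port from 192.0.2.5 falls through every rule and is dropped, which is the behaviour a stateful interface gives unsolicited inbound traffic.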


Security Policies Tab


This tab displays the Security Policies, which control traffic between firewall zones.

Zones are created on the Orchestrator. A zone is applied to an Interface.

By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces
with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between
interfaces with different zones.

Define your Security Policies by creating templates. You can then apply templates to Interfaces and/or
Overlays.

Selecting the Edit icon opens the Security Policy that has been applied. Any changes made here are local to
that appliance.

Selecting Manage Security Policies with Templates will allow you to define policies on all appliances within
your network. You can use the matrix and table view to further specify your policies.

Logging: In table view, you can specify the log level when adding and editing a rule. Select the appropriate
level from the options in the list.

Wildcard-based Prefix Matching

The same range, wildcard, and CIDR rules apply here as described under Wildcard-based Prefix Matching in the
NAT Policies Tab section (Advanced Settings).


Access Lists Tab


This tab lists the configured Access Control List (ACL) rules. An ACL is a reusable set of MATCH criteria for
filtering flows, and each of its rules carries an action, permit or deny. An ACL can serve as the MATCH
condition in more than one policy --- Route, QoS, or Optimization.

An Access Control List (ACL) consists of one or more ordered access control rules.

An ACL only becomes active when it's used in a policy.

Deny prevents further processing of the flow by that ACL, specifically. The appliance continues to the next
entry in the policy.

Permit allows the matching traffic flow to proceed on to the policy entry's associated SET action(s).

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.

If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Wildcard-based Prefix Matching

The same range, wildcard, and CIDR rules apply here as described under Wildcard-based Prefix Matching in the
NAT Policies Tab section (Advanced Settings).


Shaper Tab
This report provides a view of the Shaper settings.

The Shaper provides a simplified way to globally configure QoS (Quality of Service) on the appliances.

It shapes traffic by allocating bandwidth as a percentage of the system bandwidth.

The Shaper's parameters are organized into ten traffic classes. Four traffic classes are preconfigured and
named --- real-time, interactive, default, and best effort.

The system applies these QoS settings globally after compressing (deduplicating) all the outbound tunnelized
and pass-through-shaped traffic --- shaping it as it exits to the WAN.

To manage Shaper settings for an appliance's system-level WAN Shaper, access the Shaper template.

For minimum and maximum bandwidth, you can configure traffic class values as a percentage of total
available system bandwidth and as an absolute value. The appliance always provides the larger of the
minimum values, and limits bandwidth to the lower of the maximum values.

If you set Min Bandwidth to a value greater than Max Bandwidth, then Max overrides Min.

Shaper Tab Settings

Excess Weighting - If there is bandwidth left over after satisfying the minimum bandwidth percentages, the
excess is distributed among the traffic classes in proportion to the weightings specified in the Excess
Weighting column. Values range from 1 to 10,000.

Interface Shaper - Enables a separate shaper for a specific WAN interface. For WAN optimization, the
interface shaper can be used but is not recommended. For SD-WAN, it should never be used, because overlay
traffic is not directed to an interface shaper; that traffic is always shaped by the default WAN shaper.

Max Bandwidth % - Limits the maximum bandwidth that a traffic class can use to a percentage of total
available system bandwidth.

Max Bandwidth Absolute (kbps) - Limits the maximum bandwidth that a traffic class can use to an absolute
value in kbps. You can specify a maximum absolute value to cap the bandwidth for downloads and streaming.

Max Wait Time - Any packets waiting longer than the specified Max Wait Time are dropped.

Min Bandwidth % - The percentage of bandwidth guaranteed to each traffic class, allocated by priority. If the
sum of the percentages is greater than 100%, lower-priority traffic classes might not receive their
guaranteed bandwidth because it has already been consumed by higher-priority traffic. If you set Min
Bandwidth to a value greater than Max Bandwidth, Max overrides Min.

Min Bandwidth Absolute (kbps) - Guarantees a specific level of service when total system bandwidth declines.
This is useful for maintaining the quality of VoIP, for example.

Priority - Determines the order in which each class's minimum bandwidth is allocated: 1 is first, 10 is last.

Rate Limit (kbps) - Sets a per-flow rate limit for the traffic class. For no limit, use 0 (zero).

Recalc on IF State Changes - When an interface state changes to UP or DOWN, selecting this recalculates the
total bandwidth from the configured bandwidth of all UP interfaces. For example, when wan0 goes down, wan0's
bandwidth is removed from the total.

Traffic ID - The number assigned to the traffic class.

Traffic Name - The name assigned to a traffic class, either prescriptively or by the user.
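The interaction of the minimum, maximum, priority, and excess-weighting settings above is where misconfigurations hide: minimums that add up to more than the link, or a minimum set above a maximum, quietly change what a class actually gets. The following is an added example, not Silver Peak code: a simplified model that applies the stated rules (larger of the two minimums, lower of the two maximums, Max overrides Min, minimums served in priority order, excess shared by Excess Weighting, total bandwidth recomputed from UP interfaces) to a constructed set of classes. Water-filling of excess against each class's maximum, and treating an absolute maximum of 0 as "no cap", are this model's assumptions; the appliance's actual scheduler is not documented here.

```python
from dataclasses import dataclass

# Added example, not Silver Peak code: a simplified model of the Shaper's
# allocation rules as stated in the text. Water-filling of excess and reading an
# absolute max of 0 as "no cap" are assumptions of this model.


@dataclass
class TrafficClass:
    name: str
    priority: int              # 1 is served first, 10 last
    min_pct: float = 0.0       # Min Bandwidth %
    min_abs_kbps: float = 0.0  # Min Bandwidth Absolute (kbps)
    max_pct: float = 100.0     # Max Bandwidth %
    max_abs_kbps: float = 0.0  # Max Bandwidth Absolute (kbps); 0 = no absolute cap (assumption)
    excess_weight: int = 1     # Excess Weighting, 1..10000


def total_bandwidth_kbps(interfaces, recalc_on_if_state):
    """interfaces: {name: (configured_kbps, is_up)}. With 'Recalc on IF State
    Changes' selected, only interfaces that are UP count toward the total."""
    return float(sum(kbps for kbps, up in interfaces.values() if up or not recalc_on_if_state))


def effective_bounds(tc, total_kbps):
    """(guaranteed_min, hard_max) in kbps for one class."""
    minimum = max(tc.min_pct * total_kbps / 100.0, tc.min_abs_kbps)   # larger of the minimums
    maximum = tc.max_pct * total_kbps / 100.0
    if tc.max_abs_kbps > 0:
        maximum = min(maximum, tc.max_abs_kbps)                        # lower of the maximums
    return min(minimum, maximum), maximum                              # Max overrides Min


def allocate(classes, total_kbps):
    """Return ({class_name: kbps}, unallocated_kbps)."""
    bounds = {tc.name: effective_bounds(tc, total_kbps) for tc in classes}
    alloc = {tc.name: 0.0 for tc in classes}
    remaining = float(total_kbps)

    # Phase 1: guaranteed minimums, highest priority (lowest number) first. If the
    # minimums oversubscribe the link, the lowest-priority classes come up short.
    for tc in sorted(classes, key=lambda c: c.priority):
        grant = min(bounds[tc.name][0], remaining)
        alloc[tc.name] += grant
        remaining -= grant

    # Phase 2: excess shared in proportion to Excess Weighting, never past a class's
    # maximum; whatever a capped class cannot take is re-shared among the rest.
    eligible = {tc.name: tc.excess_weight for tc in classes}
    while remaining > 1e-9 and eligible:
        weight_sum = sum(eligible.values())
        spill = 0.0
        for name, weight in list(eligible.items()):
            share = remaining * weight / weight_sum
            headroom = bounds[name][1] - alloc[name]
            if share >= headroom:
                alloc[name] += headroom
                spill += share - headroom
                del eligible[name]
            else:
                alloc[name] += share
        remaining = spill
    return {name: round(kbps, 3) for name, kbps in alloc.items()}, round(remaining, 3)


# Constructed sample: the minimums add up to 105% of a 10 Mbps link, so the
# lowest-priority class (best-effort) does not receive its full guarantee.
OVERSUBSCRIBED = [
    TrafficClass("real-time", priority=1, min_pct=30, max_pct=50),
    TrafficClass("interactive", priority=2, min_pct=30, min_abs_kbps=4000, excess_weight=3),
    TrafficClass("default", priority=3, min_pct=20, excess_weight=4),
    TrafficClass("best-effort", priority=4, min_pct=40, max_abs_kbps=1500, excess_weight=2),
]

if __name__ == "__main__":
    total = total_bandwidth_kbps({"wan0": (5000, True), "wan1": (5000, True)}, recalc_on_if_state=True)
    print(allocate(OVERSUBSCRIBED, total))
```

In the sample, interactive's absolute minimum (4000 kbps) wins over its 30% (3000 kbps), best-effort's 40% minimum is clamped to its 1500 kbps absolute maximum, and because the minimums still sum to 10,500 kbps on a 10,000 kbps link, best-effort ends up with only 1000 kbps.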


SaaS Optimization Tab


When SaaS optimization is enabled, this report provides a view of the information retrieved from the Silver Peak Unity
Cloud Intelligence Service.

Configuration Tab
To directly access an appliance and configure the SaaS applications/services you want to optimize, select the desired
row and click the edit icon. The SaaS Optimization window opens.


Application Definitions
This tab provides application visibility and control. You can search to see if Silver Peak has a definition for a specific
application and, if so, how it's defined.

Orchestrator uses these eight dimensions for identifying and defining applications:

IP Protocol

UDP Port

TCP Port

Domain Name

Address Map – (formerly known as IP Intelligence). Given a range of IP addresses, the Address Map
reveals what organization owns the segment, along with the country of origin.

DPI (Deep Packet Inspection). An expanded list of Orchestrator's legacy built-in applications.

Compound – Created by user from multiple criteria.

SaaS – Created by user. If any components of the definition change, the user must manually update
the definition.

You can modify or disable an existing application.

You can use any of the dimensions to define a new application.

Auto update is enabled by default.


Application Groups Tab


Application groups associate applications into a common group that you can use as a MATCH criteria. The
applications can be built-in, user-defined, or a combination of both.

The Group Name cannot be empty.

Group names are case-insensitive.

A group can be empty or contain up to 128 applications.

An application group cannot contain an application group.

A group name followed by * indicates a user-defined group.

You are not allowed to change the group name for groups provided by Silver Peak. You are allowed to add or
delete applications within those groups.


Threshold Crossing Alerts Tab


Threshold Crossing Alerts (TCAs) are pre-emptive, user-configurable alarms triggered when specific thresholds
are crossed.

They alarm on both rising and falling threshold crossing events (i.e., floor and ceiling levels). For both levels, one
value raises the alarm, while another value clears it.

When you configure appliance and tunnel TCAs with an Orchestrator template, all alerts apply globally, so all
of an appliance's tunnels have the same alerts.


To create a tunnel-specific alert, go to Configuration > Tunnels, select the tunnel, click the Edit icon to
access the tunnel directly, and then click the icon in the Alert Options column. Make your changes and click
OK.

To view globally applied system and tunnel alerts, click System.

To view alerts that are specific to an individual tunnel, click Tunnel.

Times to Trigger - A value of 1 triggers an alarm on the first threshold crossing instance.

ON by default:
Appliance Capacity - triggers when an appliance reaches 95% of its total flow capacity. It is not configurable
and can only be cleared by an operator.

File-system utilization - percent of non-Network Memory disk space filled by the appliance. This TCA cannot
be disabled.

Tunnel latency - measured in milliseconds, the maximum latency of a one-second sample within a 60-second
span

OFF by default:
LAN-side receive throughput - based on a one-minute average, the LAN-side receive TOTAL for all
interfaces

WAN-side transmit throughput - based on a one-minute average, the WAN-side transmit TOTAL for all
interfaces

TCAs based on an end-of-minute count:

Total number of flows

Total number of optimized flows

TCAs based on a one-minute average:

Tunnel loss pre-FEC

Tunnel loss post-FEC

Tunnel OOP pre-POC

Tunnel OOP post-POC

Tunnel reduction

Tunnel utilization (based on percent of configured maximum [system] bandwidth)

This table lists the defaults of each type of threshold crossing alert:

Default values for Threshold Crossing Alerts

TCA Name                          Default   Rising Raise; Rising Clear; Falling Raise; Falling Clear   Allow rising   Allow falling

Appliance Level
WAN-side transmit throughput      OFF       1 Gbps; 1 Gbps; 0; 0                                       Yes            Yes
LAN-side receive throughput       OFF       1 Gbps; 1 Gbps; 0; 0                                       Yes            Yes
Total number of optimized flows   OFF       256,000; 256,000; 0; 0                                     Yes            Yes
Total number of flows             OFF       256,000; 256,000; 0; 0                                     Yes            Yes
File-system utilization           ON*       95%; 85%; 0%; 0%                                           Yes            No

Tunnel Level
Tunnel latency                    ON        1000 ms; 850 ms; 0; 0                                      Yes            No
Tunnel loss pre-FEC               OFF       100%; 100%; 0%; 0%                                         Yes            No
Tunnel loss post-FEC              OFF       100%; 100%; 0%; 0%                                         Yes            No
Tunnel OOP pre-POC                OFF       100%; 100%; 0%; 0%                                         Yes            No
Tunnel OOP post-POC               OFF       100%; 100%; 0%; 0%                                         Yes            No
Tunnel utilization                OFF       95%; 90%; 0%; 0%                                           Yes            Yes
Tunnel reduction                  OFF       100%; 100%; 0%; 0%                                         No             Yes

* Cannot be disabled.
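The raise/clear pairs in the table are a hysteresis band: an alarm is raised when a sample crosses the raise value and is not cleared until a later sample comes back to the clear value, so a latency that oscillates between 850 and 1000 ms does not flap. The following is an added example, not Silver Peak code: a model of that behaviour for rising and falling alarms, including Times to Trigger, run over constructed sample series. The class and function names are this example's own; that Times to Trigger counts consecutive samples past the raise value, and that a sample exactly at the clear value clears the alarm, are assumptions.

```python
from dataclasses import dataclass

# Added example, not Silver Peak code: a model of TCA raise/clear hysteresis
# as described in the text. That "Times to Trigger" counts consecutive samples
# past the raise threshold, and that a sample exactly at the clear value clears
# the alarm, are assumptions of this model.


@dataclass
class ThresholdCrossingAlert:
    name: str
    rising_raise: float
    rising_clear: float
    falling_raise: float = 0.0
    falling_clear: float = 0.0
    allow_rising: bool = True
    allow_falling: bool = False
    times_to_trigger: int = 1
    # runtime state
    rising_alarm: bool = False
    falling_alarm: bool = False
    rising_hits: int = 0
    falling_hits: int = 0

    def observe(self, sample):
        """Feed one sample (for example a one-minute average); return the events it produced."""
        events = []
        if self.allow_rising:
            if self.rising_alarm:
                if sample <= self.rising_clear:          # stays raised until back at/below the clear value
                    self.rising_alarm, self.rising_hits = False, 0
                    events.append(f"{self.name}: CLEARED rising alarm at {sample}")
            elif sample > self.rising_raise:
                self.rising_hits += 1                    # consecutive crossings count toward Times to Trigger
                if self.rising_hits >= self.times_to_trigger:
                    self.rising_alarm = True
                    events.append(f"{self.name}: RAISED rising alarm at {sample}")
            else:
                self.rising_hits = 0
        if self.allow_falling:
            if self.falling_alarm:
                if sample >= self.falling_clear:
                    self.falling_alarm, self.falling_hits = False, 0
                    events.append(f"{self.name}: CLEARED falling alarm at {sample}")
            elif sample < self.falling_raise:
                self.falling_hits += 1
                if self.falling_hits >= self.times_to_trigger:
                    self.falling_alarm = True
                    events.append(f"{self.name}: RAISED falling alarm at {sample}")
            else:
                self.falling_hits = 0
        return events


def replay(tca, samples):
    """Run a sample series through a TCA; return [(sample, event), ...] for samples that produced one."""
    events = []
    for sample in samples:
        for event in tca.observe(sample):
            events.append((sample, event))
    return events


if __name__ == "__main__":
    # Tunnel latency with its documented defaults: ON, raise at 1000 ms, clear at 850 ms, rising only.
    latency = ThresholdCrossingAlert("Tunnel latency", rising_raise=1000, rising_clear=850)
    print(replay(latency, [900, 1200, 1300, 950, 840]))   # constructed one-minute samples
```

With the default latency thresholds, the series 900, 1200, 1300, 950, 840 raises once (at 1200) and clears once (at 840): the 950 ms sample is below the raise value but still above the clear value, so the alarm stays up.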


IP SLA Tab

Using a polling process, IP SLA (Internet Protocol Service Level Agreement) tracking provides the ability to generate
specific actions in the network that are completely dependent on the state of an IP interface or tunnel. The goal is to
prevent black-holed traffic. For example, associated IP subnets could be removed from the subnet table, and also
from subnet sharing, if the LAN-side interfaces on an appliance go down.

Four Monitors are available:

Interface - Monitors the operational status of a specific local interface.
Ping - Monitors the reachability of a specific IPv4 address.
HTTP/HTTPS - Monitors the reachability of an HTTP/HTTPS endpoint.
VRRP Monitor - Monitors the VRRP router state (TRUE if Master, FALSE if Backup) for the VRRP instance(s) on
an interface.

Based on the Monitor chosen, the Web UI displays the appropriate fields and options.

There are eight available Down Actions:

Remove Auto Subnet - Removes an auto subnet for a port from the subnet table (including all VLAN and
subinterface subnets).
Increase VRRP Priority - Increases the configured VRRP router priority by a delta amount.
Decrease VRRP Priority - Decreases the configured VRRP router priority by a delta amount.
Enable Tunnel - Enables a passthrough (internet breakout) tunnel for IP SLA tracking purposes.
Disable Tunnel - Disables a passthrough (internet breakout) tunnel for IP SLA tracking purposes. The tunnel
can no longer be used for load balancing (when load balancing traffic between multiple passthrough
tunnels), although it can still be used as a last resort for traffic forwarding.
Disable Subnet Sharing - Disables sharing of the appliance's subnets with other Silver Peak peers.
Modify Subnet Metric - Adds a metric delta to the metric of all subnets shared with Silver Peak peers.
Advertise Subnets - Advertises subnets to Silver Peak peers.

There are two default Up Actions:

Default Subnet Action - Reverts whatever the Down Action did, back to the normal state. For example:
  If Down Action = Disable Subnet Sharing, the Up Action re-enables subnet sharing.
  If Down Action = Remove Auto Subnets, the Up Action re-adds the auto subnet.
  If Down Action = Modify Subnet Metric, the Up Action restores subnet metrics to their original values.

VRRP Default - Reverts the VRRP priority to the configured value.

NOTE: If a default Up Action is used, it must match the Down Action.
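To make the pairing of Down and Up Actions concrete, the following is an added example, not Silver Peak code: a model of one IP SLA rule driving a few of the Down Actions above against a small in-memory picture of an appliance, with the default Up Actions restoring the original values and a check that rejects a default Up Action that does not match the Down Action. The action names, the idea that actions fire only when the monitor changes state, and the way original values are remembered for the restore are this example's assumptions; the appliance values are constructed.

```python
from dataclasses import dataclass, field

# Added example, not Silver Peak code: a model of an IP SLA rule applying Down
# Actions and default Up Actions to an in-memory appliance. Action names, firing
# on monitor state transitions only, and the remembered originals are assumptions.

DEFAULT_UP_FOR = {
    "decrease-vrrp-priority": "vrrp-default",
    "increase-vrrp-priority": "vrrp-default",
    "disable-subnet-sharing": "default-subnet-action",
    "modify-subnet-metric": "default-subnet-action",
    "remove-auto-subnet": "default-subnet-action",
}


@dataclass
class Appliance:
    vrrp_priority: int = 100
    subnet_sharing: bool = True
    subnet_metric: int = 50
    auto_subnets: set = field(default_factory=lambda: {"10.1.0.0/24", "10.1.1.0/24"})
    saved: dict = field(default_factory=dict)   # originals remembered so a default Up Action can restore them


@dataclass
class IpSlaRule:
    monitor: str              # e.g. "interface:wan0", "ping:198.51.100.1", "vrrp:lan0"
    down_action: str
    up_action: str
    delta: int = 0            # VRRP priority or subnet metric delta
    target: str = ""          # auto subnet to remove
    monitor_up: bool = True   # last observed monitor state

    def __post_init__(self):
        # The NOTE above: a default Up Action must match the Down Action
        if self.up_action in DEFAULT_UP_FOR.values() and DEFAULT_UP_FOR.get(self.down_action) != self.up_action:
            raise ValueError(f"default Up Action {self.up_action!r} does not match Down Action {self.down_action!r}")

    def observe(self, appliance, monitor_up):
        """Apply the Down or Up Action when the monitor changes state; return what was done, if anything."""
        if monitor_up == self.monitor_up:
            return None
        self.monitor_up = monitor_up
        return self._up(appliance) if monitor_up else self._down(appliance)

    def _down(self, a):
        if self.down_action in ("decrease-vrrp-priority", "increase-vrrp-priority"):
            a.saved["vrrp_priority"] = a.vrrp_priority
            a.vrrp_priority += self.delta if self.down_action.startswith("increase") else -self.delta
            return f"vrrp priority -> {a.vrrp_priority}"
        if self.down_action == "disable-subnet-sharing":
            a.subnet_sharing = False
            return "subnet sharing disabled"
        if self.down_action == "modify-subnet-metric":
            a.saved["subnet_metric"] = a.subnet_metric
            a.subnet_metric += self.delta
            return f"subnet metric -> {a.subnet_metric}"
        if self.down_action == "remove-auto-subnet":
            a.auto_subnets.discard(self.target)
            return f"removed {self.target}"
        raise ValueError(f"unsupported Down Action {self.down_action!r}")

    def _up(self, a):
        if self.up_action == "vrrp-default":
            a.vrrp_priority = a.saved.pop("vrrp_priority", a.vrrp_priority)
            return f"vrrp priority restored to {a.vrrp_priority}"
        if self.up_action == "default-subnet-action":
            if self.down_action == "disable-subnet-sharing":
                a.subnet_sharing = True
                return "subnet sharing re-enabled"
            if self.down_action == "modify-subnet-metric":
                a.subnet_metric = a.saved.pop("subnet_metric", a.subnet_metric)
                return f"subnet metric restored to {a.subnet_metric}"
            a.auto_subnets.add(self.target)
            return f"re-added {self.target}"
        raise ValueError(f"unsupported Up Action {self.up_action!r}")


if __name__ == "__main__":
    box = Appliance()
    rule = IpSlaRule("interface:wan0", "decrease-vrrp-priority", "vrrp-default", delta=20)
    for state in (True, False, False, True):
        print(state, rule.observe(box, state), box.vrrp_priority)
```

The WAN0 sequence up, down, down, up lowers the VRRP priority from 100 to 80 exactly once and restores it when the interface returns; the repeated down poll produces no second decrement.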

Monitor Use Cases


Following are five basic use cases.

Example #1 – Ping via Interface

Two passthrough tunnels configured for Internet breakout and High Availability.

If the Primary passthrough tunnel goes down, traffic goes to Backup tunnel.

The IP SLA Rule would look like this, with the same tunnel specified for the Down and Up Actions.


Example #2 – HTTP/HTTPS via Interface

Two passthrough tunnels configured for Internet breakout and High Availability.

If the Primary passthrough tunnel goes down, traffic goes to Backup tunnel.

The IP SLA Rule would look like this, with the same tunnel specified for the Down and Up Actions.


In the URL(s) field, the protocol identifier is only required when specifying HTTPS, as in
https://www.google.com.

Example #3 – Monitor Interface (LAN0)


On Silver Peak - A, we want subnet advertising to be conditional on LAN0 being up.

Its IP SLA Rule would look like this, with the Default Subnet Action being to resume advertising subnets.

Example #4 – Monitor Interface (WAN0) to ensure High Availability


If WAN0 goes down on the VRRP Master, we want to decrease its Priority so that traffic goes to the VRRP
Backup.

Its IP SLA Rule would look like this, with the VRRP Default Up Action reverting to the original Priority.

NOTE: In this instance, the WAN0 interface was given the label, MPLS, to match the service to which it
connected.

Example #5 – Monitor VRRP


To monitor the VRRP router state, use VRRP Monitor and specify the interface on which the VRRP instance is
configured.

In this example, it's LAN0.

Here, we're looking at an instance where the VRRP role changes, but priority doesn't, for whatever reason.

Its IP SLA Rule would look like this, with the VRRP Default Up Action reverting to the original Priority.

NOTE: In this instance, the WAN0 interface was given the label, MPLS, to match the service to which it
connected.

Another option would be to specify Down Action = Modify Subnet Metric. The Web UI automatically
produces another field where you can add a positive value to the current subnet metric. Up Action = Default
Subnet Action would return the subnet metric to its original value.


Configuration Templates
This section describes the templates used for assigning common Configuration parameters across appliances.


Using Configuration Templates


A Template Group is a collection of templates used to configure settings across multiple appliances.

IMPORTANT: Templates will REPLACE all settings on the appliance with the template settings. Some
templates support a MERGE option; refer to the Help on those templates.

To edit a template, drag (or double-click) it from the Available Templates column to the Active Templates
column.

To save the edits as a new template group, click Save As.

To apply templates, click Apply Template Groups at the bottom of the page. This will bring you to the Apply
Templates tab where you can permanently associate appliances with specific template groups.

Associating an appliance with a template group makes Orchestrator automatically keep the templates in sync
with the appliance.

When returning to the Templates page, the Template Group field defaults to showing the last template group
viewed.


System Template
Use this page to configure system-level features.

Category: Optimization

IP Id auto optimization: Enables any IP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies).

TCP auto optimization: Enables any TCP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies).

Flows and tunnel failure: If there are parallel tunnels and one fails, then Dynamic Path Control determines where to send the flows. There are three options:

fail-stick = When the failed tunnel comes back up, the flows don't return to the original tunnel. They stay where they are.

fail-back = When the failed tunnel comes back up, the flows return to the original tunnel.

disable = When the original tunnel fails, the flows aren't routed to another tunnel.

Category: Subnet Sharing

Use shared subnet information: Enables Silver Peak appliances to use the shared subnet information to route traffic to the appropriate tunnel. Subnet sharing eliminates the need to set up route maps in order to optimize traffic.

Automatically include local LAN subnets: Adds the local LAN subnet(s) to the appliance subnet information.

Automatically include local WAN subnets: Adds the local WAN subnet(s) to the appliance subnet information.

Metric for local subnets: Specifies a weight that is used for subnets of local interfaces. When a peer has more than one tunnel with a matching subnet, it chooses the tunnel with the greater numerical value.

Redistribute learned BGP routes to SP peers: Enables subnet sharing of routes (subnets) learned from BGP peers.

Allow WAN to WAN routing: Redirects inbound LAN traffic back to the WAN.

Category: Network Memory

Encrypt data on disk: Enables encryption of all the cached data on the disks. Disabling this option is not recommended.

Category: Excess Flow Handling

Excess flow policy: Specifies what happens to flows when the appliance reaches its maximum capacity for optimizing flows. The default is to bypass flows. Or, you can choose to drop the packets.

Category: NextHop Health Check

Enable Health check: Activates pinging of the next-hop router.

Retry count: Specifies the number of ICMP echoes to send, without receiving a reply, before declaring that the link to the WAN next-hop router is down.

Interval: Specifies the number of seconds between each ICMP echo sent.

Hold down count: If the link has been declared down, this specifies how many successful ICMP echoes are required before declaring that the link to the next-hop router is up.

Category: Miscellaneous

SSL optimization for non-IPSec tunnels: Specifies if the appliance should perform SSL optimization when the outbound tunnel for SSL packets is not encrypted (for example, a GRE or UDP tunnel). To enable Network Memory for encrypted SSL-based applications, you must provision server certificates via the Unity Orchestrator. This activity can apply to the entire distributed network of Silver Peak appliances, or just to a specified group of appliances.

Bridge Loop Test: Only valid for virtual appliances. When enabled, the appliance can detect bridge loops. If it does detect a loop, the appliance stops forwarding traffic and raises an alarm. Appliance alarms include recommended actions.

Always send pass-through traffic to original sender: If the tunnel goes down when using WCCP and PBR, traffic that was intended for the tunnel is sent back the way it came.

Enable default DNS lookup: Allows the appliance to snoop the DNS requests to map domains to IP addresses. This mapping can then be used in ACLs for traffic matching.

Enable HTTP/HTTPS snooping: Enables a more granular application classification of HTTP/HTTPS traffic, by inspection of the HTTP/HTTPS header, Host. This is enabled by default.

Quiescent tunnel keep alive time: Specifies the rate at which to send keep alive packets after a tunnel has become idle (quiescent mode). The default is 60 seconds.

UDP flow timeout: Specifies how long to keep the UDP session open after traffic stops flowing. The default is 120 seconds (2 minutes).

Non-accelerated TCP Flow Timeout: Specifies how long to keep the TCP session open after traffic stops flowing. The default is 1800 seconds (30 minutes).

Maximum TCP MSS: (Maximum Segment Size). The default value is 9000 bytes. This ensures that packets are not dropped for being too large. You can adjust the value (500 to 9000) to lower a packet's MSS.

NAT-T keep alive time: If a device is behind a NAT, this specifies the rate at which to send keep alive packets between hosts, in order to keep the mappings in the NAT device intact.

Tunnel Alarm Aggregation Threshold: Set the number of alarms you want before the tunnel alarm is alerted.

Maintain end-to-end Overlay Mapping: Enforces the same overlay to be used end-to-end when traffic is forwarded on multiple nodes.

IP Directed Broadcast: Allows an entire network to receive data that only the target subnet initially receives.


Auth/Radius/TACACS+ Template
Silver Peak appliances support user authentication and authorization as a condition of providing access rights.

Authentication is the process of validating that the end user, or a device, is who they claim to be.

Authorization is the action of determining what a user is allowed to do. Generally, authentication precedes
authorization.

Map order refers to the order in which the authorization servers are queried.

The configuration specified for authentication and authorization applies globally to all users accessing that
appliance.

If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out
and returns them to the login page. You can change that value, as well as the maximum number of sessions,
in the Session Management template.

Authentication and Authorization


To provide authentication and authorization services, Silver Peak appliances:

support a built-in, local database

can be linked to a RADIUS (Remote Authentication Dial-In User Service) server.

can be linked to a TACACS+ (Terminal Access Controller Access Control System) server.

Both RADIUS and TACACS+ are client-server protocols.

Appliance-based User Database


The local, built-in user database supports user names, groups, and passwords.

The two user groups are admin and monitor. You must associate each user name with one or the other.
Neither group can be modified or deleted.

The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is
equivalent to the Command Line Interface's (CLI) enable mode privileges.

The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent
to the Command Line Interface's (CLI) configuration mode privileges.

RADIUS
RADIUS uses UDP as its transport.

With RADIUS, the authentication and authorization functions are coupled together.


RADIUS authentication requests must be accompanied by a shared secret. The shared secret must be the
same as defined in the RADIUS setup. Please see your RADIUS documentation for details.

Important: Configure your RADIUS server's priv levels within the following ranges:

admin = 7 - 15

monitor = 1 - 6

TACACS+
TACACS+ uses TCP as its transport.

TACACS+ provides separated authentication, authorization, and accounting services.

Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a
shared secret. Please see your TACACS+ documentation for details.

Important: Configure your TACACS+ server's roles to be admin and monitor.

What Silver Peak recommends


Use either RADIUS or TACACS+, but not both.

For Authentication Order, configure the following:

First = Remote first

Second = Local. If not using either, then None.

Third = None

When using RADIUS or TACACS+ to authenticate users, configure Authorization Information as follows:

Map Order = Remote First

Default Role = admin


SNMP Template
The Silver Peak appliance supports the Management Information Base (MIB) II, as described in RFC 1213, for cold
start traps and warm start traps, as well as Silver Peak proprietary MIBs. The appliance issues an SNMP trap during
reset when loading a new image, recovering from a crash, or rebooting.

It sends a trap every time an alarm is raised or cleared and traps contain additional information about the alarm,
including severity, sequence number, a text-based description of the alarm, and the time the alarm was created. For
additional information, see SILVERPEAK-MGMT-MIB.TXT in the MIBS directory.

Use this page to configure the appliance's SNMP agent, trap receiver(s), and forward appliance alarms as SNMP
traps to the receivers.

Complete the following steps to configure v1, v2, and v3 SNMP.

 1. Check Enable SNMP. The SNMP v1/v2 and v3 sections appear, as well as the Trap Receivers box.

 2. If you check Enable SNMP Traps, the SNMP agent (in the appliance) sends traps to the configured receiver(s).

 3. Enter the Default Trap Community. This is the string the trap receiver uses to accept the traps being sent
to it. The default value is public.

Configure the following fields for SNMP v1 and v2c.

Enable SNMP: Allows the SNMP application to poll this Silver Peak appliance.

Enable SNMP Traps: Allows the SNMP agent (in the appliance) to send traps to the receiver(s).

Read-Only Community: The SNMP application needs to present this text string (secret) to poll this appliance's SNMP agent. The default value is public.

Default Trap Community: The string the trap receiver uses to accept the traps being sent to it. The default value is public, but you can change it.

For additional security when the SNMP application polls the appliance, you can select Enable Admin User for
SNMP v3, instead of using v1 or v2c. This provides a way to authenticate without using clear text:

To configure SNMP v3 admin privileges, you must be logged in as admin in Appliance Manager.

For SNMP v3, authentication between the user and the server acting as the SNMP agent is bilateral and
required. You can use either the MD5 or SHA-1 hash algorithm.

Using DES or AES-128 to encrypt for privacy is optional. If you don't specify a password, the appliance uses
the default privacy algorithm (AES-128) and the same password you specified for authentication.

You can configure up to 3 trap receivers:


Host = IP address where you want the traps sent

Community = The trap receiver needs to receive a specific string in order to accept the traps being sent to it.
By default, this field is blank because it uses the Default Trap Community string, which has the value, public.
If the trap receiver you're adding has a different Community string, enter the community string that's
configured on the trap receiver.

Version = Select either v1 (RFC 1157) or v2c (RFC 1901) standards. For both, authentication is based on a
community string that represents an unencrypted password.

Enabled = When selected, enables this specific trap receiver.


Flow Export Template


You can configure your appliance to export statistical data to NetFlow and IPFIX collectors.

The appliance exports flows against two virtual interfaces — sp_lan and sp_wan — that accumulate the total
of LAN–side and WAN–side traffic, regardless of physical interface.

These interfaces appear in SNMP and are therefore "discoverable" by NetFlow and IPFIX collectors.

Enable Flow Exporting allows the appliance to export the data to collectors (and makes the configuration
fields accessible).

The Collector's IP Address is the IP address of the device to which you're exporting the NetFlow/IPFIX
statistics. The default Collector Port is 2055.

In Traffic Type, you can select as many of the traffic types as you wish. The default is WAN TX.


DNS Proxy Policies


Configuration > Templates & Networking > Templates

If you select ON, complete the following steps to configure and define your DNS Proxy policies.

NOTE  This feature is only configurable if you have loopback interfaces configured.

 1. Choose if you want the DNS Proxy enabled by selecting ON or OFF.

 2. Select the name of the loopback interface or LAN-side label associated with your DNS proxy.

 3. Enter the IP addresses for Server A in the Server A Addresses field.

 4. Choose if you want Caching to be ON or OFF. If selected, the domain name to the IP address mapping is
cached. By default, caching is ON.

 5. Enter the domain names of the Server A for the above IP addresses.

 6. Enter Server B IP addresses in the Server B Addresses field. Server B will be used if there are no matches to
the Server A domains.

NOTE  You can Clear DNS Cache. This will erase the domain name to the IP address mapping you had cached for
both Server A and B.


DNS Template
A Domain Name Server (DNS) stores the IP addresses with their associated domain names. It allows you to
reference locations by domain name, such as mycompany.com, instead of using the routable IP address.

You can configure up to three name servers.

Under Domain Names, add the network domains to which your appliances belong.


Logging Template
Use this template to configure local and remote logging parameters.

Each requires that you specify the minimum severity level of event to log.

Set up local logging in the Log Configuration section.

Set up remote logging by using the Log Facilities Configuration and Remote Log Receivers sections.

Minimum Severity Levels


In decreasing order of severity, the levels are as follows.

EMERGENCY: The system is unusable.

ALERT: Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING.

CRITICAL: A critical event.

ERROR: An error. This is a non-urgent failure.

WARNING: A warning condition. Indicates an error will occur if action is not taken.

NOTICE: A normal, but significant, condition. No immediate action required.

INFORMATIONAL: Informational. Used by Silver Peak for debugging.

DEBUG: Used by Silver Peak for debugging.

NONE: If you select NONE, then no events are logged.

The bolded part of the name is what displays in Silver Peak's logs.

If you select NOTICE (the default), then the log records any event with a severity of NOTICE, WARNING,
ERROR, CRITICAL, ALERT, and EMERGENCY.

These are purely related to event logging levels, not alarm severities, even though some naming conventions
overlap. Events and alarms have different sources. Alarms, once they clear, list as the ALERT level in the
Event Log.

Configuring Remote Logging


You can configure the appliance to forward all events, at and above a specified severity, to a remote syslog
server.

A syslog server is independently configured for the minimum severity level that it will accept. Without
reconfiguring, it may not accept as low a severity level as you are forwarding to it.

In the Log Facilities Configuration section, assign each message/event type (System / Audit / Flow) to a
syslog facility level (local0 to local7).

For each remote syslog server that you add to receive the events, specify the receiver's IP address, along with
the messages' minimum severity level and facility level.
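As an added example that is not part of the guide, the following Python models the two independent thresholds described above: the minimum severity the appliance forwards at, and the minimum the receiving syslog server itself accepts. The severity names are the template's; the numeric codes (EMERGENCY = 0 through DEBUG = 7, local0 = 16 through local7 = 23, PRI = facility * 8 + severity) are the standard syslog values, not something the guide states, and the events and receiver are constructed.

```python
"""Minimum-severity filtering for forwarded events, modelled on the Logging
template. Numeric codes are the standard syslog values, not from the guide."""
from dataclasses import dataclass

# Decreasing order of severity; a lower code is more severe. NONE is a
# template-only choice meaning "log nothing" and has no syslog code.
SEVERITY = {
    "EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
    "WARNING": 4, "NOTICE": 5, "INFORMATIONAL": 6, "DEBUG": 7,
}
FACILITY = {f"local{i}": 16 + i for i in range(8)}   # local0 .. local7


@dataclass(frozen=True)
class Event:
    kind: str        # System / Audit / Flow, as in Log Facilities Configuration
    severity: str
    text: str


@dataclass(frozen=True)
class RemoteReceiver:
    host: str
    min_severity: str        # appliance-side forwarding threshold
    facility: str            # local0 .. local7 assigned to this message type
    accepts_at_least: str    # what the syslog server itself is configured to keep


def passes(severity: str, minimum: str) -> bool:
    """True if an event at `severity` is at or above the `minimum` level.
    Selecting NONE disables logging entirely."""
    if minimum == "NONE":
        return False
    return SEVERITY[severity] <= SEVERITY[minimum]


def pri(facility: str, severity: str) -> int:
    """Syslog PRI header value (facility * 8 + severity) for a forwarded event."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def forward(events, receiver: RemoteReceiver) -> list:
    """(PRI, message) for each event the appliance would send; anything below
    the appliance's minimum severity is dropped before transmission."""
    return [(pri(receiver.facility, e.severity), f"{e.kind}: {e.text}")
            for e in events if passes(e.severity, receiver.min_severity)]


def dropped_by_receiver(events, receiver: RemoteReceiver) -> list:
    """Events the appliance forwards but the receiver discards because its own
    minimum is stricter than the forwarding level: the mismatch the guide warns
    about when the server is not reconfigured."""
    return [e for e in events
            if passes(e.severity, receiver.min_severity)
            and not passes(e.severity, receiver.accepts_at_least)]


# Constructed sample events (not taken from any appliance log).
SAMPLE_EVENTS = [
    Event("System", "NOTICE", "Tunnel to peer 'branch-1' up"),
    Event("Audit", "INFORMATIONAL", "User monitor logged in"),
    Event("System", "ALERT", "Alarm raised: tunnel down (MAJOR)"),
    Event("Flow", "DEBUG", "Flow table rebalanced"),
]

# Constructed receiver: the appliance forwards NOTICE and above on local4,
# but the syslog server was left at its own default of WARNING.
RECEIVER = RemoteReceiver("192.0.2.10", "NOTICE", "local4", "WARNING")
```

Running `dropped_by_receiver(SAMPLE_EVENTS, RECEIVER)` shows the NOTICE tunnel-up event leaving the appliance but never being stored, which is the case to check when forwarded events seem to go missing.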


Banner Messages Template


The Login Message appears before the login prompt.

The Message of the Day appears after a successful login.


HTTPS Certificate Template


The VXOA software includes a self-signed certificate that secures the communication between the user's browser
and the appliance. You also have the option to install your own custom certificate, acquired from a Certificate
Authority (CA).

For a custom certificate, to use with a specific appliance:

 1. Consult with your IT security team to generate a certificate signing request (CSR), and submit it to your
organization's chosen SSL Certificate Authority (CA).

Examples of Certificate Authorities include GoDaddy, Verisign, Comodo, Symantec, Microsoft Entrust,
GeoTrust, etc.


For a list of what Silver Peak supports, see Silver Peak Security Algorithms.

All certificate and key files must be in PEM format.

 2. After the Certificate Authority provides a CA-verified certificate:

If your IT security team advises the use of an Intermediate CA, then use an Intermediate Certificate
File. Otherwise, skip this file.

Load the Certificate File from the CA.

Upload the Private Key File that was generated as part of the CSR.

 3. To associate the CA verified certificate for use with Orchestrator, click Add.


User Management Template


Use this page to manage the default users and, if desired, require a password with the highest user privilege level
when using the Command Line Interface.

Default User Accounts


Each appliance has two default users, admin and monitor, who cannot be deleted.

You can, however, assign a new password for either one, and apply it to any appliances you wish.

Command Line Interface privileges


The Command Line Interface (CLI) for Silver Peak physical (NX) appliances has three command modes. In
order of increasing permissions, they are User EXEC Mode, Privileged EXEC Mode, and Global Configuration
Mode.

When you first log into a Silver Peak appliance via a console port, you are in User EXEC Mode. This provides
access to commands for many non-configuration tasks, such as checking the appliance status.

To access the next level, Privileged EXEC Mode, you would enter the enable command. With this template,
you can choose to associate and enforce a password with the enable command.


Date/Time Setting
Configure an appliance's date and time manually, or complete the following steps to configure it to use an NTP
(Network Time Protocol) server.

 1. From the Time Zone list, select the appliance's geographical location.

If you select Manual, the appliance is matched to your web client system when the template is applied.
This eliminates the delay between configuring time manually and applying the template.

To use an NTP server, select NTP Time Synchronization and complete the following steps.

 1. Click Add.

 2.  Enter the IP address or host name of the server.

 3.  Select the version of NTP protocol to use.

NOTE  The server is selected in the order listed when you list more than one NTP server.

Data Collection
Orchestrator collects and puts all stats in its own database in Coordinated Universal Time (UTC).

When a user views stats, the appliance (or Orchestrator server) returning the stats always presents the
information relative to the browser time zone.


SSL Certificates Template


Use this page for SSL Certificates when the server is part of your enterprise network and has its own
enterprise SSL certificates and key pairs.

NOTE  To decrypt SSL for SaaS (cloud-based) services, use the SSL for SaaS template.

By supporting the use of SSL certificates and keys, Silver Peak provides deduplication for Secure Sockets Layer (SSL)
encrypted WAN traffic:

Silver Peak decrypts SSL data using the configured certificates and keys, optimizes the data, and transmits
data over an IPSec tunnel. The peer Silver Peak appliance uses configured SSL certificates to re-encrypt data
before transmitting.

Peers that exchange and optimize SSL traffic must use the same certificate and key.

Use this template to provision a certificate and its associated key across multiple appliances.

You can add either a PFX certificate (generally, for Microsoft servers) or a PEM certificate.

The default is PEM when PFX Certificate File is deselected.

If the key file has an encrypted key, enter the passphrase needed to decrypt it.


Before installing the certificates, you must do the following:

Configure the tunnels bilaterally for IPSec (or IPSec_UDP) mode.


To do so, access the Configuration - Tunnels page, select the tunnel, and for Mode, select ipsec.

Verify that TCP acceleration and SSL acceleration are enabled.


To do so, access the Configuration - Optimization Policies page, and review the Set Actions.

If you choose to be able to decrypt the flow, optimize it, and send it in the clear between appliances, then
access the System template and select SSL optimization for non-IPsec tunnels.

TIP  For a historical matrix of Silver Peak security algorithms, click here.


SSL CA Certificates Template


If the enterprise certificate that you used for signing substitute certificates is subordinate to higher level Certificate
Authorities (CA), then you must add those CA certificates here. If the browser can't validate up the chain to the root
CA, it will warn you that it can't trust the certificate.

TIP  For a historical matrix of Silver Peak security algorithms, click here.


SSL for SaaS Template


To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.

To do so, the appliance generates a substitute certificate that must then be signed by a Certificate Authority (CA).

There are two possible signers:

For a Built-In CA Certificate, the signing authority is Silver Peak.

The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of
Concept (POC) and when compliance is not a big concern.

To avoid browser warnings, follow up by importing the certificate into the browser from the client-side
appliance.

For a Custom CA Certificate, the signing authority is the Enterprise CA.

If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to
Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from
here.

If this substitute certificate is subordinate to a root CA certificate, then also install the higher-level SSL
CA certificates (into the SSL CA Certificates template) so that the browser can validate up the chain
to the root CA.


If you don't already have a subordinate CA certificate, you can access any appliance's Configuration
> SaaS Optimization page and generate a Certificate Signing Request (CSR).

TIP  For a historical matrix of Silver Peak security algorithms, click here.


Tunnels Template

NOTE  If you're deploying an SD-WAN network, the Business Intent Overlays (BIOs) govern tunnel properties. In that
case, you don't need this template.

If you're not creating overlays, then use this template to assign and manage tunnel properties.

Tunnel templates can be applied to any appliances (with or without tunnels). However, only existing tunnels
can accept the template settings. To enable an appliance to apply these same settings to future tunnels,
select Make these the Defaults for New Tunnels.

Applying tunnel templates does not create new tunnels. To create tunnels, use the Tunnel Groups tab.

To view, edit, and delete tunnels, use the Tunnels tab. The Mode selected determines which tabs display.

Tunnels Template Settings

Admin State: Indicates whether the tunnel has been set to admin Up or Down.

Auto Discover MTU Enabled: Allows an appliance to determine the best MTU to use.

Auto Max BW Enabled: When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.

DSCP: Determines which DSCP marking the keep-alive messages should use.

Fastfail Thresholds: When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.

The Fastfail connectivity detection algorithm for the wait time from receipt of the last packet before declaring a brownout is:

Twait = Base + N * RTTavg

where Base is a value in milliseconds, and N is the multiplier of the average Round Trip Time over the past minute.

For example, if Base = 200mS, N = 2, and RTTavg = 50mS, then Twait = 300mS: the appliance declares a tunnel to be in brownout if it doesn't see a reply packet from the remote end within 300mS of receiving the most recent packet.

In the Tunnel Advanced Options, Base is expressed as Fastfail Wait-time Base Offset (ms), and N is expressed as Fastfail RTT Multiplication Factor.

Fastfail Enabled – This option is triggered when a tunnel's keepalive signal doesn't receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keepalive reply, its recovery is instantaneous.

If set to disable, keepalives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.

If set to enable, keepalives are sent every second, and a missed reply increases the rate at which keepalives are sent from 1 per second to 10 per second. Failover occurs after 1 second.

When set to continuous, keepalives are continuously sent at 10 per second. Therefore, failover occurs after one tenth of a second.

Thresholds for Latency, Loss, or Jitter are checked once every second. Receiving 3 successive measurements that exceed the threshold puts the tunnel into a brownout situation, and flows will attempt to fail over to another tunnel within the next 100mS. Receiving 3 successive measurements that drop below the threshold takes the tunnel out of brownout.

FEC: (Forward Error Correction) can be set to enable, disable, and auto.

FEC Ratio: An option, available when FEC is set to auto, that specifies the maximum ratio. The options are 1:2, 1:5, 1:10, or 1:20.

IPSec Anti-replay window: Provides protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. The default window size is 64 packets.

IPSec Preshared Key: A shared, secret string of Unicode characters that is used for authentication of an IPSec connection between two parties.

Mode: Indicates whether the tunnel protocol is udp, gre, or ipsec.

MTU (bytes): (Maximum Transmission Unit) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. Silver Peak provides support for MTUs up to 9000 bytes. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.

Reorder Wait (ms): Maximum time the appliance holds an out-of-order packet when attempting to reorder. The 100ms default value should be adequate for most situations. FEC may introduce out-of-order packets if the reorder wait time is not set high enough.

Retry Count: The number of failed keep-alive messages that are allowed before the appliance brings the tunnel down.

UDP destination port: Used in UDP mode. Accept the default value unless the port is blocked by a firewall.

UDP flows: The number of flows over which to distribute tunnel data. Accept the default.
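The Fastfail Thresholds description above gives the wait-time formula and the three-successive-measurements rule for entering and leaving brownout. The following Python is an added example, not Silver Peak code: it carries the Base = 200mS, N = 2, RTTavg = 50mS case through the formula and runs a constructed once-per-second latency series (threshold and values are assumptions) through the hysteresis so the reset of the counter by a single good or bad sample is visible.

```python
"""Fastfail brownout detection as described in the Tunnels Template:
Twait = Base + N * RTTavg, and three-in-a-row hysteresis on a per-second
latency/loss/jitter measurement. Added example; the series is constructed."""
from dataclasses import dataclass, field


def fastfail_wait_ms(base_ms: float, n: float, rtt_avg_ms: float) -> float:
    """Time after the last received packet before a brownout is declared.
    Base is 'Fastfail Wait-time Base Offset (ms)', N is 'Fastfail RTT
    Multiplication Factor' in the Tunnel Advanced Options."""
    return base_ms + n * rtt_avg_ms


@dataclass
class ThresholdMonitor:
    """Tracks one measured quantity against its threshold. Samples arrive
    once per second; `required` successive samples over the threshold enter
    brownout, `required` successive samples at or under it leave. A single
    sample on the other side of the threshold resets the running count."""
    threshold: float
    required: int = 3
    in_brownout: bool = False
    _over: int = 0
    _under: int = 0
    transitions: list = field(default_factory=list)   # (state, second)

    def sample(self, value: float, t_sec: int) -> bool:
        if value > self.threshold:
            self._over += 1
            self._under = 0
        else:
            self._under += 1
            self._over = 0
        if not self.in_brownout and self._over >= self.required:
            self.in_brownout = True
            self.transitions.append(("brownout", t_sec))
        elif self.in_brownout and self._under >= self.required:
            self.in_brownout = False
            self.transitions.append(("recovered", t_sec))
        return self.in_brownout


def run_latency_series(threshold_ms: float, samples) -> list:
    """Feed a once-per-second latency series through the monitor and return
    the (state, second) transitions it produced."""
    mon = ThresholdMonitor(threshold_ms)
    for t, value in enumerate(samples):
        mon.sample(value, t)
    return mon.transitions


# Constructed latency samples in ms, one per second, checked against a
# constructed 100 ms threshold. The spike at t=2..3 is only two samples long
# and does not trigger; t=5..7 does; the single spike at t=10 delays recovery.
SAMPLE_LATENCY_MS = [40, 45, 150, 160, 50, 170, 180, 190, 60, 55, 170, 45, 50, 40]

if __name__ == "__main__":
    print("Twait =", fastfail_wait_ms(200, 2, 50), "ms")
    print(run_latency_series(100, SAMPLE_LATENCY_MS))
```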
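The IPSec Anti-replay window row above describes the receiver-side check only in outline. As an added example that is not Silver Peak's implementation, the following Python implements the standard sliding-window receiver algorithm (RFC 4303 style) with the 64-packet default; the ESP sequence numbers fed through it are constructed.

```python
"""Sliding-window anti-replay check of the kind controlled by the 'IPSec
Anti-replay window' setting (default 64 packets). Added example following
the RFC 4303 receiver algorithm; sequence numbers below are constructed."""


class AntiReplayWindow:
    """Accepts each ESP sequence number at most once and rejects numbers
    that have fallen more than `size` behind the highest number accepted.
    Call `check` only after the packet's integrity check has passed: a
    forged number that is accepted would advance the window and shadow
    legitimate packets still in flight."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) seen

    def check(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'too_old'; update the window on accept."""
        if seq == 0:
            return "too_old"  # ESP sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0          # everything previously seen fell out
            else:
                # slide forward; bits for numbers now below the window drop off
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1             # mark the new highest as seen
            self.highest = seq
            return "accept"
        offset = self.highest - seq      # 0 == the current highest
        if offset >= self.size:
            return "too_old"             # behind the window: cannot be checked
        if self.bitmap & (1 << offset):
            return "replay"              # already seen inside the window
        self.bitmap |= 1 << offset       # late but new: accept and record
        return "accept"


def process(seqs, size: int = 64) -> list:
    """Run received ESP sequence numbers through one window and return the
    per-packet verdicts, e.g. to count replays for an alarm or log line."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


# Constructed arrival order: in-order packets, a reorder within the window,
# a duplicate of an already-accepted packet, a jump far ahead, then two
# packets that fell behind the 64-packet window and one at its oldest edge.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 200, 130, 136, 137]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE_SEQS, process(SAMPLE_SEQS)):
        print(f"seq {seq:>4}: {verdict}")
```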


VRRP Template
Use this template to distribute common parameters for appliances deployed with Virtual Router Redundancy
Protocol (VRRP).

In an out-of-path deployment, one method for redirecting traffic to the Silver Peak appliance is to configure VRRP on
a common virtual interface. The possible scenarios are:

When no spare router port is available, a single appliance uses VRRP to peer with a router (or Layer 3 switch).
This is appropriate for an out-of-path deployment where no redundancy is needed.

A pair of active, redundant appliances use VRRP to share a common, virtual IP address at their site. This
deployment assigns one appliance a higher priority than the other, thereby making it the Master appliance,
and the other, the Backup.


VRRP Template Settings


Admin: The options are up (enable) and down (disable).

Advertisement Timer: The default is 1 second.

Authentication String: Clear text password for authenticating group members.

Preemption: Leave this selected/enabled so that after a failure, the appliance with the highest priority comes back online and again assumes primary responsibility.

Priority: The greater the number, the higher the priority. The appliance with the higher priority is the VRRP Master.


Peer Priority Template


When an appliance receives a Subnet with the same Metric from multiple remote/peer appliances, it uses the Peer
Priority list as a tie-breaker.

If a Peer Priority is not configured, then the appliance randomly distributes flows among multiple peers.

The lower the number, the higher the peer’s priority.


Admin Distance Template


This table shows the values associated with various types of Admin Distance. Admin Distance (AD) is the route
preference value assigned to dynamic routes, static routes, and directly connected routes. When the appliance's
Routes table has multiple routes to the same destination, the appliance uses the route with the lowest administrative
distance.

Field: Description

Local: A manually configured route, or one learned from locally connected subnets.

Subnet Shared - Static Routes: A route learned from a Silver Peak peer.

Subnet Shared - BGP Remote: A route shared from a Silver Peak peer from an external network.

Subnet Shared - OSPF Remote: A route shared from a Silver Peak peer within the same network.

BGP Branch (pre-8.1.9.4): A type of dynamic route learned from a local BGP branch peer prior to version 8.1.9.4.

BGP Transit (pre-8.1.9.4): A type of dynamic route learned from a local BGP branch-transit peer prior to version 8.1.9.4.

EBGP (post-8.1.9.4): External BGP: exchanging routing information with a router outside the company-wide network after version 8.1.9.4.

BGP PE (pre-8.1.9.4): A type of dynamic route learned from a local BGP PE (Provider Edge) router prior to version 8.1.9.4.

OSPF: A route learned from an OSPF (Open Shortest Path First) neighbor.

IBGP (post-8.1.9.4): Internal BGP: exchanging routing information with a router inside the company-wide network after version 8.1.9.4.
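The route-selection order that the Peer Priority and Admin Distance templates describe (lowest administrative distance first, then lowest metric, then the Peer Priority list as tie-breaker, and random distribution when no Peer Priority is configured) can be traced with a small model. The following is an added example, not code from Orchestrator or the appliance; the AD values, metrics and peer names are constructed sample data rather than the product's actual defaults, and ranking peers absent from the Peer Priority list after the listed ones is an assumption.

```python
"""Route selection by administrative distance, metric and Peer Priority.

Added illustration, not code from Orchestrator or the appliance.  The route
with the lowest administrative distance (AD) wins; with equal AD the lower
metric wins; when the same subnet arrives with the same metric from several
peers, the Peer Priority list breaks the tie (lower number = higher priority);
with no Peer Priority configured, flows are spread randomly over the tied
peers.  All AD values, metrics and peer names are constructed sample data.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str   # destination subnet, e.g. "10.20.0.0/16"
    ad: int       # administrative distance, lower is preferred
    metric: int   # route metric, lower is preferred
    peer: str     # "local" or the name of the advertising Silver Peak peer


def select_route(routes: List[Route], prefix: str,
                 peer_priority: Optional[Dict[str, int]] = None,
                 rng: Optional[random.Random] = None) -> Optional[Route]:
    """Return the route the appliance would use for `prefix`, or None."""
    candidates = [r for r in routes if r.prefix == prefix]
    if not candidates:
        return None

    # 1. Lowest administrative distance wins.
    best_ad = min(r.ad for r in candidates)
    candidates = [r for r in candidates if r.ad == best_ad]

    # 2. Among equal-AD routes, the lowest metric wins.
    best_metric = min(r.metric for r in candidates)
    candidates = [r for r in candidates if r.metric == best_metric]
    if len(candidates) == 1:
        return candidates[0]

    # 3. Same subnet, same metric, several peers: Peer Priority tie-breaker.
    #    Assumption: peers missing from the list rank after the listed ones.
    if peer_priority:
        ranked = sorted(candidates,
                        key=lambda r: peer_priority.get(r.peer, float("inf")))
        if ranked[0].peer in peer_priority:
            return ranked[0]

    # 4. No Peer Priority configured: distribute flows randomly among peers.
    return (rng or random).choice(candidates)


# Constructed sample routing table (values are illustrative only).
SAMPLE_ROUTES = [
    Route("10.20.0.0/16", ad=30, metric=50, peer="branch-a"),
    Route("10.20.0.0/16", ad=30, metric=50, peer="branch-b"),
    Route("10.20.0.0/16", ad=30, metric=60, peer="branch-c"),
    Route("10.30.0.0/16", ad=0, metric=0, peer="local"),
    Route("10.30.0.0/16", ad=30, metric=50, peer="branch-a"),
]
# Constructed Peer Priority list: lower number = higher priority.
SAMPLE_PEER_PRIORITY = {"branch-b": 1, "branch-a": 2}

if __name__ == "__main__":
    for prefix in ("10.20.0.0/16", "10.30.0.0/16"):
        chosen = select_route(SAMPLE_ROUTES, prefix, SAMPLE_PEER_PRIORITY)
        print(prefix, "->", chosen.peer)
```

With the sample data, 10.30.0.0/16 is served locally because the local route has the lowest AD, while 10.20.0.0/16 ties between branch-a and branch-b on AD and metric and goes to branch-b because of its Peer Priority.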


Shaper Template
The Shaper template is a simplified way of globally configuring QoS (Quality of Service) on the appliances:

The Shaper shapes traffic by allocating bandwidth as a percentage of the system bandwidth.

The Shaper's parameters are organized into ten traffic classes. Four traffic classes are preconfigured and
named --- real-time, interactive, default, and best effort.

The system applies these QoS settings globally after compressing (deduplicating) all the outbound tunnelized
and pass-through-shaped traffic --- shaping it as it exits to the WAN.

Applying the template to an appliance updates its system-level wan Shaper. If the appliance has any added,
interface-specific Shapers, they are preserved.

For minimum and maximum bandwidth, you can configure traffic class values as a percentage of total
available system bandwidth and as an absolute value. The appliance always provides the larger of the
minimum values, and limits bandwidth to the lower of the maximum values.

You can rename or edit any traffic class.

To view any applied configurations, access the Configuration > Shaper page.

Dynamic Rate Control


Tunnel Max Bandwidth is the maximum rate at which an appliance can transmit.

Auto BW negotiates the link between a pair of appliances. In this example, the appliances negotiate each link down
to the lower value, 100 Mbps.


However, if A and B transmit at the same time, Hub could easily be overrun.

If Hub experiences congestion:

Select Enable Dynamic Rate Control. That allows Hub to regulate the tunnel traffic by lowering each
remote appliance's Tunnel Max Bandwidth. The smallest possible value is that appliance's Tunnel Min(imum) Bandwidth.

Inbound BW Limit caps how much bandwidth the appliance can receive.

Shaper Settings

Field Name: Description

Add Interface Shaper: Adds an interface-specific shaper for outbound or inbound traffic.

Enable Interface Shaper: Enables a separate shaper for a specific WAN interface. For WAN optimization, the interface shaper can be used but is not recommended. For SD-WAN, it should never be used because overlay traffic isn't directed to an interface shaper; traffic is always shaped by the default WAN shaper.

Excess Weighting: If there is bandwidth left over after satisfying the minimum bandwidth percentages, then the excess is distributed among the traffic classes, in proportion to the weightings specified in the Excess Weighting column. Values range from 1 to 10,000.

Interface Shaper: The interface which is being shaped.

Max Bandwidth %: This limits the maximum bandwidth that a traffic class can use to a percentage of total available system bandwidth.

Max Bandwidth Absolute (kbps): This limits the maximum bandwidth that a traffic class can use to an absolute value (kbps). You can specify a maximum absolute value to cap the bandwidth for downloads and streaming.

Max Wait Time: Any packets waiting longer than the specified Max Wait Time are dropped.

Min Bandwidth %: Refers to the percentage of bandwidth guaranteed to each traffic class, allocated by priority. However, if the sum of the percentages is greater than 100%, then lower-priority traffic classes might not receive their guaranteed bandwidth if it's all consumed by higher-priority traffic. If you set Min Bandwidth to a value greater than Max Bandwidth, then Max overrides Min.

Min Bandwidth Absolute (kbps): This guarantees a specific level of service when total system bandwidth declines. This is useful for maintaining the quality of VoIP, for example.

Priority: Determines the order in which to allocate each class's minimum bandwidth - 1 is first, 10 is last.

Rate Limit (kbps): You can set a per-flow rate limit that a traffic class uses by specifying a number in the Rate Limit column. For no limit, use 0 (zero).

Recalc on IF State Changes: When an interface state changes to UP or DOWN, selecting this recalculates the total bandwidth based on the configured bandwidth of all UP interfaces. For example, when wan0 goes down, wan0 bandwidth is removed from the total bandwidth when recalculating.

Traffic Name: The name assigned to a traffic class, either prescriptively or by the user.
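The interaction between the Shaper settings above (percentage versus absolute minimum and maximum, Priority order for the guarantees, Max overriding Min, and Excess Weighting for whatever is left) is easiest to see on concrete numbers. The following is an added worked example, not the appliance's shaper implementation; the system bandwidth, class names, percentages, weights and offered loads are constructed sample values.

```python
"""Worked Shaper bandwidth allocation for the traffic-class settings above.

Added illustration, not the appliance's implementation.  It applies the rules
in the table: the guaranteed minimum is the larger of Min Bandwidth % and
Min Bandwidth Absolute, the cap is the lower of Max Bandwidth % and Max
Bandwidth Absolute, Max overrides Min when Min exceeds Max, minimums are
served in Priority order (1 first), and whatever is left is shared in
proportion to Excess Weighting up to each class's cap and demand.  Class
names, numbers and demands are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TrafficClass:
    name: str
    priority: int        # 1 is served first, 10 last
    min_pct: float       # Min Bandwidth %
    min_kbps: int        # Min Bandwidth Absolute (kbps)
    max_pct: float       # Max Bandwidth %
    max_kbps: int        # Max Bandwidth Absolute (kbps)
    excess_weight: int   # Excess Weighting, 1 to 10,000


def effective_limits(tc: TrafficClass, system_kbps: int) -> Tuple[float, float]:
    """(guaranteed minimum, cap) in kbps after combining % and absolute values."""
    cap = min(tc.max_pct / 100 * system_kbps, tc.max_kbps)      # lower of the maxima
    floor = max(tc.min_pct / 100 * system_kbps, tc.min_kbps)    # larger of the minima
    return min(floor, cap), cap                                 # Max overrides Min


def allocate(classes: List[TrafficClass], system_kbps: int,
             demand_kbps: Dict[str, int]) -> Dict[str, int]:
    """Split system bandwidth among classes given each class's offered load."""
    limits = {tc.name: effective_limits(tc, system_kbps) for tc in classes}
    alloc = {tc.name: 0.0 for tc in classes}
    remaining = float(system_kbps)

    # Pass 1: guaranteed minimums in Priority order.  If the minimums add up
    # to more than the system bandwidth, lower-priority classes lose out.
    for tc in sorted(classes, key=lambda c: c.priority):
        floor, _ = limits[tc.name]
        grant = min(floor, demand_kbps.get(tc.name, 0), remaining)
        alloc[tc.name] += grant
        remaining -= grant

    # Pass 2: distribute the excess by Excess Weighting.  A class that hits
    # its cap or its demand drops out and the rest is re-shared.
    while remaining > 1e-6:
        want = {tc.name: min(limits[tc.name][1], demand_kbps.get(tc.name, 0)) - alloc[tc.name]
                for tc in classes}
        eligible = [tc for tc in classes if want[tc.name] > 1e-6]
        if not eligible:
            break
        total_w = sum(tc.excess_weight for tc in eligible)
        pool, capped = remaining, False
        for tc in eligible:
            share = pool * tc.excess_weight / total_w
            if share >= want[tc.name]:
                capped = True
            grant = min(share, want[tc.name])
            alloc[tc.name] += grant
            remaining -= grant
        if not capped:
            break   # the whole pool was handed out
    return {name: round(v) for name, v in alloc.items()}


SYSTEM_KBPS = 10_000   # constructed: a 10 Mbps WAN
SAMPLE_CLASSES = [     # constructed class settings
    TrafficClass("real-time", 1, min_pct=30, min_kbps=0, max_pct=50, max_kbps=10_000, excess_weight=10),
    TrafficClass("interactive", 2, min_pct=20, min_kbps=0, max_pct=100, max_kbps=10_000, excess_weight=3),
    TrafficClass("default", 3, min_pct=10, min_kbps=0, max_pct=100, max_kbps=10_000, excess_weight=1),
]
SAMPLE_DEMAND = {"real-time": 6_000, "interactive": 8_000, "default": 8_000}

if __name__ == "__main__":
    print(allocate(SAMPLE_CLASSES, SYSTEM_KBPS, SAMPLE_DEMAND))
```

In the sample, real-time is guaranteed 3,000 kbps and would take most of the excess on its weight of 10, but its Max Bandwidth of 50% caps it at 5,000 kbps; the 857 kbps it cannot use is re-shared between interactive and default in the 3:1 ratio, giving 5,000 / 3,500 / 1,500 kbps.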


QoS Policies Template


The QoS Policy determines how flows are queued and marked.

The QoS Policy's SET actions determine two things:

what traffic class a shaped flow—whether optimized or pass-through—is assigned

whether to trust incoming DSCP markings for LAN QoS and WAN QoS, or to remark them as they leave for the
WAN

Use the Shaper to define, prioritize, and name traffic classes.

Think of it as the Shaper defines and the QoS Policy assigns.

Priority
With this template, you can create rules with priority from 1000 – 9999, inclusive. When you apply the
template to an appliance, Orchestrator deletes all appliance entries in that range before applying its policies.

If you access an appliance directly (via the WebUI or the command line interface), you can create rules with
higher priority than Orchestrator rules (1 – 999) and rules with lower priority (10000 – 65534).

Adding a rule increments the last Priority by 10. This leaves room for you to insert a rule in between rules
without having to renumber subsequent priorities. Likewise, you can just edit the number.

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.


If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Source or Destination
An IP address can specify a subnet - for example: 10.10.10.0/24 (IPv4) or fe80::204:23ff:fed8:4ba2/64 (IPv6).

To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Ports are available only for the protocols tcp, udp, and tcp/udp.

To allow any port, use 0.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the
dot notation. For example, A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).

Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-94.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.

These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and
ACLs.

Handling and Marking DSCP Packets


DSCP markings specify end-to-end QoS policies throughout a network.

The default values for LAN QoS and WAN QoS are trust-lan.


Applying DSCP Markings to Optimized (Tunnelized) Traffic


The appliance encapsulates optimized traffic. This adds an IP outer header to packets for travel across the
WAN. This outer header contains the WAN QoS DSCP marking.

LAN QoS – the DSCP marking applied to the IP header before encapsulation

WAN QoS – the DSCP marking in the encapsulating outer IP header. The remote appliance removes the
outer IP header.


Applying DSCP Markings to Pass-through Traffic


The appliance applies the QoS Policy's DSCP markings to all pass-through flows -- shaped and unshaped.

Pass-through traffic doesn't receive an additional header, so it's handled differently:

The Optimization Policy's LAN QoS Set Action is ignored.

The specified WAN QoS marking replaces the packet's existing LAN QoS DSCP marking.

When the packet reaches the remote appliance, it retains the modified QoS setting as it travels to its
destination.


Routes Template
Check the following boxes if you want to globally apply them to your routes in Orchestrator.

Automatically advertise to local LAN subnets: Enable if you want the system-created LAN subnets of your
appliance advertised to your peers.

Automatically advertised local WAN subnets: Enable if you want the system-created local WAN subnets of
your appliance advertised to your peers.

Redistribute learned BGP routes to Silver Peak Peers: Advertises BGP routes that your appliance has
learned to Silver Peak peers.

Enter specific values for the following:

Metric for automatically added routes: 50 (default value)

Route Map name to Redistribute route to SD-WAN Fabric: The name of the route map being redistributed to the SD-WAN.

Include BGP Local ASN to routes sent to SD-WAN Fabric: Select Don't Apply, Yes, or No.

Filter Routes From SD-WAN Fabric with Matching Local ASN: Select Don't Apply, Yes, or No.

Tag BGP communities to routes: Select Don't Apply, Yes, or No. If Yes is selected, enter the BGP communities you want to be tagged in the field.

NOTE  A community must be a combination of two numbers (0-65535) separated by a colon. If there are multiple, you must use a comma to separate them.

INFO  If Don't Apply is selected, that field is ignored when applying the template to appliances.


Optimization Policies Template


Optimization templates apply Optimization policies to appliances.

Priority
With this template, you can create rules with priority from 1000 – 9999, inclusive. When you apply the
template to an appliance, Orchestrator deletes all appliance entries in that range before applying its policies.

If you access an appliance directly (via the WebUI or the command line interface), you can create rules with
higher priority than Orchestrator rules (1 – 999) and rules with lower priority (10000 – 65534).

Adding a rule increments the last Priority by 10. This leaves room for you to insert a rule in between rules
without having to renumber subsequent priorities. Likewise, you can just edit the number.

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.

If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Source or Destination
An IP address can specify a subnet - for example: 10.10.10.0/24 (IPv4) or fe80::204:23ff:fed8:4ba2/64 (IPv6).

To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).


Ports are available only for the protocols tcp, udp, and tcp/udp.

To allow any port, use 0.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the
dot notation. For example, A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).

Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-94.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.

These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and
ACLs.


Set Actions Fields

Set Action: Definition

Network Memory: Addresses limited bandwidth. This technology uses advanced fingerprinting algorithms to examine all incoming and outgoing WAN traffic. Network Memory localizes information and transmits only modifications between locations.

    Maximize Reduction: Optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP, where bandwidth savings are the primary concern.

    Minimize Latency: Ensures that Network Memory processing adds no latency. This may come at the cost of lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional traffic. It's also appropriate when the primary objective is to fully utilize the WAN pipe to increase the LAN-side throughput, as opposed to conserving WAN bandwidth.

    Balanced: The default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types.

    Disabled: Turns off Network Memory.

IP Header Compression: The process of compressing excess protocol headers before transmitting them on a link and uncompressing them to their original state at the other end. It's possible to compress the protocol headers due to the redundancy in header fields of the same packet, as well as in consecutive packets of a packet stream.

Payload Compression: Uses algorithms to identify relatively short byte sequences that are repeated frequently. These are then replaced with shorter segments of code to reduce the size of transmitted data. Simple algorithms can find repeated bytes within a single packet; more sophisticated algorithms can find duplication across packets and even across flows.

TCP Acceleration: Uses techniques such as selective acknowledgments, window scaling, and maximum segment size adjustment to mitigate poor performance on high-latency links.

    INFO  Slow LAN alert goes off when the loss has fallen below 80% of the specified value configured in the TCP Accel Options window.

    For more information, see TCP Acceleration Options.

Protocol Acceleration: Provides explicit configuration for optimizing CIFS, SSL, SRDF, Citrix, and iSCSI protocols. In a network environment, it's possible that not every appliance has the same optimization configurations enabled. Therefore, the site that initiates the flow (the client) determines the state of the protocol-specific optimization.


Route Policies Template

INFO  If you've deployed an SD-WAN network by using Business Intent Overlays (BIO), then Orchestrator uses BIOs
to automatically create the necessary Route Policies.

If you're creating a conventional WAN optimization network, then there may be occasions when you need to directly
configure Route Policies. Then, the following applies.

Only use the Route Policy template to create (and apply) rules for flows that are to be:

sent pass-through (shaped or unshaped)

dropped

configured for a specific high-availability deployment

routed based on application, ports, VLAN, DSCP, or ACL (Access Control List)

You may also want to create a Route Policy entry when multiple tunnels exist to the remote peer, and you want the
appliance to dynamically select the best path based on one of these criteria:

load balancing

lowest loss

lowest latency

a preferred interface

a specific tunnel


Why?
Each appliance's default routing behavior is to auto-optimize all IP traffic, automatically directing flows to the
appropriate tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for
optimization. The three strategies that Silver Peak uses are TCP-based auto-opt, IP-based auto-opt, and subnet
sharing. By default, all three are enabled on the System template.

Priority
With this template, you can create rules with priority from 1000 – 9999, inclusive. When you apply the
template to an appliance, Orchestrator deletes all appliance entries in that range before applying its policies.

If you access an appliance directly (via the WebUI or the command line interface), you can create rules with
higher priority than Orchestrator rules (1 – 999) and rules with lower priority (10000 – 65534).

Adding a rule increments the last Priority by 10. This leaves room for you to insert a rule in between rules
without having to renumber subsequent priorities. Likewise, you can just edit the number.
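The Priority rules stated for the QoS, Optimization and Route Policies templates (Orchestrator owns 1000 to 9999 and clears that range on every apply, rules entered directly on the appliance in 1 to 999 or 10000 to 65534 survive, and each new template rule takes the last priority plus 10) can be modelled as follows. This is an added example, not Orchestrator's own code; the rule names are constructed, and starting an empty template at 1000 is an assumption the page does not state.

```python
"""Priority bookkeeping when an Orchestrator policy template is applied.

Added example, not Orchestrator's own code.  Template rules live in
1000-9999; applying the template deletes every appliance entry in that range
and installs the template's rules; rules configured directly on the appliance
in 1-999 (ahead of Orchestrator) and 10000-65534 (behind it) are left alone;
a newly added template rule takes the last priority plus 10.  Rule names are
constructed; ORCH_MIN as the first priority of an empty template is assumed.
"""
from typing import Dict

ORCH_MIN, ORCH_MAX = 1000, 9999   # range owned by Orchestrator templates (from the page)
APPLIANCE_MAX = 65534             # highest priority settable on an appliance (from the page)
STEP = 10                         # gap left between consecutive template rules

Rules = Dict[int, str]            # priority -> rule description


def is_template_priority(priority: int) -> bool:
    return ORCH_MIN <= priority <= ORCH_MAX


def is_local_priority(priority: int) -> bool:
    """Priorities an operator may use directly on the appliance (WebUI or CLI)."""
    return 1 <= priority < ORCH_MIN or ORCH_MAX < priority <= APPLIANCE_MAX


def next_template_priority(template: Rules) -> int:
    """Last template Priority + 10 (ORCH_MIN for an empty template: assumption)."""
    if not template:
        return ORCH_MIN
    nxt = max(template) + STEP
    if nxt > ORCH_MAX:
        raise ValueError("no room left in the Orchestrator priority range")
    return nxt


def insert_between(template: Rules, before: int, after: int) -> int:
    """Pick a free priority between two existing rules without renumbering."""
    for p in range(before + 1, after):
        if p not in template:
            return p
    raise ValueError(f"no free priority between {before} and {after}")


def apply_template(appliance: Rules, template: Rules) -> Rules:
    """Return the appliance's rule set after the template is applied."""
    bad = [p for p in template if not is_template_priority(p)]
    if bad:
        raise ValueError(f"template priorities outside {ORCH_MIN}-{ORCH_MAX}: {bad}")
    # Orchestrator clears its range first, then installs the template's rules;
    # everything outside the range is kept exactly as configured on the box.
    kept = {p: r for p, r in appliance.items() if not is_template_priority(p)}
    return dict(sorted({**kept, **template}.items()))


# Constructed sample state: two stale template rules plus two local rules.
APPLIANCE_RULES = {500: "local-override", 1000: "old-voice", 1010: "old-bulk", 12000: "local-catch-all"}
TEMPLATE_RULES = {1000: "voice", 1010: "bulk", 1020: "default"}

if __name__ == "__main__":
    for prio, rule in apply_template(APPLIANCE_RULES, TEMPLATE_RULES).items():
        print(prio, rule)
```

The local rule at 500 is evaluated before any template rule and the one at 12000 after all of them, so a local override placed in 1 to 999 takes precedence over the template without being touched by an apply.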

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.

If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Source or Destination
An IP address can specify a subnet - for example: 10.10.10.0/24 (IPv4) or fe80::204:23ff:fed8:4ba2/64 (IPv6).

To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Ports are available only for the protocols tcp, udp, and tcp/udp.

To allow any port, use 0.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the
dot notation. For example, A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).


Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-94.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.

These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and
ACLs.

Set Actions Fields


The Route Policy template’s SET actions determine where to direct traffic and what the fallback is when a tunnel is
down.

Where the appliance directs traffic

In the Destination field, you specify how to characterize the flow. The options are a specific overlay, auto-
optimized, pass-through [shaped], pass-through-unshaped, or dropped.

When auto-optimized, a flow is directed to the appropriate tunnel. If you choose, you can specify that the
appliance use metrics to dynamically select the best path based on one of these criteria:

load balancing

lowest loss

lowest latency

When configuring the Route Policy for an individual appliance when multiple tunnels exist to the remote
peer, you can also select the path based on a preferred interface or a specific tunnel. For further information,
see the Appliance Manager Operator’s Guide.

How traffic is managed if a tunnel is down

The Fallback can be pass-through [shaped], pass-through-unshaped, or dropped.

When configuring the Route Policy for an individual appliance, the continue option is available if a specific
tunnel is named in the Destination column. That option enables the appliance to read subsequent entries in
the individual Route Policy in the event that the tunnel used in a previous entry goes down. For further
information, see the Appliance Manager Operator’s Guide.


NAT Policies Template


Use this template to add NAT map rules to all the appliances that support Network Address Translation.

When to NAT
Two use cases illustrate the need for NAT:

 1. Inbound NAT. The appliance automatically creates a source NAT (Network Address Translation) map when
retrieving subnet information from the Silver Peak Cloud portal. This ensures that traffic destined to SaaS
servers has a return path to the appliance from which that traffic originated.


 2. Outbound NAT. The appliance and server are in the cloud, and the server accesses the internet. As in the
example below, a Citrix thin client accesses its cloud-based server, and the server accesses the internet.

For deployments in the cloud, best practice is to NAT all traffic — either inbound (WAN-to-LAN) or outbound (LAN-to-WAN), depending on the direction of the initiating request. This avoids black-holing that can result from cloud-specific IP addressing requirements.

Enabling NAT all applies NAT policies to pass-through traffic as well as optimized traffic, ensuring that black-holing doesn't occur. NAT all on outbound applies only to pass-through traffic.

If Fallback is enabled, the appliance moves to the next IP (if available) when ports are exhausted on the
current NAT IP.

In general, when applying NAT policies, configure separate WAN and LAN interfaces to ensure that NAT works
properly. You can do this by deploying the appliance in Router mode in-path with two (or four) interfaces.

Advanced Settings
The appliance can perform source network address translation (Source NAT or SNAT) on inbound or outbound
traffic.

There are two types of NAT policies:

Dynamic – created automatically by the system for inbound NAT when the SaaS Optimization feature is
enabled and SaaS service(s) are selected for optimization. The appliance polls the Silver Peak Unity Cloud
Intelligence service for a directory of SaaS services, and NAT policies are created for each of the subnets
associated with selected SaaS service(s), ensuring that traffic destined for servers in use by those SaaS
services has a return path to the appliance.

Manual – created by the administrator for specific IP addresses / ranges or subnets. When assigning priority
numbers to individual policies within a NAT map, first view dynamic policies to ensure that the manual
numbering scheme doesn't interfere with dynamic policy numbering (that is, the manually assigned priority
numbers cannot be in the range: 4000-5000). The default (no-NAT) policy is numbered 65535.

The NAT policy map has the following criteria and Set Actions:

Match Criteria
These are universal across all policy maps — Route, QoS, Optimization, NAT (Network Address
Translation), and Security.

If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List),
which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates > Access
Lists, and apply them across appliances.

The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS
application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.

To specify different criteria for inbound versus outbound traffic, select the Source:Dest checkbox.

Source or Destination
An IP address can specify a subnet - for example: 10.10.10.0/24 (IPv4) or fe80::204:23ff:fed8:4ba2/64 (IPv6).

To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Ports are available only for the protocols tcp, udp, and tcp/udp.

To allow any port, use 0.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the
dot notation. For example, A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).

Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-94.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.


These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and
ACLs.
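The Source/Destination and Wildcard-based Prefix Matching rules repeated for the QoS, Optimization, Route and NAT policy templates (CIDR for any address, 4-octet form for ranges and wildcards, one construct per octet, whole-octet wildcards only, and no CIDR mixed with a range or wildcard) are precise enough to implement. The following parser and matcher is an added example, not the appliance's own parser; it applies the rules to IPv4 and handles IPv6 in CIDR form only, and all addresses in it are sample values taken from or modelled on the text.

```python
"""Parser and matcher for the address forms accepted in policy match criteria.

Added example, not the appliance's parser.  Accepts plain CIDR (0.0.0.0/0 and
::/0 for "any"), or an IPv4 address in full A.B.C.D form whose octets may be
a literal, a range "lo-hi" or a whole-octet wildcard "*".  A wildcard may not
cover part of an octet (10.13* is rejected) and CIDR may not be mixed with
ranges or wildcards.  Range/wildcard matching is implemented for IPv4 only;
IPv6 entries are handled in CIDR or host form.
"""
import ipaddress
import re
from typing import Callable, List, Tuple

_OCTET_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")
Matcher = Callable[[str], bool]


def _parse_octet(octet: str) -> Tuple[int, int]:
    """Return the inclusive (low, high) bounds one octet pattern covers."""
    if octet == "*":
        return 0, 255
    if "*" in octet:
        raise ValueError(f"a wildcard must cover an entire octet: {octet!r}")
    m = _OCTET_RANGE.match(octet)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
    elif octet.isdigit():
        lo = hi = int(octet)
    else:
        raise ValueError(f"bad octet {octet!r}")
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet out of range: {octet!r}")
    return lo, hi


def parse_match_address(text: str) -> Matcher:
    """Compile a Source/Destination entry into a function ip_str -> bool."""
    text = text.strip()
    has_pattern = "*" in text or "-" in text
    if "/" in text and has_pattern:
        raise ValueError("CIDR and range/wildcard are mutually exclusive")
    if not has_pattern:
        net = ipaddress.ip_network(text, strict=False)   # host or CIDR, IPv4 or IPv6
        return lambda ip: ipaddress.ip_address(ip) in net
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError("range/wildcard addresses must use the 4-octet A.B.C.D form")
    bounds: List[Tuple[int, int]] = [_parse_octet(o) for o in octets]

    def match(ip: str) -> bool:
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            return False                                  # IPv6 never matches an IPv4 pattern
        return all(lo <= part <= hi for part, (lo, hi) in zip(addr.packed, bounds))
    return match


def is_valid_match_address(text: str) -> bool:
    """True when the entry obeys the prefix-matching rules above."""
    try:
        parse_match_address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for entry in ("10.136-137.*.64-95", "10.13*.*.64-95", "192.168.0.0/24", "192.168.0.1-127", "::/0"):
        print(f"{entry:22} valid={is_valid_match_address(entry)}")
```

Because a wildcard is expanded to the bounds 0 to 255 of its own octet, 10.13*.*.64-95 is rejected at parse time rather than silently matching something narrower, which is the failure mode the text warns about.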

Set Actions

Set Action / Option: Definition

NAT Type
    no-nat: The default. No IP addresses are changed.
    source-nat: Changes the source address and the source port in the IP header of a packet.

NAT Direction
    inbound: NAT is on the LAN interface.
    outbound: NAT is on the WAN interface.
    none: The only option if the NAT Type is no-nat.

NAT IP
    auto: Select if you want to NAT all traffic. The appliance then picks the first available NAT IP/Port.
    tunnel: Select if you only want to NAT tunnel traffic. Applicable only for inbound NAT, as outbound doesn't support NAT on tunnel traffic.
    [IP address]: Select if you want to make NAT use this IP address during address translation.

Fallback: If the IP address is full, the appliance uses the next available IP address.

When you select a specific IP, then ensure that the routing is in place for NAT-ted return traffic.
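The source-nat Set Action, the Fallback option (move to the next NAT IP when ports run out on the current one) and the manual priority rule from the Advanced Settings (never 4000 to 5000, with 65535 reserved for the default no-NAT policy) can be sketched together. This is an added illustration, not the appliance's NAT engine; the NAT IPs, port ranges and flows are constructed, and the reverse lookup is included because return traffic for a specific NAT IP has to be routable back, as the sentence above notes.

```python
"""Source NAT bookkeeping with the Fallback behaviour described above.

Added illustration, not the appliance's NAT engine.  Keeps a translation table
keyed by the original source (ip, port), hands out ports from the NAT IP in
use, and when that IP runs out of ports either moves to the next NAT IP
(Fallback enabled) or refuses the flow (Fallback disabled).  Also checks the
manual NAT-map priority rule from the page (never 4000-5000; 65535 is the
default no-NAT policy).  Addresses and port ranges are constructed.
"""
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


class SourceNatPool:
    def __init__(self, nat_ips: List[str], fallback: bool,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        if not nat_ips:
            raise ValueError("at least one NAT IP is required")
        self.nat_ips = list(nat_ips)
        self.fallback = fallback
        self.lo, self.hi = port_range
        self.next_port: Dict[str, int] = {ip: self.lo for ip in self.nat_ips}
        self.table: Dict[Endpoint, Endpoint] = {}   # original -> translated
        self.current = 0                             # index of the NAT IP in use

    def translate(self, src: Endpoint) -> Endpoint:
        """Return the (nat_ip, nat_port) for a flow, allocating on first sight."""
        if src in self.table:
            return self.table[src]
        while True:
            ip = self.nat_ips[self.current]
            port = self.next_port[ip]
            if port <= self.hi:
                self.next_port[ip] = port + 1        # simple counter; ports are not reused here
                self.table[src] = (ip, port)
                return self.table[src]
            # Ports exhausted on the current NAT IP.
            if not self.fallback or self.current + 1 >= len(self.nat_ips):
                raise RuntimeError(f"NAT ports exhausted on {ip}"
                                   + ("" if self.fallback else " and Fallback is disabled"))
            self.current += 1                        # Fallback: move to the next IP

    def reverse(self, translated: Endpoint) -> Endpoint:
        """Map a return packet's destination back to the original source."""
        for orig, nat in self.table.items():
            if nat == translated:
                return orig
        raise KeyError(translated)


def can_translate(pool: SourceNatPool, src: Endpoint) -> bool:
    """True if the pool accepts the flow, False once ports are exhausted."""
    try:
        pool.translate(src)
        return True
    except RuntimeError:
        return False


NAT_RESERVED_RANGE = (4000, 5000)   # dynamic (SaaS) policies live here, per the page
NO_NAT_DEFAULT_PRIORITY = 65535     # default no-NAT policy, per the page


def is_valid_manual_priority(priority: int) -> bool:
    lo, hi = NAT_RESERVED_RANGE
    return 1 <= priority < NO_NAT_DEFAULT_PRIORITY and not lo <= priority <= hi


if __name__ == "__main__":
    # Constructed: two NAT IPs with a deliberately tiny port range to force Fallback.
    pool = SourceNatPool(["203.0.113.10", "203.0.113.11"], fallback=True, port_range=(40000, 40001))
    for src in (("10.0.0.1", 5000), ("10.0.0.2", 5000), ("10.0.0.3", 5000)):
        print(src, "->", pool.translate(src))
```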

Merge / Replace
At the top of the page, choose

Merge to use the values in the template, but keep any values set on the appliance as is (producing a mix of template
and appliance rules),

-OR-

Replace (recommended) to replace all values with those in the template.


Threshold Crossing Alerts Template


Threshold Crossing Alerts (TCAs) are preemptive, user-configurable alarms triggered when specific thresholds
are crossed.

They alarm on both rising and falling threshold crossing events (i.e., floor and ceiling levels). For both levels, one
value raises the alarm, while another value clears it.


ON by default:
Appliance Capacity - triggers when an appliance reaches 95% of its total flow capacity. It is not configurable
and can only be cleared by an operator.

File-system utilization - percent of non-Network Memory disk space filled by the appliance. This TCA cannot
be disabled.

Tunnel latency - measured in milliseconds, the maximum latency of a one-second sample within a 60-second span

OFF by default:
LAN-side receive throughput - based on a one-minute average, the LAN-side receive TOTAL for all
interfaces

WAN-side transmit throughput - based on a one-minute average, the WAN-side transmit TOTAL for all
interfaces

TCAs based on an end-of-minute count:

Total number of flows

Total number of optimized flows

TCAs based on a one-minute average:

Tunnel loss pre-FEC

Tunnel loss post-FEC

Tunnel OOP pre-POC

Tunnel OOP post-POC

Tunnel reduction

Tunnel utilization (based on percent of configured maximum [system] bandwidth)

TCA Metrics
Times to Trigger — A value of 1 triggers an alarm on the first threshold crossing instance. The default sampling
granularity (or rate or interval) is one minute.

This table lists the metrics of each type of threshold crossing alert:

Metrics for Threshold Crossing Alerts

TCA Name (Unit): Metric

Appliance Level
WAN-side transmit throughput (kbps): Minute average, WAN-side transmit TOTAL for all interfaces
LAN-side receive throughput (kbps): Minute average, LAN-side receive TOTAL for all interfaces
Total number of optimized flows (flows): End of minute count
Total number of flows (flows): End of minute count
File-system utilization (%, non-Network Memory): End of minute count

Tunnel Level
Tunnel latency (msec): Second-sampled maximum latency during the minute
Tunnel loss pre-FEC (1/10th %): Minute average
Tunnel loss post-FEC (1/10th %): Minute average
Tunnel OOP pre-POC (1/10th %): Minute average
Tunnel OOP post-POC (1/10th %): Minute average
Tunnel utilization (% of configured bandwidth): Minute average
Tunnel reduction (%): Minute average
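The alarm behaviour described for TCAs (a rising ceiling and a falling floor, each with one value that raises the alarm and another that clears it, and Times to Trigger consecutive crossings before raising) is a hysteresis state machine over one-minute samples. The following is an added example, not the appliance's alarm code; the threshold values and the per-minute sample series for Tunnel latency and Tunnel reduction are constructed.

```python
"""Threshold Crossing Alert evaluation with raise/clear hysteresis.

Added example, not the appliance's alarm code.  A Threshold is either a
ceiling (rising: alarm when a sample reaches raise_at, clear when it drops
back to clear_at) or a floor (falling: alarm when a sample drops to raise_at,
clear when it recovers to clear_at).  Times to Trigger consecutive crossings
are required before the alarm raises.  Samples arrive at the default
one-minute granularity; all thresholds and sample series are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Threshold:
    raise_at: float            # crossing this raises the alarm
    clear_at: float            # returning to this clears it (hysteresis gap)
    rising: bool               # True: ceiling (value >= raise_at); False: floor (value <= raise_at)
    times_to_trigger: int = 1  # consecutive crossings needed (1 = first crossing raises)
    alarm: bool = field(default=False, init=False)
    crossings: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        ok = self.clear_at <= self.raise_at if self.rising else self.clear_at >= self.raise_at
        if not ok:
            raise ValueError("clear value must lie on the non-alarm side of the raise value")

    def crossed(self, value: float) -> bool:
        return value >= self.raise_at if self.rising else value <= self.raise_at

    def cleared(self, value: float) -> bool:
        return value <= self.clear_at if self.rising else value >= self.clear_at

    def update(self, value: float) -> Optional[str]:
        """Feed one sample; return 'RAISE', 'CLEAR' or None."""
        if not self.alarm:
            if self.crossed(value):
                self.crossings += 1
                if self.crossings >= self.times_to_trigger:
                    self.alarm = True
                    return "RAISE"
            else:
                self.crossings = 0          # only consecutive crossings count
            return None
        if self.cleared(value):             # values between clear and raise keep the alarm
            self.alarm = False
            self.crossings = 0
            return "CLEAR"
        return None


@dataclass
class Tca:
    name: str
    unit: str
    thresholds: List[Threshold]

    def run(self, samples: List[float]) -> List[str]:
        """Return 'minute:RAISE/CLEAR name kind (value unit)' events for a sample series."""
        events = []
        for minute, value in enumerate(samples, start=1):
            for th in self.thresholds:
                ev = th.update(value)
                if ev:
                    kind = "rising" if th.rising else "falling"
                    events.append(f"{minute}:{ev} {self.name} {kind} ({value} {self.unit})")
        return events


def sample_latency_tca() -> Tca:
    # Constructed: Tunnel latency (msec), ceiling 200 ms for two consecutive minutes, clear at 150 ms.
    return Tca("Tunnel latency", "msec",
               [Threshold(raise_at=200, clear_at=150, rising=True, times_to_trigger=2)])


def sample_reduction_tca() -> Tca:
    # Constructed: Tunnel reduction (%), floor at 20% reduction, clear once back at 30%.
    return Tca("Tunnel reduction", "%",
               [Threshold(raise_at=20, clear_at=30, rising=False)])


LATENCY_SAMPLES = [210, 190, 210, 220, 160, 140]   # constructed per-minute maxima (msec)
REDUCTION_SAMPLES = [45, 25, 15, 28, 35]           # constructed per-minute averages (%)

if __name__ == "__main__":
    print(sample_latency_tca().run(LATENCY_SAMPLES))
    print(sample_reduction_tca().run(REDUCTION_SAMPLES))
```

In the latency series the single 210 ms minute is not enough with Times to Trigger set to 2 and the count resets at 190 ms, so the alarm raises only at minute 4; the 160 ms reading at minute 5 is above the clear value and keeps the alarm up until minute 6.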


SaaS Optimization Template


Use this template to select the SaaS applications/services you want to optimize.

To use this template, your Silver Peak appliance must be registered with an Account Name and Account Key for
the SaaS optimization feature.

SaaS optimization requires three things to work in tandem: SSL (Secure Socket Layer), subnet sharing, and
Source NAT (Network Address Translation).

Enable SaaS optimization enables the appliance to contact Silver Peak's Unity Cloud Intelligence Service and
download information about SaaS services.

If Advertise is selected for a service (for example, SFDC), the appliance will:

Ping active SaaS subnets to determine RTT/metric

Add subnet sharing entries locally for subnets within RTT threshold

Advertise subnets and their metric (within threshold) via subnet sharing to client-side
appliances

Upon seeing an SFDC flow, generate a substitute certificate for an SFDC SSL domain (one substitute certificate per domain)

Auto-generate dynamic NAT rules for SFDC (but not for unchecked services)

When Optimize is selected for a service (for example, SFDC), the appliance will:

Ping active SFDC subnets to determine the RTT (metric)

Not advertise the metric via subnet sharing (unless Advertise is also selected)

Receive the subnet sharing metric (RTT) from associated appliances

Compare its own RTT (local metric) with the advertised metric:

If its own RTT is lower, then the packet is sent pass-through (direct to the SaaS server).

If an advertised RTT is lower, then the packet is tunnelized.

Generate a substitute certificate for an SFDC SSL domain (one substitute certificate per domain)

Create no NAT rules

When Optimize is not selected for a service (for example, SFDC), the appliance:

Receives subnet sharing advertisements for SFDC but doesn't use them

Does no pinging for RTT calculation

Does not participate in SSL

Creates no NAT rules

Sends all SFDC traffic as pass-through

The RTT Calculation Interval specifies how frequently Orchestrator recalculates the Round Trip Time for the
enabled Cloud applications.

The RTT Ping Interface specifies which interface to use to ping the enabled SaaS subnets for Round Trip Times. The
default interface is wan0.

TIPS
Initially, you may want to set a higher RTT Threshold value so that you can see a broader scope of reachable
data centers/servers for any given SaaS application/service.

If the Monitoring page shows no results at 50 ms, you may want to reposition your SaaS gateway
(advertising appliance) closer to the service.
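As an added example that is not part of this guide or Silver Peak's code, the following Python models the Advertise and Optimize behaviour described above: a gateway appliance advertises only the subnets within the RTT Threshold, and a client appliance compares its own RTT with the advertised metric to choose pass-through or tunnel. Function names, the sample RTT values and the tie-break rule are assumptions.

```python
# Added example, not Silver Peak code: the SaaS optimization path decision
# described in the guide. Function names and the tie-break are assumptions.


def advertise_subnets(measured_rtt_ms, rtt_threshold_ms):
    """Advertise-enabled (gateway) appliance: after pinging each active SaaS
    subnet, keep only those within the RTT Threshold. The result is what it
    adds to local subnet sharing and advertises to client-side appliances."""
    return {subnet: rtt for subnet, rtt in measured_rtt_ms.items()
            if rtt <= rtt_threshold_ms}


def choose_path(subnet, local_rtt_ms, advertisements, optimize=True):
    """Client-side appliance decision for one SaaS subnet.

    advertisements maps gateway name -> {subnet: advertised RTT in ms}.
    Returns ("pass-through", None) or ("tunnel", gateway_name).
    """
    if not optimize:
        # Service unchecked: advertisements are received but not used, no
        # RTT pinging, and all traffic for the service goes pass-through.
        return ("pass-through", None)
    best_gateway, best_rtt = None, None
    for gateway, metrics in advertisements.items():   # lowest advertised RTT wins
        rtt = metrics.get(subnet)
        if rtt is not None and (best_rtt is None or rtt < best_rtt):
            best_gateway, best_rtt = gateway, rtt
    # Own RTT lower (or nothing advertised): send direct to the SaaS server.
    # A tie is treated as "own RTT not higher" here; the guide does not say.
    if best_rtt is None or local_rtt_ms <= best_rtt:
        return ("pass-through", None)
    return ("tunnel", best_gateway)


def plan_paths(client_rtt_ms, advertisements, optimize=True):
    """Decide the path for every subnet the client appliance has pinged."""
    return {subnet: choose_path(subnet, rtt, advertisements, optimize)
            for subnet, rtt in client_rtt_ms.items()}


# Constructed sample data (documentation prefixes, not real SaaS subnets).
GATEWAY_RTT_MS = {"203.0.113.0/24": 12.0, "198.51.100.0/24": 48.0, "192.0.2.0/24": 130.0}
CLIENT_RTT_MS = {"203.0.113.0/24": 40.0, "198.51.100.0/24": 20.0, "192.0.2.0/24": 60.0}


def demo(rtt_threshold_ms=50.0):
    """Gateway advertises within the threshold; client compares to its own pings."""
    advertisements = {"sfdc-gateway": advertise_subnets(GATEWAY_RTT_MS, rtt_threshold_ms)}
    return plan_paths(CLIENT_RTT_MS, advertisements)


if __name__ == "__main__":
    for subnet, (path, via) in demo().items():
        print(f"{subnet}: {path}" + (f" via {via}" if via else ""))
```

Raising the threshold in demo() widens what the gateway advertises, which is the effect the first TIP above describes, but the client still tunnels only where the advertised RTT beats its own.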


Security Policies Template


Use this page to set up security policies, also known as zone-based firewalls.

Zones are created on the Orchestrator and applied to an Interface.

By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with
different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces
with different zones.

When you create an interface, it is assigned the Default zone.

If you create a new zone and assign it to an interface, all traffic between that interface and the rest of the interfaces
(which are still in the Default zone) is dropped. This implies that zone creation and assignment to interfaces
should be performed during a planned network maintenance window.

You can also assign a zone label to an Overlay. On a brand new system, all overlays are assigned the Default zone.

Traffic between an Interface and an Overlay follows the same rules as traffic between Interfaces or two Overlays;
traffic is allowed between zones with the same label, and any traffic between different zones is dropped. Users can
create Security Policies to allow traffic between different zones.

Implicit Drop Logging


Implicit Drop Logging allows you to configure the logging level for implicit zone-based firewall drops. By default, the
implicit zone-based firewall drop applies to inter-zone traffic. For example, if all zone_x to zone_y traffic is left at the
default Deny All (the red cells in the matrix), that traffic is dropped by the zone-based firewall engine.

Select one of the following levels for the Implicit Drop Logging from the list: None, Emergency, Alert, Critical, Error,
Warning, Notice, Info, or Debug.

NOTE  The default logging level is Alert.

Template
Complete the following steps to create a Security Policies Template:

 1. Create zone names in Configuration > Overlays > Firewall Zones.

 2. Create security policies to define exceptions.

To edit or add a rule, select the desired square in the matrix, and when the Edit Rules pop-up appears, make
the desired changes.

 3. Select the edit icon in the Match Criteria column and the Match Criteria pop-up appears. Make the desired
changes.


You can select More Options to customize your rules. Check the box next to the specific match criteria and select
your desired changes from the list.

 4. Select Save.

Wildcard-based Prefix Matching


When using a range or a wildcard, the IPv4 address must be specified in four-octet dotted notation. For example,
A.B.C.D.

Range is specified using a dash. For example, 128-129.

Wildcard is specified as an asterisk (*).

Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For
example, 10.136-137.*.64-95.

A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The
correct way to specify this range is 10.130-139.*.64-94.

The same rules apply to IPv6 addressing.

CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either
192.168.0.0/24 or 192.168.0.1-127.

These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and
ACLs.
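The following Python, an added example that is not Silver Peak code, models the range/wildcard address syntax above together with the zone matrix described under Security Policies Template: same-zone traffic is allowed, inter-zone traffic is dropped unless an exception rule with matching source and destination prefixes allows it, and implicit drops are logged at the configured level (Alert by default). It covers IPv4 only; the class names, rule structure and log-line format are assumptions.

```python
import ipaddress
import re

# Added example, not Silver Peak code: a matcher for the Orchestrator
# range/wildcard address syntax plus a zone-based firewall that uses it.
# IPv4 only; the class, method and log-line formats are assumptions.

LOG_LEVELS = ("None", "Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug")


class PrefixPattern:
    """CIDR ("192.168.0.0/24") or four dotted octets, each a value,
    a range ("128-129") or a whole-octet wildcard ("*")."""

    def __init__(self, text):
        self.text = text
        has_cidr = "/" in text
        has_range_or_wildcard = "-" in text or "*" in text
        if has_cidr and has_range_or_wildcard:
            # CIDR and (range or wildcard) are mutually exclusive
            raise ValueError(f"{text}: use either CIDR or range/wildcard, not both")
        if has_cidr:
            self.network = ipaddress.ip_network(text, strict=False)
            self.octets = None
            return
        parts = text.split(".")
        if len(parts) != 4:
            raise ValueError(f"{text}: range/wildcard form needs four octets (A.B.C.D)")
        self.network = None
        self.octets = [self._parse_octet(part, text) for part in parts]

    @staticmethod
    def _parse_octet(part, text):
        """Inclusive (low, high) bounds accepted by one octet pattern."""
        if part == "*":
            return (0, 255)
        if "*" in part:
            # A wildcard must define an entire octet, so "13*" is rejected
            raise ValueError(f"{text}: wildcard must be a whole octet, got {part!r}")
        match = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", part)
        if not match:
            raise ValueError(f"{text}: bad octet {part!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"{text}: octet range {part!r} reversed or out of bounds")
        return (low, high)

    def matches(self, address):
        """True if the IPv4 address string falls inside this pattern."""
        addr = ipaddress.ip_address(address)
        if addr.version != 4:
            return False
        if self.network is not None:
            return addr in self.network
        return all(low <= octet <= high
                   for octet, (low, high) in zip(addr.packed, self.octets))


class ZoneFirewall:
    """Zone matrix: same-zone traffic allowed; inter-zone traffic dropped
    unless an exception rule (security policy) matches. Zone labels can
    belong to interfaces or overlays; only the labels matter here."""

    def __init__(self, implicit_drop_logging="Alert"):
        if implicit_drop_logging not in LOG_LEVELS:
            raise ValueError(f"unknown logging level {implicit_drop_logging!r}")
        self.log_level = implicit_drop_logging  # "Alert" is the documented default
        self.exceptions = []                    # checked in order; first match wins
        self.log = []                           # implicit-drop log lines (constructed)

    def add_exception(self, src_zone, dst_zone, src_prefix, dst_prefix):
        """Allow src_zone -> dst_zone flows whose addresses match both patterns."""
        self.exceptions.append((src_zone, dst_zone,
                                PrefixPattern(src_prefix), PrefixPattern(dst_prefix)))

    def decide(self, src_zone, dst_zone, src_ip, dst_ip):
        """Return "allow" or "drop" for one flow between two zone labels."""
        if src_zone == dst_zone:
            return "allow"                      # same label: allowed by default
        for rule_src, rule_dst, src_pat, dst_pat in self.exceptions:
            if (rule_src == src_zone and rule_dst == dst_zone
                    and src_pat.matches(src_ip) and dst_pat.matches(dst_ip)):
                return "allow"
        if self.log_level != "None":            # implicit drop from the red matrix cell
            self.log.append(f"{self.log_level}: implicit drop "
                            f"{src_zone}->{dst_zone} {src_ip}->{dst_ip}")
        return "drop"
```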


CLI Template
Use this template to enter any sequence of Command Line Interface (CLI) commands.

Enter each CLI command on a new line.


Session Management Template


Use this page to configure access to the web server.

Auto Logout ends your web session after the specified minutes of inactivity.

If the number of Max Sessions is exceeded, there are two possible consequences:

You'll get a message that the browser can't access the appliance.

Since Orchestrator must create a session to communicate with the appliance, it won't be able to
access the appliance.

Although Web Protocol defaults to Both for legacy reasons, Silver Peak recommends that you select HTTPS
for maximum security.


Apply Template Groups


Use this page to add or remove templates from appliances.

If multiple template groups are applied to an appliance, the order in which they're applied determines which
template 'wins'. Templates applied later (lower on the apply order list) will overwrite any conflicting templates
applied earlier.

Drag templates up or down to reorder the list.

Orchestrator automatically applies any changed templates to the associated appliances.


Management Services Template


Use this template to apply modifications made to your Management Services globally, whether segmentation is enabled
or disabled. Any is the default Interface for the Source IP address; you can change it to any interface you have
previously configured in the Management Services tab. To modify the interface, click Any in the table. For more
information about Management Services, refer to the Management Services tab.


Route Redistribution Template


To use this template, you must have your route maps configured for SD-WAN, BGP, or OSPF. See the Routes
tab for more details about configuring and defining rules for your route maps.

Merge and Replace

If you select Merge, new maps are added to the existing maps. If a map already exists, the new map is matched against
the appliance rules within the Orchestrator range; rules that do not match are appended to the existing rules. Replace
takes the new maps and replaces all existing maps, and does not include the rules that match outside of the configured
range.

Complete the following steps to redistribute a route map.

 1. Select the direction of traffic you want to redistribute your routes to: SD-WAN Fabric, BGP Inbound and
Outbound, or OSPF.

 2. Once selected, click Add Map.

 3. Enter a Map Name and click Add.

 4. Select Add Rule. The Add Rule window opens.

In this window, you define the rules applied to your route map, which includes the Match Criteria and the Set
Actions. Each route map has a match command and set command. The match command verifies the
attributes of the original route the protocol supports and the set command modifies information that is
redistributed into the target protocol.

NOTE  You can apply 128 rules per map.

 5. Click Add.


Cloud Services
This section includes the various cloud services Silver Peak offers.


Microsoft Azure Virtual WAN


Microsoft Azure optimizes routing, automates large-scale connectivity from your branches to Azure workloads,
and provides unified network and policy management within Orchestrator. Use Azure for a single WAN circuit
deployment or for branch-to-branch connectivity by configuring virtual WANs with their associated hubs.

Before you begin Microsoft Azure Virtual WAN configuration in Orchestrator, you need to use the Azure Virtual WAN
portal to authenticate and authorize Orchestrator in Azure. You need to create a service principal, which is a
single-tenant application that runs within only one organization. Select the following link to get started:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.

Azure Prerequisites
 1. Create an Application in Azure and get the following Subscription details from the Azure Active Directory:

Subscription ID

Tenant (Directory) ID

Application (Client) ID

Client Secret Key

 2. Create a storage account in Azure and get the following:

Storage Account Name

Storage Access Key

 3. Create a resource group

 4. Create Azure Virtual WANs with Hubs from your resource groups

Orchestrator Prerequisites
Complete the following tasks in Orchestrator:

 1. Configure a VTI IP Pool

Enter a valid IPv4 Subnet

NOTE  This is a unique address across the network. VTI interfaces created for Azure integration will
be selected from this pool.

INFO  The Azure VTI interface zone is set to the WAN interface zone. Any change in deployment for the
WAN interface zone is applied to the Azure VTI as well.


WARNING  Any change to the VTI pool once configured is network affecting. This operation should
be performed during a maintenance window, as it can take several hours for some Cloud services to
complete.

 2. Configure BGP ASN Global Pool

Enter the start and end ranges for ASNs

Add any reserved ASNs to exclude from being applied to appliances

NOTE  If not previously enabled, Orchestrator enables BGP.

Orchestrator Configuration
Once the above configuration is complete, navigate to the Microsoft Azure Virtual WAN tab in Orchestrator. There
are four icons at the top of the table that complete the Azure and Orchestrator integration: Subscription, Interface
Labels, Appliance to Virtual WAN Associate, and Tunnel Settings.

To begin, select the Subscription icon.

Subscription

 1. Enter the information in the Subscription fields that reflect your Azure portal account.

 2. Select Save once you have completed entering the information in the table below. The Azure field should
reflect Connected.

The following table represents the values in the Subscription window from the Azure portal.

Field Definition

Azure Reachability This field displays the connection status of your account with Azure.
Subscription ID The ID of your subscription.
Tenant ID The name of your Azure AD tenant.
Client ID The client ID of your Azure application.
Client Secret Key The secret key of your Azure application.
Storage Account Name The name of your storage account.
Storage Account Key The storage account key.
Storage URL The storage account URL.*
Configuration Polling Interval How often Azure data is updated. The default is every one minute.

*Storage URL


The Storage URL is present in the Storage Accounts tab in your Azure portal. Complete the following steps to obtain
your storage account URL.

 1. Once your storage account is created in Azure, create a blob container.

 2. Get the blob container URL.

 3. Suffix the URL with a slash and add a file name in the Storage URL field.

NOTE  Append the URL with a slash for the file name. Do not end the URL with a slash.

Interface Labels

Select the order you want your interface labels to be used.

 1. Select the Interface Labels tab. The Build Tunnels Using These Interfaces dialog displays.

 2. Drag the Interface labels you want to use into the Preferred Interface Label Order column.

 3. Select Save.

Associate Appliance to Virtual WAN

Each appliance is associated with one virtual WAN. Use this tab to add specific sites to, or remove them from, your virtual WANs.

 1. Select the Associate Appliance to Virtual WAN icon.

 2. Select an appliance from the tree in the left menu.

 3. Check the box to add the appliance to, or remove it from, your virtual WAN in Azure.

 4. Click Save.

Tunnel Settings

The Tunnel Settings tab defines the tunnels associated with Azure and Orchestrator. The tunnel settings are set
using the default VPN configuration parameters received from virtual WAN APIs located in your Azure portal
account.

In your Azure Portal Account, navigate to the Azure Configuration table. This table displays the VPN site created for
Orchestrator appliances associated to Azure virtual WANs. Additionally, manually associate sites to your hubs in
Azure.

 1. Navigate to Azure Virtual WAN.

 2. Select Azure VPN site.

 3. Select New Hub Association.


Verification
The Tunnel page shows that Orchestrator has an established connection with Azure by displaying a
tunnel status of up - active.

For more information regarding Azure configuration, visit the following link: https://docs.microsoft.com/en-
us/azure/virtual-wan/virtual-wan-site-to-site-portal


Works with Office 365


Ensure your overlays have the following options configured to preserve the Works with Office 365 default
applications. The table below indicates the default overlays, applications, and preferred policy order configured in
the Business Intent Overlays tab within Orchestrator. The overlay name indicated in the table below is the default
that ships with Orchestrator. This can be modified with user configuration.

Use Cases
Single WAN circuit

Branch to Branch Connectivity

NOTE  However, Skype for Business, SharePoint Online, and Office 365 Exchange must break out locally.

Overlay | Application | Preferred Policy Order (Breakout Traffic to Internet & Cloud Services) | What it Matches
Real-Time | Skype for Business | | Microsoft Office 365 Optimize and Allow categories for the respective applications.
CriticalApps | SharePoint Online, Office 365 Exchange | | Microsoft Office 365 Optimize and Allow categories for the respective applications.
Default | For everything | Any policy order except "Drop" | Matches Microsoft Office 365 Default categories, Office365Common applications. NOTE  Do not specify other individual Office applications in this group or overlay.

For more information regarding Works with Office 365 applications, navigate to
https://techcommunity.microsoft.com and search for the Office 365 blog.


Zscaler Internet Access


Zscaler Internet Access is a cloud security service. Silver Peak EdgeConnect traffic can be service chained to Zscaler
for additional security inspection.

Field Definition

Appliance The name of the appliance you want to connect with Zscaler.
Interface Label The name of the interfaces you want to connect with Zscaler.
VPN Credentials and Location Status The VPN credentials and location status of your subscription with Zscaler.
Gateway Options The optional add-on that allows you to configure sub-locations and various rules for your sub-locations.
Zscaler ZENS Zscaler Enforcement Nodes: the Zscaler endpoints where the tunnels connect. The discovered ZENs in this column are populated based on the appliance's geographical location.

Before you begin Zscaler configuration, you need to create a Zscaler account and ensure you have an established
connection with Zscaler.

NOTE  This section represents automated configuration of IPsec, IKE, and GRE tunnels from EdgeConnect to the
Zscaler cloud. Refer to the Zscaler-Silver Peak IPsec Integration Guide: Manual Mode and the Zscaler-Silver Peak
GRE Integration Guide: Manual Mode if you want to manually configure the tunnels with the Zscaler cloud.

Subscription

 1. Go to https://help.zscaler.com/zia/sd-wan-api-integration.

 2. Once you have completed the steps in the above URL to configure your Zscaler account, navigate to the
Zscaler Internet Access tab in Orchestrator.

 3. Select the Subscription tab to get started with Zscaler.

 4. Enter the information in the Subscription fields that reflect your Zscaler account.

 5. Select Save once you have completed entering the information in the table below. The Zscaler field should
reflect Connected.

The following table represents the values in the Subscription window.

Field Definition

Zscaler This field displays whether you are connected or not connected to your Zscaler account.
Zscaler Cloud The Zscaler cloud URL. Ex: admin.zscalerthree.net
Partner Username The partner administrator user name you created when configuring Zscaler.
Partner Password The partner administrator password you created when configuring Zscaler.
Partner Key The partner key you created when configuring your Zscaler account. Select Silver Peak from the list of partners.
Domain The domain provisioned in Zscaler for your enterprise.

Tunnel Settings

The Tunnel Settings tab helps you define the tunnels associated with Zscaler and Silver Peak EdgeConnect. Use the
Zscaler defaults for Tunnel Settings defined by the system.

NOTE  You can configure General, IKE, and IPsec tunnel settings. The settings are automatically generated;
however, you can edit if you want to do so.

Interface Labels

Select the Primary label you want your traffic to go to. Backup labels will be used as the second option if the
primary is unreachable.

 1. Select the Interface Labels tab. The Build Tunnels Using These Interfaces dialog displays.

 2. Drag the Interface labels you want to use into the Preferred Interface Label Order column.

 3. Select Save.

WARNING  This is service affecting. Any change to the interface selection may cause previously built tunnels to be
deleted and rebuilt.

ZEN Override

You can use the ZEN Override if you want to override the automatically selected ZEN pair for specific sites. You
have the option to add this exception to one or more sites within your network.

 1. Select the ZEN Override tab.

 2. Enter the appliance name, the interface label, and the Primary and Secondary IP addresses. Orchestrator will
build tunnels to those ZENS.

Field Definition

Appliance The appliance for which the Zscaler ZENs are overridden.
Interface Label The interface label from which tunnels are built.
Primary IP The IP address of the primary Zscaler ZEN.
Secondary IP The IP address of the secondary Zscaler ZEN.

Gateway Options


Use this tab to configure gateway options and rules for Zscaler sublocations. Orchestrator uses location and sub-
locations to better define a branch site in the Zscaler cloud. Sub-locations are LAN-side segments within each branch
and can be identified by LAN interfaces, zones, or a collection of LAN subnets. Click Gateway Options to begin
configuration, if you choose to enable this add-on.

Zscaler Gateway Options

This window allows you to configure sub-locations and their rules.

 1. Click Add.

 2. Enter a Rule Name in the Rule Name field.

WARNING  If two rules have the same sub-location name or IP address, Orchestrator picks the first match
and considers the order of the rules.

 3. Enter a location by entering an appliance name, region, or group in the Appliances field.

 4. Enter the WAN label in the Location Label field.

If you check Sub-location:

 1. Enter the sub-location name in the Name field.

 2. Enter the subnet address (LAN label, Firewall Zone, or subnet) in the Subnets field.

 3. Click Save.

NOTE  Sub-locations can be applied to all WAN links chosen under Zscaler Internet Access > Interface setting.

Check Show Sub-Locations and the sub-locations configured in the Gateway options appear in the Zscaler table.

Enabling Zscaler
Lastly, you need to enable the Zscaler service.

 1. Go to the Business Intent Overlay tab in Orchestrator.

 2. Select the overlay that breaks out traffic to Zscaler.

 3. Drag Zscaler Cloud from the Policies column to the Preferred Policy Order column.

Verification
You can first verify Zscaler has been deployed in the BIO (Business Intent Overlay) tab. Once Zscaler Internet
Access is configured and the Zscaler policy is applied successfully in the BIO, deployment begins automatically. Go
to the Zscaler Internet Access tab to verify deployment was successful.

You can also verify your Zscaler tunnels have been successfully deployed in the Tunnels tab. Zscaler tunnels should
be listed in the Passthrough Tunnel column with a green status of up - active.

Please note the following:

Zscaler is applied to all your EdgeConnect appliance's associated overlays that have the Zscaler policy
enabled.

Only IPsec mode is supported for Zscaler.


AWS Transit Gateway Network Manager


Orchestrator now supports association with Amazon Web Services (AWS) and its Transit Gateway Network Manager.
Orchestrator builds an AWS Site-to-Site VPN, which enables you to securely connect your on-premises network or
branch office site to your Amazon Virtual Private Cloud (Amazon VPC).

Before you begin the AWS Transit Gateway Network Manager configuration in Orchestrator, you need to create an
AWS account to authenticate and authorize Orchestrator in the AWS application. Then complete the following
prerequisites for the AWS Transit Gateway Network Manager.

Prerequisites for AWS Transit Gateway Network Manager


Ensure you have completed the following tasks in AWS console prior to Orchestrator configuration:

Navigate to the Identity and Access Management (IAM) under Services to create a user profile with
permissions for Orchestrator

Navigate to the Virtual Private Cloud (VPC) Dashboard and configure your Transit Gateways for desired
regions

Navigate to Network Manager from the VPC Dashboard under Transit Gateways to create a Global
Network

Associate your Transit Gateways to your Global Network

Create a User Profile in AWS


Complete the following steps to create a user profile in AWS.

 1. Sign in to AWS and navigate to the Identity and Access Management (IAM) service (Services > Security,
Identity, & Compliance > IAM).

 2. Click User in the left menu under Access Management.

 3. Click Add User.

 4. Enter a user name in the User name field.

 5. Choose the Access Type: Either Programmatic Access or AWS Management Console Access.

NOTE  For seamless integration with Orchestrator, you will need to choose Programmatic Access to obtain
the Access Key ID and the Secret Access Key.

 6. Click Next: Permissions.

 7. Set the Permissions for your user on this page. You can do this in one of three ways:

Adding a user to your group: The user inherits the permissions assigned to the group.

Copying permissions from an existing user: Copy permissions from an existing user in AWS and
assign them to the user you want.

Attaching existing policies directly: Attach a file containing the permissions and assign it to the user.

 8. Assign optional tags for your user. If you choose to add a tag, complete the steps:

 a. Enter a key: This represents the name of your tag.

 b. Enter a value: Enter text that you want the key/tag to represent.

INFO  Tags allow you to provide additional information regarding your user or group for tracking and
organizational purposes. You can have a total of 50 tags.

 9. Select Next: Review. This page displays a review of the profile you just created for the user. The User
Details, Permissions Summary, and additional information such as tags are shown.

 10. Select Create User. The page should now show a success message, along with the Access Key ID
and the Secret Access Key associated with your configured user.

Create Transit Gateways


Next, you need to create transit gateways to associate with your AWS Network Manager. Transit Gateways
represent the tunnels in the various regions that allow connectivity to AWS. Complete the following steps to
create your gateways.

 1. Navigate to the Virtual Private Cloud (VPC) Dashboard (Services > Networking & Content Delivery).

 2. Click Transit Gateways, under Transit Gateways in the left menu.

 3. Click Create Transit Gateways. You will create transit gateways and apply them to the various regions in
AWS.


 4. Fill in the following fields to create your transit gateways.

Field Description

Name Tag Enter a name that represents your transit gateway.
Description Enter a description to help identify your transit gateway. This is the description for the above Name Tag.
Amazon side ASN The Autonomous System Number that represents your transit gateways in AWS. You can use an existing ASN assigned to your global network or a private ASN. See the range limitations in AWS.
DNS Support Check this box if you want to enable Domain Name System support for your VPC within your Transit Gateways.
VPN ECMP support Check this box if you want to enable Equal Cost Multi-Path routing support in your Transit Gateways. This allows traffic with the same source and destination to be sent across multiple paths.
Default Route Table Association Check this box if you want to automatically associate other Transit Gateways to the route table that this one is using.
Default Route Propagation Check this box if you want to automatically create other Transit Gateways with this same route table.
Auto-accept shared attachments Check this box if you want your transit gateways to automatically accept attachments shared from different accounts.

 5. Click Create Transit Gateway and a success message should display along with your Transit Gateway ID.

Create a Network Manager


Once you have created your Transit Gateways and associated them with the required regions, you need to create a
Global Network in AWS. A Global Network hosts your specified transit gateways and is managed by the AWS Network
Manager.

 1. Navigate to the VPC Dashboard.

 2. Click Network Manager under Transit Gateways.

 3. Click Create Global Network.

 4. Enter a Name and Description for your Global Network.

 5. Click Create.

Orchestrator Configuration
When you have completed the AWS Prerequisites, navigate to the AWS Transit Gateway Network Manager tab in
Orchestrator. There are five icons at the top of the table that are used to complete the AWS and Orchestrator
integration: Subscription, Interface Labels, Appliance to Virtual WAN Associate, Tunnel Settings, and VTI
Subnet.

To begin, select the Subscription icon.

Subscription

 1. Enter the Access Key ID and the Secret Access Key that reflect your AWS User.

 2. Select Save once you have completed entering the information in the table below. The AWS Reachability
field should reflect Connected.

Field Description

AWS Reachability The connection status of the AWS Network Manager to Orchestrator: Connected or Not Connected.
Access Key ID The Access Key ID given to you in AWS to log in to the AWS console.
Secret Access Key The Secret Access Key given to you in AWS to log in to the AWS console.
Polling Interval How often Orchestrator checks for configuration changes in the AWS transit gateways or Network Manager. The default polling interval is ten minutes.

 3. Click Save.

Orchestrator should now have an established connection to your AWS VPC.

Interface Labels

Select the Interface Labels icon to open the dialog in which you choose the interfaces used to build your tunnels to AWS.

 1. Select the Interface Labels button. The Build Tunnels Using These Interfaces dialog displays.

 2. Drag the interface labels you want to apply from the column on the right into the Primary column.

 3. Select Save.

Network Manager Association

In this window, you can choose which appliances you want to connect to or disconnect from the AWS Gateway Network
Manager. The appliances already associated with the Transit Network Manager appear on the right under
Transit Gateway.

 1. Check or un-check the checkbox next to the appliance you want to connect to the Network Manager.

 2. See the table below for the fields.


Field Description

Hostname The host name of the appliance you want to connect to or disconnect from the Network Manager.
Transit Gateways Present Lists the gateways in association with the Network Manager and Orchestrator.
Transit Gateways Changes Displays whether the gateway has been added to or removed from the Network Manager.

 3. Click Save.

Tunnel Settings

The Tunnel Settings window defines the tunnels delivering traffic between AWS  and Orchestrator. The tunnel
settings are set using the default VPN configuration parameters received from virtual WAN APIs located in AWS.

Use the default settings for General, IKE, and IPsec tunnels and click Save to apply. Visit the following link for
more supported tunnel options: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html

AWS VTI Subnet Pool

In this window, set the Subnet IP address and the mask for the AWS subnet pool. Enter the subnet IP address and the
mask ID in the designated fields.

NOTE  This is an AWS specific subnet pool, therefore every subnet IP address must start with 169.254 to be included
in this pool.

Verification

You can verify the stability and connectivity of your tunnels to the AWS Network Manager using the Connection
Status column in the AWS Network Manager Tab. This column shows the BGP Peer status. Additional details can be
found in the Tunnels, VTI, and BGP tabs.


Monitoring Status and Performance


These topics focus on reports related to performance, traffic, and appliance status.

Other tabs that are also helpful in monitoring, including the Threshold Crossing Alerts tab, are addressed in other chapters.

Dashboard
The Dashboard is a customizable collection of widgets for monitoring your network. Customizations persist for each
user account. See below for the various functionalities.

Select which widgets to show or hide in Settings.

To move widgets, drag them by title.

To access more detail in its corresponding tab, click a widget's title.

To filter on various widgets, select Src or Dest, Overlay or Underlay, or Inbound or Outbound. The filter
varies depending on the widget you are selecting.

You can choose and change the grouping variable for Overlay-Transport and Overlay-Interface by clicking
Flip.

The Appliance Summary displays an inventory count by appliance model. It also displays license type,
availability, and usage.

The Health Map widget reflects the selections and settings configured on the Health Map tab.

To search for appliances in the tree, enter an appliance name; the matching tag is displayed above the tree.

To filter collections of appliances, select Show Tags and select from among the tag options.

Topology Settings & Legend


The Topology tab provides a visual summary of your Silver Peak network.

When configuring a software-defined WAN (SD-WAN), you can view All Overlays, individual Business Intent
Overlays (BIOs), or the single and bonded Underlay tunnels that support them.

You can access it under Monitoring in the menu bar, or by clicking the widget title on the Dashboard tab.

Topology widget on Dashboard tab

The Legend details the appliances’ management and operational states.

The Topology map can dynamically geolocate an appliance when you enter a location [City, State, Country] in
an appliance Configuration Wizard, or when you modify the appliance by right-clicking to access its contextual
menu.

The map tile renders to support variable detail at different zoom levels.

You can use icon grouping to visually consolidate adjacent appliances. The status bubbles up, and you can
configure relative grouping distance in the map's legend. The grouping is also a function of how far you zoom
in or out.

Rolling over an individual appliance's icon displays basic system information.

When the icon is encircled by a ring, indicating an alarm, the alarm details also display.

Viewing Tunnels in the Topology Map


Clicking on a tunnel opens a table with access to information about that link.

Live View
From the table, you can access the link's Live View graph.

In real time, Live View shows how the SD-WAN overlay maintains application performance across the underlays. The
real-time chart shows the SD-WAN overlay at the top and the underlay networks at the bottom. In the example shown,
the overlay is green and delivering consistent application performance while both underlays are in a persistent
brown-out state.

Historical Charts
These charts let you selectively view the tunnel's components and behavior.

Health Map
Monitoring > Summary > Health Map

The Health Map provides a high-level view of your network's health, based on real-time measurements of network
conditions between appliances.

View filters are available for alarms, packet loss, latency, jitter, MOS (mean opinion score), and Business
Intent Overlay.

The health map can be sorted by weekly, daily, hourly health, or tree (by group, and then alphabetical by
hostname).

Each block represents one hour and uses color coding to display the most severe event among the selected
filters. Color codes correspond to alarm severity and thresholds.

Green = normal operation.

Red = critical – steps must be taken immediately in order to restore the affected service.

Orange = major – steps must be taken as soon as possible because the affected service has degraded
drastically.

Yellow = minor – a problem that does not yet affect service, but may do so if the problem is not
corrected.

Aqua = warning – a potential problem that may affect service.

Grey = no data available.

Thresholds can be configured by clicking the gear icon.

Clicking a color block displays a pop-up with specifics about that event, what value triggered it, and any
additional threshold breach for that appliance during the same hour.

While filter and sort order customizations persist for each user account, threshold settings apply globally.

Threshold settings are not retroactive – setting new thresholds does not redisplay historical data based on
newly edited values.

Deleting an appliance deletes its data.

If you are using overlays, note the following:

You can view each overlay's health individually.

If you remove an individual overlay, its data is not recoverable. However, its historical data remains
included in All Overlays.

Alarms Tab
This tab provides various details for appliance alarms in Orchestrator.

You can apply the following filters to an alarm.

Time: 1h, 4hr, 1d, 7d, or Custom. Custom allows you to select specified dates in the Range field.

Alarm Emails ON and Alarm Emails Paused: Toggle this setting to control whether Orchestrator sends alarm
emails (ON) or holds them (Paused).

Alarm Email Recipients: Each configured recipient can receive emails regarding either Appliance alarms or
Orchestrator alarms. Select Add Recipient in the Alarm Recipients window. Select the alarm type and
check the boxes that you want to receive emails for. Select Save or Reload.

Wait to Send Emails: You can customize how long the system waits before sending you an email notifying you of
an alarm. Select this icon and enter the number of minutes you want the system to wait in the Wait to Send
Emails window.

Disable Alarms
You can specify which alarms you want to disable by selecting Customize / Disable Alarms.

To disable alarms:

 1. Select Disable All Alarms on Specific Appliances.

 2. Enter the name of the appliance that has the alarms you want disabled.

 3. Select Disable Alarms.

 4. Select Save.

Customize Alarms
Complete the following steps to customize a pre-existing alarm.

 1. Select the Edit icon next to the selected appliance in the Alarm Information window.

 2. Choose Enable/Disable.

 3. If selecting Enable, specify the Custom Severity by choosing from the list: None, CRITICAL, MAJOR,
MINOR, WARNING.

If selecting Disable, the following message displays: "You are about to disable this alarm." Select Save.

Export: You can export a CSV file of your alarms.

Additional Filters:

Active - all uncleared alarms. Acknowledged alarms go to the bottom of this list.

History - filtered to show only cleared alarms.

All - all uncleared and cleared alarms.

NOTE  Orchestrator keeps alarms for 90 days.

Alarm Severity
Alarms have one of the following severity levels: None, Critical, Major, Minor, or Warning. Only Critical and
Major alarms are service-affecting.

None: no level of severity has been applied to the alarm.

Critical alarms require immediate attention, and reflect conditions that affect an appliance or the loss of a
broad category of service.

Major alarms reflect conditions which should be addressed in the next 24 hours -- for example, an
unexpected traffic class error.

Minor alarms can be addressed at your convenience -- for example, a degraded disk.

Warnings inform you of conditions that may become problems over time -- for example, the network
interface is admin down.

Alarm Recipients
Complete the following steps to add recipients who receive an email notification when an alarm is raised in your network.

 1. Select Alarm Email Recipients.

 2. Select Add Recipient.

 3. Enter the following information in the correct fields.

The Hostname is Orchestrator for Orchestrator alarms, and <Appliance hostname> for appliance-
generated alarms.

Groups display in a drop-down list, based on the groups configured in the navigation pane.

By default, alarms are HTML formatted. However, you can choose Plain Text or Both.

Plain Text alarms are emailed as pipe-separated data. Users can create a script to parse the email and read
the fields.

Example:

Hostname|Alarm_Status|Time|Alarm_ID|Type_ID|Source|Severity|Description|Recommended_action
Orchestrator|1|1526341365000|94|6815775|orchestrator|MINOR|Backup configuration not set|
Orchestrator|1|1526341362000|93|6815762|orchestrator|MAJOR|Orchestrator is using the default SMTP settings|

The Alarm ID is the auto-incremented primary key in the database.

Alarm Status: 1 - Raised | 2 - Cleared
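The pipe-separated format above is straightforward to consume from a script. The following is an added example (not code from the guide or the product) of a defensive parser in Python: it requires the documented header, validates the coded fields, converts the epoch-millisecond Time, rejects malformed rows instead of guessing at them, and picks out the raised Critical/Major alarms that the guide calls service-affecting. The sample body is constructed from the guide's two example rows plus one deliberately malformed row.

```python
"""Parser for Orchestrator plain-text (pipe-separated) alarm emails.

Added example, not code from the Orchestrator guide or product. It assumes only
what the guide documents: the nine-field header, Alarm_Status 1 = Raised and
2 = Cleared, Time as epoch milliseconds, and the Alarm Severity names.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

# Header line exactly as documented; the field order is taken from it.
HEADER = ("Hostname|Alarm_Status|Time|Alarm_ID|Type_ID|Source|Severity|"
          "Description|Recommended_action")
FIELDS = HEADER.split("|")

STATUS_CODES = {1: "Raised", 2: "Cleared"}
SEVERITIES = {"NONE", "CRITICAL", "MAJOR", "MINOR", "WARNING"}
SERVICE_AFFECTING = {"CRITICAL", "MAJOR"}  # per the Alarm Severity section

# Constructed sample body: the guide's two example rows plus one deliberately
# malformed row (wrong field count) to show how bad input is handled.
SAMPLE_EMAIL = """\
Hostname|Alarm_Status|Time|Alarm_ID|Type_ID|Source|Severity|Description|Recommended_action
Orchestrator|1|1526341365000|94|6815775|orchestrator|MINOR|Backup configuration not set|
Orchestrator|1|1526341362000|93|6815762|orchestrator|MAJOR|Orchestrator is using the default SMTP settings|
Orchestrator|1|not-a-number|95
"""


@dataclass(frozen=True)
class Alarm:
    hostname: str
    status: str          # "Raised" or "Cleared"
    time: datetime       # UTC, converted from epoch milliseconds
    alarm_id: int        # auto-incremented primary key in the Orchestrator DB
    type_id: int
    source: str
    severity: str        # one of SEVERITIES
    description: str
    recommended_action: str


def parse_alarm_line(line: str) -> Alarm:
    """Parse one data row; raise ValueError on any deviation from the format.

    Email bodies are untrusted input, so each coded field is checked against
    the documented vocabulary. Splitting on '|' without maxsplit means a row
    whose Description itself contains a pipe is rejected as malformed rather
    than silently shifting the later fields.
    """
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))

    status_code = int(rec["Alarm_Status"])
    if status_code not in STATUS_CODES:
        raise ValueError(f"unknown Alarm_Status {status_code}")
    severity = rec["Severity"].upper()
    if severity not in SEVERITIES:
        raise ValueError(f"unknown Severity {rec['Severity']!r}")
    # Time is epoch milliseconds (1526341365000 is 14 May 2018), so scale by 1000.
    when = datetime.fromtimestamp(int(rec["Time"]) / 1000, tz=timezone.utc)

    return Alarm(rec["Hostname"], STATUS_CODES[status_code], when,
                 int(rec["Alarm_ID"]), int(rec["Type_ID"]), rec["Source"],
                 severity, rec["Description"], rec["Recommended_action"])


def parse_alarm_email(body: str) -> Tuple[List[Alarm], List[str]]:
    """Parse a whole body into (alarms, rejected_lines).

    The first non-blank line must be the documented header; anything else is
    treated as an unexpected message and refused outright.
    """
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing or unexpected header line")
    alarms, rejected = [], []
    for ln in lines[1:]:
        try:
            alarms.append(parse_alarm_line(ln))
        except ValueError:
            rejected.append(ln)  # keep for audit; never guess at the fields
    return alarms, rejected


def service_affecting_ids(alarms: List[Alarm]) -> List[int]:
    """IDs of raised alarms whose severity the guide calls service-affecting."""
    return sorted(a.alarm_id for a in alarms
                  if a.status == "Raised" and a.severity in SERVICE_AFFECTING)


if __name__ == "__main__":
    parsed, bad = parse_alarm_email(SAMPLE_EMAIL)
    for a in parsed:
        print(f"{a.time:%Y-%m-%d %H:%M:%S}Z {a.severity:<8} #{a.alarm_id} {a.description}")
    print("rejected:", bad)
    print("service-affecting:", service_affecting_ids(parsed))
```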

Additional Alarm Indications


A cumulative (Orchestrator + appliances) alarm summary always displays at the right side of the header.
Clicking it opens a top-level summary and access to the Alarms tab.

Appliances are color-coded to indicate their severest alarms in the Topology tab and in the navigation pane.

Threshold crossing alerts are related to alarms. They are preemptive, user-configurable thresholds that
declare a Major alarm when crossed. For more information about their configuration and use, see Threshold
Crossing Alerts Template and Threshold Crossing Alerts Tab.

Schedule & Run Reports


Use the Schedule & Run Reports tab to create, configure, run, schedule, and distribute reports. Reports reflect
statistics related to network and application performance. These provide visibility into the network, enabling you
to investigate problems, identify trends, and evaluate your WAN utilization. Other reports cover the status of the
network and appliances, for example alarms, threshold crossing alerts, reachability between Orchestrator and the
appliances, and scheduled jobs.

Configure the following in this tab:

Global Report - By default, Orchestrator emails this preconfigured subset of charts every day. Clicking on a
chart's image opens the associated tab in the browser.

To access all reports residing on the Orchestrator server, click View Reports.

Name of the Report

Email Recipients: enter the email address you want to send the report to.

To send a test email and/or to configure another SMTP server instead, go to Orchestrator > [Setup]
SMTP Server Settings.

If a test email doesn't arrive within minutes, check your firewall.

Default range of reports: Daily = 14 days, Hourly = 24 hours. Increasing the scope uses additional memory.

A Scheduled or Single Report

Additionally, you can specify the following for a generated report:

Appliances in Report: Fill in the box or click Use Tree Selection to display appliances

Amount of Top Reports (10, 25, 50, 100, 1000)

Traffic Type

Check the boxes next to the following charts to be included in the report:

Application Charts

Tunnel Charts

Appliance Charts

Lock Scales for Local Trends: auto scales graphs for specified scheduled reports

TIP  To specify the timezone for scheduled jobs and reports, go to Orchestrator > Timezone for Scheduled Jobs.

View Reports
Use this page to view and download reports in PDF form. Reports can be filtered by keywords or sorted by name,
size, or date last modified. These reports can also be emailed depending on the configuration set in the Schedule
& Run Reports tab.

Sample Report

Scheduled & Historical Jobs


This tab has two views:

It provides a central location for viewing and deleting scheduled jobs, such as appliance backup and any
custom reports configured for distribution.

It provides a central location for viewing historical jobs.

Appliance Bandwidth
The Appliance Bandwidth chart lists the top appliances based on the total volume of inbound and outbound traffic
before reduction. It shows how many bytes the Silver Peak appliance saved when transferring data, aggregated over
a selectable time period.

Appliance Max Bandwidth


The Appliance Max Bandwidth chart lists the top appliances by the peak throughput (in either direction), within a
selected time period. It compares the system bandwidth of the appliance to the effective bandwidth it's providing.

Appliance Bandwidth Utilization


The Appliance Bandwidth Utilization chart lists the top appliances by the average percent of available bandwidth
used. This helps you see if an appliance that is optimizing traffic is reaching its capacity.

Appliance Bandwidth Trends


The Appliance Bandwidth Trends chart shows bandwidth usage over time.

For each Business Intent Overlay, the Link Bonding Policy specified determines the bandwidth efficiency. To
guarantee service quality levels, High Availability requires the most overhead, and High Efficiency requires the least.
Charts display the total bandwidth used. The Payload option shows how much raw data is transmitted. At the same
time, it exposes the Peaks option, which enables the viewing of peak transmissions.

Appliance Packet Counts


The Appliance Packet Counts chart lists the top appliances according to the sum of the inbound and outbound LAN
packets, showing how much traffic was sent.

Application Bandwidth
The Application Bandwidth chart shows which applications have sent the most bytes.

Application Pie Charts


The Application Pie Charts show what proportion of the bytes an application consumes on the LAN and on the
WAN.

Mousing over the charts and the legends reveals additional information.

The WAN charts identify what percentage of the bandwidth the Silver Peak appliance saved by optimizing the
traffic.

Application Trends
This tab shows application trends over time.

Firewall Drops
You can use the Firewall Drops tab to see the statistics on various flows, packets, and bytes dropped or allowed by a
zone-based firewall for a given time range.

Monitoring > Bandwidth > Firewall Drops > Summary

You can select a range of time (in hours and days) to view the firewall drops. You can also choose between
Matrix and Table view.

Select Export to export the report to an Excel spreadsheet.

In the charts column, you can select the chart icon.

In this pop-up, you can see packets, and bytes dropped or allowed by a zone-based firewall for a given
time range.

Top Talkers
This tab lists the IP addresses that use the most bandwidth.

You can also view each IP's destinations.

Domains
This tab lists the domains that use the most bandwidth.

The number of Subdomains selected determines how the table aggregates subdomains for display. An asterisk (*)
indicates that more subdomains would be displayed if a higher number were selected. This is not a filter, but rather a
grouping convenience.

Countries
This tab lists the countries that use the most bandwidth.

Ports
This tab lists the ports that use the most bandwidth.

Traffic Behavior
The Traffic Behavior report identifies and categorizes traffic based on low-level characteristics of the data streams.
The behavior types are:

Voice

Video Conferencing

Video Streaming

Bulk Data Transfer

Interactive

Undetermined

You can also specify these categories as match criteria when creating policies or ACLs (Access Control Lists).

Overlay-Interface-Transport
These charts display the distribution of traffic across three dimensions—overlays, interfaces, and transport. You can
view each option individually, or in relation to another.

For instance, for a given interface, you can see how the overlay traffic is distributed.

You can also view how much traffic is transported from one Silver Peak appliance to another on the SD-WAN fabric
(Overlays), versus how much is broken out locally, direct to the internet. The Underlay legend displays non-overlay
traffic.

Interface Bandwidth Trends


The Interface Bandwidth Trends tab shows interface statistics over time.

Interface Summary
This tab shows interface summary stats, including inbound and outbound Packets or Bytes per interface, as well as
Firewall Denies (Drops). The stats are summarized for the selected time period.

Tunnels Bandwidth
The Tunnel Bandwidth chart shows which tunnels are sending the most bytes — that is, the tunnels that are the
most active.

Show Underlays
Underlays are actual IPsec tunnels and physical paths taken (such as MPLS).

Overlays are logical tunnels created for different traffic types and policies (such as VoIP).

Traceroute
This shows traceroute information between the tunnel source and destination IP addresses. It shows the intermediate
hops, their IP addresses, and the latency between each hop.

Live View
Live View shows the live bandwidth, loss, latency, and jitter on all the tunnels. For an overlay, it also shows live tunnel
states — Up, Browned Out, or Down.

In real time, Live View shows how the SD-WAN overlay maintains application performance across the underlays. The
real-time chart shows the SD-WAN overlay at the top and the underlay networks at the bottom. In the example shown,
the overlay is green and delivering consistent application performance while both underlays are in a persistent
brown-out state.

Tunnels Pie Charts


The Tunnel Bandwidth Pie Charts show what proportion of the bytes a tunnel consumes on the LAN and on the
WAN.

Mousing over the charts and the legends reveals additional information.

The WAN charts identify what percentage of the bandwidth the appliance saved by optimizing the traffic.

Tunnel Bandwidth Trends


The Tunnel Bandwidth Trends chart shows tunnel bandwidth usage over time.

For each Business Intent Overlay, the Link Bonding Policy specified determines the bandwidth efficiency.

To guarantee service quality levels, High Availability requires the most overhead, and High Efficiency requires
the least.

Charts display the total bandwidth used.

The Payload option shows how much raw data is transmitted. At the same time, it exposes the Peaks option,
which enables the viewing of peak transmissions.

NOTE  Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated
data.

Tunnel Packet Counts


The Tunnel Packet Counts chart shows which tunnels sent the most packets.

DRC Bandwidth Trends


The DRC Bandwidth Trends tab shows Dynamic Rate Control statistics over time.

Dynamic Rate Control allows the Hub to regulate the tunnel traffic by lowering each remote appliance's Tunnel Max
Bandwidth. The smallest possible value is that appliance's Tunnel Min(imum) Bandwidth.

Dynamic Rate Control


Tunnel Max Bandwidth is the maximum rate at which an appliance can transmit.

Auto BW negotiates the link between a pair of appliances. In this example, the appliances negotiate each link down
to the lower value, 100 Mbps.

However, if A and B transmit at the same time, the Hub could easily be overrun.

If the Hub experiences congestion:

Enable Dynamic Rate Control. That allows the Hub to regulate the tunnel traffic by lowering each remote
appliance's Tunnel Max Bandwidth. The smallest possible value is that appliance's Tunnel Min(imum)
Bandwidth.

Inbound BW Limit caps how much the appliance can receive.

Flows - Active & Recent


The Flows tab allows you to view, filter, and manage flows for all your appliances. This tab also generates the Active
& Recent Flows report, with or without filtering. This report retrieves the maximum number of most recent flows that
are evenly distributed among the selected appliances.

Application: Includes built-in applications, custom applications, and user-created application groups. Select the
text field and a list displays. Choose the application you want to apply to your flow, or enter the exact
application you want to apply.

App Group: Includes the application groups created by the user. Select the text field and a list displays. Choose
the application group you want to apply to your flow, or enter the exact application group you want to apply.

Domain: The domain you can specify to filter your flows. Use the format *.domain.* or
*.domain.[com, info, edu, org, net, ...]. Select the text field and a list displays. Choose the domain you want to
apply.

Protocol: The protocol you want to apply to your filter. Select the text field and a list displays. You can select
all protocols or specify an individual protocol.

IP/Subnet: Shows the flows that match both SRC IP and DEST IP as the two endpoints if SRC:DEST is enabled. If not
enabled, all sources appear when the filter is applied. You can also apply this filter by pressing Enter instead of
clicking Apply.

Port: Displays ports with SRC and DEST as the two endpoints if SRC:DEST is enabled. If not enabled, all ports
appear when the filter is applied.

Zone: Filters flows to the desired firewall zone. Select the text field and a list displays. If the From:To
checkbox is not enabled, flows are filtered from and to the specified zone. If the checkbox is enabled, the flows
are filtered using both the From and To zones.

VLAN: Identifies the Virtual Local Area Network of a packet. Enter the VLAN ID you want to apply to your flow in
the text field.

DSCP: Select the desired DSCP from the list. You can choose any DSCP or a specific one.

Overlay: The overlay to which the flow is applied. Overlays are defined in the Business Intent Overlay tab.

Transport: Select any of the three transport types: SD-WAN, Breakout, and Underlay. You can also apply a
third-party service in this column if you have one configured.

Flow Characteristics: You can apply any of the following flow characteristics to your flow: Boosted, Directly
Attached, Pass-Through, Stale, Route Dropped, Firewall Dropped, Asymmetric, and Slow Devices. Note: You can only
select one flow characteristic at a time.

Include EdgeHA: If not selected, Edge HA flows are excluded (default). If selected, flows between Edge HA
appliances are included.

Include Built-In: Includes the built-in policy flows. If not selected, they are excluded (default). If selected,
they are included.

Active/Ended: Select whether to use active or ended flows as a filter. If selected, you can designate the start or
end time of the flow in the drop-down. If Custom is selected, date widgets are enabled so you can specify an exact
time frame.

Slow Devices: For debugging. A slow device is one that cannot receive data quickly enough from the Silver Peak
appliance. This causes the appliance to expend too many resources on this device, at the expense of accelerating
other devices. To counteract this, disable TCP acceleration for the slow devices in the Optimization Policy.

Duration: Shows flows that have lasted through a specific time frame. You can select < (less than) or > (greater
than), and enter a specific duration (in minutes).

Bytes: Specify whether you want to filter flows by their total bytes transferred or by the bytes transferred within
the last five minutes.

Filter: This list has all the saved filters. When selected, the filter configurations are loaded. See more
information below regarding the Filter option.

Filter

You can configure specific filters in this field. Select the drop-down menu to see a list of default filters you can apply
to your flows. Once configured, you can add, edit, or delete filters if you select the edit icon.

Complete the following steps to add a filter:

 1. Select the Edit icon next to the Filter drop down.

 2. Create a filter or select one from the list.

 3. Select +Add.

 4. Select Save.

You can also select the history tab with the two arrows next to the Filter field if you want to go back to a previously
applied filter. A maximum of 20 previously applied filters can be saved.

Reset or Reclassify Flows

You can Reclassify or Reset [Selected / All Returned / All] flows:

Resetting the flow kills it and restarts it. It is service-affecting.

Reclassifying the flow is not service-affecting. If a policy change makes a flow stale or inconsistent,
then reclassifying makes a best-effort attempt to conform the flow to the change. If the flow can't be
successfully "diverted" to the new policy, an Alert asks if you want to reset it.

Selected flows are individually selected; All Returned results from filtering (up to the max number of
returnable flows); and All refers to all flows, visible or not.

To export the table as a .csv file, select Export.

Reduction (%) refers to reduced WAN traffic, relative to a specific appliance:

Reduction (%) for Outbound traffic = 100 × (Received from LAN – Transmitted to WAN) / Received from LAN

Reduction (%) for Inbound traffic = 100 × (Transmitted to LAN – Received from WAN) / Transmitted to LAN

Flow Details are primarily to assist Silver Peak in troubleshooting and debugging.

To set the column visibility, right-click any header in the Flows table. This will allow you to hide or unhide any
selected fields.

You can also select, drag, and drop any of the columns in the table to the order you want.

The following table represents the values in the Flows report.

Host Name: Host name associated with the flow.
Detail: Pop-up that gives more detail about the selected flow.
Chart: Displays a real-time flow bandwidth chart with outbound/inbound traffic.
Uptime: The amount of time the flow has existed.
Overlay: Name of the overlay to which the flow belongs.
Application: Includes built-in applications, custom applications, and user-created application groups.
Protocol: For selecting an individual protocol or All protocols.
IP1: The IP1 address.
Port 1: The Port 1 address.
IP2: The IP2 address.
Port 2: The Port 2 address.
Inbound Bytes: Traffic received from the WAN.
Outbound Bytes: Traffic received from the LAN.
Inbound Tunnel: The name of the tunnel receiving traffic from the WAN.
Outbound Tunnel: The name of the tunnel receiving traffic from the LAN.
From Zone: The zone configured for the flow's source endpoint.
To Zone: The zone configured for the flow's destination endpoint.
DSCP LAN RX: The DSCP marking of traffic received from the LAN.

Appliance Flow Counts


The Appliance Flow Counts chart lists the top appliances according to which ones had the most flows within a
selected time period.

When you filter on All Traffic, the Created and Deleted columns display the number of new and ended flows for
that same time period. The Max column value is from a one-minute window within the time range.

Appliance Flow Trends


Monitoring > [Bandwidth > Flows] Trends

The Appliance Flow Trends chart shows the number of flows, packets, and bits per second through the appliance,
over time. It also differentiates among TCP (accelerated and unaccelerated) flows and non-TCP flows.

Tunnel Flow Counts


The Tunnel Flow Counts chart lists the tunnels with the most flows, on average. It differentiates flows into TCP
(accelerated and unaccelerated) and non-TCP, and also shows peak values.

DSCP Bandwidth
The DSCP Bandwidth chart shows which DSCP classes are sending the most data.

DSCP Pie Charts


The DSCP Pie Charts show the proportion of traffic in each DSCP class. Hovering over the charts and the legends
reveals additional information.


DSCP Trends
This tab shows DSCP usage over time.


Traffic Class Bandwidth


The Traffic Class Bandwidth chart shows which QoS traffic classes are sending the most data.


Traffic Class Pie Charts


The Traffic Class Pie Charts show the proportion of traffic in each Traffic class. Hovering over the charts and the
legends reveals additional information.


QoS (Shaper) Trends


This tab shows how much bandwidth any traffic class uses over time.


Works with Office 365


Ensure your overlays have the following options configured to preserve the Works with Office 365 default
applications. The table below indicates the default overlays, applications, and preferred policy order configured in
the Business Intent Overlays tab within Orchestrator. The overlay name indicated in the table below is the default
that ships with Orchestrator. This can be modified with user configuration.

Use Cases

Single WAN circuit

Branch to Branch Connectivity

NOTE  However, Skype for Business, SharePoint Online, and Office 365 Exchange must break out locally.

Overlay: Real-Time
Application: Skype for Business
Preferred Policy Order: Breakout Traffic to Internet & Cloud Services
What it Matches: Microsoft Office 365 Optimize and Allow categories for the respective applications.

Overlay: CriticalApps
Application: SharePoint Online, Office 365 Exchange
Preferred Policy Order: Breakout Traffic to Internet & Cloud Services
What it Matches: Microsoft Office 365 Optimize and Allow categories for the respective applications.

Overlay: Default
Application: For everything (Office365Common applications). NOTE  Do not specify other individual Office applications in this group or overlay.
Preferred Policy Order: Any policy order except "Drop"
What it Matches: Matches Microsoft Office 365 Default categories

For more information regarding Works with Office 365 applications, navigate to
https://techcommunity.microsoft.com and search for the Office 365 blog.


Live View
Live View shows the live bandwidth, loss, latency, and jitter on all the tunnels. For an overlay, it also shows live tunnel
states — Up, Browned Out, or Down.

In real time, Live View shows how Silver Peak combines the underlays to maintain coverage. The real-time chart shows the
SD-WAN overlay at the top and the underlay networks at the bottom. The overlay is green and delivering consistent
application performance while both underlays are in a persistent brown-out state.


Loss
The Loss chart shows which tunnels have the most dropped packets.


Loss Trends
The Loss Trends chart shows tunnel packet loss over time, before and after Forward Error Correction (FEC).

NOTE  Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated
data.


Jitter Summary
The Jitter chart shows which tunnels have the most jitter. Jitter can be caused by congestion in the LAN, firewall
routers, bottleneck access links, load sharing, route flapping, routing table updates, and timing drifts.


Jitter Trends
This tab shows tunnel jitter over time.

NOTE  Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated
data.


Latency
The Latency chart shows which tunnels have the most transmission delay, generally as a result of congestion.


Latency Trends
The Latency Trends chart shows tunnel latency over time.

NOTE  Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated
data.


Out of Order Packets


The Out of Order Packets chart shows which tunnels receive the most packets out of sequence relative to how they
were sent.


Out of Order Packets Trends


The Out of Order Packets Trends chart shows tunnel packets out of order over time, before and after Packet
Order Correction (POC).

NOTE  Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated
data.


Mean Opinion Score (MOS) - Summary


The Mean Opinion Score (MOS) is a commonly used measure for video, audio, and audiovisual quality evaluation.
Perceived quality is rated on a theoretical scale of 1 to 5; the higher the number, the better the quality.

The value can be affected by loss, latency, and jitter. In practice, a value of 4.4 is considered an excellent quality
target.


Mean Opinion Score (MOS) Trends


The Mean Opinion Score (MOS) is a commonly used measure for video, audio, and audiovisual quality evaluation.
Perceived quality is rated on a theoretical scale of 1 to 5; the higher the number, the better the quality.

The value can be affected by loss, latency, and jitter. In practice, a value of 4.4 is considered an excellent
quality target.

The Min MOS value reports the worst score within a minute.


Tunnels Summary
This tab summarizes tunnel statistics, including reduction, throughput, latency, and packet loss.

For each Business Intent Overlay, the Link Bonding Policy specified determines the bandwidth efficiency. To
guarantee service quality levels, High Availability requires the most overhead, and High Efficiency requires the least.
The table shows the total bandwidth used. The Payload filter removes overhead from the displayed values.


Appliance Administration Tabs


These menus are related to appliance administration. They include general settings, software management, and
tools for troubleshooting and maintenance.


Appliance User Accounts Tab


This tab provides data about the user accounts on each appliance.

The Silver Peak appliance's built-in user database supports user names, groups, and passwords.

Each appliance has two default users, admin and monitor, who cannot be deleted.

Each User Name belongs to one of two user groups -- admin or monitor.

The monitor group supports reading and monitoring of all data, in addition to performing all actions.
This is equivalent to the Command Line Interface’s (CLI) enable mode privileges.

The admin group supports full privileges, along with permission to add, modify, and delete. This is
equivalent to the CLI’s configuration mode privileges.

Named user accounts can be added via Appliance Manager or the Command Line Interface (CLI).

User Names are case-sensitive.

The table lists all users known to the appliances, whether or not their accounts are enabled.


Auth/RADIUS/TACACS+ Tab
This tab displays the configured settings for authentication and authorization.

If the appliance relies on either a RADIUS or TACACS+ server for those services, then those settings are also
reported.

All settings are initially applied via the Auth/RADIUS/TACACS+ configuration template.

Authentication and Authorization


Authentication and Authorization Fields
Field Definition

Authentication The process of validating that the end user, or a device, is who they
claim to be.
Authorization The action of determining what a user is allowed to do. Generally,
authentication precedes authorization.
Authentication Order When it's possible to validate against more than one database (local,
RADIUS server, TACACS+ server), Authentication Order specifies
which method to try in what sequence.
Map Order The default—and recommended—value is remote-first.
Default Role The default—and recommended—value is admin.

RADIUS and TACACS+


RADIUS and TACACS+ Server Fields
Field Definition

Auth Port For RADIUS, the default value is 1812. For TACACS+, the default value is 49.
Auth Type [TACACS+] The options are pap or ascii.
Enabled Whether or not the server is enabled.
Retries The number of attempts allowed before lockout.
Server Type RADIUS or TACACS+
Timeout If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the
appliance logs them out and returns them to the login page. You can change that
value, as well as the maximum number of sessions, in the Session Management
template.


Date/Time Tab
This tab highlights significant time discrepancies among the devices recording statistics.

If the date and time of an appliance, the Orchestrator server, and your browser aren't all synchronized, then charts
(and stats) will inevitably have different timestamps for the same data, depending on which device you use to view
the reports.

Recommendation: For consistent results, configure the appliance, the Orchestrator server, and your PC to use an
NTP (Network Time Protocol) server.


DNS (Domain Name Servers) Tab


This tab lists the Domain Name Servers that the appliances reference.

A Domain Name Server (DNS) uses a table to map domain names to IP addresses. So, you can reference locations
by a domain name, such as mycompany.com, instead of using the IP address.

Each appliance can support up to three name servers.


SNMP Tab
This tab summarizes what SNMP capabilities are enabled and which hosts can receive SNMP traps.

The Silver Peak appliance supports the Management Information Base (MIB) II, as described in RFC 1213, for
cold start traps and warm start traps, as well as Silver Peak proprietary MIBs.

The appliance issues an SNMP trap during reset--that is, when loading a new image, recovering from a crash,
or rebooting.

The appliance sends a trap every time an alarm is raised or cleared. Traps contain additional information
about the alarm, including severity, sequence number, a text-based description of the alarm, and the time the
alarm was created.

SNMP Settings
Field Name Description
Enable SNMP Allows the SNMP application to poll this Silver Peak appliance. (For SNMP v1 and SNMP v2c)
Enable SNMP Traps Allows the SNMP agent (in the appliance) to send traps to the receiver(s). (For SNMP v1 and SNMP v2c)
Enable V3 User For additional security when the SNMP application polls the appliance, you can use SNMP v3 instead of v1 or v2c. This provides a way to authenticate without using clear text.
Trap Receiver IP address of a host configured to receive SNMP traps


Flow Export Tab


This tab summarizes how the appliances are configured to export statistical data to NetFlow and IPFIX collectors.
Flow Exporting Enabled allows the appliance to export the data to collectors. The appliance exports flows against
two virtual interfaces — sp_lan and sp_wan — that accumulate the total of LAN-side and WAN-side traffic,
regardless of physical interface.

Select Edit and the Flow Export Configuration window opens.

Field Definition

Enable Flow Exporting Move the toggle to enable or disable flow exporting.
Active Flow Timeout The timeout, in minutes, applied to an active flow.
IPFIX Template Timeout The resending of templates based on a timeout.
Traffic Type Check as many of the traffic types as you want. The default is WAN TX.
Information Elements Check Firewall Zones, Application Performance, or both.

If you check Firewall Zones:

Orchestrator generates data based specifically on the zone-based firewalls associated with the
specified flow.

For example: Host Name, From Zone, To Zone, Tag, Action, Direction, etc.

If you check Application Performance:

Orchestrator generates data based specifically on the application performance associated with each
flow.

For example: clientIPv4Address, serverIPv4Address, connectionInitiator, applicationHttpHost, etc.

These interfaces appear in SNMP and are therefore "discoverable" by NetFlow and IPFIX collectors.

The Collector's IP Address is the IP address of the device to which you're exporting the NetFlow/IPFIX
statistics. The default Collector Port is 2055.

For more information regarding IPFIX and the associated Custom IEs, see the Silver Peak Custom
Information Elements section in the Orchestrator User Guide.

Silver Peak Custom Information Elements


Refer to the table below for the Silver Peak Custom Information Elements.

Columns: Custom IE Name and Implementation Description; Semantics; Units; Length (bytes); Enterprise Field ID

Data Type: ipv4Address

clientIPv4Address (Semantics: default; Length: 4; Enterprise Field ID: 1)
TCP: source ipv4 address of SYN initiator is the client.
UDP: source ipv4 address of the first packet is the client.

serverIPv4Address (Semantics: default; Length: 4; Enterprise Field ID: 2)
TCP: destination ipv4 address of SYN initiator is the client.
UDP: destination ipv4 address of the first packet is the client.

connectionInitiator (Semantics: default; Length: 4; Enterprise Field ID: 7)
TCP: source ipv4 address of SYN initiator is the connection initiator.
UDP: source ipv4 address of the first packet is the connection initiator.

Data Type: unsigned8

connectionNumberOfConnections (Semantics: totalCounter; Length: 1; Enterprise Field ID: 9)
Number of TCP connections (3-way handshake) or UDP sessions established.

connectionServerResponsesCount (Semantics: totalCounter; Length: 1; Enterprise Field ID: 10)
Currently 1

connectionTransactionCompleteCount (Semantics: totalCounter; Length: 1; Enterprise Field ID: 21)
Currently 1

Data Type: unsigned32

connectionServerResponseDelay (Units: MS; Length: 4; Enterprise Field ID: 11)
TCP: Round-trip time between SYN and SYN-ACK.
UDP: Round-trip time between first onward and return packet.

connectionNetworkToServerDelay (Units: MS; Length: 4; Enterprise Field ID: 12)
TCP: Round-trip time between SYN and SYN-ACK.
UDP: Round-trip time between first onward and return packet.
It is also called Server Network Delay (SND).

connectionNetworkToClientDelay (Units: MS; Length: 4; Enterprise Field ID: 13)
TCP: Round trip between SYN-ACK and ACK.
UDP: Round-trip time between first response and second request packet. It is also called Client Network Delay (CND).

connectionClientPacketRetransmissionCount (Semantics: totalCounter; Length: 4; Enterprise Field ID: 14)
Currently 1

connectionClientToServerNetworkDelay (Units: MS; Length: 4; Enterprise Field ID: 15)
Network Time/Network Delay is known as the round-trip time that is the summation of CND and SND. It is also called Network Delay (ND).

connectionApplicationDelay (Units: MS; Length: 4; Enterprise Field ID: 16)
TCP: Round-trip time between SYN and SYN-ACK.
UDP: Round-trip time between first onward and return packet.

connectionClientToServerResponseDelay (Units: MS; Length: 4; Enterprise Field ID: 17)
The round-trip time that is the summation of CND and SND.

connectionTransactionDuration (Units: MS; Length: 4; Enterprise Field ID: 18)
The flow displays the time difference between the first and last packet.

connectionTransactionDurationMin (Units: MS; Length: 4; Enterprise Field ID: 19)
The flow displays the time difference between the first and last packet.

connectionTransactionDurationMax (Units: MS; Length: 4; Enterprise Field ID: 20)
The flow displays the time difference between the first and last packet.

Data Type: unsigned64

connectionServerOctetDeltaCount (Semantics: deltaCounter; Units: octets; Length: 8; Enterprise Field ID: 3)
Server initiated byte count. If flow is lan to wan, Lan-Tx byte counter. If flow is wan to lan, Lan-Rx byte counter.

connectionServerPacketDeltaCount (Semantics: deltaCounter; Units: packets; Length: 8; Enterprise Field ID: 4)
Server initiated byte count. If flow is lan to wan, Lan-Tx byte counter. If flow is wan to lan, Lan-Rx byte counter.

connectionClientOctetDeltaCount (Semantics: deltaCounter; Units: octets; Length: 8; Enterprise Field ID: 5)
Server initiated byte count. If flow is lan to wan, Lan-Tx byte counter. If flow is wan to lan, Lan-Rx byte counter.

connectionClientPacketDeltaCount (Semantics: deltaCounter; Units: packets; Length: 8; Enterprise Field ID: 6)
Server initiated byte count. If flow is lan to wan, Lan-Tx byte counter. If flow is wan to lan, Lan-Rx byte counter.

Data Type: String

applicationHttpHost (Semantics: default; Length: variable; Enterprise Field ID: 8)
http destination domain name

applicationCategory (Semantics: default; Length: variable; Enterprise Field ID: 27)
application group

from-zone (Semantics: default; Length: variable; Enterprise Field ID: 22)
(source zone) name for the flow when ZBF is configured

to-zone (Length: variable; Enterprise Field ID: 23)
(destination zone) name for the flow when ZBF is configured

tag (Semantics: default; Length: variable; Enterprise Field ID: 24)
the user specified readable string/tag that can be specified when the ZBF rule is configured. If "tag" is not specified, an
automatic tag will be created and exported. The automatic/default tag is constructed by concatenating
<from-zone>_<to-zone>_<rule priority>, e.g., "lan-zone_corp-zone_10000"

overlay (Semantics: default; Length: variable; Enterprise Field ID: 25)
The overlay name the zone belongs to.

direction (Semantics: default; Length: variable; Enterprise Field ID: 26)
The direction of the flow: outbound or inbound.
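The following is an added example, not Silver Peak's code: it builds a small IPFIX message (RFC 7011 framing) carrying a flow record made of the custom elements above, using their Enterprise Field IDs, data types and lengths, and decodes it the way a collector would. Silver Peak's IANA Private Enterprise Number is not given on the page, so a placeholder is used, the flow record is constructed, and one IANA-registered element (protocolIdentifier) is mixed in to show how the enterprise bit in a field specifier separates the two namespaces.

```python
import ipaddress
import struct
# Silver Peak custom Information Elements from the table above, keyed by Enterprise Field ID:
# (name, data type, length in bytes; None means variable length).
SILVER_PEAK_IES = {
    1: ("clientIPv4Address", "ipv4Address", 4),
    2: ("serverIPv4Address", "ipv4Address", 4),
    3: ("connectionServerOctetDeltaCount", "unsigned64", 8),
    22: ("from-zone", "string", None),
    24: ("tag", "string", None),
}
IANA_IES = {4: ("protocolIdentifier", "unsigned8", 1)}  # one IANA-registered element (RFC 7012) mixed in
ENTERPRISE_ID = 99999  # Silver Peak's IANA Private Enterprise Number is not on the page: placeholder
VARIABLE = 65535  # template field length that marks a variable-length IE (RFC 7011 section 7)

def encode_field(dtype, value):
    """Encode one field; strings get the RFC 7011 variable-length prefix (1 octet, or 0xFF + 2)."""
    if dtype == "ipv4Address":
        return ipaddress.IPv4Address(value).packed
    if dtype == "string":
        raw = value.encode()
        return (bytes([len(raw)]) if len(raw) < 255 else b"\xff" + struct.pack("!H", len(raw))) + raw
    return value.to_bytes({"unsigned8": 1, "unsigned32": 4, "unsigned64": 8}[dtype], "big")

def build_message(template_id, spec, records):
    """Constructed exporter: 16-byte header, one Template Set (Set ID 2), one Data Set.
    spec is a list of (ie_id, is_enterprise); records is a list of value lists in spec order."""
    tmpl = struct.pack("!HH", template_id, len(spec))
    for ie_id, ent in spec:
        length = (SILVER_PEAK_IES if ent else IANA_IES)[ie_id][2]
        flen = VARIABLE if length is None else length
        # Enterprise-specific IEs set the high bit of the IE id and append the 4-octet Enterprise Number.
        tmpl += struct.pack("!HHI", 0x8000 | ie_id, flen, ENTERPRISE_ID) if ent else struct.pack("!HH", ie_id, flen)
    data = b"".join(encode_field((SILVER_PEAK_IES if e else IANA_IES)[i][1], v)
                    for rec in records for (i, e), v in zip(spec, rec))
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", template_id, 4 + len(data)) + data
    # Message header: version 10, total length, export time, sequence number, observation domain id.
    return struct.pack("!HHIII", 10, 16 + len(body), 1596412800, 1, 42) + body

def parse_template_set(buf, pos, end, templates):
    """Store each Template Record as templates[id] = [(name, dtype, flen), ...]."""
    while pos + 4 <= end:
        template_id, count = struct.unpack_from("!HH", buf, pos)
        pos, fields = pos + 4, []
        for _ in range(count):
            (raw_id, flen), pos = struct.unpack_from("!HH", buf, pos), pos + 4
            if raw_id & 0x8000:  # enterprise bit set: read the Enterprise Number that follows
                (ent,), pos = struct.unpack_from("!I", buf, pos), pos + 4
                known = SILVER_PEAK_IES.get(raw_id & 0x7FFF) if ent == ENTERPRISE_ID else None
                name, dtype, _ = known or (f"enterprise{ent}.{raw_id & 0x7FFF}", "octetArray", None)
            else:
                name, dtype, _ = IANA_IES.get(raw_id, (f"iana.{raw_id}", "octetArray", None))
            fields.append((name, dtype, flen))
        templates[template_id] = fields

def decode_record(buf, pos, fields):
    """Decode one Data Record; returns (dict keyed by IE name, next offset)."""
    rec = {}
    for name, dtype, flen in fields:
        if flen == VARIABLE:
            n, pos = buf[pos], pos + 1
            if n == 255:  # long form of the variable-length prefix
                n, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
            rec[name], pos = buf[pos:pos + n].decode("utf-8", errors="replace"), pos + n
            continue
        chunk, pos = buf[pos:pos + flen], pos + flen
        if dtype == "ipv4Address":
            rec[name] = str(ipaddress.IPv4Address(chunk))
        elif dtype.startswith("unsigned"):
            rec[name] = int.from_bytes(chunk, "big")
        else:
            rec[name] = chunk.hex()  # unknown element: keep the raw octets
    return rec, pos

def parse_message(buf):
    """Collector side: validate framing, learn templates, return the decoded Data Records."""
    version, length = struct.unpack_from("!HH", buf, 0)
    if version != 10 or length != len(buf):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off + 4 <= len(buf):
        set_id, set_len = struct.unpack_from("!HH", buf, off)
        end = off + set_len
        if set_len < 4 or end > len(buf):
            raise ValueError("set length runs past the message")  # refuse truncated or overlong sets
        if set_id == 2:
            parse_template_set(buf, off + 4, end, templates)
        elif set_id >= 256 and set_id in templates:  # Data Set; sets for unknown templates are skipped
            fields = templates[set_id]
            pos, min_len = off + 4, sum(1 if f == VARIABLE else f for _, _, f in fields)
            while fields and end - pos >= min_len:  # a shorter tail is padding (RFC 7011 section 3.3.1)
                rec, pos = decode_record(buf, pos, fields)
                records.append(rec)
        off = end
    return records

def demo():
    # Constructed flow record: IANA protocolIdentifier plus Silver Peak IEs 1, 2, 3, 22 and 24.
    spec = [(4, False), (1, True), (2, True), (3, True), (22, True), (24, True)]
    rec = [6, "10.1.1.25", "172.16.5.10", 1048576, "lan-zone", "lan-zone_corp-zone_10000"]
    return parse_message(build_message(256, spec, [rec]))
```

The decoder learns templates only from Set ID 2 and refuses a message whose set lengths disagree with the header length, which is the first check a collector should make on data from an untrusted exporter.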


Logging Tab
This tab summarizes the configured logging parameters:

Log Configuration refers to local logging.

Log Facilities Configuration refers to remote logging.

Severity Levels
In order of decreasing severity, the levels are as follows:

EMERGENCY The system is unusable.
ALERT Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING.
CRITICAL A critical event.
ERROR An error. This is a non-urgent failure.
WARNING A warning condition. Indicates an error will occur if action is not taken.
NOTICE A normal, but significant, condition. No immediate action required.
INFORMATIONAL Informational. Used by Silver Peak for debugging.
DEBUG Used by Silver Peak for debugging.
NONE If you select NONE, then no events are logged.

The bolded part of the name is what displays in Silver Peak's logs.

These are purely related to event logging levels, not alarm severities, even though some naming conventions
overlap. Events and alarms have different sources. Alarms, once they clear, list as the ALERT level in the
Event Log.


Remote Logging
You can configure the appliance to forward all events, at and above a specified severity, to a remote syslog
server.

A syslog server is independently configured for the minimum severity level that it will accept. Without
reconfiguring, it may not accept as low a severity level as you are forwarding to it.

Each message/event type (System / Audit / Flow) is assigned to a syslog facility level (local0 to local7).
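As an added illustration that is not part of the guide, the following Python models both ends of the forwarding described above: the appliance-side severity threshold and facility assignment, and a syslog server applying its own minimum severity. The facility-per-message-type mapping and the sample events are constructed, not appliance defaults.

```python
import re

# Event severity levels from the Logging tab in decreasing order of severity, with the
# numeric codes syslog uses for them (RFC 3164 and RFC 5424 share this 0..7 scale).
SEVERITIES = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
              "WARNING": 4, "NOTICE": 5, "INFORMATIONAL": 6, "DEBUG": 7}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}
FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}  # local0..local7
# Which facility each message type (System / Audit / Flow) uses is an appliance setting;
# this mapping is a constructed example, not the appliance default.
FACILITY_BY_TYPE = {"System": "local0", "Audit": "local1", "Flow": "local2"}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

def pri(facility, severity):
    """The syslog <PRI> value: facility code * 8 + severity code."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES[severity]

def forward_events(events, min_severity):
    """Appliance side: emit a syslog line for each event at or above min_severity.
    events is a list of (message type, severity name, text); a lower code is more severe."""
    threshold = SEVERITIES[min_severity]
    return [f"<{pri(FACILITY_BY_TYPE[etype], sev)}>{etype}: {text}"
            for etype, sev, text in events if SEVERITIES[sev] <= threshold]

def receive(lines, accept_min_severity):
    """Server side: decode PRI and apply the server's own minimum severity.
    Returns (accepted, rejected), each a list of (facility, severity, message)."""
    accepted, rejected = [], []
    for line in lines:
        m = PRI_RE.match(line)
        if not m or int(m.group(1)) > 191:  # PRI must be 0..191 (23 * 8 + 7)
            rejected.append(("invalid", "invalid", line))
            continue
        fac_code, sev_code = divmod(int(m.group(1)), 8)
        facility = f"local{fac_code - 16}" if 16 <= fac_code <= 23 else f"facility{fac_code}"
        entry = (facility, SEVERITY_NAMES[sev_code], m.group(2))
        (accepted if sev_code <= SEVERITIES[accept_min_severity] else rejected).append(entry)
    return accepted, rejected

def demo():
    """Constructed sample: the appliance forwards NOTICE and above, but the server only accepts
    WARNING and above, so the Audit NOTICE event is lost unless the server is reconfigured."""
    events = [("System", "ALERT", "alarm cleared: tunnel to peer-b is up"),
              ("Audit", "NOTICE", "user monitor logged in from 10.0.0.5"),
              ("Flow", "INFORMATIONAL", "flow table 60 percent full"),
              ("System", "WARNING", "NTP server unreachable")]
    sent = forward_events(events, "NOTICE")
    accepted, rejected = receive(sent, "WARNING")
    return sent, accepted, rejected
```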


Banners Tab
This tab lists the banner messages on each appliance.

The Login Message appears before the login prompt.

The Message of the Day appears after a successful login.


HTTPS Certificate Tab


The VXOA software includes a self-signed certificate that secures the communication between the user's browser
and the appliance.

You also have the option to install your own custom certificate, acquired from a certificate authority (CA).

For a custom certificate, to use with a specific appliance:

 1. Consult with your IT security team to generate a certificate signing request (CSR), and submit it to your
organization's chosen SSL Certificate Authority (CA).

Examples of Certificate Authorities include GoDaddy, Verisign, Comodo, Symantec, Microsoft Entrust,
GeoTrust, etc.

For a list of what Silver Peak supports, see Silver Peak Security Algorithms.

All certificate and key files must be in PEM format.

 2. After the Certificate Authority provides a CA-verified certificate:

If your IT security team advises the use of an Intermediate CA, then use an Intermediate Certificate
File. Otherwise, skip this file.

Click the Edit icon next to the target appliance, and Upload the Certificate File from the CA.

Upload the Private Key File that was generated as part of the CSR.

 3. To associate the CA verified certificate for use with Orchestrator, click Add.


Orchestrator Reachability Tab


Administration > [General Settings > Setup] Orchestrator Reachability

You can specify how each appliance connects to Orchestrator by designating one of its interface Labels.


System Information
Manage system information with templates, with the exception of the following appliance-specific parameters:

To edit System Bandwidth, use Configuration > Shaper.

To change a Deployment Mode, use Configuration > Deployment.

When you click in the Edit column for a specific appliance, these two screens are available.

System Summary

System Settings


System Information Property Keys


Property Key Description

Active Release Specifies the software the appliance is running.


Always send pass-through traffic to original sender If the tunnel goes down when using WCCP and PBR, traffic that was
intended for the tunnel is sent back the way it came.
Appliance ID A unique identifier for the appliance.
Appliance Key Orchestrator assigns and uses this key to identify the appliance.
Appliance Model The specific EC, EC-V, NX, VX, or VRX model.
Auto Flow Reclassify Specifies how often to do a policy lookup.
Automatically establish tunnels Reduces configuration overhead by removing the need to manually
create tunnels.
Automatically include local [LAN | WAN] subnets Adds the local subnet(s) to the appliance subnet information. If the
appliance is deployed in Bridge mode, then no interface is specified.
BIOS Version The version of BIOS firmware that the appliance is using.
Bridge Loop Test Only valid for virtual appliances. When enabled, the appliance can
detect bridge loops. If it does detect a loop, the appliance stops
forwarding traffic and raises an alarm. Appliance alarms include
recommended actions.



Configured Media Type Is either ram and disk (VX) or ram only (VRX). Can change for special
circumstances, if recommended by Silver Peak.
Connection Type The method that Orchestrator uses to communicate with the appliance.
Options are WEBSOCKET, PORTAL, and HTTP.
Contact Email Email address of whom to contact within your organization (optional)
Contact Name Whom to contact within your organization (optional)
Discovery Method Specifies how Orchestrator discovered the appliance:
PORTAL: Orchestrator discovered the appliance through the portal account.
MANUAL: The appliance was added manually.
APPLIANCE: Orchestrator's IP address was added to the appliance. Portal was not involved.

Enable default DNS lookup Allows the appliance to snoop the DNS requests to map domains to IP
addresses. This mapping can then be used in ACLs for traffic matching.
Enable Health check Activates pinging of the next-hop router.
Enable HTTP/HTTPS Snooping Enables a more granular application classification of HTTP/HTTPS
traffic, by inspection of the HTTP/HTTPS header, Host. This is enabled
by default.
Enable IGMP Snooping IGMP snooping is a common Layer-2 LAN optimization that forwards multicast frames
only to ports where multicast streams have been detected. Disabling this feature floods multicast
packets to all ports. IGMP snooping is recommended and enabled by default.
Enable SaaS optimization Enables the appliance to determine what SaaS applications/services it
can optimize. It does this by contacting Silver Peak's portal and
downloading SaaS IP address and subnet information.
Encrypt data on disk Enables encryption of all the cached data on the disks. Disabling this
option is not recommended.
Excess flow policy Specifies what happens to flows when the appliance reaches its
maximum capacity for optimizing flows. The default is to bypass flows.
Or, you can choose to drop the packets.
Flows and tunnel failure If there are parallel tunnels and one fails, then Dynamic Path Control
determines where to send the flows. There are three options:
fail-stick – When the failed tunnel comes back up, the flows don't
return to the original tunnel. They stay where they are.
fail-back – When the failed tunnel comes back up, the flows return
to the original tunnel.
disable – When the original tunnel fails, the flows aren't routed to
another tunnel.

Hair-pin traffic Redirects inbound LAN traffic back to the WAN


Hold down count If the link has been declared down, this specifies how many successful
ICMP echoes are required before declaring that the link to the next-hop
router is up.
Hub Site Specifies whether the appliance has been assigned the role, Hub, in
Orchestrator. Options are true or false.
Interval Specifies the number of seconds between each ICMP echo sent.
IP Id auto optimization Enables any IP flow to automatically identify the outbound tunnel and
gain optimization benefits. Enabling this option reduces the number of
required static routing rules (route map policies).
IPSec UDP Port Specifies the port that Orchestrator uses to build IPSec UDP tunnels. If
the field is blank, Orchestrator uses the default.
Location Appliance location, optionally specified during appliance setup.
Maximum TCP MSS (Maximum Segment Size). The default value is 9000 bytes. This ensures
that packets are not dropped for being too large. You can adjust the
value (500 to 9000) to lower a packet's MSS.
Media Type Displays the actual media being used.
Metric for local subnets A weight that is used for subnets of local interfaces. When a peer has
more than one tunnel with a matching subnet, it chooses the tunnel with
the greater numerical value.
Mode Specifies the appliance's deployment mode: Server, Router, or Bridge.
Model The specific EC, EC-V, NX, VX, or VRX model.
NAT-T keep alive time If a device is behind a NAT, this specifies the rate at which to send keep
alive packets between hosts, in order to keep the mappings in the NAT
device intact.
Quiescent tunnel keep alive time Specifies the rate at which to send keep alive packets after a tunnel has
become idle (quiescent mode). The default is 60 seconds.
Region A user-assigned name created for segmenting topologies and
streamlining the number of tunnels created. When regions contain at
least one hub, you can choose to connect Regions through hubs only.
Retry count Specifies the number of ICMP echoes to send, without receiving a reply,
before declaring that the link to the WAN next-hop router is down.
Serial Number Serial number of the appliance
Site / Site Name Orchestrator won't build tunnels between appliances with the same
user-assigned site name.
SSL optimization for non-IPSec tunnels Specifies if the appliance should perform SSL optimization when the
outbound tunnel for SSL packets is not encrypted (for example, a GRE or UDP tunnel). To enable Network
Memory for encrypted SSL-based applications, you must provision server certificates via the Silver Peak
GMS. This activity can apply to the entire distributed network of Silver Peak appliances, or just to a
specified group of appliances.
System Bandwidth The appliance's total outbound bandwidth, determined by appliance
model or license.


TCP auto optimization Enables any TCP flow to automatically identify the outbound tunnel and
gain optimization benefits. Enabling this option reduces the number of
required static routing rules (route map policies).
UDP flow timeout Specifies how long to keep the UDP session open after traffic stops
flowing. The default is 120 seconds (2 minutes).
Uptime The time elapsed since the appliance became operational and
available.
Use shared subnet information Enables Silver Peak appliances to use the shared subnet information to
route traffic to the appropriate tunnel. Subnet sharing eliminates the
need to set up route maps in order to optimize traffic.


Software Versions
This report lists the software versions on each appliance.


Upgrading Appliance Software


Administration > [Software > Upgrade] Upgrade Appliances

You can download and store new appliance software from your network or computer to the Orchestrator server,
staging it for installation to the appliance(s).

Use the Upgrade Appliances page to upload appliance software to Orchestrator and to install appliance software
from the Orchestrator server into the appliance’s inactive partition.

Install and reboot installs the image into the appliance’s inactive partition and then reboots the appliance to
begin using the new software.

Install and set next boot partition installs the image into the appliance’s inactive partition and then points
to that partition for the next reboot.

Install only downloads the image into the inactive partition.


Appliance Configuration Backup


Administration > [Software > Backup & Restore] Backup Now

Orchestrator automatically creates a weekly backup of each appliance’s configuration to the Orchestrator server.
Additionally, you can create an immediate backup on demand.

After selecting the appliance(s) in the navigation tree, go to Administration > Backup Now and click Backup.


You cannot delete an appliance backup from Orchestrator.


Viewing Configuration History


Administration > [Software > Backup & Restore] Configuration History

You can view an appliance’s current or previous configuration.

You can compare any two appliance configuration files.


Restoring a Backup to an Appliance


Administration > [Software > Backup & Restore] Restore

You can restore an appliance configuration backup from Orchestrator to any other Silver Peak appliance(s) in your
network.

However, be careful to consider any potential conflicts when the backup specifies a static mgmt0 IP address, as
opposed to specifying DHCP.


Remove Appliance from Orchestrator


Administration > [Software > Remove Appliances] Remove from Orchestrator

Removing an appliance with this action returns the appliance to the Discovered Appliances list.

Additionally,

It deletes the appliance from the navigation tree.

Orchestrator will break all tunnels/overlays/etc. to this device.


Remove Appliance from Orchestrator and Account


Administration > [Software > Remove Appliances] Remove from Orchestrator and Account

Removing an appliance with this action places the appliance in the Denied Devices list, which is located as a link in
the Configuration - Discovered Appliances menu.

Additionally,

It deletes the appliance from the navigation tree.

Orchestrator will break all tunnels/overlays/etc. to this device.

It tells the Portal to "unlicense" the appliance.


Synchronizing Appliance Configuration


Administration > [Tools] Synchronize

Orchestrator keeps its database synchronized with the appliances’ running configurations.

When you use Orchestrator to make a change to an appliance's running configuration, the appliance
responds by sending an event back to the Orchestrator server to log, thereby keeping Orchestrator and
the appliance in sync.

Whenever an appliance starts or reboots, Orchestrator automatically inventories the appliances to resync.

Whenever Orchestrator restarts, it automatically resyncs with the appliances.

When an appliance is in an OutOfSync management state, the Orchestrator server resyncs with it as it
comes back online.

If your overall network experiences problems, then you can use this page to manually resync to ensure that
Orchestrator has an appliance’s current running configuration.


Putting the Appliance in System Bypass Mode


Administration > [Tools] Bypass

System Bypass mode is only available for certain models of Silver Peak physical appliances. Virtual appliances don't
support bypass mode.

In system bypass mode, the fail-to-wire (or fail-to-glass) card DOES NOT receive or process packets.

Fail-to-wire network interfaces mechanically isolate the appliances from the network in the event of a hardware,
software, or power failure. This ensures that all traffic bypasses the failed appliance and maximizes uptime.

In an in-line deployment (Bridge mode), the LAN interface is physically connected to the WAN interface.

In Server mode and any Router mode, the appliance is in an open-port state.

When the appliance is in Bypass mode, a message displays in red text at the upper right corner of the user interface.


Broadcasting CLI Commands


Administration > [Tools] Broadcast CLI

You can simultaneously apply CLI (Command Line Interface) commands to multiple, selected appliances.

The window automatically gives you the highest user privilege level.

INFO  For more information, see the Silver Peak Command Line Interface Reference Guide.


Link Integrity Test


Used for debugging, the link integrity test lets you measure the throughput and integrity (amount of loss) of your
WAN link. You can run either iperf or tcpperf (Version 1.4.8).

These tests run on the two selected appliances, using user-specified parameters for bandwidth, duration,
DSCP marking, and type of traffic (tunnelized / pass-through-shaped / pass-through-unshaped).

Orchestrator runs the selected test twice -- once passing traffic from Appliance A to Appliance B, and the
second run passing traffic from Appliance B to Appliance A.

Custom Parameters are available for tcpperf and should be used cautiously, by advanced users.

TCPPERF Version 1.4.8


Basic Mode
Option Description

-h help.
-s server [server_port [server_port ...]]: Run tcpperf in server mode (not applicable for file generation).
Listens on TCP port 2153 by default.
-sr server range <server_port_start:server_port_end>
-c client server_IP [server_port [server_port ...]]: TCPperf server's IP address (not applicable for file
generation).
-cr <server_port_start:server_port_end> <server_port_start:server_port_end>
-g generate basefilename: Dump generated data to a file.
-sw sgwrite conffilename

Notes:

 1. The default server ports are 2153 and 2154.

 2. You can specify multiple odd-numbered server ports.

 3. The next even-numbered server ports will also be assigned automatically.

 4. These even numbers are reserved for double connection testing (see -I, interface IP).

 5. Generate mode generates a local file per flow with the same content that the client would have generated
with the specified parameters.

 6. SG write mode is like generate mode except that it writes to an SG device.

General Parameters
Option Description

-6 ip6. Forces tcpperf to use IPv6 addresses only. Default is IPv4 addresses.
-I interface IP: Specify source interface IP address. Default is any.
-o outname: Output filename. Default is stdout.
-u update <secs>: Frequency of printed updates in seconds. Default is 1.
-d duration <secs>: Set maximum test duration in seconds. Default is infinite.
-w wait <secs>: Wait until <secs> since 1970 before transmitting data.
-z realtime: Elevate to realtime priority. Requires root privilege.
-cm cpu mask: Specify CPU affinity. Requires root privilege.
-q quiet <level>: Suppresses detail based on level:
0 - None. Print results when test is complete.
1 - Default. Periodic packet/byte statistics.
2 - Verbose. Adds connection state changes.
3 - Debug. Prints everything.


TCP Parameters
Option Description

-tw tcpwindow. TCP window_size. Default is OS default.


-tm tcpmss: TCP mss. Default is OS default.
-tn tcpnodelay: TCP nodelay option. Default is nagle enabled.
-tq tcpquickack: TCP quick ack option. Default is delayed acks.
-td tcpdscp <cp>: Sets IP DSCP to <cp> (decimal). Default is 0.
-tr tcpretries <n>: Sets number of times to retry TCP connections.
-tp tcppace <n> [mode]: Pace TCP connection setup rate. Limits number of half-open connections to <n>.
Valid <mode> types are:
preestablish. All connections are established prior to data transmission. Default.
simultaneous. Begin data transmission as soon as connection made
-ta tcpabort: Sends RSTs instead of FINs on close.
-tf tcpfindelay <secs>: Time to wait after all data is sent before sending FIN/RST.

Traffic Generation Parameters


Option Description

-f file. Source filename to load. Default is 10MB of random data.


-i test id <i>: Set test ID. The same test ID produces the same data set. Use different test IDs to
generate unique data for each test run. Default is zero.
-n number <n>: Generate <n> flows. Default is one.
-b begin <byte>: First byte in transmission. Default is zero.
-e end <byte>: End byte in transmission (number of bytes to transmit). Default is file size.
Begin and end bytes can be greater than file size. The content is repeated to create extra
bytes.

-a antipat <mode>: Antipattern mode: default is mutate:


none Repeats same content verbatim on all flows. Repeats content if end byte
exceeds content size.

mutate Ensures all flows and data repeats are unique. Preserves short range
patterns within flow. Destroys cross flow similarity. Destroys original byte
code distribution.

shuffle Ensures all flows and data repeats are unique. Preserves short range
patterns within flow. Preserves cross flow similarity. Preserves original byte
code distribution.

fast Ensures all flows and data repeats are unique. Does not preserve short
range patterns. Destroys cross flow similarity. Destroys original byte code
distribution. Uses less CPU than mutate or shuffle.

-l loopback [mode]: Loopback. Default is unidirectional.


uni Unidirectional client to server.

rev Unidirectional server to client.

bidir Bidirectional, client and server independently send data on the same TCP
connection.

bidir2 Bidirectional, client and server independently send data on secondary TCP
connections.

loop Bidirectional, server loops data back to client on the same TCP connection.

loop2 Bidirectional, server loops data back to client on a secondary TCP connection.

bidir2 Bidirectional, transmits one transaction at a time. Client waits for the previous
transaction to be echoed. Emulates transactional data.

NOTES:

 1. Content source for traffic originating at the server is determined by the server (not
client) command line.
 2. loop2 and bidir2 modes use 2 x <n> TCP connections and require that the server has
even-numbered ports available.
-r rate <bps>: Limits aggregate transmission rate to <bps>. Default is no rate limit.
-t trans <min> [max]: Sets size of each socket transaction. Default is 64000.
If <min> and <max> are specified, client generates transactions with random sizes between
<min> and <max>. This feature is often used with -l and -r. Set the minimum transaction size
to 100000 to improve single-flow performance.

-v verify <mode>: Verify integrity of received data. Default is global.


none No verification. Fastest/least CPU load.

global Single global hash per flow. Fast, but cannot isolate an errored block.

literal Literal comparison of data upon reception. Fast, can isolate errors to the
byte level. Requires that server has same content as client. Use random
data gen or same -f file at server.

embedded Embedded hashes every 4096 bytes. Slower, can isolate errors to 4096
byte block.

-p repeat <n>: Repeat each content byte n times. Default is 1 (no repeats).
Works for both random data and file content.
-k corrupt <n> <m> <s> [<%change>[<%insert>[<%delete>]]]: Corrupt 0 to n bytes of data every m
bytes using seed s. Delta bytes will require 0.5*n/m percent overhead. Each corruption may be a
change, insert, or delete, with the probability of each being specifiable. The default is 33.3%
changes, 33.3% inserts, and 33.3% deletes.
-x excerpts <b> <e> <l> [s]: Send random excerpts of average <l> length bytes from content
between <b>egin and <e>nd bytes. The -b and -e options still specify total bytes to send. Uses
random seed s.
-y defred <s%> <m%> <l%> <sb> <smin> <smax> <mb> <mmin> <mmax> <lb> <lmin> <lmax>:
Generate content based on a defined reduction model.
Content is drawn from three data sets: s, m, and l:
s% Specifies fraction [50%] of s-type content (short term reducible).

m% Specifies fraction [30%] of m-type content (medium term reducible).

l% Specifies fraction [20%] of l-type content (long term reducible).

Short term content comes from a data set of sb Mbytes [100MB] with excerpts uniformly
distributed between smin and smax bytes [10K-1M].
Medium term content comes from a data set of mb Mbytes [100GB] with excerpts uniformly
distributed between mmin and mmax bytes [10K-1M].
Long term content comes from a data set of lb Mbytes [100TB] with excerpts uniformly
distributed between lmin and lmax bytes [10K-1M].
The -b and -e options still specify total bytes to send.
Performance is best if -b is 0.
Uses random seed s.

-ssl Enable SSL on connection with optional parameters.


[param=value ...] version=2|3|t10|t11|t12. Set the protocol version.
cipher=OPENSSL-CIPHER-DESC. Set the choice of ciphers.
ticket=yes|no. Enable/disable session ticket extension.
cert=FILENAME. Use this certificate file.
key=FILENAME. Use this private keyfile.
compression=none|any|deflate|zlib|rle. Set the compression method.
sslcert. Print the SSL certificate in PEM format.
sslkey. Print the SSL key in PEM format.


Disk Management
The Disk Management tab lists information about physical and virtual appliance disks.

The progress bar shows what percentage of the polling is complete.

Physical appliances use RAID arrays with encrypted disks.

Disk failure results in a critical alarm.

If a row shows that a disk has failed, click Edit to access the appliance, and follow directions in the local help
for replacing the failed disk.

You can view the SMART [Self-Monitoring Analysis and Reporting Technology] data from physical appliance
disks.

To replace a failed disk:


 1. Log into your Support portal account, and click Open a Self Service RMA for disk replacement.

 2. Complete the wizard, using the serial number of the appliance (not the disk).

 3. After you receive the new disk, access Appliance Manager by clicking any Edit icon that belongs to the
appliance in question.

 4. Follow the instructions in that page’s on-line help.


Erasing Network Memory


Administration > [Tools] Erase Network Memory

Erasing Network Memory removes all stored local instances of data.

No reboot required.


Rebooting or Shutting Down an Appliance


Administration > [Tools > Reboot] Appliance Reboot / Shutdown

The appliance supports three types of reboot:

Reboot. Reboots the appliance gracefully. This is your typical "vanilla" restart.

Use case: You're changing the deployment mode or other configuration parameters that require a reboot.

Erase Network Memory and Reboot. Erases the Network Memory cache and reboots the appliance.

Use case: You need to restart the appliance with an empty Network Memory cache.

Shutdown. Shuts down the appliance and turns the power off. To restart, go to the appliance and physically
turn the power on with the Power switch.

Use case:

You're decommissioning the appliance.

You need to physically move the appliance to another location.

You need to recable the appliance for another type of deployment.

Behavior During Reboot


A physical appliance enters into one of the following states:

hardware bypass, if deployed in-line (Bridge mode), or

an open-port state, if deployed out-of-path (Router mode or Server mode).

Unless a virtual appliance is configured for a high availability deployment, all flows are discontinued during reboot.


Scheduling an Appliance Reboot


Administration > [Tools > Reboot] Schedule Appliance Reboot

You can schedule an appliance for any of three types of reboot:

Reboot. Reboots the appliance gracefully. This is your typical "vanilla" restart.

Use case: You're changing the deployment mode or other configuration parameters that require a reboot.

Erase Network Memory and Reboot. Erases the Network Memory cache and reboots the appliance.

Use case: You need to restart the appliance with an empty Network Memory cache.

Shutdown. Shuts down the appliance and turns the power off. To restart, go to the appliance and physically
turn the power on with the Power switch.

Use case:

You're decommissioning the appliance.

You need to physically move the appliance to another location.

You need to recable the appliance for another type of deployment.

Behavior During Reboot


A physical appliance enters into one of the following states:

hardware bypass, if deployed in-line (Bridge mode), or

an open-port state, if deployed out-of-path (Router/Server mode).

Unless a virtual appliance is configured for a high availability deployment, all flows are discontinued during
reboot.

INFO  To specify the timezone for scheduled jobs and reports, go to Orchestrator > [Software & Setup > Setup]
Timezone for Scheduled Jobs.


Reachability Status Tab


This page summarizes the status of communications in two directions – Orchestrator to Appliances and
Appliances to Orchestrator.

Admin Username is the username that an Orchestrator server uses to log into an appliance.

An Orchestrator can use the web protocols, HTTP, HTTPS, or Both to communicate with an appliance.
Although Both exists for legacy reasons, Silver Peak recommends using HTTPS for maximum security.

An appliance's State can be Normal, Unknown, Unsupported, or Unreachable.

Normal indicates that all is well.

Unknown is a transitional state that appears when first adding an appliance to the network.

Unsupported indicates an unsupported version of appliance software.

Unreachable indicates a problem in your network. Check your ports, firewalls, and deployment
configuration.


Active Sessions Tab


Administration > [Tools > Monitoring] Active Sessions

These tables display which users are logged in to Orchestrator and which appliances Orchestrator is managing.


Orchestrator Administration
This section describes items related to managing Orchestrator itself. These activities do not relate to managing
appliances.


Role Based Access Control


Orchestrator > Orchestrator Server > Users & Authentication > Role Based Access Control (RBAC)

Role Based Access Control lets you tailor the Orchestrator UI per user. You can assign roles and customize
appliance access for a user, and specify which menus that user sees in the Orchestrator UI tree.

Assign Roles & Appliance Access


Complete the following steps to assign roles and appliance access.

 1. In the Role Based Access Control tab, select Assign Roles & Appliance Access.

 2. Select the User field and enter a name for the user.

 3. Select the Appliance field and select the name of the appliance access group that you created in the
Appliance Access tab.

 4. Check the roles you want to apply to your user.

 5. Select Save.

The following table defines each default role you can select in step 4.

Field Definition

ConfigAdmin You can back up and restore appliance configuration and view the
configuration history.
OrchestratorAdmin Allows you to only perform Orchestrator operations, such as
settings, tools, user management, and Orchestrator upgrades.
Appliance operations are not allowed.
OverlayAdmin A global role for managing SD-WAN overlays.

NOTE   Overlay management cannot be specific to a site or region.

SiteMonitor Read-only permissions equivalent to SiteAdmin.


SiteOperator Allows for appliance- or site-specific operations, such as configuring
appliance-specific policies, ACLs, TCAs, and SSL certificates; however,
this role does not allow you to upgrade or remove an appliance
from the network. You also cannot perform global SD-WAN
functions such as overlay management or Zscaler orchestration.
SiteUpgradeAdmin Allows you to upgrade appliance(s) and remove them from the
network.
SuperAdmin Allows for Read-Write level access to all the menus.

SiteAdmin Allows for appliance- or site-specific operations, such as configuring
appliance-specific policies, ACLs, TCAs, SSL certificates, and
upgrades. You cannot perform global SD-WAN functions like
overlay management or Zscaler orchestration, or remove the
appliance from the network.
Support Allows for all support operations.
Monitor Provides Read-Only level access to all the menus.

Roles
There is a set of default roles you can use. You can also create your own role or modify an existing one.

Field Definition

Role The name of the default role or the role you created.
Permission The permission you selected for a given user. Read-Write or Read-Only.
Features The accessible features for a given user.

To add a role:

 1. Select Create Roles.

 2. Select Add or the Edit icon from the Roles window.

 3. Enter the name for your role.

 4. Select a category you want to assign to your user from the following tabs: Monitoring, Configuration,
Administration, Orchestrator, Support, or Miscellaneous.

 5. Assign an access level to any of the categories: Select Read Only or Read & Write.

 6. Check any of the boxes you want to apply to your role within the designated categories.

NOTE  You can Select All or Unselect All.

 7. Select Save.

Appliance Access
You can also grant a user access to specific appliances. Complete the following steps to customize appliance
access.

 1. Select Create Appliance Access Groups in the Role Based Access Control tab. The Appliance Access
Group window opens.

 2. Select Add to create an appliance access rule, or the Edit icon to modify an existing one.


 3. Select the name field and enter the name of the appliance.

 4. Select whether you want to Select By Groups or Select By Region. You can add all groups or regions or just
select a few.

 5. Select Save.

WARNING  If you are an RBAC user with appliance access only (i.e. without any assigned roles), you will have access
to the Appliance Manager, CLI Session, and Broadcast CLI. If you are an RBAC user with any role assigned, access to
the Appliance Manager, CLI Session, and Broadcast CLI will be denied.

User | Appliance Access | Roles? | Menu Options
RBAC User | Yes | None assigned | Appliance Manager, CLI Session, Broadcast CLI
RBAC User (non-RBAC User) | No | None assigned | Appliance Manager, CLI Session, Broadcast CLI
RBAC User | No | Any | Appliance Manager, CLI Session, and Broadcast CLI will be denied.


Viewing Orchestrator Server Information


Orchestrator [Orchestrator Server > Server Management] Server Information

This page provides data specific to this Orchestrator server.


Restart, Reboot, or Shutdown


Orchestrator [Orchestrator Server > Server Management] Restart Orchestrator
Orchestrator [Orchestrator Server > Server Management] Reboot Server
Orchestrator [Orchestrator Server > Server Management] Shutdown Server

Orchestrator provides these three convenient actions in the Orchestrator menu:

Restart Orchestrator Application quickly restarts the Orchestrator software.

Reboot Orchestrator Server is a more thorough restart, accomplished by rebooting the Orchestrator server.

Shutdown Orchestrator Server results in the server being unreachable. You will have to manually power on
the server to restart.


Managing Orchestrator Users


Orchestrator > [Orchestrator Server > Users & Authentication] User Management

The User Management page allows you to manage who has Read-Write or Read-Only access to Orchestrator.

Adding a User
Users can have either Read-Write or Read-Only privileges. These provide prescribed access to Orchestrator
menus.

To further limit what users can see, you can assign them to customized menu groups in Orchestrator >
User Menu Access.

Multi-Factor Authentication (MFA) is a recommended option for each Orchestrator user.

You cannot modify a Username. You must delete it and create a new user.

Multi-Factor Authentication
Silver Peak Orchestrators support Multi-Factor Authentication (MFA). This is available on all platforms of the Silver
Peak Orchestrator, including on-premise and cloud versions.

The first step in authentication is always username/password. For added security, users can choose between
Application or Email based authentication, as described below.

NOTE  Currently, only admin users can configure Multi-Factor Authentication, and only for themselves.


Configuring Multi-Factor Authentication through an Application


Orchestrator supports applications that provide time-based keys for two-factor authentication and are compliant
with RFC 4226 / RFC 6238. Google Authenticator is one such app. The example below uses Google Authenticator on a
mobile phone. You can also use a desktop version.

 1. To enable Multi-Factor Authentication, go to Orchestrator > User Management and click on your username.

 2. For Two Factor, click Application. Orchestrator generates a time-limited QR code.

 3. With the Google Authenticator app, use the Scan barcode function to read the QR code. You will also be
prompted to enter your Orchestrator username and password.

Here you can see Google Authenticator with the new admin account added for the Orchestrator, silverpeak-
gxv.


Configuring Multi-Factor Authentication through Email


 1. To enable Multi-Factor Authentication, go to Orchestrator > User Management and click on your username.

 2. For Two Factor, click Email and enter your email address.

If an invalid email address is entered, the account could be locked out and would require password reset
procedures.

 3. After you click Add at the bottom of the dialog, Orchestrator sends you a time-limited authentication code via
email. To verify your email address, click that link.

Orchestrator then opens a browser window telling you that your email address has been verified.

Using Multi-Factor Authentication


After Multi-Factor Authentication is configured, every login requires two steps—entering the username/password
and entering the current token.

Based on which authentication method you chose, do one of the following:

Use the current token from the Google Authenticator (or other) app.

Use the code you receive in email.

In both cases, the codes have a specific expiry time.
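As an added example (not Orchestrator code) of what the RFC 4226 / RFC 6238 application method above does, and why the codes here expire: a plain-Python HOTP/TOTP implementation, checked against the RFC 6238 test-vector secret. The secret, issuer and account names are constructed; Orchestrator's real enrolment parameters are whatever its QR code encodes.

```python
"""RFC 4226 (HOTP) and RFC 6238 (TOTP), the scheme Google Authenticator
and similar apps implement. Added example, not Orchestrator code; the
issuer/account values are constructed for illustration."""
import base64
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). A code is only
    valid while the clock stays in the same 30-second step, which is the
    expiry the text above refers to."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps either
    side, tolerating small clock drift between phone and server. The
    comparison is constant-time so the check itself leaks nothing."""
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// Key URI an enrolment QR code carries, which the app
    scans in step 3 above. The secret is base32 without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


# RFC 6238 Appendix B reference secret ("12345678901234567890"): a published
# test vector, not a real key.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now),
          "valid for", 30 - now % 30, "more seconds")
    print(provisioning_uri(RFC_SECRET, "admin", "Orchestrator-example"))
```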


Modify User

User Name is the identifier the user uses to log in.

First Name, Last Name, and Phone Number are optional information.

Email is required if two factor authentication is enabled.

Two Factor Authentication

This is a second step in the login process, where an authentication code is required.

The code can be obtained in two ways:

Using an Authentication Application that generates time based authentication codes. If this is
activated a Barcode will be generated that can be scanned to set up an authentication app like Google
Authenticator for your mobile device.

Using your Email to receive authentication codes every time you log in. This requires access to your
email every time you log in.

Password is used at login.

Status determines whether the user can log in.

Role determines the user's permissions.


User Menu Access


Orchestrator > [Orchestrator Server > Users & Authentication] User Menu Access

Use the User Menu Access page to create groups that have customized menu access privileges. Use these when
you want to limit which menus users can see.

For each group you create, select which menus will be visible to assigned users.


To assign a group to a specific user, click Add User. The following popup appears.


Remote Authentication
Orchestrator > Orchestrator Server > Users & Authentication > Authentication

The Remote Authentication page lets you manage different remote authentication methods for Orchestrator
users.

To add a new remote authentication method, click +Add New Server.

To view or modify the settings for an existing remote authentication method, click the edit icon in the row
of the existing method.

Orchestrator supports the following for remote authentication:

RADIUS

TACACS+

OAuth

JWT

SAML


Configuring a RADIUS or TACACS+ Server


You will need to configure the following when adding or modifying a RADIUS or TACACS+ server:

Field Description
Read-Write Privilege RADIUS only: The lowest value at which a user has Read-Write privileges. This value must
be the same as the value configured in the RADIUS server.
Read-Only Privilege RADIUS only: The lowest value at which a user has Read-Only privileges. This value must
be the same as the value configured in the RADIUS server.
Authentication Type Select the authentication type that matches what is configured on the RADIUS or TACACS+
server.
Primary/Secondary Server For each server in use, enter the IP address or hostname, port, and secret key of the
RADIUS or TACACS+ server.

Configuring an OAuth Server


Orchestrator supports remote authentication via the OAuth 2.0 framework. Before configuring an OAuth server in
Orchestrator, you will need to register Orchestrator as an application with your OAuth provider.

Prerequisites

The OAuth server must support OAuth 2.0 authorization codes, ID tokens, and optionally refresh tokens.

The ID token is used to get username, RBAC roles, and RBAC appliance access groups.

The refresh token can be checked periodically to ensure the user is still authorized/valid.

Depending on the OAuth server configuration, refresh tokens may be permanent or they may expire. If a
token is revoked or expires, the user will be forced to authenticate again.
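An added example, not Orchestrator or any provider's code, of the step these prerequisites describe: verifying an ID token and mapping its claims to a username, RBAC roles and RBAC appliance access groups. It uses the default claim names from the server dialog (email, sp-roles, sp-aag); the token is constructed and signed with a constructed HS256 secret so it runs offline, whereas a real provider signs ID tokens with its own published keys.

```python
"""Verify an OpenID Connect ID token and map its claims to Orchestrator user
attributes. Added example; issuer, client ID, secret and claims are made up."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce a compact JWS (header.payload.signature). Stands in for the
    identity provider only so that the example is self-contained."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


@dataclass
class OrchestratorUser:
    username: str
    roles: list = field(default_factory=list)
    appliance_groups: list = field(default_factory=list)


def user_from_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                       now: int, username_key: str = "email",
                       roles_key: str = "sp-roles",
                       aag_key: str = "sp-aag") -> OrchestratorUser:
    """Check signature, algorithm, issuer, audience and expiry before trusting
    a single claim; raise ValueError on any failure so the caller never
    receives a partially validated user."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # reject 'none' and algorithm swaps
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    username = claims.get(username_key)
    if not username:
        raise ValueError(f"no {username_key!r} claim; check the scope mapping")

    def as_list(value):
        # Providers send a single string or a list; a missing key means the
        # user gets no roles (appliance access only, per the RBAC warning).
        if value is None:
            return []
        return [value] if isinstance(value, str) else list(value)

    return OrchestratorUser(username, as_list(claims.get(roles_key)),
                            as_list(claims.get(aag_key)))


# Constructed sample: the kind of ID token an IdP might issue for an
# Orchestrator login, signed with a constructed secret.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_ISSUER = "https://idp.example.test"
SAMPLE_CLIENT = "orchestrator-app-id"
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT,
                 "iat": 1_700_000_000, "exp": 1_700_000_600,
                 "email": "netops@example.test",
                 "sp-roles": "OverlayAdmin", "sp-aag": ["west-region"]}
SAMPLE_TOKEN = sign_hs256(SAMPLE_CLAIMS, SAMPLE_SECRET)

if __name__ == "__main__":
    print(user_from_id_token(SAMPLE_TOKEN, SAMPLE_SECRET, SAMPLE_ISSUER,
                             SAMPLE_CLIENT, now=1_700_000_100))
```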

Register Orchestrator as an App

Before adding an OAuth server in Orchestrator, register a new app on your OAuth server for Orchestrator. You will
need to provide the following details when registering the app:

Application Type Register Orchestrator as a web app.
Allowed Grant Types Authorization code (required); Refresh token (optional).
Redirect URL The Orchestrator endpoint to which the user will be redirected after successful authentication,
which should be https://<Orchestrator_domain_or_IP_address>/gms/rest/authentication/oauth/redirect


Configure OAuth Server Properties in Orchestrator

When adding a new OAuth server or modifying an existing server, you will need to configure the following fields in
the Remote Authentication Server dialog:

Field: Description

Name: A name to identify the server. This name will be displayed in a button on the Orchestrator login page as an alternative method of authentication.
Client ID: The client ID for the Orchestrator application that you created in your OAuth provider.
Client Secret: The client secret for the Orchestrator application that you created in your OAuth provider.
Scopes: OAuth 2.0 uses scope values, as defined in RFC 6749, to specify which access privileges are being requested in Access Tokens. The default scopes for Orchestrator are openid, offline_access, and email.
Authentication URL: This is the Issuer Identifier URL with the authentication request path appended. For example: https://<your-oauth-domain>/oauth2/v1/authorize
Token URL: This is the Issuer Identifier URL with the token path appended. For example: https://<your-oauth-domain>/oauth2/v1/token
Username key: This is the OAuth attribute to be sent as the username. Use email if the username is an email address. If any other key is used, ensure that it is mapped to the correct scope in the OAuth server.
Roles key (optional) [1]: This field can be left with the default value, sp-roles, or you can enter a new key name, but the key name must match what is configured in your OAuth provider. This is a user claim sent in the ID token that maps to Silver Peak Orchestrator roles defined in Role Based Access Control (RBAC). For example, the OAuth server attribute userType maps to sp-roles, and the OAuth user in Orchestrator has userType = OverlayAdmin.
Appliance Access Group key (optional) [1]: This field can be left with the default value, sp-aag, or you can enter a new key name, but the key name must match what is configured in your OAuth provider. This is a user claim sent in the ID token that maps to Silver Peak Orchestrator Appliance Access Groups defined in Role Based Access Control (RBAC). For example, the OAuth server attribute department maps to sp-aag, and the OAuth user in Orchestrator has department = Asia-Admin.

[1] If roles and appliance access group keys are not provided, Orchestrator inspects its own configuration to determine the role and appliance access group for the user. If it does not find that information, the user is not allowed to log in.


To authenticate using RADIUS or TACACS+


 1. Select the access control protocol you want to use.

 2. Under Servers, enter the information for a Primary server of that type.
Entering a Secondary server is optional.

Field: Description

Authentication Order: Whether to use the remote map or the local map first. The default is Remote first.
Primary/Secondary Server: The IP address or hostname of the RADIUS or TACACS+ server.
Secret Key: The string defined as the shared secret on the server.
Read-Write Privilege: The lowest value at which a user has Read-Write privileges. This value must be the same as the value configured in the RADIUS server.
Read-Only Privilege: The lowest value at which a user has Read-Only privileges. This value must be the same as the value configured in the RADIUS server.
Authentication Type: When configuring to use the TACACS+ server, select the type from the drop-down list that matches what's configured on the TACACS+ server.

Configuring a JWT Server
If you are adding JWT to Orchestrator through an SSO service (for example, through Okta) you will need to complete
the following:


Generate the id_token with the following fields:

Issuer 'iss'

Auditor 'aud'

expiration 'exp'

signature

user, role and AAG

NOTE  Please see the definitions of these fields in the table below.

Redirect URL based on successful authentication: https://<orchestrator_domainName>?access_token=<token>&id_token=<token>&state=<state>&token_type=Bearer&expires_in=3596

Then, complete the following steps in Orchestrator:

 1. Navigate to the Authentication tab in Orchestrator.

 2. Click +Add New Server. The Remote Authentication Server window opens.

 3. Select JWT from the Type drop-down menu and complete the following fields.

Field: Description

Name: The name of your JWT provider.
Cert/Signing Key: The HMAC key or RSA public key used to verify the id_token.
JWK URL: The URL that hosts the public certificate.
Validation Window: The maximum amount of time in minutes that the expiration is found for the id_token, before a new id_token is created.
Issuer: The issuer claim found in the id_token.
Auditor: The auditor claim found in the id_token.
Username Key: This attribute is sent as the username. Use email if the username is an email address. If any other key is used, ensure that it is mapped to the correct scope in the OAuth server.
Roles Key [1]: This field can be left with the default value, sp-roles, or you can enter a new key name, but the key name must match what is configured in your JWT provider. This is a user claim sent in the ID token that maps to Silver Peak Orchestrator roles defined in Role Based Access Control (RBAC). For example, the OAuth server attribute userType maps to sp-roles, and the OAuth user in Orchestrator has userType = OverlayAdmin.
Appliance Access Group Key [1]: This field can be left with the default value, sp-aag, or you can enter a new key name, but the key name must match what is configured in your JWT provider. This is a user claim sent in the ID token that maps to Silver Peak Orchestrator Appliance Access Groups defined in Role Based Access Control (RBAC). For example, the JWT server attribute department maps to sp-aag, and the JWT user in Orchestrator has department = Asia-Admin.
JWT token consuming URL: This is the URL of Orchestrator that remains the same.

[1] If roles and appliance access group keys are not provided, Orchestrator inspects its own configuration to determine the role and appliance access group for the user. If it does not find that information, the user is not allowed to log in.
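The OAuth and JWT tables above describe the same set of checks: Orchestrator verifies the id_token's signature, the iss claim against the configured Issuer, the aud claim against the Auditor field, and the exp claim, then reads the Username, Roles and Appliance Access Group keys (sp-roles and sp-aag by default) and, when the role or AAG claim is absent, falls back to its own configuration, refusing the login if neither source has the information. The following Python is an added example that models those checks; it is not Silver Peak's code and is not how Orchestrator is implemented. It verifies a constructed HS256 id_token with the standard library only, so the shared secret, issuer, audience and the local_users fallback dictionary are assumptions, and treating the Validation Window as a cap on how far ahead exp may lie is my reading of that field's description.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_id_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 id_token for testing (not a real provider's output)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_id_token(token, secret, issuer, audience, validation_window_min, now=None):
    """Check alg, signature, iss, aud and exp; return the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to the configured key type: the token must not choose it
    # (this rejects alg=none and HMAC/RSA key-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or exp missing")
    # Assumed reading of the Validation Window field: refuse tokens whose
    # expiration lies further ahead than the window allows.
    if exp - now > validation_window_min * 60:
        raise ValueError("exp beyond validation window")
    return claims


def token_rejection_reason(token, secret, issuer, audience, validation_window_min, now=None):
    """Return None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, secret, issuer, audience, validation_window_min, now)
    except ValueError as err:
        return str(err)
    return None


def resolve_orchestrator_user(claims, username_key="email", roles_key="sp-roles",
                              aag_key="sp-aag", local_users=None):
    """Map verified claims to a username, RBAC role and appliance access group.

    Follows the footnoted rule in the guide: if the role or AAG claim is absent,
    fall back to local configuration (local_users is a constructed stand-in for
    it); if neither source has the information, the login is refused.
    """
    username = claims.get(username_key)
    if not username:
        raise PermissionError("no username claim")
    role = claims.get(roles_key)
    aag = claims.get(aag_key)
    if role is None or aag is None:
        local = (local_users or {}).get(username, {})
        role = local.get("role") if role is None else role
        aag = local.get("aag") if aag is None else aag
    if role is None or aag is None:
        raise PermissionError(f"no role or appliance access group for {username}")
    return {"username": username, "role": role, "aag": aag}


def login_decision(claims, local_users=None, **keys):
    """Return the resolved user, or None when the login should be refused."""
    try:
        return resolve_orchestrator_user(claims, local_users=local_users, **keys)
    except PermissionError:
        return None
```

The order matters: claims are only read after the signature and algorithm checks, so a tampered sp-roles value or an unsigned token never reaches the role mapping. The same mapping works for the non-default key names in the table by passing roles_key="userType" and aag_key="department".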

Configuring a SAML Server
Orchestrator supports SAML 2.0 integration, providing authentication and authorization of your credentials through
an IdP (Identity Provider), SP (Service Provider), and a Principal. Refer to the list below for the represented meanings:

IdP: Okta

SP: Orchestrator

Principal: Principal end user

SAML and Orchestrator Configuration


Follow these instructions to complete the SAML and Orchestrator integration.

It is recommended to have Orchestrator open next to your Okta window while completing
these instructions.



 1. Sign in to your Okta account.

 2. Select Add Application and select SAML 2.0.

 3. Click Create New App.

 4. Sign in to Orchestrator and navigate to the Authentication tab (Orchestrator > Users & Authentication >
Authentication).

 5. Click +Add New Server.

 6. Select SAML from the Type field.

 7. In Orchestrator, copy the ACS URL and the SP SLO Endpoint by clicking the icon next to the fields.

 8. Navigate back to your SAML application configuration window.

 9. Enter the copied URLs in the following fields in the Step 2: Configure SAML section:

 a. Paste the ACS URL in the Single Sign On URL and Audience URL (SP Entity ID) fields.

 10. Specify the attributes and their corresponding values in the SAML Settings page. These are configured and
assigned in the RBAC tab in Orchestrator.

 a. sp-name: user.email

 b. sp-role: user.usertype

 c. sp-aag: user.department

 11. Click Next.

 12. Click Finish.

 13. Click the View Setup Instructions box on the completed SAML Application Settings page and enter the
following URLs in the corresponding Orchestrator fields:


SAML Field: Orchestrator Field

Identity Provider Single Sign-On URL: SSO Endpoint
Identity Provider Issuer: Issuer URL
X.509 Certificate: IdP X.509 Cert

Refer to the table below for more details regarding the fields in Orchestrator.

Field: Description

Name: Any text value for your SAML account for identification purposes.
Username Attribute: This attribute is used to retrieve the username from the SAML XML response.
Issuer URL: The unique identifier of the issuer (for example: Okta, OneLogin).
SSO Endpoint: The unique endpoint for the SAML application created on the IdP server.
IdP X.509 Cert: A certificate issued by the IdP, used to verify and validate the response received from the IdP (Okta) server.
ACS URL: The Orchestrator endpoint needed for configuration on the IdP server. This is provided as a redirect URL once you are authenticated on the IdP server.
SP SLO Endpoint (Optional): This endpoint is used by the IdP to initiate the logout request from Orchestrator to the IdP server.
IdP SLO Endpoint (Optional): This endpoint is used by the IdP to initiate the logout request from Orchestrator to the IdP server. The endpoint used by Orchestrator (Silver Peak) to initiate the logout request to the IdP.
SP X.509 Cert SLO (Optional): A certificate used by the IdP to verify the Single Logout request initiated by Orchestrator to log out of the IdP.
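The SAML settings above name the attributes the IdP must send (sp-name, sp-role, sp-aag in step 10) and the values Orchestrator checks the response against (Issuer URL, the ACS URL used as the Audience URL, and the IdP X.509 Cert used to validate the response). As an added example, not Silver Peak's code and not Orchestrator's implementation, the following Python parses a constructed, unsigned SAML 2.0 Response with the standard library: it checks the status, issuer, audience restriction and validity window, then extracts the three attributes. The issuer, audience and timestamps in the sample are placeholders I made up. Signature verification against the IdP X.509 Cert is a precondition that this function assumes has already happened and does not implement; it needs an XML signature library and is the step that makes the attributes trustworthy.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response: no real IdP, unsigned, placeholder URLs and times.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2020-08-03T10:00:00Z">
  <saml:Issuer>https://idp.example.test/issuer</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-08-03T10:00:00Z">
    <saml:Issuer>https://idp.example.test/issuer</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-08-03T09:55:00Z" NotOnOrAfter="2020-08-03T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://orchestrator.example.test/acs-placeholder</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="sp-name"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sp-role"><saml:AttributeValue>OverlayAdmin</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sp-aag"><saml:AttributeValue>Asia-Admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_utc(stamp):
    """SAML timestamps are UTC in the form 2020-08-03T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_saml_user(xml_text, issuer_url, audience, now_utc,
                      name_attr="sp-name", role_attr="sp-role", aag_attr="sp-aag"):
    """Validate status, issuer, audience and time window, then pull the attributes
    Orchestrator maps to username, RBAC role and appliance access group.

    Precondition not implemented here: the XML signature on the Response or
    Assertion has already been verified against the configured IdP X.509 Cert.
    """
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE declarations are not accepted")  # no entity tricks
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a SAML Response")
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("status is not Success")
    assertion = root.find(SAML + "Assertion")
    if assertion is None:
        raise ValueError("no Assertion")
    if assertion.findtext(SAML + "Issuer") != issuer_url:
        raise ValueError("issuer mismatch")
    conditions = assertion.find(SAML + "Conditions")
    if conditions is None:
        raise ValueError("no Conditions")
    now = parse_utc(now_utc)
    if now < parse_utc(conditions.get("NotBefore")) or now >= parse_utc(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion not valid at this time")
    if audience not in [a.text for a in conditions.iter(SAML + "Audience")]:
        raise ValueError("audience mismatch")
    attrs = {}
    for attr in assertion.iter(SAML + "Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.findall(SAML + "AttributeValue")]
    try:
        return {"username": attrs[name_attr][0], "role": attrs[role_attr][0], "aag": attrs[aag_attr][0]}
    except (KeyError, IndexError):
        raise PermissionError("required SAML attribute missing")


def saml_rejection_reason(xml_text, issuer_url, audience, now_utc, **attr_names):
    """Return None if the response is accepted, otherwise the reason it was rejected."""
    try:
        extract_saml_user(xml_text, issuer_url, audience, now_utc, **attr_names)
    except (ValueError, PermissionError) as err:
        return str(err)
    return None
```

The attribute names are parameters so a deployment that maps user.usertype to a differently named attribute can be checked the same way; a missing attribute is a refused login, matching the fallback rule stated for the OAuth and JWT tables.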


Cloud Portal
Configuration> [Overlays > Licensing] Cloud Portal
Orchestrator > [Orchestrator Server > Licensing] Cloud Portal

The Cloud Portal is used to register cloud-based features and services, such as SaaS optimization and
EdgeConnect.

When you purchase one of these services, Silver Peak sends you an Account Name and instructions to
obtain your Account Key. You will use these to register your appliance(s).

The cloud portal populates the Contact field from information included in your purchase order.

Use of these services requires that your appliance(s) can access the cloud portal via the Internet.


Orchestration Settings
The Orchestration Settings manage Business Intent Overlays (BIOs) and the properties used to control them. It
builds new tunnels and fixes existing ones.

Field: Definition

Apply Overlays: When selected, updates all associated appliances when overlay changes are saved.
Reset All Flows: When selected, Orchestrator will automatically reset all flows whenever you edit overlays or change policies or priorities. When deselected, the flows can only be reset manually.
Auto Save Appliance: Selected by default, this automatically saves any changes made to an appliance. If you need a time delay for troubleshooting or testing, you can deselect this option to suspend automatic saving of configuration changes.
Apply Templates: When selected, updates all associated appliances when template changes are saved.
Idle Time: The amount of time Orchestrator sleeps or is idle between checking for any configuration changes. For normal size networks, the recommended idle time is 60 seconds. For smaller networks, 30 seconds is the recommended idle time.
Auto Flow Re-Classify: Specifies how long the Overlay Manager waits before surveying the network when configuration changes are not being made.

IPSec UDP Settings

Default Port: By default, Business Intent Overlays create IPSec UDP tunnels. The default port is 10002. If necessary, you can configure this for an individual appliance on its System Information page, under System Settings. This is accessible from the appliance's context-sensitive menu in Orchestrator's navigation pane.
Increment Port By: Referenced when configuring an Edge HA (High Availability) pair. When the value is 1000, the second appliance's default port would become 11002.

Audit Logs
The Audit Logs tab lists actions from a user or the system itself, initiated by Orchestrator.

You can apply the following filters to your audit logs.

You can select Completed, In Progress, or Queued filters to determine which actions you want to display in
the table.

You can select the following different log levels: Debug, Info, Error to apply to your filter.


You can choose either Auto Refresh or Pause to refresh or pause the table. By default, the table refreshes
automatically.

You can enter a Record Count. This limits the filtering criteria. The default value is 500 and 10,000 is the
maximum amount you can filter.

You can choose the name of the Appliance from the lists to apply as a filter.

You can also search a wild card character (*) as a user name and all user logs will display. If you enter any
value in the user field, there will be no filter applied to the search. The following are true for audit log wild
cards:

x*= anything that starts with the entered value

*x= anything that ends with the entered value

Field: Definition

Username: You can filter/search for an audit log by the user name of the appliance.
IP Address: The IP address of the selected appliance.
Host Name: The host name of the appliance the audit log is coming from.
Action: What you want the audit log to do.
Task Status: The status of the audit log task.
Results: The results of the audit log being searched.
Start Time: The time the search of the audit log started.
End Time: The time the search of the audit log ended.
Queued Time: The time the process/task was requested or scheduled in the queue.
Percent Completed: The percent completed of the audit log task.
Completion Status: Whether the task has been completed.


Pause Orchestration List


Orchestrator > [Orchestrator Server > Tools] Pause Orchestration List

When troubleshooting, you can pause Orchestration for the appliances in question.


Tunnel Settings Tab


Use this page to manage the properties for those tunnels created by Orchestrator. This tab provides tunnel settings
for General, IKE, and IPsec for MPLS, Internet, and LTE WAN Interface labels.

Tunnel Settings for Overlays and Tunnel Groups

 
General

Mode: Indicates whether the tunnel protocol is ipsec, ipsec_udp, udp, or gre. If you select IPSec, you can specify the IKE version in the IKE tab.
Auto Max BW Enabled: Allows the appliances to auto-negotiate the maximum tunnel bandwidth.
Auto Discover MTU Enabled: Allows the appliances to auto-negotiate the tunnel MTU. MTU (Maximum Transmission Unit) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. Silver Peak provides support for MTUs up to 9000 bytes. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.
Packet Reorder Wait: The maximum time the appliance holds an out-of-order packet when attempting to reorder. The packets can come from either the same or a different path, or from the FEC correction engine. 100 ms is the default value and should be adequate for most situations. If the reorder wait time exceeds 100 ms (or the set value), the packet will be delivered out of order.
FEC: FEC (Forward Error Correction) can be set to enable, disable, or auto.
FEC Ratio: When FEC is set to auto, this specifies the maximum ratio. The options are 1:2, 1:5, 1:10, or 1:20.

Tunnel Health

Retry Count: Number of failed keep-alive messages that are allowed before the appliance brings the tunnel down.
DSCP: Determines which DSCP marking the keep-alive messages should use.

Fastfail Thresholds

Fastfail Thresholds: Fastfail thresholds determine how quickly to disqualify a tunnel from carrying data when multiple tunnels are carrying data between two appliances.

The Fastfail connectivity detection algorithm for the wait time from receipt of the last packet before declaring a brownout is:

Twait = Base + N * RTTavg

where Base is a value in milliseconds, and N is the multiplier of the average Round Trip Time over the past minute.

For example, if Base = 200 ms, N = 2, and RTTavg = 50 ms, then Twait = 200 + 2 * 50 = 300 ms.

The appliance declares a tunnel to be in brownout if it doesn't see a reply packet from the remote end within 300 ms of receiving the most recent packet. In the Tunnel Advanced Options, Base is expressed as Fastfail Wait-time Base Offset (ms), and N is expressed as Fastfail RTT Multiplication Factor.

Fastfail Enabled: This option is triggered when a tunnel's keep-alive signal doesn't receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keep-alive reply, its recovery is instantaneous.
If set to disable, keep-alives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.
If set to enable, keep-alives are sent every second, and a missed reply increases the rate at which keep-alives are sent from 1 per second to 10 per second. Failover occurs after 1 second.
When set to continuous, keep-alives are continuously sent at 10 per second. Therefore, failover occurs after one tenth of a second.

Thresholds for Latency, Loss, or Jitter are checked once every second. Receiving 3 successive measurements that exceed the threshold puts the tunnel into a brownout situation, and flows will attempt to fail over to another tunnel within the next 100 ms. Receiving 3 successive measurements that drop below the threshold will take the tunnel out of brownout.

IPsec Encryption Algorithm: For encrypting tunnel data. Choose from auto, AES-256, or AES-128.
Latency: The amount of latency, measured in ms.
Loss: The amount of data lost, measured in percent.
Jitter: The amount of jitter, measured in ms.
FastFail Wait-Time Base Offset: The base time used when you calculate the fastfail timeout.
FastFail RTT Multiplication Factor: The multiplier in the formula used to calculate the fastfail timeout.

 
IKE

Authentication Algorithm: This is for setting tunnel authentication. Choose from SHA-1, SHA2-256, SHA2-384, or SHA2-512.
Encryption Algorithm: Specifies the encryption algorithm used for the Phase 1 negotiation. Choose from AES-256, AES-128, or auto.
Diffie-Hellman Group: The Diffie-Hellman group used for IKE SA negotiation.
Lifetime: The lifetime of the IKE SA.
Dead Peer Detection: Delay time: the amount of time, in seconds, to wait for traffic from the destination IKE peer. Retry Count: the number of times to retry the connection before determining that the connection is dead. NOTE: Dead Peer Detection is only supported on EdgeConnect appliances running VXOA software version 8.2.1 and higher.
Phase 1 Mode: Defines the exchange mode for Phase 1. The options are Main or Aggressive. If IKEv2 is selected, the default mode is aggressive.
IKE Version: The IKE major version. Select either IKEv1 or IKEv2.

 
IPSec

Authentication Algorithm: The authentication algorithm used by the IPSec SA. Choose from SHA-1, SHA2-256, SHA2-384, or SHA2-512.
Encryption Algorithm: Specifies the encryption algorithm used for the Phase 1 negotiation. Choose from AES-256, AES-128, or auto.
Enable IPsec Anti-replay Window: Select if you want to enable the IPSec anti-replay window. If selected, protection is provided against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The default window size is 64 packets.
Lifetime: The lifetime of the IKE SA.
Perfect Forward Secrecy Group: Specifies the Diffie-Hellman Group exponentiations used for IPSec SA negotiation.


Orchestrator Blueprint Export


Orchestrator > [Orchestrator Server > Tools] Orchestrator Blueprint Export

Use this page to create and export a configuration that Orchestrator-SP can use as a template for other
Orchestrators.


Brand Customization
Orchestrator > [Orchestrator Server > Tools] Brand Customization

Use this menu to customize the branding elements of Orchestrator's user interface.


Maintenance Mode
You can put one or more appliances in maintenance mode by selecting the specific appliance in the tree. Upon
approval, the appliances are added to the maintenance list. You can also put an appliance in maintenance mode by
searching "Maintenance Mode" in the search bar or by right-clicking on any appliance and selecting Maintenance
Mode. Complete the following steps to add an appliance to maintenance mode.

 1. Navigate to Maintenance Mode in Orchestrator.

 2. Select Add. The Configure Maintenance Mode window opens.

 3. Check Pause Orchestration if you want to pause orchestration.

 4. Check Suppress Alarms if you want to suppress alarms associated with this appliance while in maintenance
mode.

 5. Select OK.

 6. Select Save.

NOTE  The appliance goes into maintenance mode if you pause orchestration and/or suppress all alarms.

Field: Definition

Host Name: The host name of the appliance you are adding to maintenance mode.
Alarms: Whether you chose to suppress or not suppress your alarms while the appliance is in maintenance mode.
Orchestration: If paused, all orchestration is paused on the selected appliance, except IPSec UDP Tunnel Key material.
IP: The IP address of the appliance in maintenance mode.
Version: The current version of the appliance.


Upgrading Orchestrator Software


If you are already using Orchestrator 8.6.0 or later and want to upgrade to a newer version, complete the following
procedure.

WARNING  An upgrade that fails can put Orchestrator into a corrupt state. Be sure to back up Orchestrator before
you start the upgrade process.

 1. Open an SSH session to the Orchestrator.

 2. Log in as admin or a user with administrative privileges.

 3. Switch to root:

su - root

 4. Enter the root password when prompted. Contact Silver Peak TAC if you don't know your root password.

 5. Change to the /home directory:

cd /home

Depending on your environment, you can upgrade Orchestrator in one of two ways:

Upgrade via HTTP

Upgrade via SCP

Upgrade via HTTP

If you have an HTTP URL to the Orchestrator installation file, enter the following in the existing SSH console to run the
install script and point it to the hosted installation file:

/home/gms/gms/setup/install_orchestrator.sh <HTTP URL of the Orchestrator Installation File>

NOTE  The upgrade process can take several hours to complete.

 
Upgrade via SCP

If you don't have an HTTP server, copy the installation file to Orchestrator using SCP, then run the install script
and point it to the local installation file:

 1. From your local PC console, enter the following:

scp <Orchestrator Installation file> admin@<orchestrator_ip_address>:/home/gms


 2. From the Orchestrator SSH console, enter the following:

/home/gms/gms/setup/install_orchestrator.sh /home/gms/<Orchestrator Installation file>

NOTE  The upgrade process can take several hours to complete.


Checking for Orchestrator and Appliance Software Updates


Orchestrator > [Software & Setup > Upgrade] Check for Updates

These pages show what appliance and Orchestrator server software is available for download.


Backing Up on Demand
Orchestrator > [Software & Setup > Backup] Backup Now

Use this page to backup the Orchestrator database on demand.


Scheduling Orchestrator Database Backup


Orchestrator > [Software & Setup > Backup] Schedule Backup

Use this page to schedule a backup of the Orchestrator database.

TIP  To specify the timezone for scheduled jobs and reports, go to Orchestrator > [Software & Setup > Setup]
Timezone for Scheduled Jobs.


SMTP Server Settings


Orchestrator > [Software & Setup > Setup] SMTP Server Settings

For permanent, private email delivery, change the SMTP (Simple Mail Transfer Protocol) server and settings to your
company’s SMTP settings.

If a test email doesn't arrive within minutes, check your firewall.

After configuring the SMTP settings, you can specify email recipients for:

alarms (Monitoring > Alarms > Alarm Recipients), and

reports (Monitoring > [Reporting] Schedule & Run Reports)


Proxy Configuration
Orchestrator > [Software & Setup > Setup] Proxy Configuration

If necessary (for example, because of firewall issues), you can configure a proxy for reaching the Silver Peak portal.


Orchestrator's HTTPS Certificate


Orchestrator > [Software & Setup > Setup] HTTPS Certificate

Orchestrator includes a self-signed certificate that secures the communication between the user's browser and
Orchestrator. You also have the option to install your own custom certificate, acquired from a Certificate Authority (CA).

For a custom certificate, to use with Orchestrator:

 1. Consult with your IT security team to generate a certificate signing request (CSR), and submit it to your
organization's chosen SSL Certificate Authority (CA).

Examples of Certificate Authorities include GoDaddy, Verisign, Comodo, Symantec, Microsoft Entrust,
GeoTrust, etc.

For a list of what Silver Peak supports, see Silver Peak Security Algorithms.

All certificate and key files must be in PEM format.

 2. After the Certificate Authority provides a CA-verified certificate:

If your IT security team advises the use of an Intermediate CA, then use an Intermediate Certificate
File. Otherwise, skip this file.

Load the Certificate File from the CA.

Upload the Private Key File that was generated as part of the CSR.

 3. To associate the CA verified certificate for use with Orchestrator, click Upload.


Timezone for Scheduled Jobs


Orchestrator > [Software & Setup > Setup] Timezone for Scheduled Jobs

Use this page to set the timezone for scheduled jobs and reports.


Orchestrator Statistics Configuration


Use this tab to specify which types of statistics you want the Orchestrator to collect from the appliances.


Appliance Statistics Configuration


This screen displays the default values for appliance properties.

IMPORTANT: Changing the default values of these settings is not recommended without consulting Silver Peak.


Orchestrator Advanced Properties


Orchestrator > [Software & Setup > Setup] Advanced Properties

IMPORTANT: Changing the default values of these settings is not recommended without consulting Silver Peak.


Changing Orchestrator's Log Level


Orchestrator > [Software & Setup > Setup] Change Log Level

Use this form to change what level of server-side Orchestrator logs are retained.
The default is INFO.

Minimum Severity Levels


In decreasing order of severity, the levels are as follows.

Level: Definition

ERROR: An error. This is a non-urgent failure.
WARNING: A warning condition. Indicates an error will occur if action is not taken.
INFORMATIONAL: Informational. Used by Silver Peak for debugging.
DEBUG: Used by Silver Peak for debugging.

The bolded part of the name is what displays in Silver Peak's logs.

If you select INFO (the default), then the log records any event with a severity of INFO, WARNING, and ERROR.

These are purely related to event logging levels, not alarm severities, even though some naming conventions
overlap. Events and alarms have different sources. Alarms, once they clear, list as the ALERT level in the
Event Log.


IP Whitelist
Orchestrator > [Software & Setup > Setup] IP Whitelist

IP Whitelist is a feature that restricts access to Orchestrator to a specified list of source subnets.

If a source IP address changes (for example, with NAT IP), then users can get locked out of Orchestrator.

To view a list of traffic that's been dropped because of these restrictions, click IP Whitelist Drops.


Orchestrator's Getting Started Wizard


Orchestrator > [Software & Setup > Setup] Configuration Wizard

When you first install Orchestrator and use a web browser to access the IP address you’ve assigned it, Orchestrator's
Getting Started Wizard appears.

This takes you through the basics of configuring the following:

Orchestrator Name, management IP address, and password

The default for username and password is admin.

License and Registration

EdgeConnect registration is required for Cloud-based features and products, including CPX and SaaS.
The associated Account Name and Account Key enable Orchestrator to discover EdgeConnect
appliances via the Silver Peak Cloud Portal, as they’re added to your network.

If you have NX, VX, and VRX appliances, you will also have an Orchestrator License.

Date/Time

Silver Peak strongly recommends using an NTP server so that data across Orchestrator and the
appliances is synchronized.

Email

Change the default settings to your Company’s SMTP server, and then test.

Separate fields are provided for Global Report recipients and Alarm recipients.


Add Appliances

[Optional] You can use this now to add NX, VX, and VRX appliances that are already up and running in
your network. Or you can add them later.

Backup

Specifies the database backup destination, transfer protocol, and backup schedule.

If you don’t Apply the configuration after you complete the last page, Orchestrator’s wizard reappears at your next
login.

To access the Orchestrator wizard again after initial configuration, go to Orchestrator Administration > Getting
Started Wizard.

Customer and Technical Support
When working with Customer Support, these tabs help you open a support case. They also provide Customer Support
with the data and reports needed to troubleshoot network issues.

Tech Support - Appliances
Use this tab to open/create cases, upload files to Silver Peak Support, and download selected files to Orchestrator.

You can filter between the five different file types: All, Logs, Sys Dump, Snapshot, and TCP Dump. The table in this tab
displays the following:

Field: Description

Appliance Name: The name of the appliance that the logs are coming from.
File Type: The type of file.
File Name: The name of the file.
Last Modified: The date the file was last modified.
File Size: The size of the file.

Download to Orchestrator

Complete the following steps if you want to download selected files to your local Orchestrator server.

 1. Go to the Tech Support - Appliance tab in Orchestrator.

 2. Select the file in the table that you want to download.

 3. Select Download to Orchestrator.

The Monitor Transfer Progress window opens and shows the status of the file downloads. You can cancel a
download at any time by selecting Cancel.

Field: Definition

Source: The source where the files are coming from.
Files: The files selected to download.
Start Time: The start time of the file download.
End Time: The end time of the file download.
Transferred: The percentage of the files that has been downloaded.
Status: The status of the download (in progress or download finished).
Cancel: Select Cancel at any time to interrupt and stop the download.

Tech Support - Orchestrator
Use this tab to view and manage logs for Orchestrator, create cases, and upload files to Silver Peak Support. On this
page, you can also select files you want to download to your local desktop and can filter between the five different
file types: All, Logs, Sys Dump, and Appliances.

 1. Select the file you want to download to your local desktop under File Type in the table.

 2. Select Download Selected Files.

 3. The Download Selected Files window appears. Select Download.

Logging into the Support Portal
Support > [Technical Assistance] Support Portal Log-in

When you have a Silver Peak account and need technical assistance or customer support, select Support > Tech
Support. The following page opens in a separate browser tab.

You can also access this page directly by going to Silver Peak’s web page and selecting Support > Customer Login
from the menu bar.

Monitoring Uploads
Support > [Technical Assistance] Monitor Uploads

This table displays the current status of any files being uploaded to Support.

Packet Capture
Support > [Technical Assistance] Packet Capture

When requested by Support, use this screen to capture packets from one to five appliances, selected in the
navigation pane.

Upload Local Files
Support > [Technical Assistance] Upload Local Files

Use this dialog to upload files related to your Support case from your computer.

Create a Support Case
Support > [Technical Assistance] Create Case

Use this screen to create a Support case.

You'll receive a case number and instructions for what to do next.

Remote Access
When working with Silver Peak Support to troubleshoot, you may be asked to allow access to your EdgeConnect
devices during the online support session.

Partition Management
You can use this table to regain Orchestrator disk space by selectively deleting statistics you no longer need.

Remote Log Receivers
This table lists all remote log receivers that Orchestrator is configured to send logs to and manages. You can send
your data to the following types of receivers: HTTP, HTTPS, KAFKA, SYSLOG, and WEBSOCKET. Each receiver type
uses a different mechanism to support asynchronous notifications. After you decide which type of remote receiver to
send your data to, you can configure the settings specific to that receiver.

Complete the following instructions for adding a receiver.

 1. Select Add Receiver.

 2. Select the type of receiver you want to use from the list.

 3. Depending on which receiver you choose, a settings pop-up appears. Enter the appropriate information for the
receiver. See the tables below for each receiver's settings.

 4. Select Save.

HTTP Receiver Settings
Field: Definition

Enable Receiver: Check this box to enable the selected receiver.
Name: The name of the receiver the logs are going to.
Log Type: Select the type of log from the list you want to apply.
URL: The URL of the HTTP/HTTPS log server to which Orchestrator sends log data using POST REST calls.
User Name: The user name used in Basic Authentication when making REST calls (Optional).
Password: The password used in Basic Authentication when making REST calls (Optional).
Repeat Password: Your password repeated.

HTTPS Receiver Settings
Field: Definition

Enable Receiver: Check this box to enable the selected receiver.
Name: The name of the receiver the logs are going to.
Log Type: Select the type of log from the list you want to apply.
URL: The URL of the HTTPS Receiver.
User Name: The user name used in Basic Authentication when making REST calls (Optional).
Password: The password used in Basic Authentication when making REST calls (Optional).
Repeat Password: Your password repeated.

KAFKA Receiver Settings
Field: Definition

Enable Receiver: Check this box to enable the selected receiver.
Name: The name of the receiver the logs are going to.
Log Type: Select the type of log from the list you want to apply.
Topic: The topic name on the KAFKA Receiver.
Bootstrap Servers: The domain name served by the KAFKA Receiver, e.g. “xxx.com:9092”, “1.1.1.1:9092”.
Acks: Defines the number of KAFKA servers that must acknowledge a message before it is considered delivered.
  acks=0: expect no acknowledgement
  acks=1: only the leader server must acknowledge
  acks=all: all servers must acknowledge
Retries: The number of times KAFKA will retry before returning an error.
Batch Size: KAFKA accumulates multiple messages into a batch until this size is exceeded.
Buffer Size: The maximum memory size that can be used for buffering messages. When the buffer size is exceeded, a message will be blocked.
Linger Time: The amount of time that KAFKA will wait before sending the next message batch.

SYSLOG Receiver Settings
Field: Definition

Enable Receiver: Check this box to enable the selected receiver.

General Settings
Log Type: The type of log being sent to the SYSLOG receiver.
Protocol: The protocol used between the devices.
Hostname: The hostname of the SYSLOG receiver, used to identify the device.
Port: The port number of the SYSLOG receiver that accepts incoming events.
Custom Data: The custom data embedded inside the SYSLOG message.
Facility Settings: The facility code as defined in RFC 5424.
Audit Log: The type of audit log.

Audit Log Severity Settings
Error: The severity level assigned to error messages: select from the drop-down menu.
Info: The severity level assigned to informational messages: select from the drop-down menu.
Debug: The severity level assigned to debug messages: select from the drop-down menu.
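On the receiving side, the facility you set here and the severity you assign to each audit-log level arrive combined in the message's PRI field, which RFC 5424 defines as facility * 8 + severity. The following is an added example, not part of the guide or of Orchestrator: it parses constructed RFC 5424 lines of the kind a SYSLOG receiver would get and recovers facility and severity so a receiver can filter on them; the hostname, app name, message text and the simplified structured-data handling are assumptions of the example.

```python
import re

# RFC 5424 numeric codes: index = code. Lower severity numbers are more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]

# Simplified RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG].
# Assumption: SD-PARAM values that contain an escaped "]" are not handled.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)


def encode_pri(facility, severity):
    """PRI value that the facility setting and a per-level severity setting combine into."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_rfc5424(line):
    """Parse one syslog line into a dict of header fields plus decoded facility/severity."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    facility, severity = decode_pri(int(m.group("pri")))
    rec = m.groupdict()
    rec.update(facility=facility, facility_name=FACILITIES[facility],
               severity=severity, severity_name=SEVERITIES[severity])
    return rec


def at_least(records, severity_name):
    """Keep records at the named severity or worse, e.g. everything 'err' and above."""
    limit = SEVERITIES.index(severity_name)
    return [r for r in records if r["severity"] <= limit]


# Constructed sample lines: facility local0 (16) with severity info (6) and err (3).
SAMPLE_LINES = [
    "<134>1 2020-08-03T12:00:00Z orch.example.com orchestrator 1234 AUDIT - "
    "user admin logged in from 10.20.5.7",
    '<131>1 2020-08-03T12:00:05Z orch.example.com orchestrator 1234 AUDIT '
    '[meta site="hq"] appliance EC-1 unreachable',
]

if __name__ == "__main__":
    records = [parse_rfc5424(line) for line in SAMPLE_LINES]
    for r in at_least(records, "err"):
        print(r["facility_name"], r["severity_name"], r["msgid"], r["msg"])
```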

WEBSOCKET Receiver Settings
Field: Definition

Name: The name of the Websocket receiver.
Log Type: The type of log being sent to the Websocket receiver.
IP Whitelist: A list of source IP addresses that are allowed access from the Websocket to Orchestrator.

Routing Peers Table
Support > Technical Assistance > Routing Peers Table

Use the Routing Peers Table page to track the communication between peers within a network and to troubleshoot.
This page also shows the details of the subnet information being shared between each pair of peers.

The following table describes the values for the Routing Peers table.

Field Name: Description

Appliance Name: The name of the appliance.
Peer ID: The ID of the peer.
Peer Name: The name of the peer.
Role: Whether the hub or spoke topology is being used for the specified peer.
Last Transmission Count: The last transaction count sent to the peer.
Time since Last Transmission: How many seconds have elapsed since the last subnet update was sent to the peer.
Last Received Count: The last transaction count received from the peer.
Time since Last Received: The amount of time since the last received update.
MainVer and Region: The main version and the region of the designated peer.
Message: Peer information to assist Silver Peak Support in troubleshooting.

RMA Wizard
Support > [Technical Assistance] RMA

Use this screen as instructed by Support to prepare a Return Merchandise Authorization.

RMA Wizard
The RMA (Return Merchandise Authorization) Wizard automates the RMA process for an exchange or replacement
of your appliance, if needed. It includes appliance discovery, the version of the appliance, and a backup selection.

Please note the following before you begin the RMA process.

Upgrade or downgrade the new appliance to the same software version before shipping to the site. This will
save time.

Perform a backup of the Orchestrator and EdgeConnect appliances.

Install the new EdgeConnect onsite.

When Orchestrator discovers the new device, do not approve it. Start the following RMA process to move the
license to the new EdgeConnect.

Complete the following steps to RMA your appliance.

 1. Navigate to the RMA tab in the Orchestrator UI.

 2. Select the appliance you want to replace from the menu.

NOTE  The IP address, appliance model, hostname, serial number and software version will auto-populate
once you select the appliance.

 3. Select the incoming discovered appliance you are going to use to replace the previous appliance.

NOTE  The IP address, appliance model, hostname, serial number and software version will auto-populate
once you select the appliance.

 4. Select Next >.

 5. If you do not choose to add a backup appliance, select Apply.

 6. The Applying Configuration page will open if you This page lists the status of the upgrading appliance and
restore configuration.

If you choose to add a backup appliance from the table, complete the following steps.

 1. Select the backup appliance from the table.

 2. Select the version you want the backup appliance to have from the drop-down menu.

NOTE  If your selection results in a software downgrade, a backup must be provided.

Upgrade and Downgrade
If the software version you selected for your backup appliance is higher than that of the discovered appliance, you
will need to do the following:

Upgrade to the new version on Orchestrator

Back up the appliance from a restore, if applicable

If the software version you selected for your backup appliance is lower than that of the discovered appliance, you will
need to do the following:

Install the desired version as a next boot on the appliance

Restore from backup

Built-in Policies
This table displays read-only built-in policies, which are executed before any other policies.

Realtime Charts
As an aid to troubleshooting, Realtime Charts are useful for monitoring the performance of individual appliances.
You can save sets of charts as dashboards.

 1. Select the filters you want, then click Plot.

The chart appears at the bottom of the page.

 2. To save as a dashboard, click Save As, then enter a name for your dashboard. Don't include spaces in your
name. Click Save.

If successful, a green Success bar appears and the dashboard name shows up in the Dashboard field.

To retrieve it later, go to this page and choose the dashboard from the drop-down list.

Historical Charts
As an aid to troubleshooting, Historical Charts are useful for reviewing the performance of individual appliances.
You can save sets of charts as dashboards.

Appliance Charts
Support > [Reporting] Appliance Charts

Use this screen to access an individual appliance's realtime and historical charts.

Internal Drop Trends
This tab shows internal packet drops over time.

Appliance Memory Trends
The System view shows appliance daily memory usage.

The Process view is for individual appliances.

System Performance
This tab shows Orchestrator metrics.

Orchestrators located in the cloud cannot display useful information about host memory, file descriptors, sockets, or
pipes.

Appliance Crash Report
Support > [Reporting] Appliance Crash Report

This report lists appliance crashes, which you can forward to Silver Peak.

Orchestrator Debug
Support > [Reporting] Orchestrator Debug

This screen contains the various debugging tools available to Support for troubleshooting and debugging issues with
Orchestrator.

IPSec UDP Status
This tab displays IPSec UDP key and activation status.

Unverified Emails
Support > [Reporting] Unverified Emails

When you add an email address to either the Alarms or the Reports distribution, Orchestrator sends the recipient an
email containing a link, asking them to click to provide verification.

If Orchestrator doesn't receive a verification, then either the recipient hasn't responded or the email address is
invalid.

An unverified email address remains inactive and doesn't generate an alarm.

You can retest an address with Resend.

You can only correct an email address in the Alarm or Reports email distribution list.

Orchestrator General Settings and Reference
The topics in this section provide additional information about general Orchestrator settings and configuration, such
as default configurations, password guidelines, and so on.

Guidelines for Creating Passwords
Passwords should be a minimum of 8 characters.

There should be at least one lower case letter and one upper case letter.

There should be at least one digit.

There should be at least one special character.

Consecutive letters in the password should not be dictionary words.
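The following is an added example, not part of the guide or of Orchestrator, that turns these guidelines into a checker reporting every rule a candidate password misses. The small word list is constructed for illustration, and the last rule is applied to every run of consecutive letters; flagging a word embedded inside a longer run, and the four-letter minimum, are assumptions of the example that go slightly beyond the guideline's literal wording.

```python
import re

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = {"password", "admin", "silver", "peak", "orchestrator", "welcome", "summer"}
MIN_WORD_LEN = 4  # assumption: shorter letter fragments are not treated as words


def letter_runs(password):
    """Maximal runs of consecutive letters, lowercased; digits and symbols break a run."""
    return [run.lower() for run in re.findall(r"[A-Za-z]+", password)]


def dictionary_words_in(password, dictionary=DICTIONARY, min_len=MIN_WORD_LEN):
    """Dictionary words found as, or inside, a run of consecutive letters (sorted)."""
    found = set()
    for run in letter_runs(password):
        for start in range(len(run)):
            for end in range(start + min_len, len(run) + 1):
                if run[start:end] in dictionary:
                    found.add(run[start:end])
    return sorted(found)


def check_password(password, dictionary=DICTIONARY):
    """Return the guideline violations for password; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    words = dictionary_words_in(password, dictionary)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


def is_compliant(password, dictionary=DICTIONARY):
    """True when the password meets every guideline."""
    return not check_password(password, dictionary)


if __name__ == "__main__":
    # Constructed candidates: the default admin password style, two dictionary-based ones, one that passes.
    for candidate in ["admin", "Password1!", "Silver2020!Peak", "Tr3e-g1bb0N_kx"]:
        print(candidate, "->", check_password(candidate) or "ok")
```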
