Basic SD-WAN setup – FortiOS 6.2

Basic SD-WAN setup

Creating the SD-WAN interface

This recipe provides an example of how to start using SD-WAN for load balancing and redundancy.

In this example, two ISP internet connections (wan1 and wan2) use SD-WAN to balance traffic between them at 50% each.

To configure SD-WAN using the GUI:

  1. On the FortiGate, enable SD-WAN and add interfaces wan1 and wan2 as members:
    1. Go to Network > SD-WAN.
    2. Set the Status to Enable.
    3. Click the plus icon to add wan1 and wan2 as members, entering each ISP's gateway address for its member.
    4. Click Apply to save your settings.
  2. Create a static route with virtual-wan-link enabled:
    1. Go to Network > Static Routes.
    2. Click Create New. The New Static Route page opens.
    3. From the Interface drop-down list, select SD-WAN.
    4. Click OK to save your changes.
  3. Create a firewall policy to allow the traffic:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New. The New Policy page opens.
    3. For the Incoming Interface, select DMZ.
    4. For the Outgoing Interface, select SD-WAN.
    5. Configure the remaining settings as needed, then click OK to create the policy. Outgoing traffic will balance between wan1 and wan2 at a 50:50 ratio.

To configure SD-WAN using the CLI:

  1. On the FortiGate, configure the wan1 and wan2 interfaces:

config system interface
    edit "wan1"
        set alias to_ISP1
        set ip 172.16.20.1 255.255.255.0
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end

  2. Enable SD-WAN and add the interfaces as members:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 172.16.20.2
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
end

  3. Configure a static route:

config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

  4. Configure a firewall policy:

config firewall policy
    edit 2
        set name "VWL"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

  5. Use a diagnose command to check the state of the SD-WAN:

# diagnose sys virtual-wan-link member
Member(1): interface: wan1, gateway: 172.16.20.2, priority: 0, weight: 0
Member(2): interface: wan2, gateway: 10.100.20.2, priority: 0, weight: 0

Using DHCP interface

This recipe provides a sample configuration for a customer using DHCP interfaces as SD-WAN members. SD-WAN members can all be static IP interfaces, all DHCP interfaces, or a mix of the two.

In this example, we’ll use a customer who has two ISP internet connections: wan1 and wan2. wan1 is a DHCP interface and wan2 is a static IP address interface.

Sample topology

To configure DHCP interface on the GUI:

  1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members:
    1. Go to Network > SD-WAN and ensure Status is Enable.
    2. In the SD-WAN Interface Members section, click the + button and add two members: wan1 and wan2.
      • For the static IP member, enter the Gateway address.
      • For the DHCP member, do not change the Gateway; it is learned from the DHCP lease.
    3. Click Apply.
  2. Create a static route and enable virtual-wan-link:
    1. Go to Network > Static Routes and click Create New.
    2. Click the Interface dropdown list and select SD-WAN.
    3. Click OK.
  3. Create a policy for this traffic:
    1. Go to Policy & Objects > IPv4 Policy and click Create New.
    2. For the Incoming Interface, select dmz.
    3. For the Outgoing Interface, select SD-WAN.
    4. Configure other options as needed.
    5. Click OK.

Outgoing traffic is balanced between wan1 and wan2 at about 50% each.

To configure the interface on the CLI:

config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end

To configure SD-WAN on the CLI:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
end

To configure static route on the CLI:

config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

To configure firewall policy on the CLI:

config firewall policy
    edit 2
        set name "VWL"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
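Both recipes above (the static-only one under Creating the SD-WAN interface and this mixed DHCP/static one) stop at a 50:50 split behind an any/any policy, with nothing probing the links: a member whose cable stays up but whose ISP has lost upstream connectivity keeps receiving half the sessions. The following is an added example, not part of the Fortinet recipe, that pulls the mixed DHCP/static setup into one FortiOS 6.2 CLI paste and adds the two things a practitioner usually wants before calling this "redundancy": a ping health check that pulls a failing member out of the SD-WAN static route, and an outbound policy scoped to a DMZ address object and named services with logging and IPS enabled. The DMZ subnet 10.10.10.0/24, the object name DMZ_servers, the health-check name isp_ping, the probe target 8.8.8.8 and the policy name are assumptions chosen for the example; the interface names, addresses and gateway come from the recipe.

```fortios
# Added example (not from the Fortinet recipe). Assumed values: DMZ subnet
# 10.10.10.0/24, object name DMZ_servers, health check isp_ping, probe 8.8.8.8.

# 1. WAN members: wan1 takes address and gateway from DHCP, wan2 is static.
config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
        set role wan
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
        set role wan
    next
end

# 2. Scope the policy source to the DMZ subnet instead of "all".
config firewall address
    edit "DMZ_servers"
        set subnet 10.10.10.0 255.255.255.0
        set associated-interface "dmz"
    next
end

# 3. SD-WAN members plus a health check. The DHCP member has no gateway
#    line; it is learned from the lease. update-static-route removes a
#    member from the SD-WAN static route while its probe is failing.
config system virtual-wan-link
    set status enable
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
    config health-check
        edit "isp_ping"
            set server "8.8.8.8"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set update-static-route enable
            set members 1 2
        next
    end
end

# 4. Default route via the SD-WAN interface.
config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

# 5. Outbound policy: named services only, log everything, IPS on.
#    "virtual-wan-link" is the CLI name of the interface the GUI calls SD-WAN.
config firewall policy
    edit 2
        set name "DMZ_to_Internet"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "DMZ_servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS" "NTP"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end

# 6. Verify: both members listed, probe alive on both, two default routes.
diagnose sys virtual-wan-link member
diagnose sys virtual-wan-link health-check
get router info routing-table all
```

Paste the sections in the order shown, since the policy references the address object and the SD-WAN interface. In the health-check output each member should report alive; unplug wan2's upstream and the routing table should drop its default route after five failed probes (failtime 5 at a 500 ms interval) and restore it after five successes. Pick a probe target that is reachable through both ISPs and is not a host inside either ISP's own network, otherwise a healthy probe says nothing about reaching the Internet.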

To use the diagnose command to check SD-WAN state:

# diagnose sys virtual-wan-link member
Member(1): interface: wan1, gateway: 172.16.20.2, priority: 0, weight: 0
Member(2): interface: wan2, gateway: 10.100.20.2, priority: 0, weight: 0

The gateway listed for wan1 is the one learned from its DHCP lease rather than a configured value, so confirm it matches what the ISP actually handed out.

Implicit rule

SD-WAN supports five types of implicit rules (load-balance mode):

  • Source IP (CLI command: source-ip-based): SD-WAN distributes sessions approximately equally among its members by hashing the source IP address, so all sessions from one source follow the same member.
  • Session (weight-based): SD-WAN distributes sessions among its members in proportion to the weight configured on each member, measured as a ratio of session counts.
  • Spillover (usage-based): SD-WAN uses the first member until its configured spillover threshold is reached, then the second, and so on.
  • Source-Destination IP (source-dest-ip-based): SD-WAN distributes sessions approximately equally among its members by hashing both the source and destination IP addresses, so a given source/destination pair follows the same member.
  • Volume (measured-volume-based): SD-WAN distributes traffic so that the measured volume (bytes) carried by each member matches the configured volume ratio.

Examples

The following four examples demonstrate how to use the implicit rules (load-balance mode).

Example 1

Outgoing traffic is equally balanced between wan1 and wan2, using source-ip-based or source-dest-ip-based mode.

Using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface above for details.
  2. Go to Network > SD-WAN Rules.
  3. Edit the sd-wan rule (the last default rule).
  4. For the Load Balancing Algorithm, select either Source IP or Source-Destination IP.
  5. Click OK.

Using the CLI:

  1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface above for details.
  2. Set the load balancing algorithm.

Source IP based:

config system virtual-wan-link
    set load-balance-mode source-ip-based
end

Source-Destination IP based:

config system virtual-wan-link
    set load-balance-mode source-dest-ip-based
end

Example 2

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using weight-based mode: wan1 runs 80% of the sessions, and wan2 runs 20% of the sessions.

Using the GUI:

  1. Go to Network > SD-WAN Rules.
  2. Edit the sd-wan rule (the last default rule).
  3. For the Load Balancing Algorithm, select Sessions.
  4. Enter 80 in the wan1 field and 20 in the wan2 field.
  5. Click OK.

Using the CLI:

config system virtual-wan-link
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set weight 80
        next
        edit 2
            set interface "wan2"
            set weight 20
        next
    end
end

Example 3

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using measured-volume-based mode: wan1 runs 80% of the volume, and wan2 runs 20% of the volume.

Using the GUI:

  1. Go to Network > SD-WAN Rules.
  2. Edit the sd-wan rule (the last default rule).
  3. For the Load Balancing Algorithm, select Volume.
  4. Enter 80 in the wan1 field and 20 in the wan2 field.
  5. Click OK.

Using the CLI:

config system virtual-wan-link
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set volume-ratio 80
        next
        edit 2
            set interface "wan2"
            set volume-ratio 20
        next
    end
end

Example 4

Load balancing can be used to reduce costs when internet connections are charged at different rates. For example, if wan2 charges based on volume usage and wan1 charges a fixed monthly fee, we can use wan1 at its maximum bandwidth, and use wan2 for overflow.

In this example, wan1’s bandwidth is 10 Mbps down and 2 Mbps up, so its thresholds are 10000 kbps ingress and 2000 kbps egress. Traffic uses wan1 until either threshold is reached, then it starts to use wan2. Spillover depends on the FortiGate measuring the throughput of the sessions itself, so auto-asic-offload must be disabled in the firewall policy that matches this traffic; otherwise the sessions are handed to the NP processor and are not counted against the threshold.

Using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface above for details.
  2. Go to Network > SD-WAN Rules.
  3. Edit the sd-wan rule (the last default rule).
  4. For the Load Balancing Algorithm, select Spillover.
  5. Enter 10000 in the wan1 Ingress Spillover Threshold field and 2000 in the wan1 Egress Spillover Threshold field (both in kbps).
  6. Click OK.

Using the CLI:

config system virtual-wan-link
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            set spillover-threshold 2000
            set ingress-spillover-threshold 10000
        next
    end
end
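The CLI above sets the thresholds but leaves out the policy change the text says is required, and gives no way to confirm the traffic is actually being measured. As an added example (not from the Fortinet recipe), here is the complete spillover configuration in FortiOS 6.2 CLI: the thresholds on wan1 in kbit/s, wan2 left without a threshold because it is the overflow member, the auto-asic-offload change applied to policy 2 from the earlier recipes, and the session check that shows whether sessions matched by that policy are still being offloaded. Policy ID 2 is the one the recipes created; the expected session output is described from FortiOS behaviour, not copied from this page.

```fortios
# Added example (not from the Fortinet recipe). Policy 2 is the DMZ-to-SD-WAN
# policy created in the basic recipe; thresholds are in kbit/s.

config system virtual-wan-link
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            # egress threshold: 2 Mbps upload on wan1
            set spillover-threshold 2000
            # ingress threshold: 10 Mbps download on wan1
            set ingress-spillover-threshold 10000
        next
        edit 2
            set interface "wan2"
            # no threshold: wan2 only receives the overflow from wan1
        next
    end
end

# Spillover needs the FortiGate to measure the sessions' throughput itself,
# so the matching policy must keep them off the NP processor.
config firewall policy
    edit 2
        set auto-asic-offload disable
    next
end

# Verify. The member list shows both members; a session matched by policy 2
# should show a no_ofld_reason line instead of npu offload information.
diagnose sys virtual-wan-link member
diagnose sys session filter policy 2
diagnose sys session list
```

Generate some traffic from the DMZ before running the session check, and clear the session filter afterwards with `diagnose sys session filter clear`. If sessions still show as offloaded, check that the traffic is matching policy 2 and not another policy that still has offload enabled, because the threshold only sees sessions the CPU handles.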

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Basic SD-WAN setup – FortiOS 6.2”

  1. Eric

    Am I missing something? Why would you choose DMZ as the incoming interface and not the local internal network (LAN interface)?

