
Using BGP tags with SD-WAN rules – FortiOS 6.2


SD-WAN rules can use Border Gateway Protocol (BGP) learned routes as dynamic destinations.

In this example, a customer has two ISP connections, wan1 and wan2. wan1 is used primarily for direct access to internet applications, and wan2 is used primarily for traffic to the customer’s data center.

The customer could create an SD-WAN rule using the data center’s IP address range as the destination to force that traffic to use wan2, but the data center’s IP range is not static. Instead, a BGP tag can be used.

For this example, wan2’s BGP neighbor advertises the data center’s network range with a community number of 30:5.

This example assumes that SD-WAN is enabled on the FortiGate, wan1 and wan2 are added as SD-WAN members, and a policy and static route have been created. See Creating the SD-WAN interface on page 105 for details.

To configure BGP tags with SD-WAN rules:

  1. Configure the community list:

config router community-list
    edit "30:5"
        config rule
            edit 1
                set action permit
                set match "30:5"
            next
        end
    next
end

  2. Configure the route map:

config router route-map
    edit "comm1"
        config rule
            edit 1
                set match-community "30:5"
                set set-route-tag 15
            next
        end
    next
end

  3. Configure BGP:

config router bgp
    set as xxxxx
    set router-id xxxx
    config neighbor
        edit "10.100.20.2"
            set soft-reconfiguration enable
            set remote-as xxxxx
            set route-map-in "comm1"
        next
    end
end

  4. Configure a firewall policy:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

  5. Edit the SD-WAN configuration:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 172.16.20.2
        next
        edit 2
            set interface "wan2"
        next
    end
    config service
        edit 1
            set name "DataCenter"
            set mode manual
            set route-tag 15
            set members 2
        next
    end
end

Troubleshooting

Check the network community

Use the get router info bgp network command to check the network community:

# get router info bgp network
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop        Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0          10.100.1.5                    32768  0        ?
*> 1.1.1.1/32         0.0.0.0                       32768  0        ?
*> 10.1.100.0/24      172.16.203.2                  32768  0        ?
*> 10.100.1.0/30      0.0.0.0                       32768  0        ?
*> 10.100.1.4/30      0.0.0.0                       32768  0        ?
*> 10.100.1.248/29    0.0.0.0                       32768  0        ?
*> 10.100.10.0/24     10.100.1.5      202           10000  15       20 e
*> 172.16.200.0/24    0.0.0.0                       32768  0        ?
*> 172.16.200.200/32  0.0.0.0                       32768  0        ?
*> 172.16.201.0/24    172.16.200.4                  32768  0        ?
*> 172.16.203.0/24    0.0.0.0                       32768  0        ?
*> 172.16.204.0/24    172.16.200.4                  32768  0        ?
*> 172.16.205.0/24    0.0.0.0                       32768  0        ?
*> 172.16.206.0/24    0.0.0.0                       32768  0        ?
*> 172.16.207.1/32    0.0.0.0                       32768  0        ?
*> 172.16.207.2/32    0.0.0.0                       32768  0        ?
*> 172.16.212.1/32    0.0.0.0                       32768  0        ?
*> 172.16.212.2/32    0.0.0.0                       32768  0        ?
*> 172.17.200.200/32  0.0.0.0                       32768  0        ?
*> 172.27.1.0/24      0.0.0.0                       32768  0        ?
*> 172.27.2.0/24      0.0.0.0                       32768  0        ?
*> 172.27.5.0/24      0.0.0.0                       32768  0        ?
*> 172.27.6.0/24      0.0.0.0                       32768  0        ?
*> 172.27.7.0/24      0.0.0.0                       32768  0        ?
*> 172.27.8.0/24      0.0.0.0                       32768  0        ?
*> 172.29.1.0/24      0.0.0.0                       32768  0        ?
*> 172.29.2.0/24      0.0.0.0                       32768  0        ?
*> 192.168.1.0        0.0.0.0                       32768  0        ?

Total number of prefixes 28

# get router info bgp network 10.100.11.0
BGP routing table entry for 10.100.10.0/24
Paths: (2 available, best 1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  172.10.22.2
  20
    10.100.20.2 from 10.100.20.2 (6.6.6.6)
      Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
      Community: 30:5 <<<<===========================
      Last update: Wen Mar 20 18:45:17 2019

Check dynamic BGP addresses

Use the get router info route-map-address command to check dynamic BGP addresses:

# get router info route-map-address

Extend-tag: 15, interface(wan2:16)

10.100.11.0/255.255.255.0

Check dynamic BGP addresses used in policy routes

Use the diagnose firewall proute list command to check dynamic BGP addresses used in policy routes:

# diagnose firewall proute list
list route policy info(vf=root):

id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sportt=0:65535 iif=0 dport=1-65535 oif=16
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 10.100.11.0/255.255.255.0
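The two troubleshooting outputs above can be cross-checked mechanically: every prefix listed under a route tag should appear as a destination of the policy route that the SD-WAN service generated on the tag's interface. The following Python check is an added example, not FortiOS code; its sample outputs are constructed from the page's output, and the second prefix 10.100.12.0/24 is an assumption added so that the check has a miss to report.

```python
import re
from ipaddress import IPv4Network

# Constructed sample outputs, modelled on the troubleshooting output shown on this
# page. 10.100.12.0/24 is an assumed extra prefix under tag 15 that is NOT in the
# policy route, so the check below reports it as missing.
ROUTE_MAP_ADDRESS = """\
Extend-tag: 15, interface(wan2:16)
10.100.11.0/255.255.255.0
10.100.12.0/255.255.255.0
"""

PROUTE_LIST = """\
list route policy info(vf=root):

id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 \
sportt=0:65535 iif=0 dport=1-65535 oif=16 source wildcard(1): 0.0.0.0/0.0.0.0 \
destination wildcard(1): 10.100.11.0/255.255.255.0
"""

# "Extend-tag: 15, interface(wan2:16)" -> tag 15, interface wan2, ifindex 16
TAG_RE = re.compile(r"^Extend-tag:\s*(\d+),\s*interface\((\S+?):(\d+)\)")
# "10.100.11.0/255.255.255.0" -> network / dotted netmask
PREFIX_RE = re.compile(r"^(\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})$")
# One policy-route record: id, SD-WAN service id and name, outgoing ifindex, destinations
PROUTE_RE = re.compile(
    r"id=(?P<id>\d+)\s+vwl_service=(?P<svc>\d+)\((?P<name>[^)]*)\)"
    r".*?\boif=(?P<oif>\d+)"
    r".*?destination wildcard\(\d+\):\s*(?P<dsts>.*)$"
)


def parse_route_map_address(text):
    """Map route tag -> {'interface', 'ifindex', 'prefixes'} from the output of
    'get router info route-map-address'. Prefix lines belong to the tag above them."""
    tags, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TAG_RE.match(line)
        if m:
            current = {"interface": m.group(2), "ifindex": int(m.group(3)), "prefixes": []}
            tags[int(m.group(1))] = current
            continue
        m = PREFIX_RE.match(line)
        if m and current is not None:
            current["prefixes"].append(IPv4Network(f"{m.group(1)}/{m.group(2)}"))
    return tags


def parse_proute_list(text):
    """List the policy routes found in 'diagnose firewall proute list' output."""
    routes = []
    for line in text.splitlines():
        m = PROUTE_RE.search(line)
        if m:
            routes.append({
                "id": int(m.group("id")),
                "service": int(m.group("svc")),
                "service_name": m.group("name"),
                "oif": int(m.group("oif")),
                "destinations": [IPv4Network(d) for d in m.group("dsts").split()],
            })
    return routes


def check_tag_destinations(tag, route_map_text, proute_text):
    """Report which prefixes learned under `tag` are installed as destinations of a
    policy route whose outgoing interface index matches the tag's interface."""
    info = parse_route_map_address(route_map_text).get(tag)
    if info is None:
        raise ValueError(f"route tag {tag} not present in route-map-address output")
    routes = [r for r in parse_proute_list(proute_text) if r["oif"] == info["ifindex"]]
    report = {
        "interface": info["interface"],
        "services": sorted({r["service_name"] for r in routes}),
        "installed": [],
        "missing": [],
    }
    for pfx in info["prefixes"]:
        bucket = "installed" if any(pfx in r["destinations"] for r in routes) else "missing"
        report[bucket].append(str(pfx))
    return report


if __name__ == "__main__":
    print(check_tag_destinations(15, ROUTE_MAP_ADDRESS, PROUTE_LIST))
```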

Forward error correction on VPN overlay networks – FortiOS 6.2


This topic shows an SD-WAN with forward error correction (FEC) on VPN overlay networks. FEC can be used to lower the packet loss ratio by consuming more bandwidth. It is controlled by six parameters in the IPsec phase1/phase1-interface settings:

  • fec-ingress: Disabled by default.
  • fec-egress: Disabled by default.
  • fec-base: <1-100>. Default = 20.
  • fec-redundant: <1-100>. Default = 10.
  • fec-send-timeout: <1-1000>. Default = 8.
  • fec-receive-timeout: <1-10000>. Default = 5000.

For example, a customer has two ISP connections, wan1 and wan2. Using these two connections, create two IPsec VPN interfaces as SD-WAN members. Configure FEC on each VPN interface to lower the packet loss ratio by retransmitting the packets using its backend algorithm.

Sample topology

To configure IPsec VPN:

config vpn ipsec phase1-interface
    edit "vd1-p1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.201.2
        set psksecret ftnt1234
        set fec-egress enable
        set fec-send-timeout 8
        set fec-base 20
        set fec-redundant 10
        set fec-ingress enable
        set fec-receive-timeout 5000
    next
    edit "vd1-p2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.202.2
        set psksecret ftnt1234
        set fec-egress enable
        set fec-send-timeout 8
        set fec-base 20
        set fec-redundant 10
        set fec-ingress enable
        set fec-receive-timeout 5000
    next
end

config vpn ipsec phase2-interface
    edit "vd1-p1"
        set phase1name "vd1-p1"
    next
    edit "vd1-p2"
        set phase1name "vd1-p2"
    next
end

To configure the interface:

config system interface
    edit "vd1-p1"
        set ip 172.16.211.1 255.255.255.255
        set remote-ip 172.16.211.2 255.255.255.255
    next
    edit "vd1-p2"
        set ip 172.16.212.1 255.255.255.255
        set remote-ip 172.16.212.2 255.255.255.255
    next
end

To configure the firewall policy:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To configure SD-WAN:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "vd1-p1"
            set gateway 172.16.211.2
        next
        edit 2
            set interface "vd1-p2"
            set gateway 172.16.212.2
        next
    end
end

To use the diagnose command to check VPN FEC status:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000      <<<<<<<<<<<<<<<<<<<<<<
fec-ingress: base=20 redundant=10    <<<<<<<<<<<<<<<<<<<<<<
proxyid=demo proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:173.1.1.0/255.255.255.0:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=42897/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555 ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4
  enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329 ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

SDWAN Advanced – FortiOS 6.2.0

Per packet distribution and tunnel aggregation

This topic shows an example of how to aggregate IPsec tunnels and load-balance traffic per packet among them.

For example, a customer has two ISP connections, wan1 and wan2. Using these two connections, we create two VPN interfaces and configure traffic for per-packet load-balancing among IPSec tunnels.

This feature only allows static/DDNS tunnels to be members.

Dynamic (dialup) tunnels are not allowed because dialup instances tend to have different locations and hence different routings. This conflicts with the rule that all the members of an aggregate must have the same routing.

Sample topology

Sample configuration

On the FortiGate, first create two IPsec VPN interfaces. Then create an ipsec-aggregate interface and add this interface as an SD-WAN member.

FortiGate 1 configuration

To create two IPsec VPN interfaces on FortiGate 1:

config vpn ipsec phase1-interface
    edit "vd1-p1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.201.2
        set psksecret ftnt1234
    next
    edit "vd1-p2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.202.2
        set psksecret ftnt1234
    next
end

config vpn ipsec phase2-interface
    edit "vd1-p1"
        set phase1name "vd1-p1"
    next
    edit "vd1-p2"
        set phase1name "vd1-p2"
    next
end

To create an ipsec-aggregate interface on FortiGate 1:

config system ipsec-aggregate
    edit "agg1"
        set member "vd1-p1" "vd1-p2"
        set algorithm L3
    next
end

config system interface
    edit "agg1"
        set vdom "root"
        set ip 172.16.11.1 255.255.255.255
        set allowaccess ping
        set remote-ip 172.16.11.2 255.255.255.255
    next
end

To configure the firewall policy on FortiGate 1:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To configure SD-WAN on FortiGate 1:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "agg1"
            set gateway 172.16.11.2
        next
    end
end

FortiGate 2 configuration

To create two IPsec VPN interfaces on FortiGate 2:

config vpn ipsec phase1-interface
    edit "vd2-p1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.200.1
        set psksecret ftnt1234
    next
    edit "vd2-p2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.203.1
        set psksecret ftnt1234
    next
end

config vpn ipsec phase2-interface
    edit "vd2-p1"
        set phase1name "vd2-p1"
    next
    edit "vd2-p2"
        set phase1name "vd2-p2"
    next
end

To create an ipsec-aggregate interface on FortiGate 2:

config system ipsec-aggregate
    edit "agg2"
        set member "vd2-p1" "vd2-p2"
        set algorithm L3
    next
end

config system interface
    edit "agg2"
        set vdom "root"
        set ip 172.16.11.2 255.255.255.255
        set allowaccess ping
        set remote-ip 172.16.11.1 255.255.255.255
    next
end

To configure the firewall policy on FortiGate 2:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To configure SD-WAN on FortiGate 2:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "agg2"
            set gateway 172.16.11.1
        next
    end
end

To use the diagnose command to display aggregate IPSec members:

# diagnose sys ipsec-aggregate list
agg1 algo=L3 member=2 run_tally=2
members:
    vd1-p1 vd1-p2

To use the diagnose command to check VPN status:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1-p1 ver=1 serial=2 172.16.200.1:0->172.16.201.2:0 dst_mtu=0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=1 accept_traffic=0
proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=676 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd1-p1 proto=0 sa=0 ref=1 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=vd1-p2 ver=1 serial=3 172.16.203.1:0->172.16.202.2:0 dst_mtu=1500
bound_if=28 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=12 ilast=1 olast=1 ad=/0
stat: rxp=1 txp=1686 rxb=16602 txb=111717
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd1-p2 proto=0 sa=1 ref=9 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=4 options=10226 type=00 soft=0 mtu=1438 expire=42164/0B replaywin=2048 seqno=697 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=f6ae9f83 esp=aes key=16 f6855c72295e3c5c49646530e6b96002 ah=sha1 key=20 f983430d6c161d0a4cd9007c7ae057f1ff011334
  enc: spi=8c72ba1a esp=aes key=16 6330f8c532a6ca5c5765f6a9a6034427 ah=sha1 key=20 e5fe385ed5f0f6a33f1d507601b15743a8c70187
  dec:pkts/bytes=1/16536, enc:pkts/bytes=1686/223872
  npu_flag=02 npu_rgwy=172.16.202.2 npu_lgwy=172.16.203.1 npu_selid=2 dec_npuid=1 enc_npuid=0

SD-WAN traffic shaping and QoS with SD-WAN


Use a traffic shaper in a firewall shaping policy to control traffic flow. You can use it to control maximum and guaranteed bandwidth, or to assign certain traffic one of three traffic priorities: high, medium, or low.

An advanced shaping policy can classify traffic into 30 groups. Use a shaping profile to define the percentage of the interface bandwidth that is allocated to each group. Each group of traffic is shaped to the assigned speed limit based on the outgoing bandwidth limit configured on the interface.

For more information, see the online help on shared policy traffic shaping and interface-based traffic shaping.

Sample topology

Sample configuration

This example shows a typical customer usage where the customer's SD-WAN has two members, wan1 and wan2, each 10 Mb/s.

The procedures to configure SD-WAN traffic shaping and QoS in this example achieve the following:

  1. Give HTTP/HTTPS traffic high priority and FTP low priority, so that if there is contention, FortiGate forwards HTTP/HTTPS traffic first.
  2. Even though FTP has low priority, configure FortiGate to give it a 1 Mb/s guaranteed bandwidth on each SD-WAN member, so that if there is no FTP traffic, other traffic can use all the bandwidth, and if there is heavy FTP traffic, it is still guaranteed 1 Mb/s.
  3. Traffic going to specific destinations, such as a VoIP server, is forwarded over wan1, and SD-WAN marks it with an Expedited Forwarding (EF) DSCP tag 101110.

To configure SD-WAN traffic shaping and QoS with SD-WAN in the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105.
  2. When you add a firewall policy, enable Application Control.
  3. Go to Policy & Objects > Traffic Shapers and edit low-priority.
    1. Enable Guaranteed Bandwidth and set it to 1000.
  4. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
    1. Name the traffic shaping policy, for example, HTTP-HTTPS.
    2. Click the Source box and select all.
    3. Click the Destination box and select all.
    4. Click the Service box and select HTTP and HTTPS.
    5. Click the Outgoing Interface box and select SD-WAN.
    6. Enable both Shared Shaper and Reverse Shaper and select high-priority for both options. Click OK.
  5. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
    1. Name the traffic shaping policy, for example, FTP.
    2. Click the Source box and select all.
    3. Click the Destination box and select all.
    4. Click the Service box and select FTP, FTP_GET, and FTP_PUT.
    5. Click the Outgoing Interface box and select SD-WAN.
    6. Enable both Shared Shaper and Reverse Shaper and select low-priority for both options. Click OK.
  6. Go to Network > SD-WAN Rules and click Create New.
    1. Enter a name for the rule, such as Internet.
    2. In the Destination section, click the Address box and select the VOIP server you created in the firewall address.
    3. For Strategy, select Manual.
    4. For Interface preference, select wan1.
    5. Click OK.
  7. Use CLI commands to modify DSCP settings. See the DSCP CLI commands below.

To configure the firewall policy using the CLI:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To configure the firewall traffic shaper priority using the CLI:

config firewall shaper traffic-shaper
    edit "high-priority"
        set maximum-bandwidth 1048576
        set per-policy enable
    next
    edit "low-priority"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 1048576
        set priority low
        set per-policy enable
    next
end

To configure the firewall traffic shaping policy using the CLI:

config firewall shaping-policy
    edit 1
        set name "http-https"
        set service "HTTP" "HTTPS"
        set dstintf "virtual-wan-link"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set name "FTP"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set dstintf "virtual-wan-link"
        set traffic-shaper "low-priority"
        set traffic-shaper-reverse "low-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
end

To configure SD-WAN traffic shaping and QoS with SD-WAN in the CLI:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway x.x.x.x
        next
        edit 2
            set interface "wan2"
            set gateway x.x.x.x
        next
    end
    config service
        edit 1
            set name "SIP"
            set member 1
            set dst "voip-server"
            set dscp-forward enable
            set dscp-forward-tag 101110
        next
    end
end

To use the diagnose command to check if specific traffic is attached to the correct traffic shaper:

# diagnose firewall iprope list 100015
policy index=1 uuid_idx=0 action=accept
flag (0):
shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(2):
    [6:0x0:0/(1,65535)->(80,80)] helper:auto
    [6:0x0:0/(1,65535)->(443,443)] helper:auto

policy index=2 uuid_idx=0 action=accept
flag (0):
shapers: orig=low-priority(4/128000/134217728) reply=low-priority(4/128000/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(3):
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
FGT_A (root) #

To use the diagnose command to check if the correct traffic shaper is applied to the session:

# dia sys session list
session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=low-priority prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
reply-shaper=
per_ip_shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
state=may_dirty npu npd os mif route_preserve
statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4
serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper
total session 1

To use the diagnose command to check the status of a shared traffic shaper:

# diagnose firewall shaper traffic-shaper list
name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
tos ff
packets dropped 0
bytes dropped 0

name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
policy 1
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
policy 2
tos ff
packets dropped 0
bytes dropped 0

WAN path control – FortiOS 6.2


Performance SLA – link monitoring

Performance SLA link monitoring measures the health of links that are connected to SD-WAN member interfaces by sending probing signals through each link to a server and measuring the link quality based on latency, jitter, and packet loss. If a link is broken, the routes on that link are removed, and traffic is routed through other links. When the link is working again, the routes are re-enabled. This prevents traffic from being sent to a broken link and lost.

In this example:

  • Interfaces wan1 and wan2 connect to the internet through separate ISPs.
  • The detection server IP address is 208.91.114.182.

A performance SLA is created so that, if one link fails, its routes are removed and traffic is detoured to the other link.

To configure a Performance SLA using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Go to Network > Performance SLA.
  3. Click Create New. The Performance SLA page opens.
  4. Enter a name for the SLA and select a protocol.
  5. In the Server field, enter the detection server IP address (208.91.114.182 in this example).
  6. In the Participants field, select both wan1 and wan2.
  7. Configure the remaining settings as needed, then click OK.

To configure a Performance SLA using the CLI:

config system virtual-wan-link
    config health-check
        edit "server"
            set server "208.91.114.182"
            set update-static-route enable
            set members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys virtual-wan-link health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0

Performance SLA – SLA targets

SLA targets are a set of constraints that are used in SD-WAN rules to control the paths that traffic takes.

The available constraints are:

  • Latency threshold: Latency for the SLA to make a decision, in milliseconds (0 – 10000000, default = 5).
  • Jitter threshold: Jitter for the SLA to make a decision, in milliseconds (0 – 10000000, default = 5).
  • Packet loss threshold: Packet loss for the SLA to make a decision, in percentage (0 – 100, default = 0).

To configure Performance SLA targets using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Go to Network > Performance SLA.
  3. Create a new Performance SLA or edit an existing one. See Performance SLA – link monitoring on page 114.
  4. Under SLA Targets, click the plus icon to add a target.
  5. Turn on or off the required constraints, and set their values.
  6. Configure the remaining settings as needed, then click OK.

To configure Performance SLA targets using the CLI:

config system virtual-wan-link
    config health-check
        edit "server"
            set server "208.91.114.182"
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 10
                    set jitter-threshold 10
                    set packetloss-threshold 1
                next
            end
        next
    end
end

The link-cost-factor variable is used to select which constraints are enabled.

SD-WAN rules – best quality

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of five modes:

  • auto: Interfaces are assigned a priority based on quality.
  • Manual (manual): Interfaces are manually assigned a priority.
  • Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface.
  • Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See SD-WAN rules – lowest cost (SLA) on page 119.
  • Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See SD-WAN rules – maximize bandwidth (SLA) on page 121.

When using Best Quality mode, SD-WAN will choose the best link to forward traffic by comparing the link-cost-factor, selected from one of the following:

GUI | CLI | Description
Latency | latency | Select a link based on latency.
Jitter | jitter | Select a link based on jitter.
Packet Loss | packet-loss | Select a link based on packet loss.
Downstream | inbandwidth | Select a link based on available bandwidth of incoming traffic.
Upstream | outbandwidth | Select a link based on available bandwidth of outgoing traffic.
Bandwidth | bibandwidth | Select a link based on available bandwidth of bidirectional traffic.
custom-profile-1 | custom-profile-1 | Select a link based on a customized profile. If selected, set the following weights:
  • packet-loss-weight: Coefficient of packet loss.
  • latency-weight: Coefficient of latency.
  • jitter-weight: Coefficient of jitter.
  • bandwidth-weight: Coefficient of the reciprocal of available bidirectional bandwidth.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet, and you want Gmail services to use the link with the least latency.

To configure an SD-WAN rule to use Best Quality:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Create a new Performance SLA named google. See Performance SLA – link monitoring on page 114.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as gmail.
  6. Configure the following settings:
     Field | Setting
     Internet Service | Google-Gmail
     Strategy | Best Quality
     Interface preference | wan1 and wan2
     Measured SLA | google (created in step 2)
     Quality criteria | Latency
  7. Click OK to create the rule.

To configure an SD-WAN rule to use priority:

config system virtual-wan-link
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode priority
            set internet-service enable
            set internet-service-id 65646
            set health-check "google"
            set link-cost-factor latency
            set priority-members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys virtual-wan-link health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys virtual-wan-link service 1
Service(1):
TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), link-cost-facotr(latency), link-cost-threshold(10), health-check(google)
Members:
1: Seq_num(2), alive, latency: 12.633, selected
2: Seq_num(1), alive, latency: 14.563, selected
Internet Service: Google-Gmail(65646)

As wan2 has a smaller latency, SD-WAN will put Seq_num(2) on top of Seq_num(1) and wan2 will be used to forward Gmail traffic.

SD-WAN rules – lowest cost (SLA)

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of five modes:

  • auto: Interfaces are assigned a priority based on quality.
  • Manual (manual): Interfaces are manually assigned a priority.
  • Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface. See SD-WAN rules – best quality on page 116.
  • Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings.
  • Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See SD-WAN rules – maximize bandwidth (SLA) on page 121.

When using Lowest Cost (SLA) mode (sla in the CLI), SD-WAN will choose the lowest cost link that satisfies SLA to forward traffic.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. The cost of wan2 is less than that of wan1. You want to configure Gmail services to use the lowest cost interface, but the link quality must meet a standard of latency: 10ms, and jitter: 5ms.

To configure an SD-WAN rule to use Lowest Cost (SLA):

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and Jitter threshold = 5ms. See Performance SLA – link monitoring on page 114.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as gmail.
  6. Configure the following settings:
     Field | Setting
     Internet Service | Google-Gmail
     Strategy | Lowest Cost (SLA)
     Interface preference | wan1 and wan2
     Required SLA target | google#1 (created in step 2)
  7. Click OK to create the rule.

To configure an SD-WAN rule to use sla:

config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
            set cost 10
        next
        edit 2
            set interface "wan2"
            set cost 5
        next
    end
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode sla
            set internet-service enable
            set internet-service-id 65646
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys virtual-wan-link health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys virtual-wan-link service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Members:
1: Seq_num(2), alive, sla(0x1), cfg_order(1), selected
2: Seq_num(1), alive, sla(0x1), cfg_order(0), selected
Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic will only use wan2. If only wan1 meets the SLA requirements, Gmail traffic will only use wan1, even though it has a higher cost. If neither interface meets the requirements, wan2 will be used.

If both interfaces had the same cost and both met the SLA requirements, the first link configured in set priority-members would be used.

SD-WAN rules – maximize bandwidth (SLA)

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of five modes:

  • auto: Interfaces are assigned a priority based on quality.
  • Manual (manual): Interfaces are manually assigned a priority.
  • Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface. See SD-WAN rules – best quality on page 116.
  • Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See SD-WAN rules – lowest cost (SLA) on page 119.
  • Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm.

When using Maximize Bandwidth mode (load-balance in the CLI), SD-WAN uses every link that satisfies the SLA to forward traffic, distributing sessions across them with a round-robin algorithm.

In this example, the wan1 and wan2 SD-WAN interfaces connect to two ISPs that both reach the public internet. You want Gmail traffic to use both interfaces, but only while each link meets a quality standard of latency 10ms and jitter 5ms. This maximizes bandwidth usage while keeping sessions off a degraded link.

To configure an SD-WAN rule to use Maximize Bandwidth (SLA):

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and Jitter threshold = 5ms. See Performance SLA – link monitoring on page 114.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as gmail.
  6. Configure the following settings:
Field                 Setting
Internet Service      Google-Gmail
Strategy              Maximize Bandwidth (SLA)
Interface preference  wan1 and wan2
Required SLA target   google#1 (created in step 2)
  7. Click OK to create the rule.

To configure an SD-WAN rule to use Maximize Bandwidth (SLA) using the CLI:

config system virtual-wan-link
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode load-balance
            set internet-service enable
            set internet-service-id 65646
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

To diagnose the performance SLA status:

FGT # diagnose sys virtual-wan-link health-check google
Health Check(google):
  Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
  Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys virtual-wan-link service 1
Service(1): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
  Members:
    1: Seq_num(1), alive, sla(0x1), num of pass(1), selected
    2: Seq_num(2), alive, sla(0x1), num of pass(1), selected
  Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic will use both wan1 and wan2. If only one of the interfaces meets the SLA requirements, Gmail traffic will only use that interface.

If neither interface meets the requirements, the rule is not matched and traffic falls through to the following rules; if no rule matches, traffic is still processed by the implicit rule algorithm. See Implicit rule on page 110.
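The member choice described for the Lowest Cost (SLA) rule above and for the Maximize Bandwidth (SLA) rule here can be worked out from the health-check output before a rule is committed. The following Python model is an added example and is not FortiOS or Fortinet code: it parses the line format of diagnose sys virtual-wan-link health-check as shown on this page, applies the 10ms/5ms SLA target, and reproduces the selection for mode sla and mode load-balance. The member list, costs and sample output are constructed from this page's examples. Two points are assumptions rather than documented behaviour: a measurement equal to the threshold still passes (only a value above it fails), and when no member meets the SLA the lowest-cost member is used, which generalises the page's statement that wan2, the cheapest member, is used in that case.

```python
"""Model of how an SD-WAN rule picks members from Performance SLA results.

Added example (not FortiOS code). It parses the text format printed by
'diagnose sys virtual-wan-link health-check' on this page and applies the
selection rules the page describes for 'mode sla' (Lowest Cost) and
'mode load-balance' (Maximize Bandwidth).
"""
import re
from dataclasses import dataclass

# Constructed sample, copied in shape from the page's diagnose output.
HEALTH_CHECK_OUTPUT = """\
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0
"""

# Members from the Lowest Cost example: health-check seq -> (interface, cost).
MEMBERS = {1: ("wan1", 10), 2: ("wan2", 5)}
PRIORITY_MEMBERS = [1, 2]          # 'set priority-members 1 2'

_PROBE_RE = re.compile(
    r"Seq\((?P<seq>\d+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\) latency\((?P<lat>[\d.]+)\), "
    r"jitter\((?P<jit>[\d.]+)\)"
)


@dataclass(frozen=True)
class Probe:
    seq: int
    alive: bool
    loss_pct: float
    latency_ms: float
    jitter_ms: float


def parse_health_check(text):
    """Return {seq: Probe} for every 'Seq(n): ...' line in the diagnose output."""
    probes = {}
    for line in text.splitlines():
        m = _PROBE_RE.search(line)
        if m:
            seq = int(m["seq"])
            probes[seq] = Probe(seq, m["state"] == "alive", float(m["loss"]),
                                float(m["lat"]), float(m["jit"]))
    return probes


def meets_sla(probe, latency_ms=None, jitter_ms=None, loss_pct=None):
    """An SLA target passes only if the link is alive and no configured
    threshold is exceeded (assumption: equal to the threshold still passes).
    A threshold left at None is not checked."""
    if not probe.alive:
        return False
    if latency_ms is not None and probe.latency_ms > latency_ms:
        return False
    if jitter_ms is not None and probe.jitter_ms > jitter_ms:
        return False
    if loss_pct is not None and probe.loss_pct > loss_pct:
        return False
    return True


def select_sla_mode(probes, latency_ms=10.0, jitter_ms=5.0):
    """Lowest Cost (SLA): cheapest member among those meeting the SLA, ties
    broken by priority-members order. If no member meets the SLA, every member
    is a candidate and the same cost ordering applies (assumption generalising
    the page's 'wan2 will be used' case, where wan2 is the cheapest member)."""
    passing = [s for s in PRIORITY_MEMBERS if meets_sla(probes[s], latency_ms, jitter_ms)]
    pool = passing or list(PRIORITY_MEMBERS)
    best = min(pool, key=lambda s: (MEMBERS[s][1], PRIORITY_MEMBERS.index(s)))
    return MEMBERS[best][0]


def select_load_balance_mode(probes, latency_ms=10.0, jitter_ms=5.0):
    """Maximize Bandwidth (SLA): every member meeting the SLA carries traffic
    (round-robin across the returned list). An empty list means the rule does
    not match and the next rule, or the implicit rule, decides."""
    return [MEMBERS[s][0] for s in PRIORITY_MEMBERS
            if meets_sla(probes[s], latency_ms, jitter_ms)]


if __name__ == "__main__":
    probes = parse_health_check(HEALTH_CHECK_OUTPUT)
    for seq, p in sorted(probes.items()):
        print(f"seq {seq} ({MEMBERS[seq][0]}): latency {p.latency_ms} ms, "
              f"jitter {p.jitter_ms} ms, meets 10/5 SLA: {meets_sla(p, 10, 5)}")
    print("sla mode selects:", select_sla_mode(probes))
    print("load-balance mode uses:", select_load_balance_mode(probes) or "no match")
```

With the page's own numbers neither probe passes the 10ms/5ms target (seq 1 fails on latency, seq 2 on jitter), so mode sla falls back to wan2 and mode load-balance matches nothing; relaxing the latency threshold to 15ms makes only wan1 pass, and the model then returns wan1 despite its higher cost, which is the case the text describes.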

MPLS (SIP and backup) + DIA (cloud apps)

This topic covers a typical customer usage scenario where the customer’s SD-WAN has two members: MPLS and DIA. DIA is mostly used for direct Internet access to Internet applications, for example, Office365, Google applications, Amazon, Dropbox, etc. MPLS is mostly used for SIP and works as a backup when DIA is not working.

Sample topology

Sample configuration

This sample configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will use MPLS.

To configure an SD-WAN rule to use SIP and DIA using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105.
  2. When you add the firewall policy, enable Application Control.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as SIP.
  6. Click the Application box to display the popup dialog box, then select the applicable SIP applications.
  7. For Strategy, select Manual.
  8. For Interface preference, select MPLS.
  9. Click OK.
  10. Click Create New to create another rule.
  11. Enter a name for the rule, such as Internet.
  12. Click the Address box to display the popup dialog box and select all.
  13. For Strategy, select Manual.
  14. For Interface preference, select DIA.
  15. Click OK.

To configure the firewall policy using the CLI:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set application-list "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

To configure an SD-WAN rule to use SIP and DIA using the CLI:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "MPLS"
            set gateway x.x.x.x
        next
        edit 2
            set interface "DIA"
            set gateway x.x.x.x
        next
    end
    config service
        edit 1
            set name "SIP"
            set member 1
            set internet-service enable
            set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251
        next
        edit 2
            set name "Internet"
            set input-device "dmz"
            set member 2
            set dst "all"
        next
    end
end

All SIP traffic uses MPLS and all other traffic goes to DIA. If DIA is down, the traffic uses MPLS. If you use a VPN instead of MPLS to carry SIP traffic, configure a VPN interface, for example vpn1, and replace MPLS with vpn1 as SD-WAN member 1.

To use the diagnose command to check performance SLA status using the CLI:

FGT_A (root) # diagnose sys virtual-wan-link service 1
Service(1): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(1), alive, selected
  Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251)

FGT_A (root) # diagnose sys virtual-wan-link service 2
Service(2): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(2), alive, selected
  Dst address: 0.0.0.0-255.255.255.255

FGT_A (root) # diagnose sys virtual-wan-link internet-service-app-ctrl-list
Ctrl application(SIP 34640):Internet Service ID(4294836224)
Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)

Basic SD-WAN setup – FortiOS 6.2

Basic SD-WAN setup

Creating the SD-WAN interface

This recipe provides an example of how to start using SD-WAN for load balancing and redundancy.

In this example, two ISP internet connections (wan1 and wan2) use SD-WAN to balance traffic between them at 50% each.

To configure SD-WAN using the GUI:

  1. On the FortiGate, enable SD-WAN and add interfaces wan1 and wan2 as members:
    1. Go to Network > SD-WAN.
    2. Set the Status to Enable.
    3. Click the plus icon to add members, using the ISPs’ proper gateways for each member.
    4. Click Apply to save your settings.
  2. Create a static route with virtual-wan-link enabled:
    1. Go to Network > Static Routes.
    2. Click Create New. The New Static Route page opens.
    3. From the Interface drop-down list, select SD-WAN.
    4. Click OK to save your changes.
  3. Create a firewall policy to allow the traffic:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New. The New Policy page opens.
    3. For the Incoming Interface, select DMZ.
    4. For the Outgoing Interface, select SD-WAN.
    5. Configure the remaining settings as needed, then click OK to create the policy. Outgoing traffic will balance between wan1 and wan2 at a 50:50 ratio.

To configure SD-WAN using the CLI:

  1. On the FortiGate, configure the wan1 and wan2 interfaces:

config system interface
    edit "wan1"
        set alias to_ISP1
        set ip 172.16.20.1 255.255.255.0
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end

  2. Enable SD-WAN and add the interfaces as members:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 172.16.20.2
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
end

  3. Configure a static route:

config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

  4. Configure a firewall policy:

config firewall policy
    edit 2
        set name "VWL"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

  5. Use a diagnose command to check the state of the SD-WAN:

# diagnose sys virtual-wan-link member
Member(1): interface: wan1, gateway: 172.16.20.2, priority: 0, weight: 0
Member(2): interface: wan2, gateway: 10.100.20.2, priority: 0, weight: 0

Using DHCP interface

This recipe provides a sample configuration for customers using DHCP interfaces as SD-WAN members. SD-WAN members can be all static IP interfaces, all DHCP interfaces, or a mix of the two.

In this example, we’ll use a customer who has two ISP internet connections: wan1 and wan2. wan1 is a DHCP interface and wan2 is a static IP address interface.

Sample topology

To configure DHCP interface on the GUI:

  1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members:
    1. Go to Network > SD-WAN and ensure Status is Enable.
    2. In the SD-WAN Interface Members section, click the + button and add two members: wan1 and wan2.
       • For the static IP member, enter the Gateway address.
       • For the DHCP member, do not change the Gateway.
    3. Click Apply.
  2. Create a static route and enable virtual-wan-link:
    1. Go to Network > Static Routes and click Create New.
    2. Click the Interface dropdown list and select SD-WAN.
    3. Click OK.
  3. Create a policy for this traffic:
    1. Go to Policy & Objects > IPv4 Policy and click Create New.
    2. For the Incoming Interface, select dmz.
    3. For the Outgoing Interface, select SD-WAN.
    4. Configure other options as needed.
    5. Click OK.

Outgoing traffic is balanced between wan1 and wan2 at about 50% each.

To configure the interface on the CLI:

config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end

To configure SD-WAN on the CLI:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
end

To configure static route on the CLI:

config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

To configure firewall policy on the CLI:

config firewall policy
    edit 2
        set name "VWL"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To use the diagnose command to check SD-WAN state:

# diagnose sys virtual-wan-link member
Member(1): interface: wan1, gateway: 172.16.20.2, priority: 0, weight: 0
Member(2): interface: wan2, gateway: 10.100.20.2, priority: 0, weight: 0

Implicit rule

SD-WAN supports five types of implicit rules (load-balance mode):

  • Source IP (CLI command: source-ip-based): SD-WAN will load balance the traffic equally among its members according to a hash algorithm based on the source IP addresses.
  • Session (weight-based): SD-WAN will load balance the traffic according to the session numbers ratio among its members.
  • Spillover (usage-based): SD-WAN will use the first member until the bandwidth reaches its limit, then use the second, and so on.
  • Source-Destination IP (source-dest-ip-based): SD-WAN will load balance the traffic equally among its members according to a hash algorithm based on both the source and destination IP addresses.
  • Volume (measured-volume-based): SD-WAN will load balance the traffic according to the bandwidth ratio among its members.

Examples

The following four examples demonstrate how to use the implicit rules (load-balance mode).

Example 1

Outgoing traffic is equally balanced between wan1 and wan2, using source-ip-based or source-dest-ip-based mode.

Using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Go to Network > SD-WAN Rules.
  3. Edit the sd-wan rule (the last default rule).
  4. For the Load Balancing Algorithm, select either Source IP or Source-Destination IP.
  5. Click OK.

Using the CLI:

  1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Set the load balancing algorithm.

Source IP based:

config system virtual-wan-link
    set load-balance-mode source-ip-based
end

Source-Destination IP based:

config system virtual-wan-link
    set load-balance-mode source-dest-ip-based
end

Example 2

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using weight-based mode: wan1 runs 80% of the sessions, and wan2 runs 20% of the sessions.

Using the GUI:

  1. Go to Network > SD-WAN Rules.
  2. Edit the sd-wan rule (the last default rule).
  3. For the Load Balancing Algorithm, select Sessions.
  4. Enter 80 in the wan1 field, and 20 in the wan2 field.
  5. Click OK.

Using the CLI:

config system virtual-wan-link
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set weight 80
        next
        edit 2
            set interface "wan2"
            set weight 20
        next
    end
end

Example 3

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using measured-volume-based mode: wan1 runs 80% of the volume, and wan2 runs 20% of the volume.

Using the GUI:

  1. Go to Network > SD-WAN Rules.
  2. Edit the sd-wan rule (the last default rule).
  3. For the Load Balancing Algorithm, select Volume.
  4. Enter 80 in the wan1 field, and 20 in the wan2 field.
  5. Click OK.

Using the CLI:

config system virtual-wan-link
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set volume-ratio 80
        next
        edit 2
            set interface "wan2"
            set volume-ratio 20
        next
    end
end

Example 4

Load balancing can be used to reduce costs when internet connections are charged at different rates. For example, if wan2 charges based on volume usage and wan1 charges a fixed monthly fee, we can use wan1 at its maximum bandwidth, and use wan2 for overflow.

In this example, wan1's bandwidth is 10Mbps down and 2Mbps up. Traffic uses wan1 until it reaches its spillover limit, then starts to use wan2. Note that auto-asic-offload must be disabled in the firewall policy: spillover depends on the FortiGate measuring each member's bandwidth in software, and sessions offloaded to hardware are not counted against the thresholds.

Using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Go to Network > SD-WAN Rules.
  3. Edit the sd-wan rule (the last default rule).
  4. For the Load Balancing Algorithm, select Spillover.
  5. Enter 10000 in the wan1 Ingress Spillover Threshold field, and 2000 in the wan1 Egress Spillover Threshold field.
  6. Click OK.

Using the CLI:

config system virtual-wan-link
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            set spillover-threshold 2000
            set ingress-spillover-threshold 10000
        next
    end
end
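The four examples above each configure one implicit-rule algorithm; seeing how they differ in where a new session lands is easier with a small model. The following Python is an added example, not FortiOS or Fortinet code: the hash function, the ratio bookkeeping and the spillover check are illustrative stand-ins for the FortiGate's internal algorithms, which this page does not specify. The member names, the 80:20 ratio and the 2000 kbps egress threshold are taken from the examples on this page; the behaviour when every member is over its spillover threshold is an assumption. One function covers both weight-based (session counts) and measured-volume-based (byte counts), since the page describes the same ratio logic for both.

```python
"""Model of the five SD-WAN implicit-rule load-balance modes on this page.

Added example (not FortiOS code): the hashing and bookkeeping here are
illustrative stand-ins for the FortiGate's internal algorithms, which the
page does not specify. Numbers come from the page's examples (80:20
ratio, wan1 egress spillover threshold 2000 kbps).
"""
import hashlib
import ipaddress

MEMBERS = ["wan1", "wan2"]            # config order = member seq order


def _stable_hash(*parts):
    """Process-independent hash; Python's built-in hash() is salted per run."""
    digest = hashlib.sha256("|".join(parts).encode()).digest()
    return int.from_bytes(digest[:8], "big")


def source_ip_member(src, members=MEMBERS):
    """source-ip-based: every session from the same host uses the same member."""
    src = str(ipaddress.ip_address(src))           # validate and normalise
    return members[_stable_hash(src) % len(members)]


def source_dest_member(src, dst, members=MEMBERS):
    """source-dest-ip-based: one host may use different members for different
    destinations, but a given (src, dst) pair is always pinned to one member."""
    src = str(ipaddress.ip_address(src))
    dst = str(ipaddress.ip_address(dst))
    return members[_stable_hash(src, dst) % len(members)]


def ratio_member(targets, measured):
    """weight-based / measured-volume-based: choose the member furthest below
    its target share. 'measured' holds session counts (set weight) or bytes
    (set volume-ratio); integer cross-multiplication avoids float drift.
    Ties go to the member listed first (the configured order)."""
    total_target = sum(targets.values())
    total_measured = sum(measured.get(m, 0) for m in targets)
    return max(targets, key=lambda m: targets[m] * total_measured
                                      - measured.get(m, 0) * total_target)


def simulate_sessions(weights, n_sessions):
    """Assign n_sessions one at a time with ratio_member and return the counts."""
    counts = {m: 0 for m in weights}
    for _ in range(n_sessions):
        counts[ratio_member(weights, counts)] += 1
    return counts


def spillover_member(members, egress_kbps, thresholds_kbps):
    """usage-based: the first member whose measured egress is still under its
    spillover threshold carries new sessions. Assumption: when every member is
    over its threshold, the last member keeps taking traffic."""
    for m in members:
        if egress_kbps.get(m, 0) < thresholds_kbps.get(m, float("inf")):
            return m
    return members[-1]


if __name__ == "__main__":
    print("10.1.1.7 ->", source_ip_member("10.1.1.7"))
    print("10.1.1.7 -> 8.8.8.8:", source_dest_member("10.1.1.7", "8.8.8.8"))
    print("80:20 sessions after 100:", simulate_sessions({"wan1": 80, "wan2": 20}, 100))
    print("spillover at 1500 kbps:", spillover_member(MEMBERS, {"wan1": 1500}, {"wan1": 2000}))
    print("spillover at 2100 kbps:", spillover_member(MEMBERS, {"wan1": 2100}, {"wan1": 2000}))
```

The practical difference the model exposes is stickiness: the two hash-based modes always put a given source (or source/destination pair) on the same member, so a single busy host never spreads across links, while the ratio and spillover modes decide per new session from running counters and so can place consecutive sessions from one host on different members.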

SD-WAN – FortiOS 6.2

SD-WAN

SD-WAN is a software-defined approach to managing Wide-Area Networks (WAN). It allows you to offload internet-bound traffic, meaning that private WAN services remain available for real-time and mission critical applications. This added flexibility improves traffic flow and reduces pressure on the network.

SD-WAN platforms create hybrid networks that integrate broadband and other network services into the corporate WAN while maintaining the performance and security of real-time and sensitive applications.

SD-WAN with Application Aware Routing can measure and monitor the performance of multiple services in a hybrid network. It uses application routing to offer more granular control of where and when an application uses a specific service, allowing better use of the overall network.

Some of the key benefits of SD-WAN include:

  • Reduced cost with transport independence across MPLS, 3G/4G LTE, and others.
  • Improved business application performance thanks to increased availability and agility.
  • Optimized user experience and efficiency with SaaS and public cloud applications.

SD-WAN has 3 objects:

  • SD-WAN interface

Also called members, SD-WAN interfaces are the ports and interfaces that are used to run traffic. At least one interface must be configured for SD-WAN to function; up to 255 member interfaces can be configured. See Creating the SD-WAN interface on page 105.

  • Performance-SLA

Also called health-check, performance SLAs are used to monitor member interface link quality, and to detect link failures. They can be used to remove routes, and to reroute traffic when an SD-WAN member cannot detect the server. They can also be used in SD-WAN rules to select the preferred member interface for forwarding traffic. See Performace SLA – link monitoring on page 114.

  • SD-WAN rule

Also called service, SD-WAN rules are used to control path selection. Specific traffic can be dynamically sent to the best link, or use a specific route. There are five modes:

  • auto: Assign interfaces a priority based on quality.
  • manual: Assign interfaces a priority manually.
  • priority: Assign interfaces a priority based on the link-cost-factor quality of the interface.
  • sla: Assign interfaces a priority based on selected SLA settings.
  • load-balance: Distribute traffic among all available links based on the load balance algorithm.