kylehouk
Visitor III
September 26, 2025
Solved

Implementing SD-WAN for Single WAN Connection


One of our remote offices has been having intermittent internet issues (thanks Comcast). From what I have been able to find, by default FortiGates don't do much health monitoring on WAN connections, and that if I want WAN health monitoring I need to configure SD-WAN.


I have never configured SD-WAN before and wanted to avoid any gotchas.


Some of the questions I have about SD-WAN

  • How does configuring SD-WAN affect any WAN firewall policies? Do these need to be updated to point to the SD-WAN instead of WAN?
  • We have a static IP, any concerns with SD-WAN and Static IPs?
  • Will configuring SD-WAN mess with any IPSEC or SSL VPNs?
  • We don't pay for FortiAnalyzer, without that will it make any Health Monitoring useless?

Best answer by distillednetwork

If you only have 1 interface and are just looking to log the link going down, you are probably better off looking at just link monitor instead of going through the trouble of SD-WAN.

https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/81096/enable-or-disable-updating-policy-routes-when-link-health-monitor-fails

Set it up with "set update-policy-route disable" and this should just log a message when it fails.
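An added example of the link-monitor configuration the answer describes, for a single-WAN site where the goal is logging only; this is not configuration from the thread or from Fortinet. It assumes the WAN interface is named "wan1", and the probe-target addresses and the monitor name are placeholders.

```fortios
# Added example, not from the thread: single-WAN link monitor that only logs.
# Assumptions: the WAN interface is "wan1"; the probe targets below are
# placeholders, replace them with hosts that reliably answer ICMP from this site.
config system link-monitor
    edit "wan1-health"
        set srcintf "wan1"
        set server "203.0.113.10" "198.51.100.10"   # placeholder probe targets
        set protocol ping
        set failtime 5            # consecutive failed probes before the link is marked dead
        set recoverytime 5        # consecutive good probes before it is marked alive again
        # With one WAN there is nothing to fail over to, so leave routing alone.
        # The default (update-static-route enable) withdraws the static default
        # route when the probe target stops answering, which would take the
        # office offline even if the link itself is still up.
        set update-static-route disable
        set update-policy-route disable
        set update-cascade-interface disable
        set status enable
    next
end
```

Current probe state can be read with "diagnose sys link-monitor status", and the dead/alive transitions show up in the FortiGate's own event log, which is what remains usable without FortiAnalyzer.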


distillednetwork
Explorer II
September 26, 2025

Yes, SD-WAN is the way to go.

  • How does configuring SD-WAN affect any WAN firewall policies? Do these need to be updated to point to the SD-WAN instead of WAN? <== Yes, the policies will have the SD-WAN Zone as the destination instead of a single interface.
  • We have a static IP, any concerns with SD-WAN and Static IPs? <== No, static IPs work just the same.
  • Will configuring SD-WAN mess with any IPSEC or SSL VPNs? <== It will not, the WAN interface will still be an option for VPN setup instead of SD-WAN.
  • We don't pay for FortiAnalyzer, without that will it make any Health Monitoring useless? <== You will have health monitoring in the firewall itself, but just not anything historical except for logs. The graphs only show real-time.

Keep in mind you will want to update your routes so the default route is your SD-WAN zone instead of the WAN interfaces, and don't pick too aggressive of a load balancer for SD-WAN, depending on your needs.

I also do not update static routes on health check failures for VPNs, because this can sometimes lead to longer recovery times.

There are a lot of good guides on SD-WAN now, and read up on the balancing and failover options for sure.
kylehouk (Author)
Visitor III
September 26, 2025

Hi @distillednetwork

Thank you for the quick and thorough response.

The remote office only has 1 internet connection, so no failover is possible, and with that being the case I don't think I have to worry about routes updating.

Do you have any guides you would recommend/link for setting up SD-WAN?
