This article describes a commonly-observed situation regarding first-time setup of SD-WAN routing. When SD-WAN is set up, it is common to see administrators assign all of the SD-WAN-related member interfaces (IPsec tunnels, MPLS links, broadband Internet links, etc.) to a single SD-WAN zone (i.e. virtual-wan-link), followed by configuring a single default static route using that same SD-WAN zone.
The following is an example of what the routing table might look like in this scenario:
In the above screenshot, the interfaces have equal Administrative Distance and Priority, and this leads to an Equal Cost Multi-Path (ECMP) or load-balancing situation.
Unfortunately, this can lead to routing problems in two scenarios:
1) When the Implicit/load-balancing SD-WAN rule is utilized for user traffic.
2) When the FortiGate is self-originating traffic that needs to go out to the Internet (FortiGuard traffic, DNS queries, etc.)
The problem is that the FortiGate sees the above SD-WAN interfaces as all being equally capable of routing traffic to the Internet (due to the default route), but typically only some of the SD-WAN interfaces (WAN1 and WAN2) are actually Internet-connected.
This can result in the FortiGate sending Internet-bound traffic over a non-Internet link, which results in broken network connectivity.
FortiGate 7.2, 7.0, 6.4 and earlier
While there are a few approaches available to resolve this issue, one robust method is to set Priority values for each SD-WAN Member interface.
SD-WAN Priority works in a very similar fashion as Static Route Priority on the FortiGate, and it allows administrators to assign an order of preference to the FortiGate's SD-WAN members.
Priority is assigned on a per-SD-WAN member basis, with lower being better.
Note that Priority is not the same thing as Cost, and that each config option serves separate functions.
In FortiOS 7.0 and later, the Priority can be set in the Web GUI by editing the chosen member interface under Network -> SD-WAN -> SD-WAN Zones:
In the CLI, Priority can be assigned in the following manner under config system sdwan (or config system virtual-wan-link in older FortiOS versions):
# config system sdwan
edit <sequence number>
set priority <1 to 65535, default = 1>
Note that the Priority values are relative between each SD-WAN member, so there are no specific Priority values that must be used.
After setting the Priority on each SD-WAN member, the following is what the previously-shown routing table would now look like:
In the above screenshot, WAN1 and WAN2 would now be preferred for FortiGate's self-originated traffic, followed by the MPLS and IPsec1. Similarly, user traffic that utilizes the SD-WAN Implicit rule will now be load-balanced solely between WAN1 and WAN2 (as long as it is up and running).
Technically, Internet traffic can still be routed over MPLS and IPsec1 if both the WAN1 and WAN2 links are down, though this would be of little concern to an administrator given the circumstances.
In FortiOS 6.4.1, FortiOS added support for multiple SD-WAN zone interfaces, and later in FortiOS 7.0.1 the feature was expanded to allow SD-WAN zones to be used independently in static routes.
The above changes allow administrators to group their SD-WAN members into separate functional zones (e.g. Internet vs. IPsec) and then associate appropriate routes with these zones (e.g. default routes for Internet zone, private LAN routes for IPsec).
In case of new SD-WAN designs, separate functional zones can be an alternative method for avoiding routing issues.
However, the aforementioned Priority method is more-broadly available, particularly for older FortiOS versions, and it is also a good method for solving routing issues with minimal changes required.