FortiGate
fwilliams
Staff & Editor
Article Id 291504
Description

This article briefly highlights the best ways to implement SD-WAN in an environment where MPLS, VPN and internet links (mixed) co-exist and all of them require SD-WAN.

Scope

FortiGate v6.4.x and above.

Solution

In many reported cases, customers implement SD-WAN over a mixture of links (MPLS, IPsec VPN tunnel and Internet) but do not adequately segment them from one another.

The best thing to do in an environment with a mixture of links is to ensure the following:

  1. Static default routing is properly configured: Do not configure a single static default route through the SD-WAN interface; instead, configure the static default route through individual zones or interfaces. If there is no internet breakout on the other side of the VPN tunnel, it is NOT necessary to configure a default route 0.0.0.0/0 over the VPN SD-WAN zone.

The configuration below, for example, directs the default route to all SD-WAN member interfaces (Internet, MPLS, or VPN). This should be avoided in an environment with heterogeneous links. Instead, point the default route to the individual interfaces that have internet access. Not referencing the SD-WAN zone in the static route does not stop SD-WAN from working perfectly. Individual interfaces also have advantages: for example, two links of 256 Mbps and 1 Gbps will not be load-balanced by ECMP by default, as they would be if the SD-WAN zone were used in the static route.

[Image sd1.JPG: example of the configuration to avoid]

The following should also be avoided:

[Image sd3.JPG: another configuration to avoid]

Note:

Point the default route to only zone(s) with internet access.

  2. The SD-WAN zones are segmented: Do not add two unrelated or heterogeneous interfaces to the same zone. For example, placing 'Internet' and 'MPLS' links in the same zone does not follow best practice (a zone named 'WAN' should not house both Internet and MPLS links just because both are WAN links/interfaces). This is not common, but is sometimes seen.
  3. Do NOT use an 'all' source to an 'all' destination in any of the SD-WAN rules: Make sure the only SD-WAN rule with 'all' to 'all' in the deployment is the implicit SD-WAN rule. Fortinet's R&D team has warned that such a configuration could result in unexpected behavior, such as the FortiGate not following the correct routing based on the routing table, since traffic that does not match any other SD-WAN rule will hit this rule.

[Image sd4.JPG]
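As an added illustration (not part of the original article), the following Python script parses a FortiOS-style CLI snippet and flags the first and third pitfalls above: a default route bound to every SD-WAN member or to several zones, and an explicit all-to-all SD-WAN rule. The sample config is constructed, and the `sdwan-zone` (7.x) / `sdwan enable` (6.4) static-route keywords are assumed to match the FortiOS syntax; zone segmentation is not checked, because telling an Internet link from an MPLS link needs site knowledge the config alone does not carry.

```python
import re

def parse(text):
    """Flatten FortiOS config/edit nesting into {(path, ...): {key: [values]}}."""
    stack, entries = [], {}
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if not words:
            continue
        if words[0] in ("config", "edit"):      # descend one level
            stack.append(" ".join(words[1:]))
            entries.setdefault(tuple(stack), {})
        elif words[0] in ("next", "end"):       # climb back out
            stack.pop()
        elif words[0] == "set":                 # record attribute values
            entries[tuple(stack)][words[1]] = words[2:]
    return entries

def lint(text):
    """Return one finding per static-route or SD-WAN-rule pitfall."""
    findings = []
    for path, kv in parse(text).items():
        if path[0] == "router static" and len(path) == 2:
            # Default route (no dst, or dst 0.0.0.0) bound to every member
            # ('set sdwan enable', 6.4) or to several zones: ECMPs unequal links.
            default = "dst" not in kv or kv["dst"][0] == "0.0.0.0"
            spread = kv.get("sdwan") == ["enable"] or len(kv.get("sdwan-zone", [])) > 1
            if default and spread:
                findings.append(f"static route {path[1]}: default route spans several zones/members")
        elif path[:2] == ("system sdwan", "service") and len(path) == 3:
            # Only the implicit rule may be all-to-all; an explicit one shadows the routing table.
            if kv.get("src") == ["all"] and kv.get("dst") == ["all"]:
                findings.append(f"sdwan service {path[2]}: explicit all-to-all rule")
    return findings

# Constructed sample that violates both checks (not taken from a real device).
SAMPLE = """config system sdwan
    config service
        edit 1
            set src "all"
            set dst "all"
        next
    end
end
config router static
    edit 1
        set sdwan-zone "WAN" "virtual-wan-link"
    next
end
"""
```

Run `print("\n".join(lint(SAMPLE)))` against a `show full-configuration` export to list the offending route and rule IDs; an empty result means neither pitfall was found.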