rahulkaushik-22
Article Id 334933
Description This article describes how to configure an ISP as an SD-WAN member without an SLA when the ISP charges for data.
Scope FortiGate.
Solution

Configure an ISP as an SD-WAN member without an SLA where the provider charges for data usage.

There are two service providers, wan1 and wan2. wan1 is the primary link and wan2 is the secondary link, which is charged according to the data transferred.

 

Make sure there is no performance SLA on wan2, as probe traffic will also result in data usage. If there is at least some traffic on wan2, it is possible to use a Performance SLA that does not generate probes.
When using a 'Passive' probe, the FortiGate will look at traffic that is already going through the interface to determine whether it is up or not. See more details here: Passive WAN health measurement | FortiGate / FortiOS 7.0.0 | Fortinet Document Library  

 

Create an SD-WAN rule with an interface selection strategy as required and select both wan1 and wan2 as members of the SD-WAN rule.

In this example, the interface selection strategy is Cost.

SD-WAN performance SLA: [screenshots: 1.PNG, 2.PNG]

 

Wan1 is the outgoing interface as per the SD-WAN rule.

 

Discovery-kvm22 # diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
 Tie break: cfg
 Shortcut priority: 2
  Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
  Members(2):
    1: Seq_num(1 port1 ISP), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
    2: Seq_num(2 port2 ISP), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
  Src address(1):
        0.0.0.0-255.255.255.255

  Dst address(1):
        0.0.0.0-255.255.255.255

 

 

The wan1 interface went down, so wan2 takes over, as seen in the SD-WAN rule.

 

Discovery-kvm22 # dia sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
 Tie break: cfg
 Shortcut priority: 2
  Gen(2), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
  Members(2):
    1: Seq_num(2 port2 ISP), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
    2: Seq_num(1 port1 ISP), dead, sla(0x0), gid(0), cfg_order(0), local cost(0)
  Src address(1):
        0.0.0.0-255.255.255.255

  Dst address(1):
        0.0.0.0-255.255.255.255
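
Because every byte on wan2 is billed, it is useful to notice when the rule has failed over to it. The following is an added example, not part of the original article or of Fortinet's tooling: a small Python parser for the member lines of the two outputs above that reports whether the metered link is now the outgoing interface. It assumes that port2 is the metered wan2 link and that the first alive, selected member listed is the one carrying traffic, which matches both outputs on this page; the function names are hypothetical.

```python
import re

# Member line format as printed by `diagnose sys sdwan service4 <id>` on this page.
MEMBER_RE = re.compile(
    r"^\s*(?P<rank>\d+):\s+Seq_num\((?P<seq>\d+)\s+(?P<iface>[^\s)]+)[^)]*\),\s+"
    r"(?P<state>alive|dead),\s+sla\((?P<sla>0x[0-9a-fA-F]+)\)"
    r".*?cfg_order\((?P<cfg_order>\d+)\)(?P<rest>.*)$"
)

def parse_members(output):
    """Return the rule's members, in listed order, as dicts."""
    members = []
    for line in output.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append({
                "rank": int(m["rank"]),
                "seq": int(m["seq"]),
                "iface": m["iface"],
                "alive": m["state"] == "alive",
                "sla": int(m["sla"], 16),
                "cfg_order": int(m["cfg_order"]),
                "selected": m["rest"].rstrip().endswith("selected"),
            })
    return members

def active_iface(output):
    """Assumption: the first alive, selected member listed carries the traffic."""
    for member in parse_members(output):
        if member["alive"] and member["selected"]:
            return member["iface"]
    return None  # no usable member: the rule is not steering traffic

def metered_link_in_use(output, metered_iface):
    """True when the pay-per-use member has become the outgoing interface."""
    return active_iface(output) == metered_iface

# Member lines copied from the two outputs on this page (port2 assumed metered).
BEFORE = """
    1: Seq_num(1 port1 ISP), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
    2: Seq_num(2 port2 ISP), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
"""
AFTER = """
    1: Seq_num(2 port2 ISP), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
    2: Seq_num(1 port1 ISP), dead, sla(0x0), gid(0), cfg_order(0), local cost(0)
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, active_iface(text), metered_link_in_use(text, "port2"))
```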