Shilpa1, Staff
Article Id 198257

Description

This article describes how to configure SD-WAN entirely from the CLI.

Scope

FortiGate.

Solution

To configure SD-WAN in the CLI:

Configure the WAN1 and WAN2 interfaces.

config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
        set distance 10
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end

Enable SD-WAN, create a new zone if needed (the virtual-wan-link zone is created by default and cannot be removed), and add the interfaces as members.
If no zone is specified for a member, it is placed in the virtual-wan-link zone.

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SDWAN-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "SDWAN-zone"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
            set zone "SDWAN-zone"
        next
    end
end

Create a static route for SD-WAN.

config router static
    edit 1
        set sdwan-zone "SDWAN-zone"
    next
end

If needed, select the implicit SD-WAN load-balancing algorithm; the default is source-ip-based. From FortiOS 6.4.1 this setting is under 'config system sdwan' (see the notes below on the 'virtual-wan-link' to 'sdwan' rename).

config system sdwan
    set load-balance-mode {source-ip-based | weight-based | source-dest-ip-based | measured-volume-based}
end

Create a firewall policy for SD-WAN. Only SD-WAN zones can be used as source or destination interfaces; individual members cannot be selected.

config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf internal
        set dstintf SDWAN-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set application-list <app_list>
        set logtraffic all
        set nat enable
        set status enable
    next
end

Configure a performance SLA.

config system sdwan
    config health-check
        edit "server"
            set server "208.91.112.53"
            set update-static-route enable
            set members 1 2
        next
    end
end

Results.

To view the routing table in the CLI:

get router info routing-table all
 
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
S*      0.0.0.0/0 [1/0] via 172.16.20.2, wan1
                  [1/0] via 10.100.20.2, wan2
C       10.100.20.0/24 is directly connected, wan2
C       172.16.20.2/24 is directly connected, wan1
C       192.168.0.0/24 is directly connected, internal

To diagnose the performance SLA status:

diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0
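As an added example (not part of the Fortinet article), the following Python script parses the output of 'diagnose sys sdwan health-check' shown above and flags members that are dead or outside chosen SLA targets. The embedded sample is a constructed copy of the article's two output lines plus a hypothetical third member that is down, and the loss, latency and jitter thresholds are hypothetical values chosen for the demonstration.

```python
"""Parse FortiGate 'diagnose sys sdwan health-check' output and flag members
that are dead or outside an SLA target.

Added example, not part of the Fortinet article. The sample input below is
constructed: the article's two lines plus a hypothetical dead third member.
The SLA thresholds are hypothetical values chosen for the demo.
"""
import re
from dataclasses import dataclass

# Constructed sample output (Seq(3) is hypothetical, to exercise the failure path).
SAMPLE_OUTPUT = """\
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0
Seq(3): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000) sla_map=0x0
"""

HEADER_RE = re.compile(r"Health Check\((?P<name>[^)]+)\):")
LINE_RE = re.compile(
    r"Seq\((?P<seq>\d+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\) latency\((?P<latency>[\d.]+)\), "
    r"jitter\((?P<jitter>[\d.]+)\) sla_map=(?P<sla_map>0x[0-9a-fA-F]+)"
)


@dataclass
class MemberHealth:
    check: str          # health-check name, e.g. "server"
    seq: int            # SD-WAN member sequence number
    state: str          # "alive" or "dead"
    packet_loss: float  # percent
    latency_ms: float
    jitter_ms: float
    sla_map: int        # parsed from the hex sla_map field


def parse_health_check(text: str) -> list[MemberHealth]:
    """Return one MemberHealth per Seq(...) line, tagged with its check name."""
    results = []
    check = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            check = h.group("name")
            continue
        m = LINE_RE.match(line)
        if m and check is not None:
            results.append(MemberHealth(
                check=check,
                seq=int(m.group("seq")),
                state=m.group("state"),
                packet_loss=float(m.group("loss")),
                latency_ms=float(m.group("latency")),
                jitter_ms=float(m.group("jitter")),
                sla_map=int(m.group("sla_map"), 16),
            ))
    return results


def sla_violations(members, max_loss=1.0, max_latency=50.0, max_jitter=10.0):
    """Return (seq, reason) pairs for members that are dead or exceed the
    hypothetical SLA targets. A dead member is reported once, not per metric."""
    problems = []
    for m in members:
        if m.state != "alive":
            problems.append((m.seq, f"state is {m.state}"))
            continue
        if m.packet_loss > max_loss:
            problems.append((m.seq, f"packet loss {m.packet_loss}% > {max_loss}%"))
        if m.latency_ms > max_latency:
            problems.append((m.seq, f"latency {m.latency_ms} ms > {max_latency} ms"))
        if m.jitter_ms > max_jitter:
            problems.append((m.seq, f"jitter {m.jitter_ms} ms > {max_jitter} ms"))
    return problems


if __name__ == "__main__":
    members = parse_health_check(SAMPLE_OUTPUT)
    for m in members:
        print(f"{m.check} seq {m.seq}: {m.state}, loss {m.packet_loss}%, "
              f"latency {m.latency_ms} ms, jitter {m.jitter_ms} ms")
    for seq, reason in sla_violations(members):
        print(f"ALERT member {seq}: {reason}")
```

In practice the text would be collected from the FortiGate over SSH or the REST API and fed to parse_health_check; the thresholds should mirror the SLA targets configured on the health check so that an alert here matches what the FortiGate itself would treat as an SLA failure.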

Notes:
Before 6.4.1 there were no configurable SD-WAN zones; the only zone available was virtual-wan-link.
Also, before 6.4.1, the commands used for configuration and troubleshooting were different. From 6.4.1, the word 'virtual-wan-link' in the commands has been replaced with 'sdwan'. For example, in FortiOS 6.2 the command to enter SD-WAN configuration was 'config system virtual-wan-link'; from 6.4.1 it is 'config system sdwan'.

When using 'virtual-wan-link' for WAN load balancing with SD-WAN and then applying Fabric Overlay Orchestrator (FOO), an additional SD-WAN zone is created for the FOO. The SD-WAN rules therefore need to be in the correct order; otherwise traffic is routed incorrectly.