Shilpa1
Article Id 198257

Description

This article describes how to configure SD-WAN entirely from the CLI.

 

Scope

FortiGate.

Solution

Design layout:

  • 2 WAN interfaces.
    • WAN1.
    • WAN2.
  • Define an SD-WAN zone named 'SDWAN-zone'.
  • WAN1 and WAN2 are placed under the SD-WAN zone.
  • Static route definition for the default gateway (0.0.0.0/0) via the SD-WAN zone.
  • Firewall policy configuration.
  • Health-check (Performance SLA) configuration. The target is 208.91.112.53.

To configure SD-WAN in the CLI:

Configure the WAN1 and WAN2 interfaces.

config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
        set distance 10
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end

 

Enable SD-WAN, create a new zone if needed (the virtual-wan-link zone is created by default and cannot be removed), and add the interfaces as members.
If no zone is specified for a member, it is placed in the virtual-wan-link zone.

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SDWAN-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "SDWAN-zone"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
            set zone "SDWAN-zone"
        next
    end
end

 

Create a static route for SD-WAN.

 

config router static
    edit 1
        set sdwan-zone "SDWAN-zone"
    next
end

 

If needed, select the implicit SD-WAN load-balancing algorithm. 'source-ip-based' is the default.

config system sdwan
    set load-balance-mode {source-ip-based | weight-based | source-dest-ip-based | measured-volume-based}
end

 

Create a firewall policy for SD-WAN.

 

Note: Individual SD-WAN members cannot be referenced directly in firewall policies. Only SD-WAN zones, and interfaces that are not SD-WAN members, can be selected as source or destination interfaces.

 

When an interface is migrated to an SD-WAN zone, FortiGate prompts the administrator to choose between two options: Replace Instance, which replaces the individual interface with the SD-WAN zone in the firewall policy, or Delete Entry, which removes the entire firewall policy that contains the migrated interface.

 

It is important to note that selecting Delete Entry results in the deletion of the entire firewall policy, not just the migrated interface. This behavior applies regardless of whether the policy contains a single destination interface or multiple destination interfaces. Even if some destination interfaces have not been migrated to SD-WAN, the policy will still be deleted.

 

config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf internal
        set dstintf SDWAN-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>           
        set dnsfilter-profile <profile_name>
        set application-list <app_list>
        set logtraffic all
        set nat enable
        set status enable
    next
end

 

Configure a performance SLA.

 

config system sdwan
    config health-check
        edit "server"
            set server "208.91.112.53"
            set update-static-route enable
            set members 1 2
        next
    end
end

 

Results:

To view the routing table in the CLI:

 

get router info routing-table all
 
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
S*      0.0.0.0/0 [1/0] via 172.16.20.2, wan1
                  [1/0] via 10.100.20.2, wan2
C       10.100.20.0/24 is directly connected, wan2
C       172.16.20.2/24 is directly connected, wan1
C       192.168.0.0/24 is directly connected, internal

 

To check the Performance SLA status:

 

diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0
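The two outputs above are what an operator usually eyeballs after a change. As an added example (not part of the original article), the following Python parses the 'diagnose sys sdwan health-check' and 'get router info routing-table all' formats shown and flags a member that is not alive, breaches a latency/loss threshold, or is missing from the 0.0.0.0/0 route. The sample outputs and the thresholds are constructed; the member-to-interface mapping follows the configuration in this article.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the format of 'diagnose sys sdwan health-check'.
# Member 2 (wan2) is shown dead here to exercise the checks.
HEALTH_CHECK_OUTPUT = """Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000) sla_map=0x0
"""

# Constructed sample of 'get router info routing-table all'. With
# 'set update-static-route enable', the route via the dead member is withdrawn.
ROUTING_TABLE_OUTPUT = """S*      0.0.0.0/0 [1/0] via 172.16.20.2, wan1
C       10.100.20.0/24 is directly connected, wan2
C       192.168.0.0/24 is directly connected, internal
"""

MEMBERS = {1: "wan1", 2: "wan2"}  # SD-WAN member seq -> interface, as configured above

SEQ_RE = re.compile(r"Seq\((\d+)\): state\((\w+)\), packet-loss\(([\d.]+)%\) "
                    r"latency\(([\d.]+)\), jitter\(([\d.]+)\) sla_map=(0x[0-9a-fA-F]+)")

@dataclass
class MemberHealth:
    seq: int
    state: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    sla_map: int

def parse_health_check(text):
    """Return {seq: MemberHealth} for each Seq(n) line in the diagnose output."""
    return {int(m[1]): MemberHealth(int(m[1]), m[2], float(m[3]), float(m[4]),
                                    float(m[5]), int(m[6], 16))
            for m in SEQ_RE.finditer(text)}

def default_route_interfaces(text):
    """Egress interfaces of the 0.0.0.0/0 entry. A route starts at column 0;
    indented lines are additional next-hops of the same route."""
    ifaces, in_default = set(), False
    for line in text.splitlines():
        if line and not line[0].isspace():
            in_default = "0.0.0.0/0" in line
        m = re.search(r"via\s+\S+,\s+(\S+)", line) if in_default else None
        if m:
            ifaces.add(m.group(1))
    return ifaces

def find_problems(health, route_ifaces, members, max_loss=1.0, max_latency=100.0):
    """List members that are dead, degraded, or absent from the default route."""
    problems = []
    for seq, iface in sorted(members.items()):
        h = health.get(seq)
        if h is None:
            problems.append(f"{iface}: no health-check result")
        elif h.state != "alive":
            problems.append(f"{iface}: state {h.state}")
        elif h.loss_pct > max_loss or h.latency_ms > max_latency:
            problems.append(f"{iface}: degraded loss={h.loss_pct}% latency={h.latency_ms}ms")
        if iface not in route_ifaces:
            problems.append(f"{iface}: missing from default route")
    return problems

if __name__ == "__main__":
    health = parse_health_check(HEALTH_CHECK_OUTPUT)
    for p in find_problems(health, default_route_interfaces(ROUTING_TABLE_OUTPUT), MEMBERS):
        print("WARN", p)
```

On a healthy deployment matching this article, find_problems returns an empty list; pipe the real command output into the two parse functions to use it as a post-change check.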

 

Notes:
Before 6.4.1 there were no configurable SD-WAN zones; the only zone available was virtual-wan-link.
Also, before 6.4.1 the commands used for configuration and troubleshooting were different. From 6.4.1, the word 'virtual-wan-link' in the commands has been replaced with 'sdwan'. For example, in FortiOS 6.2 the command to enter SD-WAN configuration was 'config system virtual-wan-link'; from 6.4.1 it is 'config system sdwan'.

 

When 'virtual-wan-link' is used for WAN load balancing with SD-WAN and the Fabric Overlay Orchestrator (FOO) is then applied, an additional SD-WAN zone is created for the FOO. The SD-WAN rules therefore need to be in the correct order, as traffic is otherwise routed incorrectly.

 

Related documents:

SD-WAN

SD-WAN Resource List

Technical Tip: Explaining the SD-WAN rule matching process