Description
This article describes how to configure SD-WAN entirely from the CLI.
Scope
FortiGate.
Solution
To configure SD-WAN in the CLI, complete the following steps.
Configure the WAN1 and WAN2 interfaces. In this example, wan1 obtains its address by DHCP and wan2 uses a static address.
config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
        set distance 10
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end
Enable SD-WAN, create a new zone if one is needed (the virtual-wan-link zone is created by default and cannot be removed), and add the interfaces as members.
If no zone is specified for a member, it is placed in the virtual-wan-link zone.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SDWAN-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "SDWAN-zone"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
            set zone "SDWAN-zone"
        next
    end
end
Create a static route for SD-WAN.
config router static
    edit 1
        set sdwan-zone "SDWAN-zone"
    next
end
If needed, select the implicit SD-WAN load-balancing algorithm. By default, source-ip-based is selected.
config system sdwan
    set load-balance-mode {source-ip-based | weight-based | source-dest-ip-based | measured-volume-based}
end
Create a firewall policy for SD-WAN. Only SD-WAN zones can be used as source or destination interfaces; individual members cannot be selected.
config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf internal
        set dstintf SDWAN-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set application-list <app_list>
        set logtraffic all
        set nat enable
        set status enable
    next
end
Configure a performance SLA.
config system sdwan
    config health-check
        edit "server"
            set server "208.91.112.53"
            set update-static-route enable
            set members 1 2
        next
    end
end
Results
To view the routing table in the CLI:
get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [1/0] via 172.16.20.2, wan1
[1/0] via 10.100.20.2, wan2
C 10.100.20.0/24 is directly connected, wan2
C 172.16.20.2/24 is directly connected, wan1
C 192.168.0.0/24 is directly connected, internal
To check the performance SLA status:
diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0
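As an added example that is not part of this article, the following Python script parses the 'diagnose sys sdwan health-check' output shown above and reports members that are dead or exceed latency, jitter or packet-loss thresholds, which is the check a monitoring job would run against a FortiGate. The sample output and the threshold values are constructed assumptions (the article's health check sets no 'config sla' targets, so its sla_map is 0x0), and the parser tolerates a dead member's line that carries no latency or jitter fields.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# One Seq(n) line of 'diagnose sys sdwan health-check' (FortiOS 6.4+ format as in the article).
_SEQ_RE = re.compile(
    r"Seq\((?P<seq>\d+)\):\s*state\((?P<state>\w+)\),\s*"
    r"packet-loss\((?P<loss>[\d.]+)%\)"
    r"(?:\s*latency\((?P<latency>[\d.]+)\),\s*jitter\((?P<jitter>[\d.]+)\))?"
    r"\s*sla_map=(?P<sla_map>0x[0-9a-fA-F]+)")
_CHECK_RE = re.compile(r"Health Check\((?P<name>[^)]+)\):")
@dataclass
class MemberHealth:
    check: str                # health-check name, "server" in the article
    seq: int                  # member sequence number (1 = wan1, 2 = wan2 above)
    state: str                # "alive" or "dead"
    packet_loss: float        # percent
    latency: Optional[float]  # ms; None when the line carries no measurement
    jitter: Optional[float]   # ms; None when the line carries no measurement
    sla_map: int              # bitmap of breached SLA targets; 0x0 if no 'config sla'

def parse_health_check(output: str) -> List[MemberHealth]:
    """Return one MemberHealth per Seq(n) line, tagged with its health-check name."""
    members, check = [], None
    for line in output.splitlines():
        line = line.strip()
        if (m := _CHECK_RE.match(line)):
            check = m["name"]
        elif check and (m := _SEQ_RE.match(line)):
            members.append(MemberHealth(
                check, int(m["seq"]), m["state"], float(m["loss"]),
                float(m["latency"]) if m["latency"] else None,
                float(m["jitter"]) if m["jitter"] else None,
                int(m["sla_map"], 16)))
    return members

def out_of_sla(members: List[MemberHealth], max_latency: float = 50.0,
               max_jitter: float = 10.0, max_loss: float = 1.0) -> List[int]:
    """Seq numbers of dead members or members beyond the (assumed) SLA thresholds."""
    return [m.seq for m in members
            if m.state != "alive" or m.packet_loss > max_loss
            or (m.latency is not None and m.latency > max_latency)
            or (m.jitter is not None and m.jitter > max_jitter)]

# Constructed sample modelled on the article's output, with wan2 (Seq 2) failed.
SAMPLE = """\
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000) sla_map=0x0
"""
```

Calling out_of_sla(parse_health_check(SAMPLE)) returns [2], and tightening max_latency to 10.0 also flags member 1.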
Notes:
Before 6.4.1 there were no configurable SD-WAN zones; the only zone available was virtual-wan-link. The configuration and troubleshooting commands were also different before 6.4.1: from 6.4.1, the word 'virtual-wan-link' in those commands is replaced with 'sdwan'. For example, in FortiOS 6.2 the command to enter the SD-WAN configuration was 'config system virtual-wan-link'; from 6.4.1 it is 'config system sdwan'.
When 'virtual-wan-link' is used for WAN load balancing with SD-WAN and Fabric Overlay Orchestrator (FOO) is then applied, an additional SD-WAN zone is created for the FOO. The SD-WAN rules therefore need to be in the correct order; otherwise traffic is routed incorrectly.
Related document: