Description
This article describes how to configure SD-WAN entirely from the CLI.
Scope
FortiGate.
Solution
To configure SD-WAN in the CLI.
Configure the WAN1 and WAN2 interfaces.
config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
        set distance 10
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end
Enable SD-WAN, create a new zone if it is needed (virtual-wan-link is created by default, and cannot be removed), and add the interfaces as members.
If there is no zone specified for a member, it will be included in the virtual-wan-link zone.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SDWAN-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "SDWAN-zone"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
            set zone "SDWAN-zone"
        next
    end
end
Create a static route for SD-WAN.
config router static
    edit 1
        set sdwan-zone "SDWAN-zone"
    next
end
If needed, select the implicit SD-WAN load-balancing algorithm. By default, "source-ip-based" is selected. (From 6.4.1 this is set under 'config system sdwan'; see the notes below.)
config system sdwan
    set load-balance-mode {source-ip-based | weight-based | source-dest-ip-based | measured-volume-based}
end
Create a firewall policy for SD-WAN. Only SD-WAN zones can be used as source or destination interfaces; individual members cannot be selected.
config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf internal
        set dstintf SDWAN-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set application-list <app_list>
        set logtraffic all
        set nat enable
        set status enable
    next
end
Configure a performance SLA.
config system sdwan
    config health-check
        edit "server"
            set server "208.91.112.53"
            set update-static-route enable
            set members 1 2
        next
    end
end
Results.
To view the routing table in the CLI.
get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [1/0] via 172.16.20.2, wan1
[1/0] via 10.100.20.2, wan2
C 10.100.20.0/24 is directly connected, wan2
C 172.16.20.2/24 is directly connected, wan1
C 192.168.0.0/24 is directly connected, internal
To diagnose the Performance SLA status.
diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0
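The health-check output above is what a monitoring script would poll to alert when a member goes dead or drifts outside its SLA. The following Python is an added example and is not part of the article or of FortiOS; the sample output is constructed (member 2 is made to fail) and the thresholds (1% loss, 100 ms latency) are assumed monitoring values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
# Constructed sample in the format of 'diagnose sys sdwan health-check' (member 2 made to fail).
SAMPLE_OUTPUT = """\
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000) sla_map=0x0
"""

CHECK_RE = re.compile(r"Health Check\((?P<name>[^)]+)\):")
SEQ_RE = re.compile(r"Seq\((?P<seq>\d+)\): state\((?P<state>\w+)\), packet-loss\((?P<loss>[\d.]+)%\) "
                    r"latency\((?P<lat>[\d.]+)\), jitter\((?P<jit>[\d.]+)\) sla_map=(?P<sla>0x[0-9a-fA-F]+)")

@dataclass
class MemberHealth:
    check: str          # health-check name ("server" above)
    seq: int            # SD-WAN member sequence number (1 = wan1, 2 = wan2 above)
    state: str          # "alive" or "dead"
    packet_loss: float  # percent
    latency_ms: float
    jitter_ms: float
    sla_map: int        # raw bitmask as printed; not interpreted here

def parse_health_check(text: str) -> List[MemberHealth]:
    # One record per 'Seq(n)' line, tagged with the enclosing health-check name.
    results, check = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CHECK_RE.match(line):
            check = m["name"]
        elif (m := SEQ_RE.match(line)) and check is not None:
            results.append(MemberHealth(check, int(m["seq"]), m["state"], float(m["loss"]),
                                        float(m["lat"]), float(m["jit"]), int(m["sla"], 16)))
    return results

def evaluate(members: List[MemberHealth], max_loss: float = 1.0,
             max_latency: float = 100.0) -> Dict[int, List[str]]:
    """Problems per member seq (empty list = healthy); thresholds are assumed, not from the article."""
    findings: Dict[int, List[str]] = {}
    for h in members:
        problems = []
        if h.state != "alive":
            problems.append(f"state is {h.state}")
        if h.packet_loss > max_loss:
            problems.append(f"packet loss {h.packet_loss:.3f}% exceeds {max_loss}%")
        if h.state == "alive" and h.latency_ms > max_latency:  # latency reads 0 when dead
            problems.append(f"latency {h.latency_ms:.3f} ms exceeds {max_latency} ms")
        findings[h.seq] = problems
    return findings
```

Feed the script the real output of 'diagnose sys sdwan health-check' to get a per-member list of problems, keyed by the member sequence numbers used in 'set members 1 2'.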
Notes:
Before 6.4.1 there were no configurable SD-WAN zones; the only zone available was the virtual-wan-link. Also, before 6.4.1, the commands used for configuration and troubleshooting were different. From 6.4.1, the word 'virtual-wan-link' in the commands has been replaced with 'sdwan'. For example, in FortiOS 6.2 the command to enter the SD-WAN configuration was 'config system virtual-wan-link'; from 6.4.1 it is 'config system sdwan'.
Using 'virtual-wan-link' for WAN load balancing with SD-WAN and then applying Fabric Overlay Orchestrator (FOO) creates an additional SD-WAN zone for the FOO. The SD-WAN rules therefore need to be in the correct order, as traffic is otherwise routed incorrectly.
Copyright 2024 Fortinet, Inc. All Rights Reserved.