pkavin
Staff
Article Id 213674

Description

This article has a list of resources that can be used to configure and troubleshoot SD-WAN on FortiGate.

Scope

FortiGate.

Solution

SD-WAN is a software-defined approach to managing Wide-Area Networks (WAN). It consolidates the physical transport connections, or underlays, and monitors and load-balances traffic across the links. VPN overlay networks can be built on top of the underlays to control traffic across different sites.

FortiGate delivers fast, scalable, and flexible Secure SD-WAN for cloud-first, security-sensitive, and global enterprises.

SD-WAN features can vary between firmware versions, so refer to the release notes for the firmware version running on the FortiGate.

Another good resource for configuring and troubleshooting SD-WAN on FortiGate is the SD-WAN website.

SD-WAN Configuration

SD-WAN design principles
    The Five-pillar approach, described in the SD-WAN / SD-Branch Architecture for MSSPs guide, is recommended when designing a secure SD-WAN solution. This article also includes some terminology that is used in other articles.
Basic SD-WAN configuration
    Provides an example of how to start using SD-WAN for load balancing and redundancy.
Best Practices | 4-D Resources for SD-WAN
    List of Best Practices documents at docs.fortinet.com.
Configuring SD-WAN from CLI
    Configuring SD-WAN from the CLI.
Add a new WAN link to an existing SD-WAN setup
    How to add a new WAN interface to an existing SD-WAN configuration.
SD-WAN configuration for IPv6
    SD-WAN configuration for IPv6.
SD-WAN zones
    SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies, static routes, and SD-WAN rules.
Performance SLA
    SD-WAN Performance SLA.
SD-WAN rules
    SD-WAN rules, which are sometimes called service rules, identify traffic of interest and then route the traffic based on a strategy and the condition of the route or link between two devices.
SD-WAN Advanced routing
    Instructions on SD-WAN advanced routing.
VPN overlay with SD-WAN
    Instructions on SD-WAN VPN overlays.
Advanced SD-WAN configuration
    Instructions on SD-WAN advanced configuration.
SD-WAN with Primary ISP and Failover setup
    How to configure and test an active-backup ISP failover with basic and advanced considerations.
Configure IPsec VPN with SD-WAN
    Integration of IPsec VPN with SD-WAN to manage IPsec traffic flow and redundancy using SD-WAN rules.
Manually assign outgoing interface in SD-WAN setup
    How to force traffic to take a specific WAN link in an SD-WAN configuration.
Multiple default routes where SD-WAN rules are not preferred
    Multiple default routes where SD-WAN rules are not preferred.
SD-WAN support for ADVPN
    SD-WAN support for ADVPN.
VXLAN with SD-WAN
    How to extend VLANs (VXLAN) over multiple WAN connections (SD-WAN).
SD-WAN integration with OCVPN
    SD-WAN integration with OCVPN.
Gateway configuration for DHCP and PPPoE SD-WAN members
    How to configure the gateway for DHCP and PPPoE SD-WAN members.
Configure DHCP relay traffic to use SD-WAN rules
    When DHCP relay is configured on an interface, FortiGate can use any interface to forward its traffic.
NetFlow and sFlow SD-WAN support
    From FortiOS 6.4.9, NetFlow and sFlow are supported using SD-WAN.
SD-WAN primary and backup IPsec tunnel scenario
    SD-WAN primary and backup IPsec tunnel scenario.
Maximize Bandwidth Strategy in SD-WAN
    Maximize Bandwidth Strategy in SD-WAN.
SD-WAN enhanced health check options
    Health checks include several protocols and protocol-specific options.
SD-WAN rule with settings as 'set mode load-balance'
    Behavior when an SD-WAN rule is configured as 'set mode load-balance' from the CLI or set as 'Maximize Bandwidth (SLA)' from the GUI.
Traffic shaping with dedicated SD-WAN interface members
    Traffic shaping with dedicated SD-WAN interface members.
SD-WAN Bandwidth monitoring service
    SD-WAN Bandwidth monitoring service.
How to configure the hold-down time to support SD-WAN service strategies
    How to configure the hold-down time to support SD-WAN service strategies.
Identity-based routing with SD-WAN
    Routing different groups to different internet interfaces.
SD-WAN rule matching for ISDB and application ID
    SD-WAN rule matching for ISDB and application ID.
Enable and disable SD-WAN options
    How to enable or disable SD-WAN options.
Enabling auxiliary sessions with ECMP or SD-WAN
    Enabling auxiliary sessions with ECMP or SD-WAN.
Locally generated traffic for DNS not matching SD-WAN rule with source address configured
    Locally generated traffic for DNS not matching an SD-WAN rule with a source address configured.
SD-WAN interface as HA ping server monitor interface
    Remote Link Monitoring can be used to detect a remote failure, either on a remote link or on remote equipment, and potentially trigger a cluster failover to avoid a traffic interruption.
How to push the gateway correctly in SD-WAN rules
    How to push the gateway correctly in SD-WAN rules.
SD-WAN link status update through automation stitch feature
    How to update SD-WAN link status through the automation stitch feature.
How to send logs to a Syslog server over SD-WAN
    How to send logs to a Syslog server over SD-WAN.
Policy Routing Enhancements for Traffic in Reply Direction
    Enhancements were made to the policy route look-up for reply traffic.
How to add a MAC address in an SD-WAN rule
    How to add a MAC address as a source in an SD-WAN rule.
How to use an IPsec tunnel interface in a Performance SLA
    How to implement a performance SLA on an IPsec tunnel using a loopback interface on the other end of the tunnel.
Configuring Zero Value for Volume or Session-based SD-WAN Algorithm
    Configuring a zero value for the volume- or session-based SD-WAN algorithm.
FortiOS SD-WAN SLA Tie Break Feature Overview
    This article describes a FortiOS feature called tie-break, which relates to SD-WAN traffic steering.
How to configure source IP for Secure SD-WAN Performance SLA
    How to configure the source IP for a Secure SD-WAN Performance SLA.
Using 'probe-packets disable' in Performance SLA for SD-WAN
    How to use 'probe-packets disable' in the Performance SLA in SD-WAN.
How to reset SD-WAN pie chart usage statistics
    How to reset SD-WAN pie chart usage statistics.
SD-WAN Rules - link-cost-threshold attribute
    SD-WAN Rules - link-cost-threshold attribute.
Routing in FortiGate (route-lookup-process)
    How FortiGate performs route lookup and selects the outgoing interface.
Routing Change and Session Fail-over with SD-WAN
    Routing change and session fail-over with SD-WAN.
Load balancing per-rule
    SD-WAN load balancing for all explicit rules.
How to set a scheduled speed test for the SD-WAN Network Monitor
    How to set a scheduled speed test for the SD-WAN Network Monitor.
How to use BGP and SD-WAN for advertising routes and path selection in FortiGate
    How to use BGP to advertise routes and SD-WAN for path selection.
How to load balance traffic between two interfaces via static routes
    How to do ECMP load balancing with an SD-WAN configuration.
SD-WAN log explanation for 'conservative status with limited ablity to receive new sessions'
    Log entries and possible fixes for the traffic disruptions that may be related to this behavior.
Differentiated Services Code Point (DSCP) support for SD-WAN health check probe packets
    SD-WAN health-check packets are not DSCP marked by default and therefore end up in the default group.
Use SD-WAN intelligence for selecting the interface to use in communicating with FortiGuard servers
    This article describes how to use the best link for communicating with FortiGuard servers.
Functionality of 'set update-cascade-interface' under 'config health-check' in SD-WAN
    The functionality of 'set update-cascade-interface' when configured under 'config health-check' in SD-WAN.
Metadata variable for SD-WAN templates
    This article describes how to use metadata variables in FortiManager SD-WAN templates.
Moving an Interface that has existing references to SD-WAN zone using Integrate Interface feature
    This article explains how to use the Integrate Interface feature to move an interface that has references to the SD-WAN zone.
Configure SD-WAN local break-out (DIA) on 2 or more WAN links with overlapping address allocation
    This article describes how to deploy 2 or more WAN links in the scenario where the WAN subnets have the same gateway, either because it is the same Service Provider (for example, Starlink with 2 antennas) or because 2 Service Providers assign the same WAN IP address.
Understanding Default and Gateway Parameters in SD-WAN
    This article describes how FortiGate handles SD-WAN traffic based on the Default and Gateway parameters, explaining different routing scenarios and how FortiGate selects the appropriate SD-WAN member depending on the configured criteria. It also outlines the behavior when these parameters are enabled or disabled and the impact on traffic steering.
SD-WAN: Performance SLA protocols
    This article explains the different monitoring protocols that can be configured in performance SLAs when using active monitoring.

SD-WAN Troubleshooting

Troubleshooting SD-WAN
    Troubleshooting SD-WAN documents.
SD-WAN related diagnose commands
    SD-WAN-related diagnose commands.
SD-WAN event log subtype
    A separate log subtype, SD-WAN, has been added to Event logs.
The SNMP OID for the SD-WAN
    Simple Network Management Protocol (SNMP) Object Identifiers (OIDs) for SD-WAN.
Error in adding interface to SD-WAN
    How to add the interface into the SD-WAN.
How to trace-route using SD-WAN interface
    How to trace-route using an SD-WAN interface.
SD-WAN performance SLA for IPsec interface shows down
    How to add the VPN interface to the SD-WAN and how to configure the SD-WAN performance SLA for the VPN interface.
VIP not working with SD-WAN reply traffic causing issue
    Scenario where access to a VIP no longer works in an SD-WAN setup.
Command to find historic log of the performance SLA of SD-WAN member
    Command to find the historic log of the performance SLA via the CLI.
ECMP load-balancing mode CLI setting will disappear when SD-WAN status enabled
    The 'v4-ecmp-mode source-ip-based' default CLI system setting disappears when the SD-WAN status is enabled.
SD-WAN link status update through automation stitch feature
    How to update SD-WAN link status through the automation stitch feature.
Prevent self-originating traffic egressing with certain SD-WAN rules
    Prevent self-originating traffic egressing with certain SD-WAN rules.
Diagnostic commands to check the status of the SD-WAN link
    Diagnostic commands that help to check the SD-WAN routes and the status of the links.
Unable to access SSL-VPN bookmarks when using different SD-WAN zone
    How to fix inaccessible SSL-VPN bookmarks when using different SD-WAN zones.
NPU offloaded session not failing over according to SD-WAN rule SLA
    If a session is established on FortiGate and offloaded to the NPU, and the SLA of the SD-WAN rule then changes, the session sticks to the same interface.
FortiGate source-ping using SD-WAN rules
    FortiGate source-ping using SD-WAN rules.
WAN interface bandwidth log
    WAN interface bandwidth log.
PPPoE interface used in SD-WAN rules is not forwarding any traffic
    The PPPoE interface used in SD-WAN rules is not forwarding any traffic.
Internet is not working with one of the SD-WAN members when IP pool is called in the policy
    Internet is not working with one of the SD-WAN members when the IP pool is called in the policy.
How to associate a NAT pool (IP pool) to a physical interface of an SD-WAN
    How to avoid misrouting by associating each of the WAN interfaces that comprise an SD-WAN with its corresponding physical interface, if there is a NAT pool for each of them.
Conflict when adding referenced interfaces that are part of SD-WAN to a zone under 'config system zo...
    Why it is not possible to add interfaces that are part of SD-WAN to another zone, due to the interface references.
Factory default health checks for performance SLA configuration
    Factory default health checks for performance SLA configuration.
To prevent forwarding traffic gateway change of SD-WAN member interfaces due to ICMP-Redirect
    To prevent a forwarding traffic gateway change of SD-WAN member interfaces due to ICMP Redirect.
Locally generated traffic for DNS not matching SD-WAN rule with source address configured
    Scenario where an SD-WAN rule for locally generated DNS traffic is configured with a source address: the traffic will not be matched to the SD-WAN rule unless 'source-ip' is not defined under 'config system dns'.
BGP SD-WAN Route-tag supersedes most specific route
    The behavior of BGP SD-WAN route-tagging for the routes learned and tagged.
SD-WAN application control traffic initially hits the less specific rule instead of the rule with ap...
    SD-WAN application control traffic initially hits the less specific rule instead of the rule with application control.
FortiGuard update fails when having IPsec tunnel in SD-WAN members
    How to avoid FortiGuard updates failing over an SD-WAN IPsec tunnel.
Functionality of 'set interface-select-method' for local-traffic with SD-WAN
    The functionality of 'set interface-select-method' for local-traffic with SD-WAN.
SLA Logging
    10-minute history of SLA that can be viewed in the CLI.
0 bps value for the Upload/Download bandwidth value under the Upload and Download column in SD-WAN M...
    0 bps value for the Upload/Download bandwidth value under the Upload and Download column in SD-WAN M...