FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pkavin
Staff
Staff
Article Id 213674

Description

 

This article has a list of resources that can be used to configure and troubleshoot SD-WAN on FortiGate.

 

Solution

 

SD-WAN is a software-defined approach to managing Wide-Area Networks (WAN). It consolidates the physical transport connections, or underlays, and monitors and load-balances traffic across the links. VPN overlay networks can be built on top of the underlays to control traffic across different sites.

 

FortiGate delivers fast, scalable, and flexible Secure SD-WAN for cloud-first, security-sensitive, and global enterprises.

 

SD-WAN features could vary based on the firmware version. So, refer to the appropriate release notes of the firmware version of the FortiGate.

 

Another good resource to configure and troubleshoot SD-WAN on FortiGate is using the website SD-WAN.

 

 

SD-WAN Configuration
                                Title and Links                                   Description
SD-WAN designs principles  The Five-pillar approach, described in the SD-WAN / SD-Branch Architecture for MSSPs guide, is recommended when designing a secure SD-WAN solution. This article also includes some terminology that would be used in other articles.
 Basic SD-WAN configuration  Provides an example of how to start using SD-WAN for load balancing and redundancy.
Configuring SD-WAN from CLI  Configuring SD-WAN from the CLI.
Add a new WAN link to an existing SD-WAN setup.  How to add a new WAN interface to an existing SD-WAN configuration.
SD-WAN configuration for IPv6  SD-WAN configuration for IPv6.
SD-WAN zones  SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies, static routes, and SD-WAN rules.
Performance SLA  SD-WAN Performance SLA.
SD-WAN rules  SD-WAN rules, which are sometimes called service rules, identify traffic of interest and then route the traffic based on a strategy and the condition of the route or link between two devices.
SD-WAN Advanced routing  Instructions on SD-WAN advanced routing.
VPN overlay with SD-WAN  Instructions on SD-WAN VPN overlays.
Advanced SD-WAN configuration  Instructions on SD-WAN advanced configuration
SD-WAN with Primary ISP and Failover setup
How to configure and test an active-backup ISP failover with basic and advanced considerations. 
Configure IPsec VPN with SD-WAN  Integration of IPsec VPN with SD-WAN to manage IPsec traffic flow and Redundancy using the SD-WAN rule.
Manually assign outgoing interface In SD-WAN setup  How to force the traffic to take a specific WAN link in SD-WAN configuration.
Multiple default routes where SD-WAN rules are not preferred  Multiple default routes where SD-WAN rules are not preferred.
SD-WAN support for ADVPN  SD-WAN support for ADVPN.
VXLAN with SD-WAN  How to extend VLANs (VXLAN) over multiple WAN connections (SD-WAN).
SD-WAN integration with OCVPN  SD-WAN integration with OCVPN
Gateway configuration for DHCP and PPPOE SD-WAN members  How to configure the gateway for DHCP and PPPOE SDWAN members.
Configure DHCP relay traffic to use SD-WAN rules  When the DHCP relay is configured on an interface, FortiGate can use any interface to forward its traffic.
NetFlow and SFlow SD-WAN support  From FortiOS 6.4.9, NetFlow and SFlow are supported using SD-WAN.
SD-WAN primary and backup ipsec tunnel Scenario  SD-WAN primary and backup IPsec tunnel Scenario.
Maximize Bandwidth Strategy in SD-WAN  Maximize Bandwidth Strategy in SD-WAN.
SD-WAN enhanced health check options  Health checks include several protocols and protocol-specific options.
SD-WAN rule with settings as ‘set mode load-balance’  Behavior when an SD-WAN rule is configured as ‘set mode load-balance’ from CLI or set as 'Maximize Bandwidth' (SLA) from GUI.
Traffic shaping with dedicated SD-WAN interface members.  Traffic shaping with dedicated SD-WAN interface members.
SD-WAN Bandwidth monitoring service  SD-WAN Bandwidth monitoring service.
How to configure the hold downtime to support SD-WAN service strategies  How to configure the hold downtime to support SD-WAN service strategies
Identity-based routing with SD-WAN  Different route groups to different internet interfaces.
SD-WAN rule matching for ISDB and application ID  SD-WAN rule matching for ISDB and application ID.
Enable and disable SD-WAN options  How to enable or disable SD-WAN options.
Enabling auxiliary session with ECMP or SD-WAN  Enabling auxiliary sessions with ECMP or SD-WAN.
Locally generated traffic for DNS not matching SD-WAN rule with source address configured  Locally generated traffic for DNS not matching SD-WAN rule with source address configured.
SD-WAN interface as HA ping server monitor interface  Remote Link Monitoring can be used to detect a remote failure, either on a remote link or remote equipment, and potentially trigger a cluster failover to avoid a traffic interruption.
How to push gateway correctly in SD-Wan rules.  How to push gateway correctly in SD-WAN rules.
SD-WAN link status update through automation stitch feature  How to update SD-WAN link status through the automation stitch feature.
How to send logs to Syslog server over SD-WAN  How to send logs to Syslog server over SD-WAN.
Policy Routing Enhancements for Traffic in Reply Direction  Enhancements were made to the policy route look-up for reply traffic.
How to add Mac address in SD-WAN rule  How to add Mac address as a source in SD-WAN rule.
How to use IPsec tunnel interface on Performance SLA  How to implement performance SLA on an IPsec Tunnel using a loopback interface on the other end of the tunnel.
Configuring Zero Value for Volume or session based SD-WAN Algorithm  Configuring Zero Value for Volume or session-based SD-WAN Algorithm.
FortiOS SD-WAN SLA Tie Break Feature Overview  This article describes a FortiOS feature called tie-break which relates to SD-WAN traffic steering.
How to configure source IP for Secure SD-WAN Performance SLA  How to configure source IP for Secure SD-WAN Performance SLA.
Using 'probe-packets disable' in SLA Performance for SD-WAN  How to use 'probe-packets disable' in the SLA Performance in SD-WAN.
How to reset SD-WAN pie chart usage statistics  How to reset SD-WAN pie chart usage statistics.
SD-WAN Rules - link-cost-threshold attribute  SD-WAN Rules - link-cost-threshold attribute.
Routing in FortiGate (route-lookup-process)  How FortiGate performs route lookup and selects the outgoing interface.
Routing Change and Session Fail-over with SD-WAN  Routing Change and Session Fail-over with SD-WAN.
Load balancing per-rule  SD-WAN load balancing for all explicit rules.
How to set a scheduled speed test for a SD-WAN Network Monitor  How to set a scheduled speed test for the SD-WAN Network Monitor.
How to use BGP and SD-WAN for advertising routes and path selection in FortiGate  How to use BGP to advertise routes and SD-WAN for path selection.
How to load balance traffic between two interfaces via static routes  How to do ECMP load balancing with SDWAN configuration.
SD-WAN log explanation for 'conservative status with limited ablity to receive new sessions'  Log entries and possible fixes for the traffic disruptions that may be related to this behavior:
Differentiated Services Code Point (DSCP) support for SD-WAN health check probe packets  SD-WAN Health-check packets are not DSCP marked by default and therefore end up in the default group.
Use SD-WAN intelligence for selecting interface to use in communicating with Fortiguard servers  This article describes how to be able to use the best link for communicating Fortiguard servers.
Functionality of 'set update-cascade-interface' under 'config healthcheck; in SD-WAN  The functionality of 'set update-cascade-interface' when configured under 'config health-check' in SD-WAN.
Metadata variable for SD-WAN templates 
This article describes how to use metadata variables into FortiManager SD-WAN templates.

 

 

SD-WAN Troubleshooting

                            Title and Links                                   Description
Troubleshooting SD-WAN  Troubleshooting SD-WAN documents.
SD-WAN related diagnose commands  SD-WAN-related diagnose commands.
SD-WAN event log subtype  A separate log subtype, SD-WAN, has been added to Event logs.
The SNMP OID for the SD-WAN  Simple Network Management Protocol (SNMP) Object Identifiers (OIDs) of SD-WAN.
Error in adding interface to SD-WAN  How to add the interface into the SD-WAN.
How to trace-route using SD-WAN interface  How to trace-route using SD-WAN interface.
SD-WAN performance SLA for IPsec interface shows down  How to add the VPN interface to the SD-WAN and how to configure the SD-WAN performance SLA for the VPN interface.
VIP not working with SD-WAN reply traffic causing issue  Scenario where when trying to access VIP in a setup where SD-WAN, it does not work anymore.
Command to find historic log of the performace SLA of SD-WAN member  Command to find historic log of the performace SLA via CLI.
ECMP load-balancing mode CLI setting will disappear when SDWAN status enabled  When 'v4-ecmp-mode source-ip-based' default CLI system setting disappears when SD-WAN status is enabled.
SD-WAN link status update through automation stitch feature  How to update SD-WAN link status through automation stitch feature.
Prevent self-originating traffic egressing with certain SD-WAN rules  Prevent self-originating traffic egressing with certain SD-WAN rules.
Diagnostic commands to check the status of the SD-WAN link  How to show some diagnostic commands that help to check the SD-WAN routes and status of the links.
Unable to access SSL-VPN bookmarks when using different SD-WAN zone  How to fix the inaccessible SSL-VPN bookmarks when using different SD-WAN zones.
NPU offloaded session not failing over according to SD-WAN rule SLA  If the session is established on FortiGate and offloaded to NPU, if the SLA of the SD-WAN rule changes, the session sticks to the same interface.
FortiGate source-ping using SD-WAN rules  FortiGate source-ping using SD-WAN rules.
WAN interface bandwidth log  WAN interface bandwidth log.
PPPoE interface used in SD-WAN rules is not forwarding any traffic  The PPPoE interface used in SD-WAN rules is not forwarding any traffic.
Internet is not working with one of the SD-WAN member when IP pool is called in the policy  Internet is not working with one of the SD-WAN members when the IP pool is called in the policy.
How to associate a NAT pool (IP pool) to a physical interface of an SD-WAN  How to avoid misrouting by associating each of the WAN interfaces that comprise an SD-WAN to its corresponding physical interface, if there is a NAT pool for each of them.
Conflict when adding referenced interfaces that are part of SD-WAN to a zone under ‘config system zo...  Why it is not possible to add interfaces that are part of SD-WAN to another zone, due to the interface references.
Factory default health checks for performance SLA configuration  Factory default health checks for performance SLA configuration.
To prevent forwarding traffic gateway change of SD-WAN member interfaces due to ICMP-Redirect  To prevent forwarding traffic gateway change of SD-WAN member interfaces due to ICMP-Redirect.
Locally generated traffic for DNS not matching SD-WAN rule with source address configured  Scenario where an SD-WAN rule for locally generated DNS traffic is configured with a source address, the traffic will not be matched to the SD-WAN rule unless 'source-ip' is not defined under ‘config system dns’.
BGP SD-WAN Route-tag supersedes most specific route.  The behavior of BGP SD-WAN route-tagging for the routes learned and tagged.
SD-WAN application control traffic initially hits the less specific rule instead of the rule with ap...  SD-WAN application control traffic initially hits the less specific rule instead of the rule with application control.
FortiGuard update fails when having IPsec tunnel in SD-WAN members  How to avoid FortiGuard update failing using SD-WAN IPsec tunnel.
Functionality of 'set interface-select-method' for local-traffic with SD-WAN  The functionality of 'set interface-select-method' for local-traffic with SD-WAN.

SLA Logging 

10-minute history of SLA that can be viewed in the CLI.

0 bps value for the Upload/Download bandwidth value under the Upload and Download column in SD-WAN M... 

0 bps value for the Upload/Download bandwidth value under the Upload and Download column in SD-WAN M...