Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ehamud
Staff
Staff

Created on ‎03-12-2023 10:29 PM Edited on ‎09-15-2023 06:07 AM By Moderator

Article Id 248772

Technical Tip: How to bond 2 ISP with SD-WAN and load balance traffic with Spillover algorithm under FortiGate v7.2.2

Description

 

This article describes how to use the SD-WAN feature to have primary and secondary ISP for redundancy.

 

Scope

 

The backup redundancy is tested with a Linux machine connected to one FortiGate port, also the FortiGate is receiving 2 ISPs as a WAN connection. The machine is going to generate some traffic once the maximum traffic allowed is reached by ISP1. Here ISP2 will help with the rest of the traffic, this is based on an SD-WAN Rule load balancing algorithm called Spillover. 

 

Solution

 

Step 1: Create SD-WAN Zone, give a name, and select 'OK'.

 

ehamud_0-1678472749762.png

 

Step 2: Once it is created, open again this SD-WAN Zone, select 'Interface Members', and select 'Create', (in this scenario the ISP1 has a Gateway 192.168.100.1 and the ISP2 Gateway has an IP 192.168.170.2).

 

ehamud_1-1678472967925.png

 

ehamud_2-1678472988968.png

 

Step 3: Move on to SD-WAN Rules and edit the default one. Spillover will be used, which means that if there is a bandwidth that is more than the value set as a threshold, the additional traffic will be taken from the next ISP2.

In order to accomplish it, it is necessary to set some values under Ingress Spillover Threshold and Egress Spillover Threshold. For testing purposes, 5kbps is used for ISP1 and ISP2.

 

ehamud_16-1678474443478.png

 

ehamud_6-1678473176059.png

 

Step 4: Create a default static route. It will allow access to the internet site.

The interface should be the SD-WAN Zone created= MY-LAB-SD-WAN, the Gateway Address is empty because it was added into the SD-WAN Zone.

 

ehamud_7-1678473374079.png

 

The result is like this:

 

ehamud_9-1678473468702.png

 

Step 5: Generate some traffic from the Linux machine, which is connected to port2.

LAN1 with a segment 192.168.150.1/24.

 

ehamud_11-1678473549202.png

 

Linux Machine IP address settings:

 

ehamud_12-1678473587098.png

 

It is now necessary to generate some traffic to see the SD-WAN Rule in action.

 

ehamud_13-1678473617722.png

 

Step 6: Under the dashboard, it is possible to see both ISPs in action, because the threshold has reached the second one which is also showing traffic.

 

ehamud_15-1678473977309.png

 

It is useful to have this kind of configuration if the ISP has an overload of traffic.

The next provider is under the rescue thanks to the SD-WAN settings. SD-WAN guides the ISP2 to start working providing an internet connection to the site when the amount of traffic bandwidth exceeds the threshold.

5859
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.