This article describes how to use the SD-WAN feature to run a primary and a secondary ISP for redundancy.
The backup behaviour is tested with a Linux machine connected to one FortiGate port, while the FortiGate receives two ISPs as WAN connections. The Linux machine generates traffic; once the maximum bandwidth allowed for ISP1 is reached, ISP2 carries the remaining traffic. This relies on the SD-WAN load-balancing algorithm called Spillover.
Step 1: Create an SD-WAN Zone, give it a name, and select 'OK'.
Step 2: Once it is created, open the SD-WAN Zone again, select 'Interface Members', and select 'Create'. In this scenario the ISP1 gateway is 192.168.100.1 and the ISP2 gateway is 192.168.170.2.
Step 3: Move on to SD-WAN Rules and edit the default one. Spillover will be used, which means that when the bandwidth on ISP1 exceeds the configured threshold, the additional traffic is sent through the next member, ISP2.
To accomplish this, set values for the Ingress Spillover Threshold and the Egress Spillover Threshold of the members. For testing purposes, 5 kbps is used for both ISP1 and ISP2.
Step 4: Create a default static route. It allows access to the internet site.
The interface should be the SD-WAN Zone created in Step 1 (MY-LAB-SD-WAN). The Gateway Address is left empty because the gateways were already defined on the SD-WAN Zone members.
The resulting static route is shown in the screenshot.
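The same configuration as Steps 1 to 4, expressed in the FortiOS CLI. This is an added example and not configuration taken from the article; it assumes FortiOS 7.x CLI syntax, that the two ISP links terminate on interfaces named wan1 and wan2 (placeholder names, the article does not state them), and that Spillover is selected through the implicit rule's load-balance mode. The zone name, gateways and threshold values are the ones the article uses.

```fortios
# Added example, not from the article. Interface names wan1/wan2 are assumed.
config system sdwan
    set status enable
    # "usage-based" is the CLI name of the Spillover algorithm for the implicit rule
    set load-balance-mode usage-based
    config zone
        edit "MY-LAB-SD-WAN"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "MY-LAB-SD-WAN"
            set gateway 192.168.100.1
            # thresholds are in kbps; 5 is the lab value from the article
            set spillover-threshold 5
            set ingress-spillover-threshold 5
        next
        edit 2
            set interface "wan2"
            set zone "MY-LAB-SD-WAN"
            set gateway 192.168.170.2
            set spillover-threshold 5
            set ingress-spillover-threshold 5
        next
    end
end
# Default route pointing at the zone; no gateway here because it is defined per member above
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "MY-LAB-SD-WAN"
    next
end
```

Member 1 is the first interface in the member list and therefore the one that is filled up to its threshold before Spillover moves new sessions to member 2, so the member order matters when deciding which link is "ISP1".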
Step 5: Generate some traffic from the Linux machine, which is connected to port2.
port2 is LAN1, with the segment 192.168.150.1/24.
The Linux machine IP address settings are shown in the screenshot.
It is now necessary to generate some traffic to see the SD-WAN Rule in action.
Step 6: Under the dashboard, both ISPs can be seen in action: the threshold on ISP1 has been reached, so ISP2 is also showing traffic.
This kind of configuration is useful when one ISP is overloaded with traffic.
The next provider comes to the rescue thanks to the SD-WAN settings: SD-WAN directs ISP2 to start providing the internet connection for the site as soon as the traffic bandwidth exceeds the threshold.
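A CLI way to verify what the dashboard in Step 6 shows. This is an added example, not part of the article; it assumes FortiOS 7.x, where the SD-WAN diagnose commands live under `diagnose sys sdwan`, and it uses 192.168.150.10 as an assumed address for the Linux test machine.

```fortios
# Added verification commands, not from the article. FortiOS 7.x syntax assumed.

# Member state: shows each SD-WAN member, its gateway and whether it is up
diagnose sys sdwan member

# Confirm the default route resolves through the SD-WAN zone members
get router info routing-table all

# Which member each session from the Linux machine is using.
# 192.168.150.10 is an assumed test-host address; replace it with the real one.
diagnose sys session filter src 192.168.150.10
diagnose sys session list
```

Because Spillover works per session, a long-lived session that started on ISP1 stays on ISP1 even after the threshold is exceeded; in the session list only sessions created after the threshold was crossed should appear on ISP2. In a lab, stopping and restarting the traffic generator is the cleanest way to create such new sessions.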
Note:
The Spillover algorithm, like the other SD-WAN load-balancing algorithms, operates in terms of sessions. It is normal for the traffic on the primary member to exceed the configured Spillover threshold: when the threshold is reached, existing sessions are not flagged as 'dirty', so existing sessions, including long-lived high-bandwidth sessions, are not load-balanced to the secondary member. They stay on the same member until the session expires, a route lookup is forced, etc.
A session is flagged as 'dirty' in FortiGate under the following conditions:
Only new sessions will be load-balanced to the secondary member after the primary member reaches or exceeds the Spillover threshold.
Related articles:
Technical Tip: SD-WAN usage-based (spillover) load-balance method’s interface selection behavior whi...
Technical Tip: FortiOS SD-WAN sla-compare-method feature Overview
Copyright 2024 Fortinet, Inc. All Rights Reserved.