ezhupa, Staff
Article Id 403374
Description: This article explains why traffic can be seen traversing a non-preferred SD-WAN member as a result of incoming traffic.
Scope: FortiGate.
Solution

SD-WAN is a strategy to perform intelligent routing on FortiGate. When there are multiple WAN links available, SD-WAN assists in utilizing the links efficiently.

 

When configuring SD-WAN, one or more interfaces are added as members of an SD-WAN zone. SD-WAN rules are then configured to steer traffic through specific member interface(s).


In the example below, an SD-WAN zone has been created with two members: port1 and port3.


config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SDWAN"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "SDWAN"
        next
        edit 2
            set interface "port3"
            set zone "SDWAN"
        next
    end
end


The SD-WAN rule below steers all outgoing traffic through port1. Because the rule uses the default manual strategy, port3 is not used for outgoing traffic.


config service
    edit 1
        set name "LAN-WAN"
        set dst "all"
        set src "all"
        set priority-members 1 2
    next
end

 

In this case, both members meet the SLA requirements.


config health-check
    edit "TestSLA"
        set server "8.8.8.8"
        set members 1 2
        config sla
            edit 1
            next
        end
    next
end

 

With this configuration in place, all traffic destined for the Internet goes through port1, and port3 is not used for outgoing traffic. No traffic is expected on port3 until port1 becomes unavailable (for example, when the link goes down).

 

In some specific cases, bandwidth usage can nonetheless be seen on port3.
For example, port3 has a VIP configured that maps an external address to an internal Digital Video Recorder (DVR) so that the internal cameras can be reached from outside. In that case, bandwidth usage on port3 is expected: the traffic traverses port3 because of the VIP configuration, regardless of the SD-WAN rule.


SD-WAN rules are matched only for outgoing traffic originated from behind the FortiGate (the internal LAN). Incoming traffic from outside (the Internet) to the internal LAN is handled by the FortiGate routing table and firewall policies (in that order), not by SD-WAN rules.
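As an added example, not part of the original article, the following shows the kind of VIP and firewall policy that produce the port3 usage described above: a VIP whose external interface is port3, and the policy that allows inbound traffic to it. A session accepted by this policy arrives on port3 and its reply leaves on port3 without consulting the SD-WAN rule. The external address 203.0.113.10, the DVR address 192.168.1.50, the LAN interface port2, the policy ID and the object names are assumed values.

```fortios
# Added example, not the article's own configuration. All addresses,
# the LAN interface port2, the policy ID and object names are assumed.
config firewall vip
    edit "DVR-VIP"
        # Public address answered on port3 (assumed example address)
        set extip 203.0.113.10
        # The VIP is bound to port3, a non-preferred SD-WAN member
        set extintf "port3"
        # Internal DVR behind the FortiGate (assumed address)
        set mappedip "192.168.1.50"
    next
end
config firewall policy
    edit 10
        set name "Inbound-DVR"
        # port3 belongs to the SD-WAN zone, so the policy references the zone
        set srcintf "SDWAN"
        # Assumed LAN interface where the DVR is connected
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "DVR-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # Log the sessions so inbound VIP traffic on port3 is attributable
        set logtraffic all
    next
end
```

To confirm that the bandwidth seen on port3 belongs to VIP sessions rather than to outgoing LAN traffic, capture on that member with `diagnose sniffer packet port3 'host 192.168.1.50' 4` (using the assumed DVR address) and compare against the forward traffic logs for policy 10.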