FortiGate
Nishtha_Baria
Article Id 274797
Description This article describes how to set up basic SD-WAN failover between two or more WAN ports on a FortiGate.
Scope FortiGate.
Solution

Prerequisites:

  • On the FortiGate, two or more WAN interfaces are correctly configured and have link up.
  • Administrative access to the device that does not depend on WAN access. The steps below assume the administrator is making changes during a maintenance window and has local access to the device.

Configuration Steps:

  • Take a configuration backup before beginning.
  • Select 'SD-WAN' from the dropdown menu under 'Network' on the menu bar.
  • To create a new SD-WAN member, select the 'Create New' button and choose 'member'. Note that an interface that is referenced in an existing firewall policy cannot be selected; remove the interface from those firewall policies before configuring it as an SD-WAN member.

[Screenshot: sdwanmember.png]

  • Create a static route that uses the SD-WAN zone as its outgoing interface: go to Network -> Static Routes -> 'Create New'.

[Screenshot: MicrosoftTeams-image (7).png]

Note: Once the route via the SD-WAN zone exists, there is no need to create separate static routes for the individual WAN interfaces (WAN1, WAN2, WAN3, etc.): the route for the whole virtual-wan-link (SD-WAN zone) already covers them, because the zone contains the WAN members.

  • To create a new SD-WAN rule, navigate to Network -> SD-WAN -> SD-WAN Rules, and select the 'Create New' button.
  • Give the rule a name and select the relevant SD-WAN members from the list. The order in which the members are selected determines the preferred interface for sending the traffic.
  • Set the SD-WAN interface selection strategy to Manual and select 'OK' to confirm creation.

[Screenshot: 2.PNG]

  • Create a Performance SLA to monitor link status: go to Network -> SD-WAN -> Performance SLAs and select 'Create New'. It is recommended to configure two remote servers so that a single unreachable server does not cause a false interface-failure detection. Note that an SLA target is not required for SD-WAN rules that use the 'Manual' interface selection strategy.

[Screenshot: 1.PNG]

  • Create a policy to allow the traffic: go to Policy & Objects -> Firewall Policy and configure a new policy referencing the SD-WAN zone as follows:

[Screenshot: firewallsdwanpolicy.PNG]


Testing and Monitoring:

It is essential to test the system after configuring SD-WAN failover to ensure efficacy.


Configuring an incorrect gateway on one or more WAN interfaces simulates a connection failure; watch whether traffic is redirected to the remaining interfaces. Note that while physically disconnecting an interface does simulate a link failure, it does not verify that failover driven by the Performance SLA health check is working as intended.

[Screenshot: 3.PNG]

A check mark is shown beside the interface that is currently processing the traffic. In the screenshot below, wan1 is selected as the outgoing interface out of the three interfaces.

[Screenshot: sdwanmember1.PNG]

When wan1 is down, the traffic will be processed by wan2:

[Screenshot: sdwanmember2.PNG]

Track the performance and status of each WAN link by checking the SD-WAN dashboard in the FortiGate administration interface.

Review the SD-WAN logs and reports frequently to spot any problems or irregularities.

Troubleshooting:

Check the WAN interfaces' physical connections and configuration.
Verify the FortiGate device's firmware version to make sure SD-WAN capability is supported.


Review the load balancing mechanism, connection monitoring, and failover thresholds in the SD-WAN setup settings.
For more information, refer to the FortiGate manual or contact the Fortinet community.

The following commands are useful for troubleshooting an SD-WAN environment.

  • Gather the traffic transmitted and received by the FortiGate:

diagnose sniffer packet any 'host <remote server IP address>' 4 1000 l

  • View how FortiGate processes a packet and the decisions it makes:

diagnose debug flow

  • Show active sessions:

diagnose sys session list

 
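The gateway-based failover test described under Testing and Monitoring, together with the three diagnose commands above, as one added verification sequence that is not part of the article. It assumes the FortiOS 7.x CLI, a setup in which member 1 is wan1 with the real gateway 203.0.113.1 (constructed values), an unused address 203.0.113.254 on the wan1 subnet to stand in for a non-answering gateway, and a remote server address of your choice in place of <remote server IP address>. Lines beginning with # are comments for the reader, not CLI input.

```fortios
# Added example (not from the article): verifying SD-WAN failover from the
# CLI on FortiOS 7.x. Member numbers and addresses are constructed.

# 1. Baseline: every member listed by the health check should show
#    state(alive), and the service output lists the members in preference
#    order with wan1 first.
diagnose sys sdwan health-check
diagnose sys sdwan member
diagnose sys sdwan service

# 2. Simulate a wan1 failure the way the article describes: point member 1
#    at an address on the wan1 subnet where no gateway answers. The probes
#    now fail, which is what exercises the Performance SLA; unplugging the
#    cable would only exercise link-down detection.
config system sdwan
    config members
        edit 1
            set gateway 203.0.113.254
        next
    end
end

# 3. After failtime consecutive failed probes the check reports wan1 as
#    state(dead) and the service output now prefers wan2.
diagnose sys sdwan health-check
diagnose sys sdwan service

# 4. Confirm that new sessions to the remote server leave via wan2: send
#    traffic from a LAN host, list the matching sessions, and read the
#    outgoing interface chosen in the flow trace.
diagnose sys session filter dst <remote server IP address>
diagnose sys session list
diagnose sys session filter clear

diagnose debug flow filter addr <remote server IP address>
diagnose debug flow trace start 10
diagnose debug enable
# ... send traffic to the remote server from a LAN host, read the trace ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset

# 5. Restore the real gateway and confirm that wan1 returns to state(alive)
#    and becomes the preferred member again after recoverytime successful
#    probes.
config system sdwan
    config members
        edit 1
            set gateway 203.0.113.1
        next
    end
end
diagnose sys sdwan health-check
diagnose sys sdwan service
```

Run step 2 only from a management path that does not depend on wan1, and keep the session list output from step 1 so the before and after interface of the test sessions can be compared; a failover that moves new sessions but leaves long-lived existing sessions behind is worth noticing during the maintenance window rather than afterwards.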

For a similar setup without the use of SD-WAN, the article below can be of assistance.

Related article: