Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fortiraj_FTNT
Staff
Staff

Created on ‎11-01-2023 04:30 AM Edited on ‎12-10-2025 07:08 AM By Community Manager

Article Id 282227

Technical Tip: SD-WAN usage-based (spillover) load-balance method’s interface selection behavior while member priorities are used

Description

This article describes the SD-WAN usage-based (spillover) load-balance method’s interface selection behavior while member priorities are used.
Scope FortiGate.
Solution

As per the spillover load balancing algorithm, the highest priority member is used until bandwidth exceeds ingress and egress thresholds. Additional traffic is then sent through the next SD-WAN member.

 

The priority is often managed by manually configuring a priority value in the SD-WAN member configuration.

 

config system sdwan

    config members

        edit 1

            set interface "tunnel-A"

            set zone "VPN"

            set spillover-threshold 90000

            set ingress-spillover-threshold 90000

            set priority 10

        next

        edit 3

            set interface "tunnel-B"

            set zone "VPN"

            set priority 20

        next

 

Note: For the above configuration, member interface commands, i.e., 'set spillover-threshold' and 'set ingress-spillover-threshold', will be only available if load-balance-mode is set to 'usage-based' under SD-WAN. 


SD-WAN will not consider member priorities when dynamic routing (BGP) is in use. For the following routing entry pushed by BGP, interface tunnel-B is considered despite the priority set on the SD-WAN member interfaces (where tunnel-A is prioritized). FortiOS routes the traffic to 10.1.0.0/20 via tunnel-B (which is listed above tunnel-A in the route table), and it will never spill over.

 

Routing information:

* i10.1.0.0/20      172.16.23.2              0    100      0        0 65002 65001 65000 ? <1/->
*>i                 172.16.22.1            192    100      0        0 65000 ? <1/1>
*>i                 172.16.24.1            192    100      0        0 65000 ? <1/2>

 

Routing entry for 10.1.0.0/20
  * 172.16.22.1 (recursive via tunnel-B tunnel 1.1.1.1)
  * 172.16.24.1 (recursive via tunnel-A  tunnel 2.2.2.2)

 

Further information on why BGP selects tunnel-B over tunnel-A can be seen in Technical Tip: Usage of BGP multipath and description of the BGP NLRI table.

 

SD-WAN implicit rule with spillover as a load-balance method works only with static routes.

 

Configure a static route to override BGP routes. When a static route is configured, a priority value assigned to each SD-WAN member will be considered.

 

config router static

    edit 0

        set dst 10.1.0.0 255.255.240.0

        set distance 1

        set sdwan-zone "VPN"

    next
end

 

Note: This is not a separate priority that can be configured specifically for the Spillover load-balancing algorithm. It is the same as the SD-WAN member priority; changing it here will also change the member priority in the SD-WAN zone configuration.

 

spill-1.png

 

spill-2.png

 

If any non-zero spillover threshold values are configured, traffic is routed through the SD-WAN interface member with the lowest priority; else, keep the priority the same and use interface order for preference.

 

Related article:

Technical Tip: How to bond 2 ISP with SD-WAN and load balance traffic with Spillover algorithm under...
Labels:
9264
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.