Article Id 282227

This article describes the interface selection behavior of the SD-WAN usage-based (spillover) load-balance method when member priorities are used.

Scope: FortiGate.

As per the spillover load balancing algorithm, the highest priority member is used until bandwidth exceeds ingress and egress thresholds. Additional traffic is then sent through the next SD-WAN member.


The priority is often managed by manually configuring a priority value in the SD-WAN member configuration.


config system sdwan
    config members
        edit 1
            set interface "tunnel-A"
            set zone "VPN"
            set spillover-threshold 90000
            set ingress-spillover-threshold 90000
            set priority 10
        next
        edit 3
            set interface "tunnel-B"
            set zone "VPN"
            set priority 20
        next
    end
end



However, SD-WAN will not consider member priorities when dynamic routing (BGP) is in use.


For the following routing entry pushed by BGP, interface tunnel-B is selected despite the priority set on the SD-WAN member interfaces (where tunnel-A is prioritized). FortiOS routes the traffic via tunnel-B (which is listed above tunnel-A in the route table), and it will never spill over.


Routing information:


* i10.1.0.0/20              0    100      0        0 65002 65001 65000 ? <1/->
*>i                   192    100      0        0 65000 ? <1/1>
*>i                   192    100      0        0 65000 ? <1/2>


Routing entry for
  * (recursive via tunnel-B tunnel
  * (recursive via tunnel-A  tunnel


Further information on why BGP selects tunnel-B over tunnel-A can be seen in Technical Tip: Usage of BGP multipath and description of the BGP NLRI table.


The SD-WAN implicit rule with spillover as the load-balance method works only with static routes.


Configure a static route to override the BGP routes. When a static route is configured, the priority value assigned to each SD-WAN member will be considered.


config router static
    edit 0
        set dst
        set distance 1
        set sdwan-zone "VPN"
    next
end
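
As a pre-change check for the condition described above, the following added example (not Fortinet code and not part of the original article) parses a FortiOS configuration backup and lists SD-WAN members that set a spillover threshold while no static route references their zone. The sample configuration text, the dst value, and the function names parse and audit are constructed for illustration.

```python
# Constructed sample configs (not from a real device); the dst value is a placeholder.
SDWAN = '''config system sdwan
    config members
        edit 1
            set interface "tunnel-A"
            set zone "VPN"
            set spillover-threshold 90000
            set priority 10
        next
        edit 3
            set interface "tunnel-B"
            set zone "VPN"
            set priority 20
        next
    end
end
'''
STATIC = '''config router static
    edit 1
        set dst 192.0.2.0 255.255.255.0
        set sdwan-zone "VPN"
    next
end
'''

def parse(text):
    """Map each config path to the {key: value} dicts of its edit entries."""
    stack, entries, cur = [], {}, None
    for words in (l.split() for l in text.splitlines() if l.strip()):
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "edit":
            entries.setdefault("/".join(stack), []).append(cur := {})
        elif words[0] == "set" and cur is not None and len(words) > 1:
            cur[words[1]] = " ".join(words[2:]).replace('"', "")
        elif words[0] in ("next", "end"):
            cur = None
            if words[0] == "end" and stack:
                stack.pop()
    return entries

def audit(text):
    """Return (interface, zone) of spillover members whose zone no static route uses."""
    cfg = parse(text)
    routed = {z for r in cfg.get("router static", []) for z in r.get("sdwan-zone", "").split()}
    # "virtual-wan-link" is FortiOS's default zone when a member sets none.
    return [(m.get("interface"), m.get("zone", "virtual-wan-link"))
            for m in cfg.get("system sdwan/members", [])
            if any(k.endswith("spillover-threshold") for k in m)
            and m.get("zone", "virtual-wan-link") not in routed]
```

A finding only means no static route points at the member's zone; whether the destination is actually learned through BGP still has to be confirmed in the routing table.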