FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sfernando
Staff
Article Id 390489
Description This article describes why the SD-WAN GUI in FortiGate may not show the traffic distribution that the weight configured on each SD-WAN member would lead one to expect.
Scope FortiGate SD-WAN.
Solution

This article requires an understanding of several key facts about configuring weights on each member in SD-WAN. See Technical Tip: Configuring and understanding weight attributes in SD-WAN setup.

The following is an example configuration of SD-WAN members set up with weight distribution for load balancing:

config system sdwan
    set status enable
    set load-balance-mode weight-based
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
            set gateway 10.56.243.254
            set weight 120
        next
        edit 2
            set interface "port2"
            set gateway 10.56.247.254
            set weight 80
        next
    end
end

When no SD-WAN rules are configured, all traffic is handled by the implicit rule, and the per-member session counts shown in the SD-WAN GUI closely follow the configured weight ratio (here 120:80, i.e. roughly 60% on port1 and 40% on port2), as shown below:

[Screenshot: SD-WAN GUI showing per-member session counts close to the 120:80 weight ratio]

In this scenario, several SD-WAN rules are configured as shown below, and they carry a considerable amount of traffic:

config service
    edit 1
        set name "cnntraffic"
        set src "all"
        set internet-service enable
        set internet-service-name "CNN-DNS" "CNN-FTP" "CNN-ICMP" "CNN-Inbound_Email" "CNN-LDAP" "CNN-NetBIOS.Name.Service" "CNN-NetBIOS.Session.Service" "CNN-NTP" "CNN-Other" "CNN-Outbound_Email" "CNN-RTMP" "CNN-SSH" "CNN-Web"
        set priority-members 2
        set priority-zone "virtual-wan-link"
    next
    edit 2
        set name "googelvideo"
        set dst "googlevideo"
        set src "all"
        set priority-members 2
        set priority-zone "virtual-wan-link"
    next
end

Both rules steer their matching traffic to member 2 (port2), so the SD-WAN GUI will look like the following:

[Screenshots: SD-WAN GUI and SD-WAN rule view showing per-member session counts skewed towards member 2 once the rules above carry traffic]

Furthermore, IPsec tunnels may be configured as SD-WAN members and referenced by SD-WAN rules, which affects the monitor in the same way. Traffic that matches an SD-WAN rule is steered by that rule, not by the weight-based implicit rule; in most cases a rule sends all of its matching traffic out of a single member interface. Those sessions and their traffic volume are counted on that link on top of the weight-balanced traffic, so the per-member totals shown in the GUI no longer reflect the configured weights.
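As an added illustration that is not part of the Fortinet article, the following Python model shows the effect described above. It is a simplification, not FortiOS code: the implicit rule in weight-based mode is modelled as a weighted random choice per new session (the real algorithm distributes proportionally rather than randomly, but the long-run ratio is the same), and sessions steered by explicit rules with `set priority-members 2` are simply added to member 2. The member numbers and weights mirror the configuration above; the session counts are constructed for the example.

```python
"""Model of why the SD-WAN GUI session ratio drifts from the member weights.

Added example, not FortiOS code. Assumptions: the implicit rule in weight-based
load balancing behaves like a weighted random choice per new session, and
sessions steered by explicit SD-WAN rules are pinned to one member unchanged.
"""
import random
from collections import Counter

# Constructed to mirror the article's configuration: member 1 weight 120, member 2 weight 80.
MEMBER_WEIGHTS = {1: 120, 2: 80}


def expected_share(weights):
    """Share of implicit-rule sessions each member should receive (120:80 -> 0.6:0.4)."""
    total = sum(weights.values())
    return {member: weight / total for member, weight in weights.items()}


def pick_member(weights, rng):
    """Weighted choice modelling the implicit rule in weight-based mode (assumption)."""
    members = list(weights)
    return rng.choices(members, weights=[weights[m] for m in members], k=1)[0]


def simulate(weights, implicit_sessions, steered_sessions=None, seed=1):
    """Return per-member session counts as the SD-WAN monitor would total them.

    implicit_sessions: sessions that match no SD-WAN rule and hit the implicit rule.
    steered_sessions: {member: count} pinned to a member by explicit rules
                      (the article's rules use 'set priority-members 2').
    """
    rng = random.Random(seed)
    counts = Counter({member: 0 for member in weights})
    for _ in range(implicit_sessions):
        counts[pick_member(weights, rng)] += 1
    for member, count in (steered_sessions or {}).items():
        counts[member] += count
    return dict(counts)


def observed_share(counts):
    """Ratio the GUI displays: all sessions on a member divided by all sessions."""
    total = sum(counts.values())
    return {member: count / total for member, count in counts.items()}


def weight_balanced_share(counts, steered_sessions):
    """Ratio of only the implicit-rule sessions, i.e. the part that follows the weights.

    This is the check to run before concluding that weight-based balancing is broken:
    subtract the sessions that explicit rules steered, then compare with expected_share().
    """
    implicit_only = {m: c - steered_sessions.get(m, 0) for m, c in counts.items()}
    return observed_share(implicit_only)


def max_deviation(share_a, share_b):
    """Largest absolute difference between two share dicts keyed by member."""
    return max(abs(share_a[m] - share_b[m]) for m in share_a)


if __name__ == "__main__":
    expected = expected_share(MEMBER_WEIGHTS)
    print("expected share from weights:", expected)

    # No SD-WAN rules: the monitor tracks the weight ratio closely.
    no_rules = simulate(MEMBER_WEIGHTS, implicit_sessions=10_000)
    print("no rules:", no_rules, observed_share(no_rules))

    # Rules pin a large number of sessions to member 2 (constructed figure).
    steered = {2: 6_000}
    with_rules = simulate(MEMBER_WEIGHTS, implicit_sessions=10_000, steered_sessions=steered)
    print("with rules:", with_rules, observed_share(with_rules))
    print("implicit-rule sessions only:", weight_balanced_share(with_rules, steered))
```

Running the script shows member 2 holding well over half of all sessions once rule-steered traffic is included, while the implicit-rule sessions alone still split close to 60:40. On a real FortiGate the equivalent check is to compare the GUI totals against the traffic matched by each rule rather than against the raw weights.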

In large organizations with a wide variety of traffic types and SD-WAN rules, the SD-WAN GUI therefore cannot show an exact replica of the configured weight distribution: only sessions that match no SD-WAN rule, and are thus handled by the implicit rule, are distributed according to the weights.

Note:

A bug was detected in FortiOS v7.4.8 where SD-WAN members display 0 active sessions in the FortiGate Web GUI, and the SD-WAN Monitor widget reflects the same status. The affected SD-WAN member uses a PPPoE interface. This is a cosmetic issue only and does not impact the actual functionality of the SD-WAN configuration on the FortiGate. Active session information remains visible via the CLI. This issue is fixed in FortiOS v7.4.11, v7.6.6 and later versions.