Fortinet Forum
Kenundrum
Contributor III

SD-WAN best load balance algorithm?

We've been using SD-WAN to load balance across 4 internet connections on version 6.0.x with no problem for a long time. We recently updated to 6.2.x and have seen nothing but problems that seem to be related to sessions hopping from one ISP to another too frequently. We have looked at the logs, and the destination interface for the same source/destination IP pair jumps periodically. We have been using weighted volume-based balancing until now.

It seems that for the kinds of applications that most of our people use, either source-destination or just source-based balancing may be the best fit to force the connections to stay on the same outbound connection and not break signed-on web application sessions and the like.

So the question for the group is, do others see problems like this with connections jumping around? In the real world, do you see better results by trying to create specific rules for the troublesome destination applications to make the connections more sticky? Or is it easier to just do the source based balancing for everything?

CISSP, NSE4
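
As an added illustration (not code from the original post or from Fortinet's documentation), this is the FortiOS 6.2 CLI for moving the implicit rule from the volume-based mode to source-dest-ip-based, so that every source/destination pair stays pinned to one member instead of being re-balanced on volume. The member interface names and gateway addresses are assumed; the "before" mode is the closest CLI match to the "weighted volume" mode the post describes.

```text
# Before (assumed to match the "weighted volume" setup in the post):
# traffic is re-distributed by measured volume, so the egress member chosen
# for a given source/destination pair can change over time.
config system virtual-wan-link
    set status enable
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set gateway 198.51.100.1
        next
        edit 2
            set interface "wan2"
            set gateway 203.0.113.1
        next
    end
end

# After: the implicit rule hashes on source and destination IP, so the same
# pair always lands on the same member and signed-in web sessions keep
# their public source address. Use source-ip-based if only the source
# should decide the member.
config system virtual-wan-link
    set load-balance-mode source-dest-ip-based
end

# Verify the mode the implicit rule is using and the current member state.
# On 6.4.x the tree is "config system sdwan" / "diagnose sys sdwan ...".
diagnose sys virtual-wan-link service
diagnose sys virtual-wan-link member
```

Explicit SD-WAN rules placed above the implicit rule still take precedence, so a per-application rule for a sticky destination can be combined with a source-based default.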
emnoc
Esteemed Contributor III

Did you play around with the other LB modes and try source-destination? I would look at 6.4.x and use it. SD-WAN seems to be better and works more simply, in my opinion.

https://docs.fortinet.com/document/fortigate/6.4.3/administration-guide/216765/implicit-rule

Ken Felix

PCNSE
NSE
StrongSwan

BensonLEI
New Contributor

Hi, guys,

I also have these questions about the SD-WAN algorithm (I am using a Forti400E with FortiOS v6.4.2):

1. Is this implicit policy only for the default SD-WAN zone?

2. If I have more than 1 SD-WAN zone (e.g. 2 zones), how does the implicit policy apply to the different SD-WAN zones?

3. I am now using "maximize bandwidth" for the different zones. How can I assign the load-balance/load-sharing portions among the SD-WAN members?

Many thanks

emnoc
Esteemed Contributor III

Did you read the information in the link I posted?

When no explicit SD-WAN rules are defined, or if none of the rules are matched, then the default implicit rule is used.

So when you build rules above the implicit rule, those rules are executed outside of what you have configured in the implicit rule. Another item: if you're on 6.4.x you can't even clone or edit that rule. As the document says, it is the implicit, implied rule.

So all zones are impacted.

fwhibTH081 # diag sys sdwan zone
Zone upg-zone-wan2 index=2 members(1): 8(wan2)
Zone virtual-wan-link index=1 members(0):
Zone vpn index=3 members(2): 43(vpn1) 44(vpn2)
Zone vpn index=4 members(2): 47(vpn3) 48(vpn4)

Remember, the SD-WAN concept is advanced PBR with load balancing and session persistence.

Ken Felix

PCNSE
NSE
StrongSwan

BensonLEI

Hi, EMNOC,

You seem to be an expert in Fortinet SD-WAN. Your kind advice and recommendations would be a great help.

Some questions about SD-WAN (we have Forti400E HA and Forti600E HA pair configurations with FortiOS v6.4.2 at different sites):

1. I find these devices have no "SD-WAN load-balance" option, only "SD-WAN maximize bandwidth (SLA)". Is that correct?

2. Does "SD-WAN maximize bandwidth (SLA)" have only limited choices (for example, no IP source, destination, session, or weight)?

3. Is there any document or recommendation that explains how "SD-WAN maximize bandwidth (SLA)" assigns/controls the weight/portion of the SD-WAN link bandwidth?

I see there is a new version, FortiOS v6.4.3. Is it good to upgrade?

Many many thanks in advance.