sw2090
Honored Contributor

prioritize VPN traffic?

We run a load balancer (SD-WAN) on our FGT that balances internet traffic.

We also have several IPSec Tunnels. Those have to be connected to a specific wan interface and cannot use SD-WAN.

I set the load balancer to volume based and it is set to not use all available bandwidth.

Thus big downloads affect the performance on IPsec.

Since I cannot use SD-WAN rules here - is there a way to prioritize IPsec traffic before internet traffic?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

hubertzw
Contributor III

What software version do you use? Every version has many new features: 5.6 vs 6.0 vs 6.2.0 vs 6.2.1.

How many WAN links do you have? If more than one I'd try to separate VPN traffic from the Internet, I think you could use PBR.

Is there any reason you can't add a WAN dedicated for VPN to the SD-WAN? By creating rules you can totally separate traffic between two or more groups of interfaces.

sw2090
Honored Contributor

We still have 5.4. 

We have two WAN Lines and both are in SD-WAN.

IPsec doesn't use SD-WAN because it needs a unique termination.

So how could any SD-WAN rules affect VPN traffic that goes either directly to the WAN line or the VPN interface?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

hubertzw

Let's assume you have WAN1 and WAN2. You have some IPsec tunnels on WAN2. 

In SD-WAN definition I'd try to set the load balancing method 'sessions' to send 2x more traffic over WAN1 than via WAN2.

Is it something what you are looking for?

sw2090
Honored Contributor

hubertzw, thanks for your reply. I think you got me onto the right path.

Alas, I think session based is not the right decision since it does the same as volume based (which we had), just counting sessions instead of packets and distributing proportionally by weight. This would not prevent the load balancer from exhausting too much bandwidth.

I've now changed it to use spillover and set the ingress/egress thresholds for the lines so that the load balancer cannot exhaust all bandwidth. In fact it can do so on line 2, because that has the bigger bandwidth and is only secondarily used by tunnels. So at the moment its thresholds are at maximum. I thus set line 1 (primary WAN for the tunnels) to a threshold at half of its bandwidth in/out (that is a symmetric line!).

So according to the descriptions on the Fortinet site, internet traffic should not be able to use up more than this on that line.

I'll monitor that and see...


thanks so far.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

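The spillover setup described in the post above, written out as a FortiOS CLI fragment (an added example, not configuration posted in the thread). The interface names, the bandwidth figures and the `usage-based` keyword for spillover are assumptions taken from later FortiOS CLI references; the 5.4 syntax should be checked against that version's own CLI reference before applying it.

```text
# Added example, not from the thread. Assumed: wan1 is a symmetric 50 Mbit/s line
# carrying the IPsec tunnels, wan2 is a 100 Mbit/s line used only secondarily by
# tunnels. Thresholds are in kbit/s and are constructed placeholder values.
config system virtual-wan-link
    # Spillover: fill a member up to its threshold, then overflow to the next.
    # The volume-based mode used before would be 'measured-volume-based',
    # which only splits traffic by ratio and sets no ceiling per line.
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            # Cap Internet traffic at half of wan1's bandwidth, in and out,
            # so the remainder stays free for the tunnels terminating here.
            set spillover-threshold 25000
            set ingress-spillover-threshold 25000
        next
        edit 2
            set interface "wan2"
            # wan2 may be filled completely by Internet traffic.
            set spillover-threshold 100000
            set ingress-spillover-threshold 100000
        next
    end
end
```

Spillover only caps how much Internet traffic the balancer places on wan1; it does not give the IPsec packets themselves priority on that link, so the tunnel share is protected by the headroom, not by queuing.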
hubertzw

Yes please let us know if you achieve it. Thanks
