We are running FortiGate on 6.4.5 and 6.4.7.
We have a scenario requiring our FortiGates to have 4 WAN (Internet connections). 2 out of the 4 WAN connections provide bandwidth of 200Mb/s Up/Down and the other 2 provide 50Mb/s Up/Down.
I would appreciate some input on the best approach for achieving the required outcome.
I require the 2 x 200Mb/s to be active and load-sharing traffic (maximize bandwidth). In the event that both 200Mb/s circuits are down or out of SLA (I am using a basic SLA: out of SLA if packet loss is above 5%), the other 2 circuits @ 50Mb/s then become active, also load-sharing. On resumption of one or both of the 200Mb/s circuits, traffic is restored via these links.
I have attempted to configure this via 1 SD WAN Rule containing each of the 4 Member interfaces without success. I have tested various methods in relation to SD WAN strategies (Cost, Manual, Maximize bandwidth etc) and even tinkered with the manipulation of member interface Cost and priority.
Ultimately I was either in a situation whereby only the first WAN interface is an eligible WAN forwarding option (e.g. it has a black tick next to the member interface in the SD-WAN rule field) or all interfaces were viable. The latter was obviously due to Maximize Bandwidth selecting all available interfaces as long as they conform to SLA.
I have managed to achieve the desired outcome via the following method.
1. Created 2 x SD-WAN zones: DIA with 2 x 200Mb/s interfaces (WAN-01 & WAN-02) and DIA2 with 2 x 50Mb/s interfaces (WAN-03 & WAN-04).
2. Created a firewall policy with both SD-WAN zones (DIA and DIA2) as destinations.
3. Created 2 x SD-WAN rules: rule ID 1 has the 2 x 200Mb/s interfaces (WAN-01 & 02) and rule ID 2 has the 2 x 50Mb/s interfaces (WAN-03 & 04). Both are set up with identical parameters using the Maximize Bandwidth strategy.
For information, this is configured within an EVE-NG lab; as such, these IP addresses and basic open rules are internal and for lab purposes only.
The desired outcome is achieved. When WAN-01 and WAN-02 are out of SLA or unavailable, SD-WAN rule ID 2 becomes active and traffic flows via the 50Mb/s links. As soon as at least one of the 200Mb/s links becomes available, traffic flows via rule ID 1. The hit counts only increment on SD-WAN rule ID 2 when both interfaces from rule 1 are down.
So a quick question: can this be achieved using 1 SD-WAN rule, or is this approach the only way to achieve the desired result?
Many thanks, input appreciated.
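For readers wanting to reproduce the two-zone, two-rule method described in the post, here is an added FortiOS 6.4 CLI rendering of it; it is not the poster's configuration. It assumes SD-WAN members 1-4 (WAN-01 to WAN-04) and zones DIA/DIA2 already exist as described, and the health-check name "Internet-SLA", probe server 203.0.113.10, LAN interface "port1" and policy ID 1 are placeholders.

```text
config system sdwan
    # members 1-4 (WAN-01..WAN-04) in zones DIA/DIA2 are assumed to exist already
    config health-check
        edit "Internet-SLA"
            set server "203.0.113.10"
            set members 1 2 3 4
            config sla
                edit 1
                    set link-cost-factor packet-loss
                    set packetloss-threshold 5
                next
            end
        next
    end
    # rules match top-down: rule 2 is only used while no member of rule 1 meets SLA
    config service
        edit 1
            set mode load-balance
            set dst "all"
            config sla
                edit "Internet-SLA"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        edit 2
            set mode load-balance
            set dst "all"
            config sla
                edit "Internet-SLA"
                    set id 1
                next
            end
            set priority-members 3 4
        next
    end
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "DIA" "DIA2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Verify the failover with `diagnose sys sdwan health-check` and `diagnose sys sdwan service` after forcing loss on WAN-01 and WAN-02; rule 2 should only show as the matched service once both members of rule 1 are out of SLA.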