Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pwellion2000
New Contributor

Created on ‎11-10-2022 03:38 AM

FortiGate 6.4 SD WAN - Prioritising WAN Connections

We are running FortiGate on 6.4.5 and 6.4.7.

 

We have a scenario requiring our FortiGates to have 4 WAN (Internet connections). 2 out of the 4 WAN connections provide bandwidth of 200Mb/s Up/Down and the other 2 provide 50Mb/s Up/Down.

 

I would appreciate some input on the best approach for achieving the required outcome.

 

 

I require the 2 x 200Mb/s to be active and load-sharing traffic (maximize Bandwidth). In the event that both the 200Mb/s circuit are down or out of SLA (I am using a basic SLA if packet loss is above 5%). Then the other 2 Circuits @ 50Mb/s are then active also load-sharing. On resumption of one or both of the 200Mb/s traffic is restored via these links.

 

I have attempted to configure this via 1 SD WAN Rule containing each of the 4 Member interfaces without success. I have tested various methods in relation to SD WAN strategies (Cost, Manual, Maximize bandwidth etc) and even tinkered with the manipulation of member interface Cost and priority.

 

Ultimately I was either in a situation whereby only the First WAN interface is an eligible WAN forwarding option (E.g has a black tick next to the member interface the SD-WAN rule field) or all interfaces were viable.The latter was obviously due to the Maximize bandwidth selecting all available interfaces as long as they conform to SLA.

 

 

I have managed to achieve the desired outcome via the following method.

 

1. Creating 2 X SD WAN Zones. DIA with 2 X 200Mbs Interfaces (WAN-01 & WAN-02)

and DIA2 with 2 x 50Mbs Interfaces (WAN-03 & WAN-04)

 

pwellion2000_3-1668078882401.png

 

Created a firewall policy with both SDWAN Zones (DIA and DIA2) as destinations

 

pwellion2000_1-1668078614385.png

 

Created 2 X SD WAN rules Rule id 1 has the 2 x 200Mbs interfaces (WAN-01 & 02) and rule id 2 has the 2 x 50Mbs interfaces (WAN-03 & 04). Both are setup with identical parameters using Maximize bandwidth strategy.

 

pwellion2000_5-1668080166487.png

 

 

For information this is configured withing an EVE-NG lab as such these IP addresses and basic open rules are internal and for lab purposes only.

 

The desired outcome is achieved. When WAN-01 and WAN-02 are out of SLA or unavailable SDWAN rule ID 2 becomes active and traffic flows via the 50Mb/s links. As soon as at least one of the 200Mb/s become available then traffic flows via Rule ID 1. The hit counts only increment on SD WAN rule id 2 When both interfaces are down from rule 1.

 

So a quick question can this be achieved using 1 SD WAN rule or is this approach the only way to achieve the desired result.

 

Many thanks, input appreciated

 

 

 

 

 

 

 

 

Labels:
1246
0 Kudos
1 REPLY 1
distillednetwork
Contributor III

Created on ‎11-12-2022 07:26 PM

With maximize bandwidth option, it will load balance all the traffic based on the algorithms chosen with any available interface:

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/708464/maximize-bandwidth-sl...

 

You don't need to go to the extent you did to create two different zones, you could keep all the interfaces in the same zone and just have two SDWAN policies with the faster links in the first policy and the slower links in the second policy.

 

Just keep in mind with snat-route-change disabled (default) existing sessions will remain on the slow link even if the faster links come up.  All new sessions will use the faster links.  This helps to not break sessions outbound since the snat would change.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-SNAT-route-change-to-update-existing...

1229
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.