IanB
New Contributor

SD-WAN rule query

Hi Folks

I'd like to know if the following is possible. A setup for SD-WAN that supports a basic failover between two or more WAN links. One link will always be 'preferred' due to it being a faster/more reliable link. The other link(s) should only be used if the primary connection is down. An example would be a leased line as the primary WAN link (wan1) and DSL as a secondary WAN link (wan2). Both to be members of SD-WAN (for simplicity of setup and IPv4 rule management). Primary link 'wan1' should be used for all traffic, unless it has failed, in which case 'wan2' is used.

On FortiOS 6.2.x it seems that SD-WAN rules are ignored and the traffic hits the implicit rule at the bottom and is balanced across all available SD-WAN members. Changing the algorithm has some effect (Source IP / Spillover / Volume / etc.) but doesn't ever seem to result in wan2 being completely idle when wan1 is up/available. I understand it would be possible if not using SD-WAN and only using static route metrics, but this would require a lot of change to our existing estate, and make management more awkward as IPv4 rules would need to be duplicated for each additional WAN link. Can we achieve this on FortiOS v6.2.7 while still using SD-WAN? 6.0 wasn't perfect either, but we've been seeing more issues on v6.2.7 than we did on v6.0.10. All observed on a variety of devices: 30E/60E/100E.

IanB
New Contributor

Has anyone used this method to successfully exclude a WAN interface from passing traffic when a higher priority interface is up in SD-WAN?

Configuring Zero Value for Volume or session based SD-WAN Algorithm (fortinet.com)

Yurisk
Valued Contributor

Zero does not work anymore - in newer versions (starting 6.4.something, maybe earlier) 0 is auto-converted to 1. So you can't ensure that some interface will not be used while others are up inside SD-WAN. Their usage may be close to 0 of course, but not absolute zero. And additionally, you will always have the implicit SD-WAN rule, which includes ALL interfaces as possible candidates for traffic.

Without much digging I guess, as you already mentioned, you can exclude such interface from SDWAN completely and set its route priority so it will appear in RIB only after ALL SD-WAN members are down.

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
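
The "keep the backup link out of SD-WAN" approach from the reply above, written out as an added FortiOS 6.2-style CLI example (not configuration from the thread or from Fortinet). It assumes wan1 is the only SD-WAN member, that the health check's `update-static-route` option withdraws the SD-WAN default route when wan1 is dead, and uses constructed gateway and probe addresses; the `#` lines are annotations to drop before pasting. It uses a higher administrative distance on the wan2 route so that route is installed in the RIB only once the SD-WAN route is gone; using the same distance with a higher `priority` value instead keeps both routes in the RIB with wan2 merely less preferred.

```fortios
# Added example, not from the thread. wan1 is the sole SD-WAN member; wan2 is a
# plain interface with a backup default route. Gateway/probe IPs are placeholders.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1          # constructed placeholder
        next
    end
    config health-check
        edit "wan1-ping"
            set server "198.51.100.250"      # constructed placeholder probe target
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set update-static-route enable   # pull the SD-WAN route when wan1 is dead
            set members 1
        next
    end
end
config router static
    # Default route handed to SD-WAN (wan1 only); distance 10 is the default.
    edit 1
        set virtual-wan-link enable
        set distance 10
    next
    # Backup default route out wan2 with a worse distance: it enters the RIB only
    # after the SD-WAN route has been withdrawn, so wan2 stays idle while wan1 is up.
    edit 2
        set dst 0.0.0.0/0
        set gateway 198.51.100.1            # constructed placeholder
        set device "wan2"
        set distance 20
    next
end
```

Because wan2 is not an SD-WAN member, firewall policies that use the SD-WAN interface as destination will not match traffic leaving wan2; a separate policy with wan2 as the outgoing interface is needed, which is the rule duplication the original question wanted to avoid.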
pyy
New Contributor III

You have multiple options.

1. Create 2 SD-WAN policies. The 1st policy is for the primary line (add a health check), src lan, dst all. The 2nd policy is for the backup line, src lan, dst all. When the health check fails, the policy will be considered inactive, then it will go to the next policy (backup line).

2. Create 1 SD-WAN policy with interface preference: 1st the primary, 2nd the backup line. The change will be performed according to the SLA that you configure.
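
Option 1 from the reply above, written out as an added FortiOS 6.2-style CLI example (not configuration from the thread or from Fortinet). It assumes the two SD-WAN members wan1 (leased line) and wan2 (DSL) from the original question, an existing LAN address object named `lan-subnet`, and constructed gateway and probe addresses; the `#` lines are annotations to drop before pasting. The health check covers both members, so rule 1 loses its only member when wan1 fails the probe, and traffic falls through to rule 2 rather than to the implicit rule.

```fortios
# Added example, not from the thread. Two manual-mode SD-WAN rules with the same
# match; rule 2 is only reached once rule 1 has no live member left.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1          # constructed placeholder
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1         # constructed placeholder
        next
    end
    config health-check
        edit "wan-ping"
            set server "198.51.100.250"      # constructed placeholder probe target
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
        next
    end
    config service
        # Rule 1: all LAN traffic out wan1 while wan1 passes the probe.
        edit 1
            set name "lan-via-wan1"
            set mode manual
            set src "lan-subnet"
            set dst "all"
            set priority-members 1
        next
        # Rule 2: identical match, used only when rule 1 is inactive.
        edit 2
            set name "lan-via-wan2"
            set mode manual
            set src "lan-subnet"
            set dst "all"
            set priority-members 2
        next
    end
end
```

Option 2 replaces the two services with a single one in `mode sla` that lists `priority-members 1 2` and references an SLA target defined under the health check; the rule then moves traffic between the members according to that SLA rather than only on a dead probe. Whichever option is used, the rule's match must actually cover the traffic (here src `lan-subnet`, dst `all`), otherwise sessions fall through to the implicit rule and are balanced across both members, which is the behaviour described in the original question.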
