I'd like to know if the following is possible. A setup for SD-WAN that supports a basic failover between two or more wan links. One link will always be 'preferred' due to it being a faster/more reliable link. The other link(s) should only be used if the primary connection is down.
An example would be a Leased line as primary wan link (wan1) and DSL as a secondary wan link (wan2). Both to be members of SD-WAN (for simplicity of setup and IPv4 rule management). Primary link 'wan1' should be used for all traffic, unless it has failed in which case 'wan2' is used.
On FortiOS 6.2.x it seems that SD-WAN rules are ignored and the traffic hits the implicit rule at the bottom and is balanced across all available SD-WAN members. Changing the algorithm has some effect (Source IP / Spillover / Volume / etc.) but doesn't ever seem to result in wan2 being completely idle when wan1 is up/available.
I understand it would be possible if not using SD-WAN and only using static route metrics but this would require a lot of change to our existing estate, and make management more awkward as IPv4 rules would need to be duplicated for each additional wan link.
Can we achieve this on FortiOS v6.2.7 while still using SD-WAN? 6.0 wasn't perfect either, but we've been seeing more issues on v6.2.7 than we did on v6.0.10. All observed on a variety of devices: 30E/60E/100E.
Zero does not work anymore - in newer versions (starting 6.4.something, maybe earlier) 0 is auto-converted to 1. So you can't ensure that some interface will not be used while others are up inside SD-WAN. Their usage may be close to 0 of course, but not absolute zero. And additionally, you will always have the implicit SD-WAN rule, which includes ALL interfaces as possible candidates for traffic.
Without much digging I guess, as you already mentioned, you can exclude such an interface from SD-WAN completely and set its route priority so it will appear in the RIB only after ALL SD-WAN members are down.
You have multiple options.
1. Create 2 SD-WAN policies.
   1st policy for the primary line (add health check), src lan, dst all.
   2nd policy for the backup line, src lan, dst all.
   When the health check fails, the policy will be considered inactive, then it will go to the next policy (backup line).
2. Create 1 SD-WAN policy with interface preference, 1st the primary, 2nd the backup line. The change will be performed according to the SLA that you configure.
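The second option above (one SD-WAN rule with an ordered interface preference and an SLA) as a worked FortiOS 6.2 CLI configuration; this is an added example, not configuration posted by either answerer or by Fortinet. The member IDs, gateway addresses, the health-check target and the SLA thresholds are constructed values for illustration and need to be replaced with your own.

```fortios
# Added example: strict wan1-preferred / wan2-standby SD-WAN on FortiOS 6.2.
# All addresses below are constructed placeholders (TEST-NET ranges).
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"            # leased line, preferred
            set gateway 203.0.113.1         # constructed
        next
        edit 2
            set interface "wan2"            # DSL, standby only
            set gateway 198.51.100.1        # constructed
        next
    end
    # One health check probing both members; the SLA entry defines
    # what "wan1 is healthy enough to keep using" means.
    config health-check
        edit "ping-wan"
            set server "192.0.2.10"         # constructed probe target
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    # Single explicit rule in "Lowest Cost (SLA)" mode: traffic goes to the
    # FIRST member in priority-members that still meets the SLA, so wan2 is
    # only selected once wan1 fails the SLA or is marked dead.
    config service
        edit 1
            set name "prefer-wan1-failover-wan2"
            set mode sla
            set src "all"
            set dst "all"
            config sla
                edit "ping-wan"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

Because the rule matches src all / dst all, every session is caught here and nothing falls through to the implicit rule that was balancing across both members in the question; a single IPv4 policy from lan to the virtual-wan-link interface then covers both links.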