In an SD-WAN environment with one hub and multiple spokes, on which side should the SD-WAN SLA be configured? On the hub or on every spoke?
https://docs.fortinet.com/document/fortigate/7.2.0/new-features/848259/embedded-sd-wan-sla-informati... would be also great to have implemented if not bgp self healing, https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-self-healing-with-bgp/559415/overview
If the traffic is initiated only from spoke to hub then you configure SLA on spoke.
If the traffic is initiated from both sides (hub to spoke and spoke to hub) then you should configure SLA on both.
Both
If we set the SLA on both the hub and the spoke, will there be an asymmetric routing issue? Just imagine if the SLA on the hub decides that traffic from hub to spoke passes through path1 and the SLA on the spoke decides that traffic from spoke to hub passes through path2.
As per my knowledge, the default behavior of FortiGate is symmetric; it means the response is imperatively sent from the receiving interface, and only initiated traffic depends on SLA, not the response.
E.g.: If hub (or spoke) receives traffic from port1, the response will be sent from port1.
show system settings
asymroute disable (default)
end
I hope I'm not wrong when I say this is also applicable for IPsec tunnels members of SD-WAN.
Copyright 2025 Fortinet, Inc. All Rights Reserved.