The document outlines the configuration process for FortiGate SD-WAN, emphasizing its ability to enhance application performance through dynamic path selection among various connectivity options. It details steps for setting up SD-WAN zones, creating static routes, configuring performance SLAs, and establishing firewall policies. Additionally, it includes commands for verifying the SD-WAN setup and monitoring its health and performance.

FortiGate SD-WAN Configuration

Scenario: Software-defined wide-area network (SD-WAN) solutions transform an organization's capabilities by leveraging the corporate wide-area network (WAN) as well as multi-cloud connectivity to deliver high-speed application performance at the WAN edge of branch sites. One of the chief benefits of SD-WAN is that it provides dynamic path selection among connectivity options—MPLS, 4G/5G, or broadband—ensuring organizations can quickly and easily access business-critical cloud applications.[1] In this scenario, we simulate SD-WAN by using OpenWrt, which lets you exercise the SD-WAN features. Port 4 and Port 5 act as your two different connections, and you manage them through SD-WAN. (The CLI configuration below labels the two WAN uplinks port2 and port3.)

Configure SD-WAN Zone

Go to Network > SD-WAN, click Create New Zone, and give the zone any name.
Create a static route to the internet that uses the SD-WAN as its outgoing interface.

Next, create a network link monitor under Performance SLA.

After modifying the firewall rules, we can add WAN1 as an SD-WAN member.
1) Basic interface IPs

config system interface
    edit "port1"
        set ip 192.168.15.1 255.255.255.0
        set allowaccess ping http https ssh
        set alias "LAN-to-LAN-SW"
    next
    edit "port2"
        set ip 10.10.10.2 255.255.255.252
        set alias "WAN-ISP01"
    next
    edit "port3"
        set ip 11.11.11.2 255.255.255.252
        set alias "WAN-ISP02"
    next
end

2) Create the SD-WAN virtual-wan-link and add members

config system virtual-wan-link
    set status enable
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "port2"
            set gateway 10.10.10.1
        next
        edit 2
            set interface "port3"
            set gateway 11.11.11.1
        next
    end
end

3) Configure Performance SLA

config system sdwan
    config health-check
        edit "hc-google"
            set server "8.8.8.8"
            set protocol ping
            set interval 5
            set failtime 3
            set recoverytime 3
        next
        edit "hc-cloudflare"
            set server "1.1.1.1"
            set protocol ping
            set interval 5
            set failtime 3
            set recoverytime 3
        next
    end
end
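The three numbers in each health check decide how quickly a failed uplink is taken out of service and how long it must behave before it is trusted again: a probe is sent every interval seconds, failtime consecutive missed probes mark the member dead, and recoverytime consecutive answered probes mark it alive. The model below is an added illustration written for this guide, not FortiOS code; it reproduces that counting rule with the page's values (interval 5, failtime 3, recoverytime 3) on a constructed probe history, and shows why a short blip during an outage does not bring the member back early.

```python
"""Model of how a Performance SLA's interval / failtime / recoverytime decide
when an SD-WAN member is marked dead or alive.  Added illustration, not FortiOS
code: the rule modelled is 'failtime consecutive failed probes -> dead,
recoverytime consecutive good probes -> alive'.  Probe results are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class HealthCheck:
    name: str
    interval: int       # seconds between probes      (set interval 5)
    failtime: int       # failed probes before "dead"  (set failtime 3)
    recoverytime: int   # good probes before "alive"   (set recoverytime 3)
    alive: bool = True
    fails: int = 0      # current run of consecutive failed probes
    oks: int = 0        # current run of consecutive answered probes
    events: List[Tuple[int, str]] = field(default_factory=list)

    def probe(self, t: int, ok: bool) -> bool:
        """Record one probe result observed at time t (seconds); return member state."""
        if ok:
            self.fails = 0
            self.oks += 1
            if not self.alive and self.oks >= self.recoverytime:
                self.alive = True
                self.events.append((t, "alive"))
        else:
            self.oks = 0
            self.fails += 1
            if self.alive and self.fails >= self.failtime:
                self.alive = False
                self.events.append((t, "dead"))
        return self.alive


def replay(hc: HealthCheck, results: List[bool]) -> List[Tuple[int, str]]:
    """Feed a probe sequence, one result per interval, and return the state changes."""
    for i, ok in enumerate(results):
        hc.probe(i * hc.interval, ok)
    return hc.events


def worst_case_detection_seconds(hc: HealthCheck) -> int:
    """A link that dies right after an answered probe is declared dead after
    failtime further probes, i.e. failtime * interval seconds later."""
    return hc.failtime * hc.interval


# Constructed probe history for hc-google (8.8.8.8): healthy, a 25 s outage,
# a two-probe recovery that does not hold, then a stable recovery.
SAMPLE_PROBES = [True] * 4 + [False] * 5 + [True] * 2 + [False] + [True] * 4


def demo() -> List[Tuple[int, str]]:
    hc = HealthCheck("hc-google", interval=5, failtime=3, recoverytime=3)
    return replay(hc, SAMPLE_PROBES)


if __name__ == "__main__":
    for t, state in demo():
        print(f"t={t:3d}s  hc-google -> {state}")
    # t= 30s dead, t= 70s alive: the answered probes at 45 s and 50 s did not
    # reach recoverytime, so the member stayed dead until 70 s.
```

With these values the worst-case time to detect a dead uplink is 15 seconds; lowering interval or failtime shortens it at the cost of more probe traffic and more false failovers on a lossy link, which is exactly the trade-off recoverytime is there to dampen.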
4) Bind health checks to SD-WAN members

config system virtual-wan-link
    config members
        edit 1
            set interface "port2"
            set gateway 10.10.10.1
            set health-check "hc-google" "hc-cloudflare"
        next
        edit 2
            set interface "port3"
            set gateway 11.11.11.1
            set health-check "hc-google" "hc-cloudflare"
        next
    end
end

5) SD-WAN Rules

config system sdwan
    config service
        edit 1
            set name "svc-default"
            set dst "0.0.0.0/0"
            set priority-method quality
            set internet-service disable
            set members 1 2
        next
    end
end

6) Default route via SD-WAN

config router static
    edit 0
        set device "virtual-wan-link"
        set gateway 0.0.0.0
        set dst 0.0.0.0 0.0.0.0
    next
end

7) Firewall policy LAN -> Internet

config firewall policy
    edit 0
        set name "LAN-to-Internet-SD-WAN"
        set srcintf "port1"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

8) Verification commands

get system virtual-wan-link
diagnose sys virtual-wan-link status
diagnose sys virtual-wan-link health-check
get router info routing-table all
diagnose sys session list | grep -E "port2|port3"
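The verification commands above show what the unit ended up with; the script below is an added example for this guide (not Fortinet code) that checks the CLI text itself before it is pasted, so that the steps fit together: SD-WAN enabled, every member bound to a health check that step 3 actually defines, a static route that points at virtual-wan-link, and no interface exposing the cleartext HTTP admin UI (step 1 lists http in allowaccess on port1). The parser understands only the config/edit/set/next/end grammar used on this page and treats the `config system virtual-wan-link` and `config system sdwan` trees the guide mixes as separate tables (FortiOS 6.4 and later moved the former under the latter, so on a current release expect members and routes under `config system sdwan`). The sample configuration is a constructed, trimmed copy of the page's blocks.

```python
"""Parse the FortiOS CLI blocks from this guide and check that the SD-WAN
pieces fit together before pasting them into a unit.  Added illustration, not
FortiOS or Fortinet code; handles only config/edit/set/next/end, and the
sample below is a constructed, trimmed copy of the page's configuration."""
import shlex
from typing import Any, Dict, List

# Constructed sample: LAN interface, SD-WAN members with bound health checks,
# the health checks themselves and the SD-WAN default route from the guide.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 192.168.15.1 255.255.255.0
        set allowaccess ping http https ssh
    next
end
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port2"
            set gateway 10.10.10.1
            set health-check "hc-google" "hc-cloudflare"
        next
        edit 2
            set interface "port3"
            set gateway 11.11.11.1
            set health-check "hc-google" "hc-cloudflare"
        next
    end
end
config system sdwan
    config health-check
        edit "hc-google"
            set server "8.8.8.8"
        next
        edit "hc-cloudflare"
            set server "1.1.1.1"
        next
    end
end
config router static
    edit 0
        set device "virtual-wan-link"
        set dst 0.0.0.0 0.0.0.0
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Nested dicts: each 'config <table>' / 'edit <entry>' becomes a dict and
    each 'set <attr> <values...>' stores the value list on the current dict."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{cmd}'")
            stack.pop()
        else:
            raise ValueError(f"unsupported line: {line}")
    return root


def audit_sdwan(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    vwl = cfg.get("system virtual-wan-link", {})
    defined_hc = cfg.get("system sdwan", {}).get("health-check", {})
    if vwl.get("status") != ["enable"]:
        findings.append("SD-WAN is not enabled (set status enable)")
    for mid, member in vwl.get("members", {}).items():
        iface = member.get("interface", ["?"])[0]
        bound = member.get("health-check", [])
        if not bound:
            findings.append(f"member {mid} ({iface}) has no health-check; a dead path stays in use")
        for hc in bound:
            if hc not in defined_hc:
                findings.append(f"member {mid} ({iface}) references undefined health-check {hc}")
    routes = cfg.get("router static", {}).values()
    if not any(r.get("device") == ["virtual-wan-link"] for r in routes):
        findings.append("no static route points at virtual-wan-link; traffic will not use SD-WAN")
    for name, intf in cfg.get("system interface", {}).items():
        if "http" in intf.get("allowaccess", []):
            findings.append(f"{name}: allowaccess includes http (cleartext admin UI); keep https/ssh only")
    return findings


if __name__ == "__main__":
    for finding in audit_sdwan(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the guide's own configuration the only finding is the http entry on port1; dropping http from allowaccess leaves HTTPS and SSH for management and clears it. The same parser can be pointed at a full `show` dump to extend the checks, for example to confirm that the firewall policy egressing to virtual-wan-link still has NAT enabled.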
