FortiGate SD-WAN Setup

Quick, Basic SD-WAN Setup

Minimal Requirements

Here are the quick and dirty steps to get SD-WAN up and running on a FortiGate.
I’m running FortiOS 6.2.3 on a 60E.

SD-WAN Interface

Under Network -> SD-WAN:

  1. Set the Status to Enabled
  2. Add at least one available port to the SD-WAN Interface Members
  3. Hit Apply

Performance Metrics

Under Network -> Performance SLA:

  1. Create a new SLA
  2. Give it a Name
  3. For Protocol pick Ping
  4. Add two IPs for servers to run ping tests against. I’d recommend 1.1.1.1 and 8.8.8.8, since they are Anycast and respond quickly globally, but you might want to add one of your ISP’s upstream routers. You need to put two addresses in here (they can be FQDNs).
  5. Add the Interface(s) [WAN1 or WAN2, etc.] that should use this test to the Participants box
  6. Make sure “Enable probe packets” is selected - it should be by default
  7. Hit Ok

Route

Under Network -> Static Routes:

  1. Create a new route
  2. Destination - Subnet
  3. Address - 0.0.0.0/0.0.0.0
  4. Interface - SD-WAN
  5. Admin Distance - 1 (or higher if you need it, make sure you pick the right one for your setup)
  6. Hit Ok

Firewall Policy

Under Policy & Objects:
Create Policies - as required - to allow traffic out by this new interface
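
The same four steps expressed as CLI configuration, as an added example that is not part of the original post. It assumes FortiOS 6.2 syntax (config system virtual-wan-link; later releases renamed this to config system sdwan), wan1 as the member port, internal as the LAN interface, and the placeholder names Ping_SLA and LAN-to-SDWAN. Lines starting with # are annotations.

```fortios
# SD-WAN Interface: enable SD-WAN and add one member port (wan1 is an assumption)
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
    end
    # Performance SLA: ping probes against two servers, applied to member 1
    config health-check
        edit "Ping_SLA"
            set protocol ping
            set server "1.1.1.1" "8.8.8.8"
            set probe-packets enable
            set members 1
        next
    end
end

# Route: default route out the SD-WAN interface with admin distance 1
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set distance 1
        set virtual-wan-link enable
    next
end

# Firewall Policy: constructed outbound policy (ID, name and interfaces are
# placeholders). Narrow srcaddr, dstaddr and service to what the site needs
# instead of leaving all/ALL in place.
config firewall policy
    edit 1
        set name "LAN-to-SDWAN"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Once applied, diagnose sys virtual-wan-link health-check shows whether each member is passing the SLA probes.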

Overview

These steps will create a new SD-WAN interface, turn on some basic performance monitoring, and add the new route, so you can use this interface in your Firewall Policies.

I had originally neglected to set up the Performance SLA, and regretted it. It was quick to set up and provided some interesting information.

These steps can be followed as-is with a brand new FortiGate or one currently in production; however, this is easier on a brand new Gate. One that is already in production might require moving interfaces around and re-doing Firewall Policies…

Next Steps

Once you’ve got a basic SD-WAN running, you can start to enable some of the more interesting features, namely the SD-WAN Rules, under Network. With those rules you can steer traffic based on Source, Destination, Internet Service, or Application, so that the traffic goes out the interface that meets an SLA requirement or maximizes available bandwidth, or you can assign a preferred interface for a specific type of traffic.
The Cookbook explains the different SD-WAN Rule options here.
