
SD WAN Understanding In Fortigate Firewall

In this article, let us learn how SD-WAN works in the FortiGate firewall.

Let's say your network has three ISPs with different bandwidth. Without the SD-WAN feature we have no control over which ISP the traffic uses, so the ISPs are not used efficiently. With SD-WAN we are able to manage traffic over multiple ISPs efficiently according to your requirement.

SD WAN Rules:

SD-WAN rules have the highest precedence in the firewall.

In FortiGate routing, SD-WAN rules take first precedence, then policy routes, and then the normal routing table (get router info routing-table details).

Using SD-WAN rules, we can route traffic based on destination address, Internet service (ISDB) and application.

We can also specify a user group in an SD-WAN rule, so traffic can be controlled based on the user group.

Configuration Of SDWAN In Fortigate Firewall:


First we need to define the multiple ISP interfaces as members of the SD-WAN zone:

Under Network >> SD-WAN >> SD-WAN Zone >> Create New >> SD-WAN Member:

Under Interface select the ISP interface. Sometimes you will not be able to select the interface because it has references (that is, the interface is already used in some objects such as firewall policies); in that case you need to remove all the references associated with that interface first.

Then you will be able to select that interface as an SD-WAN member. Under SD-WAN Zone select the zone, and under Gateway select that ISP's gateway.

Screenshot for your reference:


Then add the second ISP interface as a member of the same SD-WAN zone:


Now that two interfaces are in the SD-WAN zone, you can route traffic by specific destination, application or ISDB entry based on your requirement:


Now you can add SD-WAN rules according to your requirement. Let's say my requirement is to forward traffic to the “” IP address out port1, and traffic towards “” out port2.

You can configure two SD-WAN rules to achieve this:

Under Network >> SD-WAN >> SD-WAN Rules >> Create New:

First SD-WAN rule:

Under Source address keep “all”, in Destination keep “”, under Outgoing interface strategy keep “manual”, in Interface preference select “port1”, and then save the rule.

Manual: with the manual strategy the interface you listed first takes precedence; only if the first interface goes down does traffic pass through the second interface.


Second SD-WAN rule:

Under Source address keep “all”, in Destination keep “”, under Outgoing interface strategy keep “manual”, in Interface preference select “port2”, and then save the rule.



Now suppose your requirement is that when your network team accesses any Google IP address, the traffic should take the best available interface (the best available interface is calculated based on the SLA; I will show you this in the next section).

Third SD-WAN rule:

Under Network >> SD-WAN >> SD-WAN Rules >> Create New

Source address: keep ALL

Internet service: select all the Google ISDB entries; you can refer to the screenshot below:


Strategy should be "Best Quality", so that based on the quality criterion defined in the specified Measured SLA, whichever interface has the best performance on that criterion is chosen.

So based on the Latency parameter of that specific Default_AWS SLA, the ISP with the smallest latency will be chosen.

Now let's discuss Performance SLA. The main use of a Performance SLA is to measure parameters like latency, jitter and packet loss, from which the firewall determines the best-quality interface.

Also, in the Performance SLA we specify a server which the firewall pings through each specific interface. If a reply is received, the firewall detects that ISP as up; if the firewall gets no reply through a specific ISP, it detects that ISP as down.
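The same setup expressed in the FortiOS CLI (config system sdwan), as an added example that is not from the original article: two members, the Default_AWS performance SLA with a latency threshold, two manual rules and one Best Quality rule for Google traffic. The gateway addresses, the "dst-a"/"dst-b" address objects and the "Google-Web" ISDB name are assumed placeholders; replace them with your own objects.

```text
config system sdwan
    set status enable
    config members
        # port1/port2 and their gateways are assumed example values
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "port2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
    end
    config health-check
        # ping aws.amazon.com through both members; latency above 250 ms breaks the SLA
        edit "Default_AWS"
            set server "aws.amazon.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                next
            end
        next
    end
    config service
        # manual rules: first listed member wins, second is used only if it is down
        edit 1
            set name "to-port1"
            set mode manual
            set dst "dst-a"
            set priority-members 1
        next
        edit 2
            set name "to-port2"
            set mode manual
            set dst "dst-b"
            set priority-members 2
        next
        # Best Quality rule: lowest Default_AWS latency picks the member
        edit 3
            set name "google-best-quality"
            set mode priority
            set internet-service enable
            set internet-service-name "Google-Web"
            set health-check "Default_AWS"
            set priority-members 1 2
        next
    end
end
```

After applying it, diagnose sys sdwan health-check shows the measured latency per member, and diagnose sys sdwan service shows which member each rule currently selects.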

Hope this article helps you.