Mark III Systems Blog

SD-WAN setup on a Fortigate firewall

Recently I used the SD-WAN feature on a FortiGate firewall for a customer's redundant internet connection. The ease and simplicity of setting this up, compared with past experiences on other vendors, was a pleasant surprise. This five-minute process through the GUI provides a load-balanced interface for your two ISPs. There are other link-selection strategies that can be used:

1- Auto – picks the member with the best measured link quality

2- Manual – the administrator manually assigns the priority

3- Lowest Cost (SLA) – uses the cheapest member that still meets the desired SLA targets

4- Maximize Bandwidth (SLA) – this is the load-balance option that takes advantage of both connections at once

First you set up the SD-WAN link. Be sure that neither wan1 nor wan2 is referenced by any existing firewall policy or static route; the FortiGate will not let you add an interface that is still in use anywhere else.

Next go to the SD-WAN page under Network (Network > SD-WAN). Here you will add the two WAN interface members (wan1 and wan2), each with its ISP gateway. Be sure to label each WAN interface so you know which ISP it connects to. This builds your "SD-WAN interface".

Next you will go to static routes and add your default route pointing to the SD-WAN interface for outgoing traffic. The Policy and Objects section will be your next step. Here you will select your internal LAN or SSID interface as the source and the SD-WAN interface as the destination, with NAT enabled since both members face public ISPs. Because this policy sits on the FortiGate itself, you can control all of the different protocols/ports/apps that are allowed out through this interface.

To then confirm and test the redundancy you can do the following:

1- Go to Network > Interfaces, select wan1 and wan2, and confirm that both show an address: the static IP you assigned, or the lease from the provider if they use DHCP.

2- Set up a continuous ping to a public address such as Google DNS, 8.8.8.8. Then unplug wan1 and confirm the pings keep answering. Plug this interface back in and repeat the test with wan2. This should provide proof of successful and immediate redundancy. Keep in mind that pulling the cable tests a physical link failure only; an ISP outage that leaves the link up is detected only if a performance SLA health check is configured on the SD-WAN members.

You can then use the monitoring section to see the bandwidth and throughput going through each connection. Use these metrics to decide whether you can cut back on, or need to add, bandwidth on one pipe or the other depending on needs and costs.

This simple setup, clear visual layout, and reliability take a lot of stress off the administrator, whereas other vendors tend to have a more tedious process that is harder to roll back from if issues are created.