Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Admin Guide (Standalone)

    Home FortiExtender 7.4.0 Admin Guide (Standalone)
    7.4.0
    7.6.0
    7.4.4
    7.4.1
    7.4.0
    7.2.3
    7.2.2
    7.2.0
    7.0.3
    7.0.2
    7.0.1

    Configure an SD-WAN

    Configure an SD-WAN

    Use the following commands to configure an SD-WAN.

    CLI command

    Description

    config system interface

    Enters system interface configuration mode.

    edit <vwan_name>

    Specify the name of the SD-WAN interface.

    set type virtual-wan

    Set the interface type to virtual-wan.

    set status <status>

    Set the status of the interface:

    • up—Enable the interface.
    • down—Disable the interface.

    set FEC {source |

    dest | ip-pair | connection}

    Select a LLB metric to denote how to distribute traffic:

    • source—Traffic from the same source IP is forwarded to the same target.
    • dest—Traffic to the same destination IP is forwarded to the same target.
    • ip-pair—Traffic from the same source IP and to the same destination IP is forwarded to the same target.
    • connection—Traffic with the same 5 tuples (i.e., a source IP address/port number, destination IP address/port number and the protocol) is forwarded to the same target

    set algorithm {redundant |

    WRR}

    Select the LLB algorithm:

    • redundant—Targets work in primary-secondary mode.
    • WRR—Targets work in Weighted Round Robin mode.

    Set grace-period

    Specify the grace period in seconds to delay fail-back.

    set session-timeout 60

    Specify the session timeout threshold in seconds. The default is 60. This is used to time out a VWAN session. A LLB session is created for each traffic stream. However, when a session times out, it is deleted.

    set members

    Add VWAN members to the VWAN interface.

    FortiExtender supports both redundant and Weighted Round Robin (WRR) load-balancing algorithms.

    In redundant mode, the link member with the highest priority is selected as the primary member to forward packets. When the primary member is down, the member with the next highest priority is selected.

    In WRR mode, traffic is sent to each link member in a round-robin fashion based on the weight assigned to it.

    • Weighted Round Robin (WRR)—Traffic is load-balanced based on the weight configured on the underlying link member. The weight value should be based on the available bandwidth of the link member.
    • Redundant—If the primary link (determined by priority) goes down, traffic is steered to the secondary link. In the above example, if the algorithm were set to redundant mode, the priorities of the member interfaces (i.e., tunnel0 and tunnel1) must be different. A link with the lowest priority setting gains the primary link status.

    Unreliable links can cause bouncing between the primary and the secondary links. Therefore, a grace-period option is provided.

    Use persistence to guarantee a specific traffic stream always goes through the same link member. This is useful for a group of traffic streams related to the same application, and there is a time sequence and dependency among them. In this case, a proper persistence should be configured. Current available options are source_ip, dest_ip, source_dest_ip_pair, and connection.

    Previous
    Next

    Configure an SD-WAN

    Configure an SD-WAN

    Use the following commands to configure an SD-WAN.

    CLI command

    Description

    config system interface

    Enters system interface configuration mode.

    edit <vwan_name>

    Specify the name of the SD-WAN interface.

    set type virtual-wan

    Set the interface type to virtual-wan.

    set status <status>

    Set the status of the interface:

    • up—Enable the interface.
    • down—Disable the interface.

    set FEC {source |

    dest | ip-pair | connection}

    Select a LLB metric to denote how to distribute traffic:

    • source—Traffic from the same source IP is forwarded to the same target.
    • dest—Traffic to the same destination IP is forwarded to the same target.
    • ip-pair—Traffic from the same source IP and to the same destination IP is forwarded to the same target.
    • connection—Traffic with the same 5 tuples (i.e., a source IP address/port number, destination IP address/port number and the protocol) is forwarded to the same target

    set algorithm {redundant |

    WRR}

    Select the LLB algorithm:

    • redundant—Targets work in primary-secondary mode.
    • WRR—Targets work in Weighted Round Robin mode.

    Set grace-period

    Specify the grace period in seconds to delay fail-back.

    set session-timeout 60

    Specify the session timeout threshold in seconds. The default is 60. This is used to time out a VWAN session. A LLB session is created for each traffic stream. However, when a session times out, it is deleted.

    set members

    Add VWAN members to the VWAN interface.

    FortiExtender supports both redundant and Weighted Round Robin (WRR) load-balancing algorithms.

    In redundant mode, the link member with the highest priority is selected as the primary member to forward packets. When the primary member is down, the member with the next highest priority is selected.

    In WRR mode, traffic is sent to each link member in a round-robin fashion based on the weight assigned to it.

    • Weighted Round Robin (WRR)—Traffic is load-balanced based on the weight configured on the underlying link member. The weight value should be based on the available bandwidth of the link member.
    • Redundant—If the primary link (determined by priority) goes down, traffic is steered to the secondary link. In the above example, if the algorithm were set to redundant mode, the priorities of the member interfaces (i.e., tunnel0 and tunnel1) must be different. A link with the lowest priority setting gains the primary link status.

    Unreliable links can cause bouncing between the primary and the secondary links. Therefore, a grace-period option is provided.

    Use persistence to guarantee a specific traffic stream always goes through the same link member. This is useful for a group of traffic streams related to the same application, and there is a time sequence and dependency among them. In this case, a proper persistence should be configured. Current available options are source_ip, dest_ip, source_dest_ip_pair, and connection.

    Previous
    Next