Fortinet black logo

CLI Reference

system virtual-wan-link

system virtual-wan-link

Use this command to enable and configure SD-WAN (also called WAN link load balancing). You can use the SD-WAN feature to create an SD-WAN interface consisting of two or more interfaces connected to the Internet, usually to different Internet provides. The SD-WAN interface provides redundant Internet connections. SD-WAN load balances traffic between the interfaces added to the SD-WAN interface. If one of the interfaces in the SD-WAN interface goes down, traffic is re-routed to the other interface(s) in the SD-WAN.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

config system virtual-wan-link

config service

edit <id>

set hold-down-time <seconds>

New hold down timer that allows you to add a waiting period in seconds when switching from backup members to the primary member. The range is 0 - 10000000 seconds. The default value of 0 disables the timer. Set a timer to prevent switching between links too frequently.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

config members

edit <id>

set comment [comments]

New option to add comments under the config members configuration method.

Note that config members is only available when status is set to enable.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}

Improved help-text descriptions for each load-balance-mode option.

config health-check

edit <name>

set addr-mode {ipv4 | ipv6}

New option to choose IPv6 as the address mode.

config health-check

edit <name>

set members <seq-number>

Member sequence number list.

config health-check

edit <name>

config sla

edit <id>

set link-cost-factor {latency | jitter | packet-loss}

set latency-threshold <milliseconds>

set jitter-threshold <milliseconds>

set packetloss-threshold <percentage>

next

...

Configure SLA settings under health check to determine the criteria on which to base link selection.

config health-check

edit <name>

set protocol {ping6 | ...}

New support for ping6, to determine if the FortiGate can communicate with the server.

Note that ping6 is only available when addr-mode to set to ipv6.

config health-check

edit <name>

set server <ip/fqdn> [<ip/fqdn>]

Support to configure multiple servers in SD-WAN health-check.

config health-check

edit <name>

set timeout <seconds>

Removed the timeout for how long to wait before not receiving a reply from the server to consider the connetion attempt a failure.

config members

edit <name>

set gateway6 <ipv6-addr>

set source6 <ipv6-addr>

Configure an IPv6 gateway and source IPv6 address used in the health-check packet to the server.

config service

edit <id>

set dst-negate {enable | disable}

set src-negate {enable | disable}

Enable or disable negation of destination and source address match.

config service

edit <id>

set mode {sla | ...}

Assign link based on the selected service level agreement (SLA) settings.

config service

edit <id>

set addr-mode {ipv4 | ipv6}

set input-device <interface>

set dst6 <ipv6-addr-name>

set src6 <ipv6-addr-name>

New option to choose IPv6 as the address mode, along with the source interface name, and IPv6 destination and source address group names.

config service

edit <id>

set dscp-forward {enable | disable}

set dscp-reverse {enable | disable}

set dscp-forward-tag <forward-tag>

set dscp-reverse-tag <reverse-tag>

Support to configure DSCP tagging of forwarded packets based on identified SD-WAN services.

Note that dscp-forward-tag and dscp-reverse-tag are only available when dscp-forward and dscp-reverse are set to enable, respectively.

config service

edit <id>

set link-cost-factor {inbandwidth | outbandwidth | bibandwidth | custom-profile-1 | ...}

New link cost factor types. Note that this entry is only available when mode is set to either auto or priority.

See entry below for further details.

config service

edit <id>

set internet-service-custom-group <name>

set internet-service-group <name>

set internet-service-ctrl <id>

set internet-service-ctrl-group <name>

New custom and control-based Internet service link group options. Set the names of group names, as configured under the corresponding config firewall internet-service and application group name commands.

config service

edit <id>

set route-tag <integer>

IPv4 route map route-tag.
config system virtual-wan-link
    set status {disable | enable}   Enable/disable SD-WAN.
    set load-balance-mode {option}   Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
            source-ip-based        Source IP load balancing. All traffic from a source IP is sent to the same interface.
            weight-based           Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
            usage-based            Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface.
            source-dest-ip-based   Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
            measured-volume-based  Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.
    set fail-detect {enable | disable}   Enable/disable SD-WAN Internet connection status checking (failure detection).
    config fail-alert-interfaces
        edit {name}
        # Physical interfaces that will be alerted.
            set name {string}   Physical interface name. size[64] - datasource(s): system.interface.name
        next
    config members
        edit {seq-num}
        # Physical FortiGate interfaces added to the virtual-wan-link.
            set seq-num {integer}   Sequence number(1-255). range[0-255]
            set interface {string}   Interface name. size[15] - datasource(s): system.interface.name
            set gateway {ipv4 address}   The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
            set source {ipv4 address}   Source IP address used in the health-check packet to the server.
            set gateway6 {ipv6 address}   IPv6 gateway.
            set source6 {ipv6 address}   Source IPv6 address used in the health-check packet to the server.
            set weight {integer}   Weight of this interface for weighted load balancing. (0 - 255) More traffic is directed to interfaces with higher weights. range[0-255]
            set priority {integer}   Priority of the interface (0 - 4294967295). Used for SD-WAN rules or priority rules. range[0-4294967295]
            set spillover-threshold {integer}   Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. range[0-16776000]
            set ingress-spillover-threshold {integer}   Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. range[0-16776000]
            set volume-ratio {integer}   Measured volume ratio (this value / sum of all values = percentage of link volume, 0 - 255). range[0-255]
            set status {disable | enable}   Enable/disable this interface in the SD-WAN.
            set comment {string}   Comments. size[255]
        next
    config health-check
        edit {name}
        # SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
            set name {string}   Status check or health check name. size[35]
            set addr-mode {ipv4 | ipv6}   Address mode (IPv4 or IPv6).
                    ipv4  IPv4 mode.
                    ipv6  IPv6 mode.
            set server {string}   IP address or FQDN name of the server. size[64]
            set protocol {option}   Protocol used to determine if the FortiGate can communicate with the server.
                    ping      Use PING to test the link with the server.
                    tcp-echo  Use TCP echo to test the link with the server.
                    udp-echo  Use UDP echo to test the link with the server.
                    http      Use HTTP-GET to test the link with the server.
                    twamp     Use TWAMP to test the link with the server.
                    ping6     PING6 link monitor.
            set port {integer}   Port number used to communicate with the server over the selected protocol. range[1-65535]
            set security-mode {none | authentication}   Twamp controller security mode.
                    none            Unauthenticated mode.
                    authentication  Authenticated mode.
            set password {password_string}   Twamp controller password in authentication mode size[128]
            set packet-size {integer}   Packet size of a twamp test session, range[64-1024]
            set http-get {string}   URL used to communicate with the server if the protocol if the protocol is HTTP. size[1024]
            set http-agent {string}   String in the http-agent field in the HTTP header. size[1024]
            set http-match {string}   Response string expected from the server if the protocol is HTTP. size[1024]
            set interval {integer}   Status check interval, or the time between attempting to connect to the server (1 - 3600 sec, default = 5). range[1-3600]
            set failtime {integer}   Number of failures before server is considered lost (1 - 3600, default = 5). range[1-3600]
            set recoverytime {integer}   Number of successful responses received before server is considered recovered (1 - 3600, default = 5). range[1-3600]
            set update-cascade-interface {enable | disable}   Enable/disable update cascade interface.
            set update-static-route {enable | disable}   Enable/disable updating the static route.
            set threshold-warning-packetloss {integer}   Warning threshold for packet loss (percentage, default = 0). range[0-100]
            set threshold-alert-packetloss {integer}   Alert threshold for packet loss (percentage, default = 0). range[0-100]
            set threshold-warning-latency {integer}   Warning threshold for latency (ms, default = 0). range[0-4294967295]
            set threshold-alert-latency {integer}   Alert threshold for latency (ms, default = 0). range[0-4294967295]
            set threshold-warning-jitter {integer}   Warning threshold for jitter (ms, default = 0). range[0-4294967295]
            set threshold-alert-jitter {integer}   Alert threshold for jitter (ms, default = 0). range[0-4294967295]
            config members
                edit {seq-num}
                # Member sequence number list.
                    set seq-num {integer}   Member sequence number. range[0-4294967295] - datasource(s): system.virtual-wan-link.members.seq-num
                next
            config sla
                edit {id}
                # Service level agreement (SLA).
                    set id {integer}   SLA ID. range[1-32]
                    set link-cost-factor {latency | jitter | packet-loss}   Criteria on which to base link selection.
                            latency      Select link based on latency.
                            jitter       Select link based on jitter.
                            packet-loss  Select link based on packet loss.
                    set latency-threshold {integer}   Latency for SLA to make decision in milliseconds. (0 - 10000000, default = 5). range[0-10000000]
                    set jitter-threshold {integer}   Jitter for SLA to make decision in milliseconds. (0 - 10000000, default = 5). range[0-10000000]
                    set packetloss-threshold {integer}   Packet loss for SLA to make decision in percentage. (0 - 100, default = 0). range[0-100]
                next
        next
    config service
        edit {id}
        # Create SD-WAN rules or priority rules (also called services) to control how sessions are distributed to physical interfaces in the SD-WAN.
            set id {integer}   Priority rule ID (1 - 4000). range[1-4000]
            set name {string}   Priority rule name. size[35]
            set addr-mode {ipv4 | ipv6}   Address mode (IPv4 or IPv6).
                    ipv4  IPv4 mode.
                    ipv6  IPv6 mode.
            config input-device
                edit {name}
                # Source interface name.
                    set name {string}   Interface name. size[64] - datasource(s): system.interface.name
                next
            set mode {auto | manual | priority | sla}   Control how the priority rule sets the priority of interfaces in the SD-WAN.
                    auto      Assign interfaces a priority based on quality.
                    manual    Assign interfaces a priority manually.
                    priority  Assign interfaces a priority based on the priority assigned to the interface.
                    sla       Assign link based on selected SLA settings.
            set quality-link {integer}   Quality grade. range[0-255]
            set member {integer}   Member sequence number. range[0-255]
            set tos {string}   Type of service bit pattern.
            set tos-mask {string}   Type of service evaluated bits.
            set protocol {integer}   Protocol number. range[0-255]
            set start-port {integer}   Start destination port number. range[0-65535]
            set end-port {integer}   End destination port number. range[0-65535]
            set route-tag {integer}   IPv4 route map route-tag. range[0-4294967295]
            config dst
                edit {name}
                # Destination address name.
                    set name {string}   Address or address group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            set dst-negate {enable | disable}   Enable/disable negation of destination address match.
            config src
                edit {name}
                # Source address name.
                    set name {string}   Address or address group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            config dst6
                edit {name}
                # Destination address6 name.
                    set name {string}   Address6 or address6 group name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            config src6
                edit {name}
                # Source address6 name.
                    set name {string}   Address6 or address6 group name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            set src-negate {enable | disable}   Enable/disable negation of source address match.
            config users
                edit {name}
                # User name.
                    set name {string}   User name. size[64] - datasource(s): user.local.name
                next
            config groups
                edit {name}
                # User groups.
                    set name {string}   Group name. size[64] - datasource(s): user.group.name
                next
            set internet-service {enable | disable}   Enable/disable use of Internet service for application-based load balancing.
            config internet-service-custom
                edit {name}
                # Custom Internet service name list.
                    set name {string}   Custom Internet service name. size[64] - datasource(s): firewall.internet-service-custom.name
                next
            config internet-service-custom-group
                edit {name}
                # Custom Internet Service group list.
                    set name {string}   Custom Internet Service group name. size[64] - datasource(s): firewall.internet-service-custom-group.name
                next
            config internet-service-id
                edit {id}
                # Internet service ID list.
                    set id {integer}   Internet service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
                next
            config internet-service-group
                edit {name}
                # Internet Service group list.
                    set name {string}   Internet Service group name. size[64] - datasource(s): firewall.internet-service-group.name
                next
            config internet-service-ctrl
                edit {id}
                # Control-based Internet Service ID list.
                    set id {integer}   Control-based Internet Service ID. range[0-4294967295]
                next
            config internet-service-ctrl-group
                edit {name}
                # Control-based Internet Service group list.
                    set name {string}   Control-based Internet Service group name. size[64] - datasource(s): application.group.name
                next
            set health-check {string}   Health check. size[35] - datasource(s): system.virtual-wan-link.health-check.name
            set link-cost-factor {option}   Link cost factor.
                    latency           Select link based on latency.
                    jitter            Select link based on jitter.
                    packet-loss       Select link based on packet loss.
                    inbandwidth       Select link based on available bandwidth of incoming traffic.
                    outbandwidth      Select link based on available bandwidth of outgoing traffic.
                    bibandwidth       Select link based on available bandwidth of bidirectional traffic.
                    custom-profile-1  Select link based on customized profile.
            set packet-loss-weight {integer}   Coefficient of packet-loss in the formula of custom-profile-1. range[0-10000000]
            set latency-weight {integer}   Coefficient of latency in the formula of custom-profile-1. range[0-10000000]
            set jitter-weight {integer}   Coefficient of jitter in the formula of custom-profile-1. range[0-10000000]
            set bandwidth-weight {integer}   Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. range[0-10000000]
            set link-cost-threshold {integer}   Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10). range[0-10000000]
            set hold-down-time {integer}   Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000, default = 0). range[0-10000000]
            set dscp-forward {enable | disable}   Enable/disable forward traffic DSCP tag.
            set dscp-reverse {enable | disable}   Enable/disable reverse traffic DSCP tag.
            set dscp-forward-tag {string}   Forward traffic DSCP tag.
            set dscp-reverse-tag {string}   Reverse traffic DSCP tag.
            config sla
                edit {health-check}
                # Service level agreement (SLA).
                    set health-check {string}   Virtual WAN Link health-check. size[35] - datasource(s): system.virtual-wan-link.health-check.name
                    set id {integer}   SLA ID. range[0-4294967295]
                next
            config priority-members
                edit {seq-num}
                # Member sequence number list.
                    set seq-num {integer}   Member sequence number. range[0-4294967295] - datasource(s): system.virtual-wan-link.members.seq-num
                next
            set status {enable | disable}   Enable/disable SD-WAN service.
            set gateway {enable | disable}   Enable/disable SD-WAN service gateway.
            set default {enable | disable}   Enable/disable use of SD-WAN as default service.
        next
end

Additional information

The following section is for those options that require additional explanation.

{estimated-upstream-bandwidth | estimated-down stream-bandwidth}

These options allows you to set the estimated uplink and downlink bandwidths of a WAN interface.The range of the setting is from 0 to 4294967295 (effectively 2 32). The value is in Kbps.

In the CLI, the fields can be set by using the following syntax:

config system interface

edit <wan interface>

set estimated-upstream-bandwidth <integer from 0 - 4294967295>

set estimated-downstream-bandwidth <integer from 0 - 4294967295>

end

The purpose for these settings is to work with monitoring software such as MRTG (Multi Router Traffic Grapher) to compare the estimated and real bandwith usage. This is not connected to threshold settings.

Status checking or health checking

For load balancing to be effective, there needs to be a constant monitoring of the health and status of the links that make up the virtual WAN link. Customized status checks can be configured to check on health of various aspects the traffic flow going through the link. Using either ICMP packets (PING) or HTTP requests to a designated server. Once the health reaches a specified threshold, the interface can be automatically removed from the virtual WAN link so that the algorithm is not sending traffic to a failed interface and bring down communications for a portion of the FortiGate's clientele.

To configure status or health checking go to Network > WAN Status Check and add status check profiles. You can also configure status and health checking from the CLI. The CLI includes additional options for setting latency, jitter, and pack loss thresholds.

config system virtual-wan-link

set fail-detect [enable | disable]

set fail-alert-interfaces (available only if fail-detect is enabled)

config health-check

edit [Health check name]

set server <string>

set protocol [ping | tcp-echo | udp-echo | http | twamp]

Some of the protocol options cause additional settings to be made available.

http

set port

set http-get

set http-match

twamp

set port

set security-mode[none | authentication]

The security-mode setting authentication generates yet another potential setting, password.

set password

set packet-size

The next settings are available for all protocols.

set interval <integer>

set failtime [1 - 10]

set recoverytime [1 - 10]

set update-cascade-interface [enable | disable]

set update-static-route [enable | disable]

set threshold-warning-latency <integer 0-4294967295>

set threshold-alert-latency <integer 0-4294967295>

set threshold-warning-jitter <integer 0-4294967295>

set threshold-alert-jitter <integer 0-4294967295>

set threshold-warning-packetloss <integer 0-4294967295>

set threshold-alert-packetloss <integer 0-4294967295>

end

config service

Use this configuration method to configure the following settings.

link-cost-threshold <integer>

Note: This entry is only available when mode is set to either auto or priority.

Configure the percentage threshold of change of link cost values that will result in a policy route generation. Set the range between 0 - 10000000. The default threshold is 10.

link-cost-factor {latency | jitter | packet-loss | inbandwidth | outbandwidth | bibandwidth | custom-profile-1}

Note: This entry is only available when mode is set to either auto or priority.

New link cost factor types. Select link based on either available bandwidth of incoming, outgoing, or bidirectional traffic.

Alternatively, use custom-profile-1, which calculates the best link using the following formula (useful for micro-managing the most applications flowing in an enterprise network).

Link Quality = (a * packet loss) + (b * latency) + (c * jitter) + (d / bandwidth)

Once link-cost-factor is set to custom-profile-1, use the following other weight-entries below to customize the link quality, based on the formula above, to your specifications:

  • packet-loss-weight (a)
  • latency-weight (b)
  • jitter-weight (c)
  • bandwidth-weight (d)

Set the range for each entry between 0 - 10000000. The default for each value is 0.

hold-down-time <seconds>

Set a hold down timer that allows you to add a waiting period in seconds when switching from backup members to the primary member. The range is 0 - 10000000 seconds. The default value of 0 disables the timer. Set a timer to prevent switching between links too frequently.

system virtual-wan-link

Use this command to enable and configure SD-WAN (also called WAN link load balancing). You can use the SD-WAN feature to create an SD-WAN interface consisting of two or more interfaces connected to the Internet, usually to different Internet provides. The SD-WAN interface provides redundant Internet connections. SD-WAN load balances traffic between the interfaces added to the SD-WAN interface. If one of the interfaces in the SD-WAN interface goes down, traffic is re-routed to the other interface(s) in the SD-WAN.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

config system virtual-wan-link

config service

edit <id>

set hold-down-time <seconds>

New hold down timer that allows you to add a waiting period in seconds when switching from backup members to the primary member. The range is 0 - 10000000 seconds. The default value of 0 disables the timer. Set a timer to prevent switching between links too frequently.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

config members

edit <id>

set comment [comments]

New option to add comments under the config members configuration method.

Note that config members is only available when status is set to enable.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}

Improved help-text descriptions for each load-balance-mode option.

config health-check

edit <name>

set addr-mode {ipv4 | ipv6}

New option to choose IPv6 as the address mode.

config health-check

edit <name>

set members <seq-number>

Member sequence number list.

config health-check

edit <name>

config sla

edit <id>

set link-cost-factor {latency | jitter | packet-loss}

set latency-threshold <milliseconds>

set jitter-threshold <milliseconds>

set packetloss-threshold <percentage>

next

...

Configure SLA settings under health check to determine the criteria on which to base link selection.

config health-check

edit <name>

set protocol {ping6 | ...}

New support for ping6, to determine if the FortiGate can communicate with the server.

Note that ping6 is only available when addr-mode to set to ipv6.

config health-check

edit <name>

set server <ip/fqdn> [<ip/fqdn>]

Support to configure multiple servers in SD-WAN health-check.

config health-check

edit <name>

set timeout <seconds>

Removed the timeout for how long to wait before not receiving a reply from the server to consider the connetion attempt a failure.

config members

edit <name>

set gateway6 <ipv6-addr>

set source6 <ipv6-addr>

Configure an IPv6 gateway and source IPv6 address used in the health-check packet to the server.

config service

edit <id>

set dst-negate {enable | disable}

set src-negate {enable | disable}

Enable or disable negation of destination and source address match.

config service

edit <id>

set mode {sla | ...}

Assign link based on the selected service level agreement (SLA) settings.

config service

edit <id>

set addr-mode {ipv4 | ipv6}

set input-device <interface>

set dst6 <ipv6-addr-name>

set src6 <ipv6-addr-name>

New option to choose IPv6 as the address mode, along with the source interface name, and IPv6 destination and source address group names.

config service

edit <id>

set dscp-forward {enable | disable}

set dscp-reverse {enable | disable}

set dscp-forward-tag <forward-tag>

set dscp-reverse-tag <reverse-tag>

Support to configure DSCP tagging of forwarded packets based on identified SD-WAN services.

Note that dscp-forward-tag and dscp-reverse-tag are only available when dscp-forward and dscp-reverse are set to enable, respectively.

config service

edit <id>

set link-cost-factor {inbandwidth | outbandwidth | bibandwidth | custom-profile-1 | ...}

New link cost factor types. Note that this entry is only available when mode is set to either auto or priority.

See entry below for further details.

config service

edit <id>

set internet-service-custom-group <name>

set internet-service-group <name>

set internet-service-ctrl <id>

set internet-service-ctrl-group <name>

New custom and control-based Internet service link group options. Set the names of group names, as configured under the corresponding config firewall internet-service and application group name commands.

config service

edit <id>

set route-tag <integer>

IPv4 route map route-tag.
config system virtual-wan-link
    set status {disable | enable}   Enable/disable SD-WAN.
    set load-balance-mode {option}   Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
            source-ip-based        Source IP load balancing. All traffic from a source IP is sent to the same interface.
            weight-based           Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
            usage-based            Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface.
            source-dest-ip-based   Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
            measured-volume-based  Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.
    set fail-detect {enable | disable}   Enable/disable SD-WAN Internet connection status checking (failure detection).
    config fail-alert-interfaces
        edit {name}
        # Physical interfaces that will be alerted.
            set name {string}   Physical interface name. size[64] - datasource(s): system.interface.name
        next
    config members
        edit {seq-num}
        # Physical FortiGate interfaces added to the virtual-wan-link.
            set seq-num {integer}   Sequence number(1-255). range[0-255]
            set interface {string}   Interface name. size[15] - datasource(s): system.interface.name
            set gateway {ipv4 address}   The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
            set source {ipv4 address}   Source IP address used in the health-check packet to the server.
            set gateway6 {ipv6 address}   IPv6 gateway.
            set source6 {ipv6 address}   Source IPv6 address used in the health-check packet to the server.
            set weight {integer}   Weight of this interface for weighted load balancing. (0 - 255) More traffic is directed to interfaces with higher weights. range[0-255]
            set priority {integer}   Priority of the interface (0 - 4294967295). Used for SD-WAN rules or priority rules. range[0-4294967295]
            set spillover-threshold {integer}   Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. range[0-16776000]
            set ingress-spillover-threshold {integer}   Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. range[0-16776000]
            set volume-ratio {integer}   Measured volume ratio (this value / sum of all values = percentage of link volume, 0 - 255). range[0-255]
            set status {disable | enable}   Enable/disable this interface in the SD-WAN.
            set comment {string}   Comments. size[255]
        next
    config health-check
        edit {name}
        # SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
            set name {string}   Status check or health check name. size[35]
            set addr-mode {ipv4 | ipv6}   Address mode (IPv4 or IPv6).
                    ipv4  IPv4 mode.
                    ipv6  IPv6 mode.
            set server {string}   IP address or FQDN name of the server. size[64]
            set protocol {option}   Protocol used to determine if the FortiGate can communicate with the server.
                    ping      Use PING to test the link with the server.
                    tcp-echo  Use TCP echo to test the link with the server.
                    udp-echo  Use UDP echo to test the link with the server.
                    http      Use HTTP-GET to test the link with the server.
                    twamp     Use TWAMP to test the link with the server.
                    ping6     PING6 link monitor.
            set port {integer}   Port number used to communicate with the server over the selected protocol. range[1-65535]
            set security-mode {none | authentication}   Twamp controller security mode.
                    none            Unauthenticated mode.
                    authentication  Authenticated mode.
            set password {password_string}   Twamp controller password in authentication mode size[128]
            set packet-size {integer}   Packet size of a twamp test session, range[64-1024]
            set http-get {string}   URL used to communicate with the server if the protocol if the protocol is HTTP. size[1024]
            set http-agent {string}   String in the http-agent field in the HTTP header. size[1024]
            set http-match {string}   Response string expected from the server if the protocol is HTTP. size[1024]
            set interval {integer}   Status check interval, or the time between attempting to connect to the server (1 - 3600 sec, default = 5). range[1-3600]
            set failtime {integer}   Number of failures before server is considered lost (1 - 3600, default = 5). range[1-3600]
            set recoverytime {integer}   Number of successful responses received before server is considered recovered (1 - 3600, default = 5). range[1-3600]
            set update-cascade-interface {enable | disable}   Enable/disable update cascade interface.
            set update-static-route {enable | disable}   Enable/disable updating the static route.
            set threshold-warning-packetloss {integer}   Warning threshold for packet loss (percentage, default = 0). range[0-100]
            set threshold-alert-packetloss {integer}   Alert threshold for packet loss (percentage, default = 0). range[0-100]
            set threshold-warning-latency {integer}   Warning threshold for latency (ms, default = 0). range[0-4294967295]
            set threshold-alert-latency {integer}   Alert threshold for latency (ms, default = 0). range[0-4294967295]
            set threshold-warning-jitter {integer}   Warning threshold for jitter (ms, default = 0). range[0-4294967295]
            set threshold-alert-jitter {integer}   Alert threshold for jitter (ms, default = 0). range[0-4294967295]
            config members
                edit {seq-num}
                # Member sequence number list.
                    set seq-num {integer}   Member sequence number. range[0-4294967295] - datasource(s): system.virtual-wan-link.members.seq-num
                next
            config sla
                edit {id}
                # Service level agreement (SLA).
                    set id {integer}   SLA ID. range[1-32]
                    set link-cost-factor {latency | jitter | packet-loss}   Criteria on which to base link selection.
                            latency      Select link based on latency.
                            jitter       Select link based on jitter.
                            packet-loss  Select link based on packet loss.
                    set latency-threshold {integer}   Latency for SLA to make decision in milliseconds. (0 - 10000000, default = 5). range[0-10000000]
                    set jitter-threshold {integer}   Jitter for SLA to make decision in milliseconds. (0 - 10000000, default = 5). range[0-10000000]
                    set packetloss-threshold {integer}   Packet loss for SLA to make decision in percentage. (0 - 100, default = 0). range[0-100]
                next
        next
    config service
        edit {id}
        # Create SD-WAN rules or priority rules (also called services) to control how sessions are distributed to physical interfaces in the SD-WAN.
            set id {integer}   Priority rule ID (1 - 4000). range[1-4000]
            set name {string}   Priority rule name. size[35]
            set addr-mode {ipv4 | ipv6}   Address mode (IPv4 or IPv6).
                    ipv4  IPv4 mode.
                    ipv6  IPv6 mode.
            config input-device
                edit {name}
                # Source interface name.
                    set name {string}   Interface name. size[64] - datasource(s): system.interface.name
                next
            set mode {auto | manual | priority | sla}   Control how the priority rule sets the priority of interfaces in the SD-WAN.
                    auto      Assign interfaces a priority based on quality.
                    manual    Assign interfaces a priority manually.
                    priority  Assign interfaces a priority based on the priority assigned to the interface.
                    sla       Assign link based on selected SLA settings.
            set quality-link {integer}   Quality grade. range[0-255]
            set member {integer}   Member sequence number. range[0-255]
            set tos {string}   Type of service bit pattern.
            set tos-mask {string}   Type of service evaluated bits.
            set protocol {integer}   Protocol number. range[0-255]
            set start-port {integer}   Start destination port number. range[0-65535]
            set end-port {integer}   End destination port number. range[0-65535]
            set route-tag {integer}   IPv4 route map route-tag. range[0-4294967295]
            config dst
                edit {name}
                # Destination address name.
                    set name {string}   Address or address group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            set dst-negate {enable | disable}   Enable/disable negation of destination address match.
            config src
                edit {name}
                # Source address name.
                    set name {string}   Address or address group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            config dst6
                edit {name}
                # Destination address6 name.
                    set name {string}   Address6 or address6 group name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            config src6
                edit {name}
                # Source address6 name.
                    set name {string}   Address6 or address6 group name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            set src-negate {enable | disable}   Enable/disable negation of source address match.
            config users
                edit {name}
                # User name.
                    set name {string}   User name. size[64] - datasource(s): user.local.name
                next
            config groups
                edit {name}
                # User groups.
                    set name {string}   Group name. size[64] - datasource(s): user.group.name
                next
            set internet-service {enable | disable}   Enable/disable use of Internet service for application-based load balancing.
            config internet-service-custom
                edit {name}
                # Custom Internet service name list.
                    set name {string}   Custom Internet service name. size[64] - datasource(s): firewall.internet-service-custom.name
                next
            config internet-service-custom-group
                edit {name}
                # Custom Internet Service group list.
                    set name {string}   Custom Internet Service group name. size[64] - datasource(s): firewall.internet-service-custom-group.name
                next
            config internet-service-id
                edit {id}
                # Internet service ID list.
                    set id {integer}   Internet service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
                next
            config internet-service-group
                edit {name}
                # Internet Service group list.
                    set name {string}   Internet Service group name. size[64] - datasource(s): firewall.internet-service-group.name
                next
            config internet-service-ctrl
                edit {id}
                # Control-based Internet Service ID list.
                    set id {integer}   Control-based Internet Service ID. range[0-4294967295]
                next
            config internet-service-ctrl-group
                edit {name}
                # Control-based Internet Service group list.
                    set name {string}   Control-based Internet Service group name. size[64] - datasource(s): application.group.name
                next
            set health-check {string}   Health check. size[35] - datasource(s): system.virtual-wan-link.health-check.name
            set link-cost-factor {option}   Link cost factor.
                    latency           Select link based on latency.
                    jitter            Select link based on jitter.
                    packet-loss       Select link based on packet loss.
                    inbandwidth       Select link based on available bandwidth of incoming traffic.
                    outbandwidth      Select link based on available bandwidth of outgoing traffic.
                    bibandwidth       Select link based on available bandwidth of bidirectional traffic.
                    custom-profile-1  Select link based on customized profile.
            set packet-loss-weight {integer}   Coefficient of packet-loss in the formula of custom-profile-1. range[0-10000000]
            set latency-weight {integer}   Coefficient of latency in the formula of custom-profile-1. range[0-10000000]
            set jitter-weight {integer}   Coefficient of jitter in the formula of custom-profile-1. range[0-10000000]
            set bandwidth-weight {integer}   Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. range[0-10000000]
            set link-cost-threshold {integer}   Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10). range[0-10000000]
            set hold-down-time {integer}   Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000, default = 0). range[0-10000000]
            set dscp-forward {enable | disable}   Enable/disable forward traffic DSCP tag.
            set dscp-reverse {enable | disable}   Enable/disable reverse traffic DSCP tag.
            set dscp-forward-tag {string}   Forward traffic DSCP tag.
            set dscp-reverse-tag {string}   Reverse traffic DSCP tag.
            config sla
                edit {health-check}
                # Service level agreement (SLA).
                    set health-check {string}   Virtual WAN Link health-check. size[35] - datasource(s): system.virtual-wan-link.health-check.name
                    set id {integer}   SLA ID. range[0-4294967295]
                next
            config priority-members
                edit {seq-num}
                # Member sequence number list.
                    set seq-num {integer}   Member sequence number. range[0-4294967295] - datasource(s): system.virtual-wan-link.members.seq-num
                next
            set status {enable | disable}   Enable/disable SD-WAN service.
            set gateway {enable | disable}   Enable/disable SD-WAN service gateway.
            set default {enable | disable}   Enable/disable use of SD-WAN as default service.
        next
end

Additional information

The following section is for those options that require additional explanation.

{estimated-upstream-bandwidth | estimated-down stream-bandwidth}

These options allows you to set the estimated uplink and downlink bandwidths of a WAN interface.The range of the setting is from 0 to 4294967295 (effectively 2 32). The value is in Kbps.

In the CLI, the fields can be set by using the following syntax:

config system interface

edit <wan interface>

set estimated-upstream-bandwidth <integer from 0 - 4294967295>

set estimated-downstream-bandwidth <integer from 0 - 4294967295>

end

The purpose for these settings is to work with monitoring software such as MRTG (Multi Router Traffic Grapher) to compare the estimated and real bandwith usage. This is not connected to threshold settings.

Status checking or health checking

For load balancing to be effective, there needs to be a constant monitoring of the health and status of the links that make up the virtual WAN link. Customized status checks can be configured to check on health of various aspects the traffic flow going through the link. Using either ICMP packets (PING) or HTTP requests to a designated server. Once the health reaches a specified threshold, the interface can be automatically removed from the virtual WAN link so that the algorithm is not sending traffic to a failed interface and bring down communications for a portion of the FortiGate's clientele.

To configure status or health checking go to Network > WAN Status Check and add status check profiles. You can also configure status and health checking from the CLI. The CLI includes additional options for setting latency, jitter, and pack loss thresholds.

config system virtual-wan-link

set fail-detect [enable | disable]

set fail-alert-interfaces (available only if fail-detect is enabled)

config health-check

edit [Health check name]

set server <string>

set protocol [ping | tcp-echo | udp-echo | http | twamp]

Some of the protocol options cause additional settings to be made available.

http

set port

set http-get

set http-match

twamp

set port

set security-mode[none | authentication]

The security-mode setting authentication generates yet another potential setting, password.

set password

set packet-size

The next settings are available for all protocols.

set interval <integer>

set failtime [1 - 10]

set recoverytime [1 - 10]

set update-cascade-interface [enable | disable]

set update-static-route [enable | disable]

set threshold-warning-latency <integer 0-4294967295>

set threshold-alert-latency <integer 0-4294967295>

set threshold-warning-jitter <integer 0-4294967295>

set threshold-alert-jitter <integer 0-4294967295>

set threshold-warning-packetloss <integer 0-4294967295>

set threshold-alert-packetloss <integer 0-4294967295>

end

config service

Use this configuration method to configure the following settings.

link-cost-threshold <integer>

Note: This entry is only available when mode is set to either auto or priority.

Configure the percentage threshold of change of link cost values that will result in a policy route generation. Set the range between 0 - 10000000. The default threshold is 10.

link-cost-factor {latency | jitter | packet-loss | inbandwidth | outbandwidth | bibandwidth | custom-profile-1}

Note: This entry is only available when mode is set to either auto or priority.

New link cost factor types. Select link based on either available bandwidth of incoming, outgoing, or bidirectional traffic.

Alternatively, use custom-profile-1, which calculates the best link using the following formula (useful for micro-managing the most applications flowing in an enterprise network).

Link Quality = (a * packet loss) + (b * latency) + (c * jitter) + (d / bandwidth)

Once link-cost-factor is set to custom-profile-1, use the following other weight-entries below to customize the link quality, based on the formula above, to your specifications:

  • packet-loss-weight (a)
  • latency-weight (b)
  • jitter-weight (c)
  • bandwidth-weight (d)

Set the range for each entry between 0 - 10000000. The default for each value is 0.

hold-down-time <seconds>

Set a hold down timer that allows you to add a waiting period in seconds when switching from backup members to the primary member. The range is 0 - 10000000 seconds. The default value of 0 disables the timer. Set a timer to prevent switching between links too frequently.