system virtual-wan-link
Use this command to enable and configure SD-WAN (also called WAN link load balancing). You can use the SD-WAN feature to create an SD-WAN interface consisting of two or more interfaces connected to the Internet, usually through different Internet providers. The SD-WAN interface provides redundant Internet connections. SD-WAN load balances traffic between the interfaces (members) added to the SD-WAN interface. If one of the members goes down, traffic is re-routed to the other member(s) in the SD-WAN.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.
Command | Description |
---|---|
config system virtual-wan-link config service edit <id> set hold-down-time <seconds> | New hold-down timer that adds a waiting period in seconds when switching from backup members back to the primary member. The range is 0 - 10000000 seconds. The default value of 0 disables the timer. Set a timer to prevent switching between links too frequently. |
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.
Command | Description |
---|---|
config members edit <id> set comment [comments] | New option to add comments under the config members command. Note that |
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
set load-balance-mode {source-ip-based \| weight-based \| usage-based \| source-dest-ip-based \| measured-volume-based} | Improved help-text descriptions for each load-balancing mode. |
config health-check edit <name> set addr-mode {ipv4 \| ipv6} | New option to choose IPv6 as the address mode. |
config health-check edit <name> set members <seq-number> | Member sequence number list. |
config health-check edit <name> config sla edit <id> set link-cost-factor {latency \| jitter \| packet-loss} set latency-threshold <milliseconds> set jitter-threshold <milliseconds> set packetloss-threshold <percentage> next ... | Configure SLA settings under the health check to determine the criteria on which to base link selection. |
config health-check edit <name> set protocol {ping6 \| ...} | New support for ping6, to determine if the FortiGate can communicate with the server. Note that |
config health-check edit <name> set server <ip/fqdn> [<ip/fqdn>] | Support to configure multiple servers in an SD-WAN health check. |
config health-check edit <name> set timeout <seconds> | Removed. This was the timeout for how long to wait for a reply from the server before considering the connection attempt a failure. |
config members edit <name> set gateway6 <ipv6-addr> set source6 <ipv6-addr> | Configure an IPv6 gateway and the source IPv6 address used in the health-check packet to the server. |
config service edit <id> set dst-negate {enable \| disable} set src-negate {enable \| disable} | Enable or disable negation of the destination and source address match. |
config service edit <id> set mode {sla \| ...} | Assign the link based on the selected service level agreement (SLA) settings. |
config service edit <id> set addr-mode {ipv4 \| ipv6} set input-device <interface> set dst6 <ipv6-addr-name> set src6 <ipv6-addr-name> | New option to choose IPv6 as the address mode, along with the source interface name and the IPv6 destination and source address group names. |
config service edit <id> set dscp-forward {enable \| disable} set dscp-reverse {enable \| disable} set dscp-forward-tag <forward-tag> set dscp-reverse-tag <reverse-tag> | Support to configure DSCP tagging of forwarded packets based on identified SD-WAN services. Note that |
config service edit <id> set link-cost-factor {inbandwidth \| outbandwidth \| bibandwidth \| custom-profile-1 \| ...} | New link cost factor types. Note that this entry is only available when mode is set to auto or priority. See the entry under Additional information for further details. |
config service edit <id> set internet-service-custom-group <name> set internet-service-group <name> set internet-service-ctrl <id> set internet-service-ctrl-group <name> | New custom and control-based Internet service group options. Set the group names as configured under the corresponding config firewall internet-service commands and the application group command. |
config service edit <id> set route-tag <integer> | IPv4 route map route-tag. |
config system virtual-wan-link
    set status {disable | enable}   Enable/disable SD-WAN.
    set load-balance-mode {option}   Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
        source-ip-based   Source IP load balancing. All traffic from a source IP is sent to the same interface.
        weight-based   Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
        usage-based   Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit, new traffic is sent to the next interface.
        source-dest-ip-based   Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
        measured-volume-based   Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.
    set fail-detect {enable | disable}   Enable/disable SD-WAN Internet connection status checking (failure detection).
    config fail-alert-interfaces   # Physical interfaces that will be alerted.
        edit {name}
            set name {string}   Physical interface name. size[64] - datasource(s): system.interface.name
        next
    config members   # Physical FortiGate interfaces added to the virtual-wan-link.
        edit {seq-num}
            set seq-num {integer}   Sequence number (1-255). range[0-255]
            set interface {string}   Interface name. size[15] - datasource(s): system.interface.name
            set gateway {ipv4 address}   The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
            set source {ipv4 address}   Source IP address used in the health-check packet to the server.
            set gateway6 {ipv6 address}   IPv6 gateway.
            set source6 {ipv6 address}   Source IPv6 address used in the health-check packet to the server.
            set weight {integer}   Weight of this interface for weighted load balancing (0 - 255). More traffic is directed to interfaces with higher weights. range[0-255]
            set priority {integer}   Priority of the interface (0 - 4294967295). Used for SD-WAN rules or priority rules. range[0-4294967295]
            set spillover-threshold {integer}   Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. range[0-16776000]
            set ingress-spillover-threshold {integer}   Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. range[0-16776000]
            set volume-ratio {integer}   Measured volume ratio (this value / sum of all values = percentage of link volume, 0 - 255). range[0-255]
            set status {disable | enable}   Enable/disable this interface in the SD-WAN.
            set comment {string}   Comments. size[255]
        next
    config health-check   # SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
        edit {name}
            set name {string}   Status check or health check name. size[35]
            set addr-mode {ipv4 | ipv6}   Address mode (IPv4 or IPv6).
                ipv4   IPv4 mode.
                ipv6   IPv6 mode.
            set server {string}   IP address or FQDN name of the server. size[64]
            set protocol {option}   Protocol used to determine if the FortiGate can communicate with the server.
                ping   Use PING to test the link with the server.
                tcp-echo   Use TCP echo to test the link with the server.
                udp-echo   Use UDP echo to test the link with the server.
                http   Use HTTP-GET to test the link with the server.
                twamp   Use TWAMP to test the link with the server.
                ping6   PING6 link monitor.
            set port {integer}   Port number used to communicate with the server over the selected protocol. range[1-65535]
            set security-mode {none | authentication}   TWAMP controller security mode.
                none   Unauthenticated mode.
                authentication   Authenticated mode.
            set password {password_string}   TWAMP controller password in authentication mode. size[128]
            set packet-size {integer}   Packet size of a TWAMP test session. range[64-1024]
            set http-get {string}   URL used to communicate with the server if the protocol is HTTP. size[1024]
            set http-agent {string}   String in the http-agent field in the HTTP header. size[1024]
            set http-match {string}   Response string expected from the server if the protocol is HTTP. size[1024]
            set interval {integer}   Status check interval, or the time between attempts to connect to the server (1 - 3600 sec, default = 5). range[1-3600]
            set failtime {integer}   Number of failures before the server is considered lost (1 - 3600, default = 5). range[1-3600]
            set recoverytime {integer}   Number of successful responses received before the server is considered recovered (1 - 3600, default = 5). range[1-3600]
            set update-cascade-interface {enable | disable}   Enable/disable update cascade interface.
            set update-static-route {enable | disable}   Enable/disable updating the static route.
            set threshold-warning-packetloss {integer}   Warning threshold for packet loss (percentage, default = 0). range[0-100]
            set threshold-alert-packetloss {integer}   Alert threshold for packet loss (percentage, default = 0). range[0-100]
            set threshold-warning-latency {integer}   Warning threshold for latency (ms, default = 0). range[0-4294967295]
            set threshold-alert-latency {integer}   Alert threshold for latency (ms, default = 0). range[0-4294967295]
            set threshold-warning-jitter {integer}   Warning threshold for jitter (ms, default = 0). range[0-4294967295]
            set threshold-alert-jitter {integer}   Alert threshold for jitter (ms, default = 0). range[0-4294967295]
            config members   # Member sequence number list.
                edit {seq-num}
                    set seq-num {integer}   Member sequence number. range[0-4294967295] - datasource(s): system.virtual-wan-link.members.seq-num
                next
            config sla   # Service level agreement (SLA).
                edit {id}
                    set id {integer}   SLA ID. range[1-32]
                    set link-cost-factor {latency | jitter | packet-loss}   Criteria on which to base link selection.
                        latency   Select link based on latency.
                        jitter   Select link based on jitter.
                        packet-loss   Select link based on packet loss.
                    set latency-threshold {integer}   Latency for the SLA to make a decision, in milliseconds (0 - 10000000, default = 5). range[0-10000000]
                    set jitter-threshold {integer}   Jitter for the SLA to make a decision, in milliseconds (0 - 10000000, default = 5). range[0-10000000]
                    set packetloss-threshold {integer}   Packet loss for the SLA to make a decision, in percent (0 - 100, default = 0). range[0-100]
                next
        next
    config service   # Create SD-WAN rules or priority rules (also called services) to control how sessions are distributed to physical interfaces in the SD-WAN.
        edit {id}
            set id {integer}   Priority rule ID (1 - 4000). range[1-4000]
            set name {string}   Priority rule name. size[35]
            set addr-mode {ipv4 | ipv6}   Address mode (IPv4 or IPv6).
                ipv4   IPv4 mode.
                ipv6   IPv6 mode.
            config input-device   # Source interface name.
                edit {name}
                    set name {string}   Interface name. size[64] - datasource(s): system.interface.name
                next
            set mode {auto | manual | priority | sla}   Control how the priority rule sets the priority of interfaces in the SD-WAN.
                auto   Assign interfaces a priority based on quality.
                manual   Assign interfaces a priority manually.
                priority   Assign interfaces a priority based on the priority assigned to the interface.
                sla   Assign link based on selected SLA settings.
            set quality-link {integer}   Quality grade. range[0-255]
            set member {integer}   Member sequence number. range[0-255]
            set tos {string}   Type of service bit pattern.
            set tos-mask {string}   Type of service evaluated bits.
            set protocol {integer}   Protocol number. range[0-255]
            set start-port {integer}   Start destination port number. range[0-65535]
            set end-port {integer}   End destination port number. range[0-65535]
            set route-tag {integer}   IPv4 route map route-tag. range[0-4294967295]
            config dst   # Destination address name.
                edit {name}
                    set name {string}   Address or address group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            set dst-negate {enable | disable}   Enable/disable negation of destination address match.
            config src   # Source address name.
                edit {name}
                    set name {string}   Address or address group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            config dst6   # Destination address6 name.
                edit {name}
                    set name {string}   Address6 or address6 group name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            config src6   # Source address6 name.
                edit {name}
                    set name {string}   Address6 or address6 group name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            set src-negate {enable | disable}   Enable/disable negation of source address match.
            config users   # User name.
                edit {name}
                    set name {string}   User name. size[64] - datasource(s): user.local.name
                next
            config groups   # User groups.
                edit {name}
                    set name {string}   Group name. size[64] - datasource(s): user.group.name
                next
            set internet-service {enable | disable}   Enable/disable use of Internet service for application-based load balancing.
            config internet-service-custom   # Custom Internet service name list.
                edit {name}
                    set name {string}   Custom Internet service name. size[64] - datasource(s): firewall.internet-service-custom.name
                next
            config internet-service-custom-group   # Custom Internet Service group list.
                edit {name}
                    set name {string}   Custom Internet Service group name. size[64] - datasource(s): firewall.internet-service-custom-group.name
                next
            config internet-service-id   # Internet service ID list.
                edit {id}
                    set id {integer}   Internet service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
                next
            config internet-service-group   # Internet Service group list.
                edit {name}
                    set name {string}   Internet Service group name. size[64] - datasource(s): firewall.internet-service-group.name
                next
            config internet-service-ctrl   # Control-based Internet Service ID list.
                edit {id}
                    set id {integer}   Control-based Internet Service ID. range[0-4294967295]
                next
            config internet-service-ctrl-group   # Control-based Internet Service group list.
                edit {name}
                    set name {string}   Control-based Internet Service group name. size[64] - datasource(s): application.group.name
                next
            set health-check {string}   Health check. size[35] - datasource(s): system.virtual-wan-link.health-check.name
            set link-cost-factor {option}   Link cost factor.
                latency   Select link based on latency.
                jitter   Select link based on jitter.
                packet-loss   Select link based on packet loss.
                inbandwidth   Select link based on available bandwidth of incoming traffic.
                outbandwidth   Select link based on available bandwidth of outgoing traffic.
                bibandwidth   Select link based on available bandwidth of bidirectional traffic.
                custom-profile-1   Select link based on customized profile.
            set packet-loss-weight {integer}   Coefficient of packet loss in the formula of custom-profile-1. range[0-10000000]
            set latency-weight {integer}   Coefficient of latency in the formula of custom-profile-1. range[0-10000000]
            set jitter-weight {integer}   Coefficient of jitter in the formula of custom-profile-1. range[0-10000000]
            set bandwidth-weight {integer}   Coefficient of the reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. range[0-10000000]
            set link-cost-threshold {integer}   Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10). range[0-10000000]
            set hold-down-time {integer}   Waiting period in seconds when switching from the backup member to the primary member (0 - 10000000, default = 0). range[0-10000000]
            set dscp-forward {enable | disable}   Enable/disable forward traffic DSCP tag.
            set dscp-reverse {enable | disable}   Enable/disable reverse traffic DSCP tag.
            set dscp-forward-tag {string}   Forward traffic DSCP tag.
            set dscp-reverse-tag {string}   Reverse traffic DSCP tag.
            config sla   # Service level agreement (SLA).
                edit {health-check}
                    set health-check {string}   Virtual WAN Link health-check. size[35] - datasource(s): system.virtual-wan-link.health-check.name
                    set id {integer}   SLA ID. range[0-4294967295]
                next
            config priority-members   # Member sequence number list.
                edit {seq-num}
                    set seq-num {integer}   Member sequence number. range[0-4294967295] - datasource(s): system.virtual-wan-link.members.seq-num
                next
            set status {enable | disable}   Enable/disable SD-WAN service.
            set gateway {enable | disable}   Enable/disable SD-WAN service gateway.
            set default {enable | disable}   Enable/disable use of SD-WAN as default service.
        next
end
Additional information
The following section is for those options that require additional explanation.
{estimated-upstream-bandwidth | estimated-downstream-bandwidth}
These options allow you to set the estimated uplink and downlink bandwidths of a WAN interface. The range of the setting is from 0 to 4294967295 (effectively 2^32). The value is in Kbps.
In the CLI, the fields can be set by using the following syntax:
config system interface
    edit <wan interface>
        set estimated-upstream-bandwidth <integer from 0 - 4294967295>
        set estimated-downstream-bandwidth <integer from 0 - 4294967295>
end
The purpose of these settings is to work with monitoring software such as MRTG (Multi Router Traffic Grapher) to compare the estimated and real bandwidth usage. They are not connected to the SD-WAN threshold settings and do not influence link selection.
Status checking or health checking
For load balancing to be effective, the health and status of the links that make up the virtual WAN link must be monitored continuously. Customized status checks can be configured to check the health of various aspects of the traffic flowing through a link, using ICMP (ping or ping6), TCP or UDP echo, HTTP requests, or TWAMP probes to a designated server. Once a link's measured health crosses a specified threshold, the interface can be automatically removed from the virtual WAN link, so that the load-balancing algorithm stops sending traffic to a failed interface and does not take down communications for a portion of the FortiGate's clients. Choose a health-check server that reliably answers the chosen protocol: a public host that rate-limits or drops ICMP will make a healthy link look failed, and an HTTP check without an http-match string only proves that a TCP port answered, not that the application behind it works.
To configure status or health checking, go to Network > WAN Status Check and add status check profiles. You can also configure status and health checking from the CLI. The CLI includes additional options for setting latency, jitter, and packet loss thresholds and for defining SLA targets that SD-WAN rules can reference.
config system virtual-wan-link
    set fail-detect [enable | disable]
    config fail-alert-interfaces   (available only if fail-detect is enabled)
        edit <interface name>
        next
    config health-check
        edit <health check name>
            set addr-mode [ipv4 | ipv6]
            set server <ip/fqdn> [<ip/fqdn>]
            set protocol [ping | tcp-echo | udp-echo | http | twamp | ping6]
Some of the protocol options cause additional settings to be made available.
http
            set port
            set http-get
            set http-agent
            set http-match
twamp
            set port
            set security-mode [none | authentication]
The security-mode setting authentication generates yet another setting, password. Use it: in unauthenticated mode any host that answers on the TWAMP port is accepted as the reflector.
            set password
            set packet-size
The next settings are available for all protocols.
            set interval <integer 1-3600, default 5>
            set failtime <integer 1-3600, default 5>
            set recoverytime <integer 1-3600, default 5>
            set update-cascade-interface [enable | disable]
            set update-static-route [enable | disable]
            set threshold-warning-latency <integer 0-4294967295>
            set threshold-alert-latency <integer 0-4294967295>
            set threshold-warning-jitter <integer 0-4294967295>
            set threshold-alert-jitter <integer 0-4294967295>
            set threshold-warning-packetloss <integer 0-100>
            set threshold-alert-packetloss <integer 0-100>
            set members <seq-number> [<seq-number> ...]
            config sla
                edit <id 1-32>
                    set link-cost-factor [latency | jitter | packet-loss]
                    set latency-threshold <milliseconds>
                    set jitter-threshold <milliseconds>
                    set packetloss-threshold <percentage>
                next
        next
end
config service
Use this configuration method to configure the following settings.
link-cost-threshold <integer>
Note: This entry is only available when mode is set to either auto or priority.
Configure the percentage change in link cost values that will result in policy route regeneration. The range is 0 - 10000000. The default threshold is 10. A very low threshold makes routes flap on every small measurement change; a very high one means a degraded link keeps its traffic until the cost moves a long way.
link-cost-factor {latency | jitter | packet-loss | inbandwidth | outbandwidth | bibandwidth | custom-profile-1}
Note: This entry is only available when mode is set to either auto or priority.
New link cost factor types. Select the link based on latency, jitter, packet loss, or the available bandwidth of incoming, outgoing, or bidirectional traffic.
Alternatively, use custom-profile-1, which calculates the best link using the following formula (useful for fine-tuning link selection for the most important applications flowing in an enterprise network):
Link Quality = (a * packet loss) + (b * latency) + (c * jitter) + (d / bandwidth)
The result is a cost, so the link with the lowest value is preferred; the bandwidth term is the reciprocal of the available bidirectional bandwidth, so a faster link lowers the cost.
Once link-cost-factor is set to custom-profile-1, use the following weight entries to customize the link quality, based on the formula above, to your specifications:
    packet-loss-weight (a)
    latency-weight (b)
    jitter-weight (c)
    bandwidth-weight (d)
Set the range for each entry between 0 - 10000000. The default for each value is 0. Because all four defaults are 0, custom-profile-1 gives every link a cost of 0 until at least one weight is set, and cannot distinguish between links.
hold-down-time <seconds>
Set a hold-down timer that adds a waiting period in seconds when switching from backup members back to the primary member. The range is 0 - 10000000 seconds. The default value of 0 disables the timer. Set a timer to prevent switching between links too frequently.
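The following configuration ties together the health-check procedure from the "Status checking or health checking" section and the config service settings described above. It is an added example written for this page, not configuration taken from Fortinet documentation or from any particular deployment. The interface names (wan1, wan2, dmz), the addresses (RFC 5737 documentation ranges), the probe host probe.example.com, the address group saas-addrgrp, the health-check and rule names, and every weight and threshold value are assumptions chosen to illustrate the options; replace them with your own.

```fortios
# Added example: two-ISP SD-WAN with an HTTP health check that verifies the
# application response, an authenticated TWAMP check, an SLA-mode rule with a
# hold-down timer, and a priority-mode rule using the custom-profile-1 formula.
config system virtual-wan-link
    set status enable
    set load-balance-mode source-dest-ip-based
    # Without fail-detect, a dead member still receives sessions.
    set fail-detect enable
    config fail-alert-interfaces
        edit "dmz"                  # assumed interface that gets the link-down alert
        next
    end
    config members
        edit 1
            set interface "wan1"     # assumed primary ISP interface
            set gateway 198.51.100.1
            set source 198.51.100.10 # source address for health-check probes
            set priority 1
            set comment "Primary ISP"
        next
        edit 2
            set interface "wan2"     # assumed backup ISP interface
            set gateway 203.0.113.1
            set source 203.0.113.10
            set priority 2
            set comment "Backup ISP"
        next
    end
    config health-check
        edit "saas-http"
            set addr-mode ipv4
            set server "probe.example.com"   # assumed probe host
            set protocol http
            set port 80
            set http-get "/health"
            # http-match makes the probe check the body, not just that port 80 answers.
            set http-match "OK"
            set interval 5           # seconds between probes
            set failtime 3           # 3 misses (15 s) before the member is marked lost
            set recoverytime 5       # 5 replies before it is trusted again
            set update-static-route enable
            set threshold-warning-latency 100
            set threshold-alert-latency 250
            set threshold-warning-packetloss 2
            set threshold-alert-packetloss 5
            set members 1 2          # probe both members
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 150    # ms; link meets SLA 1 only below this
                    set packetloss-threshold 2   # percent
                next
            end
        next
        edit "twamp-auth"
            set server "192.0.2.20"  # assumed TWAMP reflector
            set protocol twamp
            set port 862
            # Authentication mode: unauthenticated TWAMP accepts any reflector on the port.
            set security-mode authentication
            set password "replace-with-a-strong-shared-secret"
            set packet-size 256
            set members 1 2
        next
    end
    config service
        # Rules are matched in order; the specific SaaS rule comes before the catch-all.
        edit 1
            set name "saas-sla"
            set mode sla
            set dst "saas-addrgrp"   # assumed firewall address group for the SaaS prefixes
            config sla
                edit "saas-http"
                    set id 1         # require SLA 1 of health check saas-http
                next
            end
            set priority-members 1 2 # prefer wan1 while it meets the SLA, else wan2
            # After wan1 meets the SLA again, wait 300 s before moving sessions back
            # so a link that is flapping around the threshold does not drag traffic with it.
            set hold-down-time 300
            set dscp-forward enable
            set dscp-forward-tag 101110   # EF, as a 6-bit DSCP pattern
        next
        edit 2
            set name "best-quality"
            set mode priority
            set src "all"
            set dst "all"
            set health-check "saas-http"
            set link-cost-factor custom-profile-1
            # cost = 1000*loss + 10*latency + 5*jitter + 100/bandwidth; lowest cost wins.
            set packet-loss-weight 1000
            set latency-weight 10
            set jitter-weight 5
            set bandwidth-weight 100
            set link-cost-threshold 15    # regenerate routes only on a 15 % cost change
            set priority-members 1 2
        next
    end
end
```

SD-WAN rules only choose which member carries a session; a firewall policy from the internal interface to the virtual-wan-link interface is still required before any of this traffic is forwarded. The weights in rule 2 are deliberately lopsided so that one percent of packet loss costs as much as 100 ms of latency; tune them against the applications you care about rather than copying these values.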