Handbook

What's new
- Fortinet Security Fabric
- Manageability
- Networking
- Security
  - SSH MITM deep inspection
Getting started
- Installation
- Using the GUI
- Using the CLI
- FortiExplorer for iOS
- LED specifications
- Inspection mode
- Basic administration
- Firmware
- FortiGuard
- FortiCloud
- Troubleshooting your installation
- Resources
Fortinet Security Fabric
- Overview
  - Benefits
  - Components
- Configuration
- Using the Fortinet Security Fabric
- Automation stitches
- Fabric Connectors
SD-WAN
- Configuring SD-WAN
  - SD-WAN requirements
  - Configuring a basic SD-WAN deployment
- Monitoring SD-WAN
- Applying traffic shaping to SD-WAN traffic
- Viewing SD-WAN information in the Fortinet Security Fabric
High availability
- HA solutions
- FGCP HA
- FGCP HA examples
- Virtual clustering
- Full mesh HA
  - Full mesh HA example
  - Troubleshooting full mesh HA
- Operating a cluster
- Failover protection
- Session failover
- HA and load balancing
- FortiGate-VM and third-party HA
- VRRP
- FGSP
- Standalone configuration sync
Firewall
- Firewall concepts
- IPv6
- Network defense
- Policies
- Addresses
- Virtual IPs
- IP pools
- Services
- Schedules
- WAN optimization, proxies, web caching, and WCCP
- Example topologies
- WAN optimization
- Transparent and explicit proxies
- Explicit web proxy
- Explicit FTP proxy
- Web caching
- WCCP
- WAN optimization diagnose commands
Security Profiles
- Overview
- Inside FortiOS
- Inspection modes
- AntiVirus
- Web filtering
- DNS filter
  - FortiGuard botnet protection
- Application control
- Intrusion prevention
- Anti-spam filter
- Data leak prevention
- ICAP support
- FortiClient Compliance Profiles
- Proxy options
- SSL/SSH inspection
- Other considerations
Authentication
- Introduction to authentication
- Authentication servers
- Users and user groups
- FortiToken Mobile user instructions
- Managing guest access
- Configuring authenticated access
- Captive portals
- Certificate-based authentication
- Single sign-on using a FortiAuthenticator unit
- Single sign-on to Windows AD
- Agent-based FSSO
- SSO using RADIUS accounting records
- Monitoring authenticated users
- Examples and troubleshooting
IPsec VPN
- IPsec VPN concepts
  - VPN tunnels
  - VPN gateways
  - Clients, servers, and peers
  - Encryption
  - Authentication
  - Phase 1 and Phase 2 settings
  - Security Association
  - IKE and IPsec packet processing
- IPsec VPN overview
  - Types of VPNs
  - Planning your VPN
  - General preparation steps
  - How to use this guide to configure an IPsec VPN
- IPsec VPN from the GUI
  - Phase 1 configuration
  - Concentrator
  - IPsec Monitor
- Phase 1 parameters
  - Overview
  - Defining the tunnel ends
  - Choosing Main mode or Aggressive mode
  - Authenticating the FortiGate unit
  - Authenticating remote peers and clients
  - Defining IKE negotiation parameters
  - Using XAuth authentication
  - Dynamic IPsec route control
- Phase 2 parameters
  - Phase 2 settings
  - Configuring Phase 2 parameters
- Defining VPN security policies
  - Defining policy addresses
  - Defining security policies
- Gateway-to-gateway configuration
  - Gateway-to-gateway configuration
  - Testing
- Hub-and-spoke configuration
  - Configuration overview
  - Configure the hub
  - Configure the spokes
  - Dynamic spokes configuration example
- One-Click VPN (OCVPN)
  - General configuration
  - Key exchange
  - Device polling and controller information
  - System states
  - Debugging and logging
- Dynamic DNS configuration
  - Configuration overview
- FortiClient dialup-client configuration
  - Configuration overview
- FortiGate dialup-client configuration
  - Configuration overview
- Supporting IKE Mode Config clients
  - Automatic configuration overview
- Internet-browsing configuration
  - Configuration overview
- Redundant VPN configuration
  - Configuration overview
- Transparent-mode VPN configuration
  - Configuration overview
- IPv6 IPsec VPNs
  - Configuration examples
- L2TP and IPsec (Microsoft VPN)
  - Configuration overview
- GRE over IPsec (Cisco VPN)
  - Configuration overview
- Protecting OSPF with IPsec
  - Configuration overview
- Redundant OSPF routing over IPsec
  - Configuration
- BGP over dynamic IPsec
- IPsec Auto-Discovery VPN (ADVPN)
  - Example ADVPN configuration
- Logging and monitoring
  - Monitoring VPN connections
  - VPN event logs
- Troubleshooting
  - General troubleshooting tips
  - Troubleshooting L2TP and IPsec
  - Troubleshooting GRE over IPsec
SSL VPN
- Overview
- SSL VPN best practices
- Basic configuration
- SSL VPN client
  - FortiClient
  - Tunnel mode client configuration
- SSL VPN web portal
- Setup examples
- Troubleshooting
Networking
- Interfaces
- DNS
- Advanced static routing
- Dynamic routing
- Multicast forwarding
- Modems
- Troubleshooting
Transparent mode
- Overview
  - What is transparent mode?
  - Transparent mode features
- Installation
- Networking in transparent mode
- Firewalls and security in transparent mode
- IPsec VPN in transparent mode
- Using FortiManager and FortiAnalyzer
- High availability in transparent mode
  - Virtual clustering
  - MAC address assignment
- Best practices
VoIP Solutions: SIP
- Inside FortiOS: Voice over IP (VoIP) protection
- Common SIP VoIP configurations
  - Peer to peer configuration
  - SIP proxy server configuration
  - SIP redirect server configuration
  - SIP registrar configuration
  - SIP with a FortiGate
- SIP messages and media protocols
  - Hardware accelerated RTP processing
  - SIP request messages
  - SIP response messages
  - SIP message start line
  - SIP headers
  - The SIP message body and SDP session profiles
  - Example SIP messages
- The SIP session helper
  - SIP session helper configuration overview
  - Viewing, removing, and adding the SIP session helper configuration
  - Changing the port numbers that the SIP session helper listens on
  - Configuration example: SIP session helper in transparent mode
  - SIP session helper diagnose commands
- The SIP ALG
  - Enabling VoIP support from the GUI
  - SIP ALG configuration overview
  - VoIP profiles
  - Changing the port numbers that the SIP ALG listens on
  - Disabling the SIP ALG in a VoIP profile
  - SIP ALG diagnose commands
- Conflicts between the SIP ALG and the session helper
- Stateful SIP tracking, call termination, and session inactivity timeout
  - Adding a media stream timeout for SIP calls
  - Adding an idle dialog setting for SIP calls
  - Changing how long to wait for call setup to complete
- SIP and RTP/RTCP
- How the SIP ALG creates RTP pinholes
- Configuration example: SIP in transparent mode
- RTP enable/disable (RTP bypass)
- Opening and closing SIP register, contact, via and record-route pinholes
- Accepting SIP register responses
- How the SIP ALG performs NAT
  - SIP ALG source address translation
  - SIP ALG destination address translation
  - SIP call re-invite messages
  - How the SIP ALG translates IP addresses in SIP headers
  - How the SIP ALG translates IP addresses in the SIP body
  - SIP NAT scenario: source address translation (source NAT)
  - SIP NAT scenario: destination address translation (destination NAT)
  - SIP NAT configuration example: source address translation (source NAT)
  - SIP NAT configuration example: destination address translation (destination NAT)
  - SIP and RTP source NAT
  - SIP and RTP destination NAT
  - Source NAT with an IP pool
  - Different source and destination NAT for SIP and RTP
  - NAT with IP address conservation
  - Controlling how the SIP ALG NATs SIP contact header line addresses
  - Controlling NAT for addresses in SDP lines
  - Translating SIP session destination ports
  - Translating SIP sessions to multiple destination ports
  - Adding the original IP address and port to the SIP message header after NAT
- Enhancing SIP pinhole security
- Hosted NAT traversal
  - Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
  - Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
  - Restricting the RTP source IP
- SIP over IPv6
- Deep SIP message inspection
  - Actions taken when a malformed message line is found
  - Logging and statistics
  - Deep SIP message inspection best practices
  - Configuring deep SIP message inspection
- Blocking SIP request messages
- SIP rate limiting
  - Limiting the number of SIP dialogs accepted by a security policy
- SIP logging
- Inspecting SIP over SSL/TLS (secure SIP)
  - Adding the SIP server and client certificates
  - Adding SIP over SSL/TLS support to a VoIP profile
- SIP and HA–session failover and geographic redundancy
  - SIP geographic redundancy
  - Supporting geographic redundancy when blocking OPTIONS messages
  - Support for RFC 2543-compliant branch parameters
- SIP and IPS
- SIP debugging
  - SIP debug log format
  - SIP-proxy filter per VDOM
  - SIP-proxy filter command
  - SIP debug setting
  - Display SIP rate-limit data
Best practices
- General considerations
- Customer service and technical support
- Fortinet Knowledge Base
- System and performance
  - Performance
  - Shutting down
- Migration
- Environmental specifications
  - Grounding
  - Rack mounting
- Firmware
- Security Profiles (AV, Web Filtering etc.)
- Networking
- FGCP high availability
  - Heartbeat interfaces
  - Interface monitoring (port monitoring)
- WAN Optimization
- Virtual Domains (VDOMs)
- Explicit proxy
- Wireless
- Logging and reporting
  - Log management
  - System memory and hard disks
Managing devices
- Managing “bring your own device”
- Managing Fortinet devices
Server load balancing
- Inside FortiOS: server load balancing
- Basic load balancing configuration example
- Configuring load balancing
- HTTP and HTTPS load balancing, multiplexing, and persistence
- SSL/TLS load balancing
- IP, TCP, and UDP load balancing
- Example HTTP load balancing to three real web servers
- Example Basic IP load balancing configuration
- Example Adding a server load balance port forwarding virtual IP
- Example Weighted load balancing configuration
- Example HTTP and HTTPS persistence configuration
System administration
- Administrators
- Monitoring
- Replacement messages
- Administration for schools
- PPTP and L2TP
  - Configuring L2TP VPNs
  - L2TP configuration overview
- Session helpers
- Advanced concepts
Traffic shaping
- Overview
- Configuring traffic shaping
- Monitoring traffic shaping
- Traffic shaping examples
- Traffic shaping priority queueing (PRIQ)
- Troubleshooting traffic shaping
Virtual Domains
- VDOMs overview
  - Benefits
  - Configurations
- Configuring VDOMs
- Example configurations
  - Example 1: NAT mode
  - Example 2: NAT and transparent mode
- Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
- Introduction to wireless networking
- Captive portals
- WiFi LAN configuration
- Access point deployment
- Remote AP setup
- Wireless mesh
  - Configuring a meshed WiFi network
  - Configuring a point-to-point bridge
- Hotspot 2.0
- Combining WiFi and wired networks with a software switch
  - FortiAP local bridging (private cloud-managed AP)
  - Using bridged FortiAPs to increase scalability
- Using remote WLAN FortiAPs
- Features for high-density deployments
- Wireless network protection
- Wireless network monitoring
- Wireless network client configuration
- Wireless network examples
  - Basic wireless network example
  - Complex wireless network example
- Managing a FortiAP with FortiCloud
  - FortiCloud-managed FortiAP WiFi
  - FortiCloud-managed FortiAP WiFi without a key
- Using a FortiWiFi unit as a client
  - Using a FortiWiFi unit in the client mode
  - Configuring a FortiAP unit as a WiFi Client in client mode
- Support for location-based services
  - Configuring location tracking
  - Viewing device location data on the FortiGate unit
- Troubleshooting
- Reference
FortiSwitch devices managed by FortiOS
- Connecting FortiLink ports
- Using the FortiGate GUI
- Using the FortiGate CLI
- Network topologies
- Optional setup tasks
- FortiSwitch port features
- FortiSwitch port security policy
- Additional capabilities
- Troubleshooting
FortiOS Carrier
- Overview of FortiOS Carrier features
  - MMS
  - GTP
- MMS Concepts
- MMS Configuration
- GTP basic concepts
- GTP Configuration
- SCTP Concepts
  - SCTP Firewall
- Troubleshooting
Sandbox inspection
- Using FortiSandbox with a FortiGate
  - Connecting a FortiGate to FortiSandbox
  - FortiSandbox console
- Sandbox integration
  - Overview
  - Example configuration
- Sandbox inspection FAQ
FortiView
- Overview
  - Enabling FortiView
  - FortiView interface
- FortiView consoles
- Reference
- Troubleshooting
Logging and reporting
- Logging and reporting overview
- Logging and reporting for small networks
- Logging and reporting for large networks
- Advanced logging
- Troubleshooting and logging
Troubleshooting
- Troubleshooting methodologies
- Troubleshooting tools
- Troubleshooting tips
- Troubleshooting resources

Home FortiGate / FortiOS 6.0.0 Handbook

6.0.0

Using the best quality strategy

The best quality strategy is based on the performance of your network. You can configure SD-WAN rules to dynamically route traffic through the SD-WAN interfaces that have the best link quality. The FortiGate uses the server information that you configured for link health monitoring against the quality criteria that you configure.

The FortiGate can measure link quality based on latency, jitter, packet loss, or bandwidth. For example, you can use the bandwidth options to configure a rule for applications that are primarily used for download and another rule for applications that are primarily used for uploading.

Configure the best quality strategy – GUI

Go to Network > SD-WAN Rules.
Select Create New.
In the Name field, enter a name for the rule.
In the Source section, set any of the following source parameters for matching incoming traffic from your organization’s internal network:

GUI option	Description	Additional configuration steps
Source address	Match traffic based on source IP address.	Select +. In the Select Entries window, select one or more source IP addresses. Select Close.
User group	Match traffic based on users and user groups.	Select +. In the Select Entries window, select one or more users and user groups. Select Close.

In the Destination section, set any of the following destination parameters for matching incoming traffic from your organization’s internal network:

GUI option	Description	Additional configuration steps
Address	Match traffic based on destination IP address, destination port number, and type of service (ToS). If you configure this option, you can’t configure Internet Service or Application options.	Select +. In the Select Entries window, select one or more destination IP addresses. Select Close. In the Protocol number field, select TCP, UDP, ANY, or Specify. If you select TCP or UDP, specify a Port range. If you select Specify, specify a protocol number, a Type of service, and a Bit Mask.
Internet Service	Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups. If you configure this option, you can’t configure the destination Address options.	Select +. In the Select Entries window, select one or more Internet services or Internet service groups from the list. Select Close.
Application	Match traffic based on applications and application control groups. If you configure this option, you can’t configure the destination Address options.	Select +. In the Select Entries window, select one or more applications or application control groups. Select Close.

GUI option

Description

Additional configuration steps

Address

Match traffic based on destination IP address, destination port number, and type of service (ToS).

If you configure this option, you can’t configure Internet Service or Application options.

Select +.
In the Select Entries window, select one or more destination IP addresses. Select Close.
In the Protocol number field, select TCP, UDP, ANY, or Specify.
If you select TCP or UDP, specify a Port range.
If you select Specify, specify a protocol number, a Type of service, and a Bit Mask.

Internet Service

Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups.

If you configure this option, you can’t configure the destination Address options.

Select +.
In the Select Entries window, select one or more Internet services or Internet service groups from the list.
Select Close.

Application

Match traffic based on applications and application control groups.

If you configure this option, you can’t configure the destination Address options.

Select +.
In the Select Entries window, select one or more applications or application control groups.
Select Close.

In the Outgoing Interfaces section, configure the following criteria for choosing which SD-WAN member interface to route traffic through:

GUI option	Description	Additional configuration steps
Strategy	The strategy that you want the SD-WAN rules to use.	Select Best Quality.
Interface preference	One or more interfaces, in order of priority, that you want the FortiGate to use. If you select more than one interface, the FortiGate uses the first interface in the list until the quality of that link falls below the quality of the next interface in the list. Then it uses the next interface in the list. You can configure the link quality threshold in the CLI. The default is 10%. Note that although the `link-cost-threshold` setting is defined as a percentage, you can set it to a value higher than 100%. For example, if you want the FortiGate to change interfaces only when the next link is at least five times better than the current link, set the `link-cost-threshold` value to 500.	In the Interface preference field, select +. In the Select Entries window, select one or more interfaces. Select Close. Optionally, change the link quality threshold: config system virtual-wan-link config service edit <rule_id> set link-cost-threshold <percentage> next end end The range is 0 to 10000000. The default is 10.
Measured SLA	The name of the performance SLA that includes the servers that you want the FortiGate to use to measure the quality of the links. If you haven’t yet configured a performance SLA that you want to use, you can also use this option to create a new performance SLA.	Select the name of the performance SLA from the drop-down list, or select + to create a new performance SLA. Select Close.
Quality criteria	The criteria that you want the FortiGate to use when it measures and compares the quality of the interfaces in the interface preference list, including latency, jitter, packet loss, downstream bandwidth, upstream bandwidth, and bidirectional bandwidth. You can also create a custom profile that allows you to use one or more of these as criteria. The FortiGate then uses the following formula to calculate link quality: (alatency) + (bjitter) + (cpacket loss) + (d/bandwidth). The larger the value, the more weight that criteria will have in the selection. Leave the weight value at zero to exclude that criteria from the equation. This field appears only if you select more than one interface in the Interface preference* field.	Select the criteria option that you want the FortiGate to use to measure the quality of the links. If you select custom-profile-1, set weights for each criteria in the latency-weight, jitter-weight, packet-loss-weight, and bandwidth-weight fields.

Select OK.
Go to Network > SD-WAN Rules to see the SD-WAN rules. You can drag and drop the rules to reorder them.

Configure the best quality strategy – CLI

In the CLI, an SD-WAN rule is called a service.

config system virtual-wan-link

config service

edit <rule_id>

set name <rule_name>

set addr-mode {ipv4 | ipv6}

end

Configure the source parameters:

CLI option	Description	Additional configuration steps
`set {src \| src6} <address_list>`	This is the same as the Source address option in the GUI.	None
`set groups <group_list>`	This is the same as the User group option in the GUI.	None

Configure the destination parameters:

CLI option	Description	Additional configuration steps
`set {dst \| dst6} <address_list>`	This is the same as the Address option in the GUI. The address list or address group list.	None
`set protocol <protocol_number>`	This is the same as the Protocol number option in the GUI.	If you set a specific protocol, you might also need to set additional values, such as: set start-port <port_number set end-port <port_number> set tos <bit_pattern> set tos-mask <evaluated_bits> For more information, see the FortiOS CLI Reference.
`set internet-service enable`	This is the same as the Internet Service and Application options in the GUI.	If you enable the internet-service option, set any of these options: set internet-service-custom <name_list> set internet-service-custom-group <group_list> set internet-service-id <id_list> set internet-service-group <group_list> set internet-service-ctrl <id_list> set internet-service-ctrl-group <group_list> For more information, see the FortiOS CLI Reference.

CLI option

Description

Additional configuration steps

set {dst | dst6} <address_list>

This is the same as the Address option in the GUI.

The address list or address group list.

None

set protocol <protocol_number>

This is the same as the Protocol number option in the GUI.

If you set a specific protocol, you might also need to set additional values, such as:

set start-port <port_number

set end-port <port_number>

set tos <bit_pattern>

set tos-mask <evaluated_bits>

For more information, see the FortiOS CLI Reference.

set internet-service enable

This is the same as the Internet Service and Application options in the GUI.

If you enable the internet-service option, set any of these options:

set internet-service-custom <name_list>

set internet-service-custom-group <group_list>

set internet-service-id <id_list>

set internet-service-group <group_list>

set internet-service-ctrl <id_list>

set internet-service-ctrl-group <group_list>

For more information, see the FortiOS CLI Reference.

Configure outgoing interface parameters:

CLI option	Description	Additional configuration steps
`set mode priority`	This is the same as the Best Quality in the GUI.	None
`set priority-members <member_sequence_list>`	This is the same as the Interface preference option in the GUI.	None
`set health-check <sla_name>`	This is the same as the Measured SLA option in the GUI.	None
`set link-cost-factor {latency \| jitter \| packet-loss \| inbandwidth \| outbandwidth \| bibandwidth \| custom-profile-1}`	This is the same as the Quality criteria option in the GUI.	If you set this to `custom-profile-1`, configure the following: set latency-weight <weight> set jitter-weight <weight> set packet-loss-weight <weight> set bandwidth <weight>

Using the best quality strategy

Configure the best quality strategy – GUI

Go to Network > SD-WAN Rules.
Select Create New.
In the Name field, enter a name for the rule.
In the Source section, set any of the following source parameters for matching incoming traffic from your organization’s internal network:

GUI option	Description	Additional configuration steps
Source address	Match traffic based on source IP address.	Select +. In the Select Entries window, select one or more source IP addresses. Select Close.
User group	Match traffic based on users and user groups.	Select +. In the Select Entries window, select one or more users and user groups. Select Close.

In the Destination section, set any of the following destination parameters for matching incoming traffic from your organization’s internal network:

GUI option	Description	Additional configuration steps
Address	Match traffic based on destination IP address, destination port number, and type of service (ToS). If you configure this option, you can’t configure Internet Service or Application options.	Select +. In the Select Entries window, select one or more destination IP addresses. Select Close. In the Protocol number field, select TCP, UDP, ANY, or Specify. If you select TCP or UDP, specify a Port range. If you select Specify, specify a protocol number, a Type of service, and a Bit Mask.
Internet Service	Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups. If you configure this option, you can’t configure the destination Address options.	Select +. In the Select Entries window, select one or more Internet services or Internet service groups from the list. Select Close.
Application	Match traffic based on applications and application control groups. If you configure this option, you can’t configure the destination Address options.	Select +. In the Select Entries window, select one or more applications or application control groups. Select Close.

GUI option

Description

Additional configuration steps

Address

Match traffic based on destination IP address, destination port number, and type of service (ToS).

If you configure this option, you can’t configure Internet Service or Application options.

Select +.
In the Select Entries window, select one or more destination IP addresses. Select Close.
In the Protocol number field, select TCP, UDP, ANY, or Specify.
If you select TCP or UDP, specify a Port range.
If you select Specify, specify a protocol number, a Type of service, and a Bit Mask.

Internet Service

Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups.

If you configure this option, you can’t configure the destination Address options.

Select +.
In the Select Entries window, select one or more Internet services or Internet service groups from the list.
Select Close.

Application

Match traffic based on applications and application control groups.

If you configure this option, you can’t configure the destination Address options.

Select +.
In the Select Entries window, select one or more applications or application control groups.
Select Close.

In the Outgoing Interfaces section, configure the following criteria for choosing which SD-WAN member interface to route traffic through:

GUI option	Description	Additional configuration steps
Strategy	The strategy that you want the SD-WAN rules to use.	Select Best Quality.
Interface preference	One or more interfaces, in order of priority, that you want the FortiGate to use. If you select more than one interface, the FortiGate uses the first interface in the list until the quality of that link falls below the quality of the next interface in the list. Then it uses the next interface in the list. You can configure the link quality threshold in the CLI. The default is 10%. Note that although the `link-cost-threshold` setting is defined as a percentage, you can set it to a value higher than 100%. For example, if you want the FortiGate to change interfaces only when the next link is at least five times better than the current link, set the `link-cost-threshold` value to 500.	In the Interface preference field, select +. In the Select Entries window, select one or more interfaces. Select Close. Optionally, change the link quality threshold: config system virtual-wan-link config service edit <rule_id> set link-cost-threshold <percentage> next end end The range is 0 to 10000000. The default is 10.
Measured SLA	The name of the performance SLA that includes the servers that you want the FortiGate to use to measure the quality of the links. If you haven’t yet configured a performance SLA that you want to use, you can also use this option to create a new performance SLA.	Select the name of the performance SLA from the drop-down list, or select + to create a new performance SLA. Select Close.
Quality criteria	The criteria that you want the FortiGate to use when it measures and compares the quality of the interfaces in the interface preference list, including latency, jitter, packet loss, downstream bandwidth, upstream bandwidth, and bidirectional bandwidth. You can also create a custom profile that allows you to use one or more of these as criteria. The FortiGate then uses the following formula to calculate link quality: (alatency) + (bjitter) + (cpacket loss) + (d/bandwidth). The larger the value, the more weight that criteria will have in the selection. Leave the weight value at zero to exclude that criteria from the equation. This field appears only if you select more than one interface in the Interface preference* field.	Select the criteria option that you want the FortiGate to use to measure the quality of the links. If you select custom-profile-1, set weights for each criteria in the latency-weight, jitter-weight, packet-loss-weight, and bandwidth-weight fields.

Select OK.
Go to Network > SD-WAN Rules to see the SD-WAN rules. You can drag and drop the rules to reorder them.

Configure the best quality strategy – CLI

In the CLI, an SD-WAN rule is called a service.

config system virtual-wan-link

config service

edit <rule_id>

set name <rule_name>

set addr-mode {ipv4 | ipv6}

end

Configure the source parameters:

CLI option	Description	Additional configuration steps
`set {src \| src6} <address_list>`	This is the same as the Source address option in the GUI.	None
`set groups <group_list>`	This is the same as the User group option in the GUI.	None

Configure the destination parameters:

CLI option	Description	Additional configuration steps
`set {dst \| dst6} <address_list>`	This is the same as the Address option in the GUI. The address list or address group list.	None
`set protocol <protocol_number>`	This is the same as the Protocol number option in the GUI.	If you set a specific protocol, you might also need to set additional values, such as: set start-port <port_number set end-port <port_number> set tos <bit_pattern> set tos-mask <evaluated_bits> For more information, see the FortiOS CLI Reference.
`set internet-service enable`	This is the same as the Internet Service and Application options in the GUI.	If you enable the internet-service option, set any of these options: set internet-service-custom <name_list> set internet-service-custom-group <group_list> set internet-service-id <id_list> set internet-service-group <group_list> set internet-service-ctrl <id_list> set internet-service-ctrl-group <group_list> For more information, see the FortiOS CLI Reference.

CLI option

Description

Additional configuration steps

set {dst | dst6} <address_list>

This is the same as the Address option in the GUI.

The address list or address group list.

None

set protocol <protocol_number>

This is the same as the Protocol number option in the GUI.

If you set a specific protocol, you might also need to set additional values, such as:

set start-port <port_number

set end-port <port_number>

set tos <bit_pattern>

set tos-mask <evaluated_bits>

For more information, see the FortiOS CLI Reference.

set internet-service enable

This is the same as the Internet Service and Application options in the GUI.

If you enable the internet-service option, set any of these options:

set internet-service-custom <name_list>

set internet-service-custom-group <group_list>

set internet-service-id <id_list>

set internet-service-group <group_list>

set internet-service-ctrl <id_list>

set internet-service-ctrl-group <group_list>

For more information, see the FortiOS CLI Reference.

Configure outgoing interface parameters:

CLI option	Description	Additional configuration steps
`set mode priority`	This is the same as the Best Quality in the GUI.	None
`set priority-members <member_sequence_list>`	This is the same as the Interface preference option in the GUI.	None
`set health-check <sla_name>`	This is the same as the Measured SLA option in the GUI.	None
`set link-cost-factor {latency \| jitter \| packet-loss \| inbandwidth \| outbandwidth \| bibandwidth \| custom-profile-1}`	This is the same as the Quality criteria option in the GUI.	If you set this to `custom-profile-1`, configure the following: set latency-weight <weight> set jitter-weight <weight> set packet-loss-weight <weight> set bandwidth <weight>

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Handbook

Using the best quality strategy

Using the best quality strategy

Configure the best quality strategy – GUI

Configure the best quality strategy – CLI

Using the best quality strategy

Using the best quality strategy

Configure the best quality strategy – GUI

Configure the best quality strategy – CLI