Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.2.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.0
    6.0.0
    5.6.0
    5.4.0

    Using DHCP interface

    Using DHCP interface

    This recipe provides a sample configuration for customer using the DHCP interface as SD-WAN members. SD-WAN members can be all static IP interfaces, all DHCP interfaces, or a mix of both IP and DHCP interfaces.

    In this example, a customer who has two ISP internet connections: wan1 and wan2. wan1 is a DHCP interface and wan2 is a static IP address interface.

    Sample topology

    To configure DHCP interface on the GUI:
    1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members.
      1. Go to Network > SD-WAN and ensure Status is Enable.
      2. In the SD-WAN Interface Members section, click the + button and add two members: wan1 and wan2.
        • For the static IP member, enter the Gateway address.
        • For the DHCP member, do not change the Gateway.
      3. Click Apply.
    2. Create static route and enable virtual-wan-link.
      1. Go to Network > Static Routes and click Create New.
      2. Click the Interface dropdown list and select SD-WAN.
      3. Click OK.
    3. Create policy for this traffic.
      1. Go to Policy & Objects > IPv4 Policy and click Create New.
      2. For the Incoming Interface, select dmz.
      3. For the Outgoing Interface, select SD-WAN
      4. Configure other options as needed.
      5. Click OK.

    Outgoing traffic is balanced between wan1 and wan2 at about 50% each.

    To configure the interface on the CLI:
    config system interface 
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end
    To configure SD-WAN on the CLI:
    config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
end
    To configure static route on the CLI:
    config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end
    To configure firewall policy on the CLI:
    config firewall policy
    edit 2
        set name "VWL"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
    To use the diagnose command to check SD-WAN state:
    # diagnose sys virtual-wan-link member 
Member(1): interface: wan1, gateway: 172.16.20.2, priority: 0, weight: 0 
Member(2): interface: wan2, gateway: 10.100.20.2, priority: 0, weight: 0
    Previous
    Next

    Using DHCP interface

    Using DHCP interface

    This recipe provides a sample configuration for customer using the DHCP interface as SD-WAN members. SD-WAN members can be all static IP interfaces, all DHCP interfaces, or a mix of both IP and DHCP interfaces.

    In this example, a customer who has two ISP internet connections: wan1 and wan2. wan1 is a DHCP interface and wan2 is a static IP address interface.

    Sample topology

    To configure DHCP interface on the GUI:
    1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members.
      1. Go to Network > SD-WAN and ensure Status is Enable.
      2. In the SD-WAN Interface Members section, click the + button and add two members: wan1 and wan2.
        • For the static IP member, enter the Gateway address.
        • For the DHCP member, do not change the Gateway.
      3. Click Apply.
    2. Create static route and enable virtual-wan-link.
      1. Go to Network > Static Routes and click Create New.
      2. Click the Interface dropdown list and select SD-WAN.
      3. Click OK.
    3. Create policy for this traffic.
      1. Go to Policy & Objects > IPv4 Policy and click Create New.
      2. For the Incoming Interface, select dmz.
      3. For the Outgoing Interface, select SD-WAN
      4. Configure other options as needed.
      5. Click OK.

    Outgoing traffic is balanced between wan1 and wan2 at about 50% each.

    To configure the interface on the CLI:
    config system interface 
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end
    To configure SD-WAN on the CLI:
    config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
end
    To configure static route on the CLI:
    config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end
    To configure firewall policy on the CLI:
    config firewall policy
    edit 2
        set name "VWL"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
    To use the diagnose command to check SD-WAN state:
    # diagnose sys virtual-wan-link member 
Member(1): interface: wan1, gateway: 172.16.20.2, priority: 0, weight: 0 
Member(2): interface: wan2, gateway: 10.100.20.2, priority: 0, weight: 0
    Previous
    Next