SD-WAN enhancements 6.4.2
SD-WAN has been enhanced to include more load balancing hash methods, more health check protocols, and an option to set the minimum number of links required for a rule to take effect.
Minimum number of links for a rule to take effect
You can specify the number of links that must be up for an SD-WAN rule to take effect. If fewer members than that number meet the rule's SLA, the rule is not applied and traffic falls through to the next matching rule or route.
For example: Ports 1 to 4 each have 10Mbps of bandwidth, and port 5 has 50Mbps. An application requires 35Mbps of bandwidth, so the SD-WAN rule balances the traffic between ports 1 to 4 and the minimum number of links is set to four. If one of those links goes down, the rule no longer takes effect and all of the traffic must be passed to port 5.
To set the minimum number of links in a rule:
config system sdwan
    config service
        edit 1
            set mode load-balance
            set minimum-sla-meet-members 4
            set dst <destination>
            config sla
                edit <sla>
                    set id <id>
                next
            end
            set priority-members 1 2 3 4
        next
    end
end
Load balance hash methods
The load balancing strategy in SD-WAN rules can be configured to distribute traffic by round-robin, by a hash of the source IP address, by a hash of the source and destination IP addresses, or by the member with the most available bandwidth.
Hash methods include:
| Hash method | Description |
| --- | --- |
| round-robin | All traffic is distributed across the selected interfaces in equal portions and in circular order. |
| source-ip-based | All traffic from a source IP is sent to the same interface. |
| source-dest-ip-based | All traffic from a source IP to a destination IP is sent to the same interface. |
| inbandwidth | All traffic is distributed to the selected interface with the most available bandwidth for incoming traffic. |
| outbandwidth | All traffic is distributed to the selected interface with the most available bandwidth for outgoing traffic. |
| bibandwidth | All traffic is distributed to the selected interface with the most available bandwidth for both incoming and outgoing traffic. |
To use the load balancing algorithm to steer traffic to an IPv4 address based on a hash method:
config system sdwan
    config service
        edit 1
            set addr-mode ipv4
            set mode load-balance
            set hash-mode {round-robin | source-ip-based | source-dest-ip-based | inbandwidth | outbandwidth | bibandwidth}
            set protocol 1
            set dst "80.1.1.0/24"
            set src "70.1.1.0/24"
            config sla
                edit "h1"
                    set id 1
                next
            end
            set priority-members 1 2 3 4
        next
    end
end
To use the load balancing algorithm to steer traffic to an IPv6 address based on various hash methods:
config system sdwan
    config service
        edit 11
            set addr-mode ipv6
            set mode load-balance
            set hash-mode {round-robin | source-ip-based | source-dest-ip-based | inbandwidth | outbandwidth | bibandwidth}
            config sla
                edit "h6_dns1"
                    set id 1
                next
            end
            set priority-members 1 2
            set dst6 "2032::11"
        next
    end
end
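The following Python model is an added illustration, not FortiOS code, that ties together the two settings described above: `minimum-sla-meet-members` decides whether a rule takes effect at all, and `hash-mode` decides which eligible member a flow is steered to. The member bandwidth figures and the flow addresses are constructed sample values, and the stable hash used for the source-ip-based and source-dest-ip-based modes is an assumption (SHA-256 over the packed addresses); the appliance's actual hash function is not documented on this page, only its property that the same key always lands on the same member.

```python
"""Model of SD-WAN rule member selection (added example, not FortiOS code)."""
import hashlib
import ipaddress
from dataclasses import dataclass, field

HASH_MODES = ("round-robin", "source-ip-based", "source-dest-ip-based",
              "inbandwidth", "outbandwidth", "bibandwidth")


@dataclass
class Member:
    seq: int                # sequence number used in `set priority-members`
    sla_met: bool           # whether the member currently passes its SLA check
    in_avail_mbps: float    # constructed: spare inbound bandwidth
    out_avail_mbps: float   # constructed: spare outbound bandwidth


@dataclass
class Rule:
    priority_members: list                     # list of Member
    minimum_sla_meet_members: int = 1
    hash_mode: str = "round-robin"
    _rr_next: int = field(default=0, repr=False)   # round-robin cursor


def eligible_members(rule):
    """Members that currently meet the SLA attached to the rule."""
    return [m for m in rule.priority_members if m.sla_met]


def rule_in_effect(rule):
    """A rule steers traffic only while at least minimum-sla-meet-members pass."""
    return len(eligible_members(rule)) >= rule.minimum_sla_meet_members


def _stable_hash(*addrs):
    # Stand-in hash (assumption): SHA-256 over the packed addresses works for
    # IPv4 and IPv6 alike and maps the same key to the same member every time.
    h = hashlib.sha256()
    for a in addrs:
        h.update(ipaddress.ip_address(a).packed)
    return int.from_bytes(h.digest()[:8], "big")


def select_member(rule, src, dst):
    """Return the seq of the member a flow is steered to, or None when the
    rule does not take effect because too few members meet the SLA."""
    if rule.hash_mode not in HASH_MODES:
        raise ValueError(f"unknown hash-mode {rule.hash_mode!r}")
    if not rule_in_effect(rule):
        return None
    members = eligible_members(rule)
    if rule.hash_mode == "round-robin":
        m = members[rule._rr_next % len(members)]
        rule._rr_next += 1
    elif rule.hash_mode == "source-ip-based":
        m = members[_stable_hash(src) % len(members)]
    elif rule.hash_mode == "source-dest-ip-based":
        m = members[_stable_hash(src, dst) % len(members)]
    elif rule.hash_mode == "inbandwidth":
        m = max(members, key=lambda x: x.in_avail_mbps)
    elif rule.hash_mode == "outbandwidth":
        m = max(members, key=lambda x: x.out_avail_mbps)
    else:  # bibandwidth: most spare bandwidth in both directions combined
        m = max(members, key=lambda x: x.in_avail_mbps + x.out_avail_mbps)
    return m.seq


def demo_minimum_links():
    """The page's scenario: ports 1-4 at 10 Mbps, minimum-sla-meet-members 4.
    Returns (rule in effect before a failure, rule in effect after one)."""
    members = [Member(seq=i, sla_met=True, in_avail_mbps=10, out_avail_mbps=10)
               for i in (1, 2, 3, 4)]
    rule = Rule(members, minimum_sla_meet_members=4)
    before = rule_in_effect(rule)
    members[2].sla_met = False          # one link fails its health check
    after = rule_in_effect(rule)        # rule drops out; traffic goes to port 5
    return before, after


if __name__ == "__main__":
    print("minimum links (before, after failure):", demo_minimum_links())
    sample = [Member(i, True, 10 * i, 5 * i) for i in (1, 2, 3, 4)]
    for mode in HASH_MODES:
        rule = Rule(sample, hash_mode=mode)
        picks = [select_member(rule, "70.1.1.10", f"80.1.1.{d}") for d in (1, 2, 3, 4)]
        print(f"{mode:22s} -> members {picks}")
```

Running the script prints the four constructed flows under each hash mode: round-robin walks the members in order, the two IP-based modes return one member per key regardless of how many flows you send, and the bandwidth modes always return the member with the most headroom.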
Health check options
Health checks support several protocols, each with its own protocol-specific options.
The health check protocol options include:
| Protocol | Description |
| --- | --- |
| ping | Use PING to test the link with the server. |
| tcp-echo | Use TCP echo to test the link with the server. |
| udp-echo | Use UDP echo to test the link with the server. |
| http | Use HTTP-GET to test the link with the server. |
| twamp | Use TWAMP to test the link with the server. |
| dns | Use a DNS query to test the link with the server. The FortiGate sends a DNS query for an A record, and the check passes when the response matches the expected IP address. |
| tcp-connect | Use a full TCP connection to test the link with the server. The method used to measure the quality of the TCP connection (quality-measured-method) can be half-open (TCP open, SYN/SYN-ACK) or half-close (TCP close, FIN/FIN-ACK). |
| ftp | Use FTP to test the link with the server. The FTP mode (ftp-mode) can be passive or port (active). |
To use UDP-echo and TCP-echo as health checks:
config system sdwan
    set status enable
    config health-check
        edit "h4_udp1"
            set protocol udp-echo
            set port 7
            set server <server>
        next
        edit "h4_tcp1"
            set protocol tcp-echo
            set port 7
            set server <server>
        next
        edit "h6_udp1"
            set addr-mode ipv6
            set server "2032::12"
            set protocol udp-echo
            set port 7
        next
    end
end
To use DNS as a health check, and define the IP address that the response must match:
config system sdwan
    set status enable
    config health-check
        edit "h4_dns1"
            set protocol dns
            set dns-request-domain "ip41.forti2.com"
            set dns-match-ip 1.1.1.1
        next
        edit "h6_dns1"
            set addr-mode ipv6
            set server "2000::15.1.1.4"
            set protocol dns
            set port 53
            set dns-request-domain "ip61.xxx.com"
        next
    end
end
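To make concrete what the DNS health check verifies, the Python below is an added example (not FortiOS code) that builds the A query for `dns-request-domain`, parses the answer section of a reply, and passes the check only when the reply is a well-formed success response carrying the `dns-match-ip` address. It uses the page's values `ip41.forti2.com` and `1.1.1.1`; the reply bytes are constructed by the `constructed_response` fixture so everything runs offline, and sending the query to the configured server over UDP is left out.

```python
"""DNS health check logic (added example, not FortiOS code)."""
import ipaddress
import struct


def build_a_query(domain, txid=0x1234):
    """Standard DNS query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode()
                     for lbl in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_answers(msg, txid):
    """Return the A-record addresses in a reply; raise ValueError on a bad reply."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x8000 == 0 or flags & 0x000F != 0:   # not a response, or RCODE != 0
        raise ValueError(f"bad flags 0x{flags:04x}")
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


def dns_health_ok(response, txid, match_ip=None):
    """The check passes when the reply is valid and, if dns-match-ip is set,
    one of the returned A records equals it. Any parse error counts as a fail."""
    try:
        addrs = parse_a_answers(response, txid)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return False
    if not addrs:
        return False
    return match_ip is None or match_ip in addrs


def constructed_response(query, addrs, rcode=0):
    """Test fixture: a reply to `query` with one A record per address,
    using a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
        for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    q = build_a_query("ip41.forti2.com")
    good = constructed_response(q, ["1.1.1.1"])
    print("match 1.1.1.1:", dns_health_ok(good, 0x1234, "1.1.1.1"))
    print("other answer: ", dns_health_ok(constructed_response(q, ["9.9.9.9"]), 0x1234, "1.1.1.1"))
    print("NXDOMAIN:     ", dns_health_ok(constructed_response(q, ["1.1.1.1"], rcode=3), 0x1234, "1.1.1.1"))
```

The transaction-id and RCODE checks matter for a health check as much as the address match: a stray or spoofed reply with the wrong id, or a server that answers but returns an error, should mark the link as failing rather than passing.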
To use TCP Open (SYN/SYN-ACK) and TCP Close (FIN/FIN-ACK) to verify connections:
config system sdwan
    set status enable
    config health-check
        edit "h4_tcpconnect1"
            set protocol tcp-connect
            set port 443
            set quality-measured-method {half-open | half-close}
            set server <server>
        next
        edit "h6_tcpconnect1"
            set addr-mode ipv6
            set server "2032::13"
            set protocol tcp-connect
            set port 444
            set quality-measured-method {half-open | half-close}
        next
    end
end
To use active or passive mode FTP to verify connections:
config system sdwan
    set status enable
    config health-check
        edit "h4_ftp1"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "1.txt"
            set server <server>
        next
        edit "h6_ftp1"
            set addr-mode ipv6
            set server "2032::11"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "2.txt"
        next
    end
end