
SD-WAN configuration

6.4.0

SD-WAN configuration

Fortinet SD-WAN configuration includes the following main steps:

  1. SD-WAN interface members define your SD-WAN bundle. They are the interfaces that will be controlled by SD-WAN and where traffic can potentially flow. Almost any interface supported by FortiGate devices can become an SD-WAN member (including physical ports, VLAN interfaces, LAGs, IPsec/GRE/IPIP tunnels, and even FortiExtender interfaces). Often it will include both your underlays and overlays, but this is not a requirement. For example, you can configure the overlays to be your SD-WAN members while keeping the underlay outside. We will look into these options in the design examples. For convenience, the SD-WAN members are grouped into SD-WAN zones.

  2. Performance SLAs are the health-check probes used by the edge devices to actively measure the health of each available path. You can define which server to probe and which protocol to use (Ping, HTTP, TCP/UDP Echo, TWAMP, or DNS). Each probe measures latency, jitter, and packet loss percentage over the configured subset of the SD-WAN members. In addition, you can configure multiple SLA targets for each probe. Together, these metrics allow SD-WAN to compare the health of the available paths and to determine which paths are acceptable for a particular application and which are not (the latter are called out of SLA).

  3. SD-WAN rules combine all the elements. These are the actual set of business rules used to steer a particular application to a specific SD-WAN member while considering its current health and SLA status. Each rule has the following logical parts:
    • Matching Criteria defines what applications or what kind of traffic will match this rule. We can match based on a large variety of inputs, including signature-based L7 application detection (Application Control Database), dynamic feeds (Internet Service Database—ISDB), multiple User Identity providers, DSCP/ToS fields, Route Tags, and, of course, simple L3/L4 criteria.
    • SD-WAN Strategy defines the logic applied to select one of the SD-WAN members to steer this traffic. The following strategies can be configured:
      • Best Quality—select an SD-WAN member with the best measured quality.
      • Lowest Cost (SLA)—select the cheapest SD-WAN member that meets a given SLA target.
      • Maximize Bandwidth (SLA)—load-balance across all SD-WAN members that meet a given SLA target.
      • Manual—manually specify an SD-WAN member to select.
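Putting the three steps together, here is an added example (not from the Fortinet documentation) of a FortiOS 6.4 CLI configuration with two underlay members in one zone, one Performance SLA probe with a single SLA target, and one rule that applies the Lowest Cost (SLA) strategy to SIP traffic. Interface names, gateways, the probe server address and the `LAN_net` address object are assumptions.

```fortios
config system sdwan                   # added example; names and addresses are assumed
    set status enable
    config zone
        edit "underlay"               # step 1: zone grouping the two ISP links
        next
    end
    config members
        edit 1
            set interface "wan1"      # assumed interface name
            set zone "underlay"
            set gateway 203.0.113.1   # constructed ISP-A next hop
        next
        edit 2
            set interface "wan2"
            set zone "underlay"
            set gateway 198.51.100.1  # constructed ISP-B next hop
            set cost 10               # more expensive than wan1 (default cost 0)
        next
    end
    config health-check
        edit "Voice_probe"            # step 2: Performance SLA probe
            set server "192.0.2.10"   # constructed probe target
            set members 1 2           # probe both members
            config sla
                edit 1                # SLA target 1: what "in SLA" means for voice
                    set link-cost-factor latency packet-loss
                    set latency-threshold 150     # ms
                    set packetloss-threshold 1    # percent
                next
            end
        next
    end
    config service
        edit 1
            set name "Voice_LowestCost"   # step 3: SD-WAN rule
            set mode sla                  # Lowest Cost (SLA) strategy
            set src "LAN_net"             # assumed address object
            set dst "all"
            set protocol 17               # UDP
            set start-port 5060           # SIP signalling
            set end-port 5061
            config sla
                edit "Voice_probe"
                    set id 1              # member must meet SLA target 1
                next
            end
            set priority-members 1 2      # candidates; cheapest in-SLA member wins
        next
    end
end
```

Because wan2 carries a higher cost, SIP sessions stay on wan1 while it meets the latency and packet-loss thresholds and move to wan2 only when wan1 falls out of SLA; a firewall policy that uses the underlay zone as its destination interface is still required for the traffic to be allowed.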

The SD-WAN rules probably remind you of the Firewall rules to some extent, and, indeed, many of the same matching criteria are used. The SD-WAN rules are also evaluated in the order of their configuration—just like Firewall rules. But they serve two complementary goals (which will be discussed in more detail in the next chapter):

  • Firewall rules define how to secure a particular application, should a particular path be selected.
  • SD-WAN rules define how to select a particular path for a particular application.

Having both rulesets rely on the same inputs (such as Application Control Database, Internet Service Database [ISDB], same User Identity providers, and so on) significantly improves integration between different pillars and the consistency of the overall solution.
