Fortinet Document Library

Version:

Version:


Table of Contents

More Links

Configuring the SD-WAN interface

Administration Guide

Download PDF
Copy Link

SD-WAN configuration portability

When configuring SD-WAN, adding interfaces to members is optional.

This allows the SD-WAN to be configured without associating any interfaces to SD-WAN members. It also allows a configuration to be copied directly from one device to another, without requiring the devices to have interfaces with the same names.

After the configuration is created, add interfaces to the members make it functional.

Example 1

In this example, we create a template with two SD-WAN members configured without assigned interfaces that are used in a performance SLA and SD-WAN rule. The template can be used to configure new devices, as in Example 2. Interfaces are then assigned to the members, and the configuration becomes active.

To create the SD-WAN members in the GUI:
  1. Go to Network > SD-WAN Zones.
  2. Click Create New > SD-WAN Member.
  3. Leave all the settings set to their default values and click OK.

  4. Repeat the above steps to create a second member.

    The empty members are listed on the SD-WAN Zones page.

    The members are disabled until interfaces are configured, but can still be used in performance SLAs and SD-WAN rules.

To create a performance SLA in the GUI:
  1. Go to Network > Performance SLA.
  2. Click Create New.
  3. Configure the performance SLA, specifying the empty members as participants.

  4. Click OK.
To create an SD-WAN rule in the GUI:
  1. Go to Network > SD-WAN Rules.
  2. Click Create New.
  3. Configure the rule, adding both members to the Interface preference field:

  4. Click OK.
To assign interfaces to the SD-WAN members in the GUI:
  1. Go to Network > SD-WAN Zones.
  2. Edit the first member
  3. Set Interface to an actual interface.

  4. Click OK.
  5. Repeat the above steps to assign an interface to the second member.
To configure the SD-WAN in the CLI:
  1. Create SD-WAN members:
    config system sdwan
        set status enable
        config members
            edit 1
            next
            edit 2
            next
        end
    end
  2. Create a health check (performance SLA):
    config system sdwan
        config health-check
            edit "office"
                set server "office365.com"
                set protocol http
                set sla-fail-log-period 300
                set sla-pass-log-period 300
                set members 2 1
                config sla
                    edit 1
                        set latency-threshold 300
                        set jitter-threshold 200
                    next
                    edit 2
                        set link-cost-factor latency
                        set latency-threshold 20
                    next
                end
            next
        end
    end
  3. Create a service (rule):
    config system sdwan
        config service
            edit 3
                set name "Office365"
                set mode sla
                set internet-service enable
                set internet-service-app-ctrl 33182
                config sla
                    edit "office"
                        set id 2
                    next
                end
                set priority-members 1 2
            next
        end
    end

    The SD-WAN configuration can now be used in as a template for new spokes, as in Example 2.

To assign interfaces to the SD-WAN members in the CLI:
config system sdwan
    config members
        edit 1
            set interface "_OCVPN4-0.0"
        next
        edit 2
            set interface "_OCVPN4-0.1"
        next
    end
end
Note

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

Example 2

In this example, the configuration from Example 1 is copied onto a new FortiGate.

Using the CLI console and the GUI

To copy the SD-WAN configuration from the original FortiGate:
  1. Optionally, change the console screen paging setting. See Screen paging for details.
  2. Open the CLI console.
  3. If necessary, click Clear console to empty the console.
  4. Enter the following command:

    show system sdwan

  5. Either click Download and open the file in a text editor, or click Copy to clipboard and paste the content into a text editor.

  6. Edit the CLI configuration as necessary. For example, the first line that shows the show command should be deleted, and the default health checks can be removed.
  7. If required, save the CLI configuration as a text file.
To paste the SD-WAN configuration onto a new FortiGate:
  1. Copy the SD-WAN configuration from the text editor.
  2. On the new FortiGate, open the CLI console.
  3. Press Ctrl + v to paste the CLI commands.
  4. In necessary, press Enter to apply the last end command.

    The SD-WAN configuration is copied to the new FortiGate.

    If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces are configured.

To assign interfaces to the SD-WAN members:
  1. Go to Network > SD-WAN Zones.
  2. Edit the first member
  3. Set Interface to an actual interface.

  4. Click OK.
  5. Repeat the above steps to assign an interface to the second member.

Using a terminal emulator

The following instructions use PuTTy. The steps may vary in other terminal emulators.

To copy the SD-WAN configuration from the original FortiGate:
  1. Connect to the FortiGate. See Connecting to the CLI for details.
  2. Enter the following command:

    show system sdwan

  3. Select the output, press Ctrl + c to copy it, and then paste it into a text editor.
  4. Edit the CLI configuration as necessary. For example, the default health checks can be removed.
  5. If required, save the CLI configuration as a text file.
To paste the SD-WAN configuration onto a new FortiGate:
  1. Copy the SD-WAN configuration from the text editor.
  2. Connect to the new FortiGate. See Connecting to the CLI for details.
  3. Right-click to paste the SD-WAN configuration.
  4. In necessary, press Enter to apply the last end command.

    The SD-WAN configuration is copied to the new FortiGate.

    If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces are configured.

To assign interfaces to the SD-WAN members::
config system sdwan
    config members
        edit 1
            set interface "_OCVPN4-0.0"
        next
        edit 2
            set interface "_OCVPN4-0.1"
        next
    end
end
Note

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

More Links

SD-WAN configuration portability

When configuring SD-WAN, adding interfaces to members is optional.

This allows the SD-WAN to be configured without associating any interfaces to SD-WAN members. It also allows a configuration to be copied directly from one device to another, without requiring the devices to have interfaces with the same names.

After the configuration is created, add interfaces to the members make it functional.

Example 1

In this example, we create a template with two SD-WAN members configured without assigned interfaces that are used in a performance SLA and SD-WAN rule. The template can be used to configure new devices, as in Example 2. Interfaces are then assigned to the members, and the configuration becomes active.

To create the SD-WAN members in the GUI:
  1. Go to Network > SD-WAN Zones.
  2. Click Create New > SD-WAN Member.
  3. Leave all the settings set to their default values and click OK.

  4. Repeat the above steps to create a second member.

    The empty members are listed on the SD-WAN Zones page.

    The members are disabled until interfaces are configured, but can still be used in performance SLAs and SD-WAN rules.

To create a performance SLA in the GUI:
  1. Go to Network > Performance SLA.
  2. Click Create New.
  3. Configure the performance SLA, specifying the empty members as participants.

  4. Click OK.
To create an SD-WAN rule in the GUI:
  1. Go to Network > SD-WAN Rules.
  2. Click Create New.
  3. Configure the rule, adding both members to the Interface preference field:

  4. Click OK.
To assign interfaces to the SD-WAN members in the GUI:
  1. Go to Network > SD-WAN Zones.
  2. Edit the first member
  3. Set Interface to an actual interface.

  4. Click OK.
  5. Repeat the above steps to assign an interface to the second member.
To configure the SD-WAN in the CLI:
  1. Create SD-WAN members:
    config system sdwan
        set status enable
        config members
            edit 1
            next
            edit 2
            next
        end
    end
  2. Create a health check (performance SLA):
    config system sdwan
        config health-check
            edit "office"
                set server "office365.com"
                set protocol http
                set sla-fail-log-period 300
                set sla-pass-log-period 300
                set members 2 1
                config sla
                    edit 1
                        set latency-threshold 300
                        set jitter-threshold 200
                    next
                    edit 2
                        set link-cost-factor latency
                        set latency-threshold 20
                    next
                end
            next
        end
    end
  3. Create a service (rule):
    config system sdwan
        config service
            edit 3
                set name "Office365"
                set mode sla
                set internet-service enable
                set internet-service-app-ctrl 33182
                config sla
                    edit "office"
                        set id 2
                    next
                end
                set priority-members 1 2
            next
        end
    end

    The SD-WAN configuration can now be used in as a template for new spokes, as in Example 2.

To assign interfaces to the SD-WAN members in the CLI:
config system sdwan
    config members
        edit 1
            set interface "_OCVPN4-0.0"
        next
        edit 2
            set interface "_OCVPN4-0.1"
        next
    end
end
Note

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

Example 2

In this example, the configuration from Example 1 is copied onto a new FortiGate.

Using the CLI console and the GUI

To copy the SD-WAN configuration from the original FortiGate:
  1. Optionally, change the console screen paging setting. See Screen paging for details.
  2. Open the CLI console.
  3. If necessary, click Clear console to empty the console.
  4. Enter the following command:

    show system sdwan

  5. Either click Download and open the file in a text editor, or click Copy to clipboard and paste the content into a text editor.

  6. Edit the CLI configuration as necessary. For example, the first line that shows the show command should be deleted, and the default health checks can be removed.
  7. If required, save the CLI configuration as a text file.
To paste the SD-WAN configuration onto a new FortiGate:
  1. Copy the SD-WAN configuration from the text editor.
  2. On the new FortiGate, open the CLI console.
  3. Press Ctrl + v to paste the CLI commands.
  4. In necessary, press Enter to apply the last end command.

    The SD-WAN configuration is copied to the new FortiGate.

    If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces are configured.

To assign interfaces to the SD-WAN members:
  1. Go to Network > SD-WAN Zones.
  2. Edit the first member
  3. Set Interface to an actual interface.

  4. Click OK.
  5. Repeat the above steps to assign an interface to the second member.

Using a terminal emulator

The following instructions use PuTTy. The steps may vary in other terminal emulators.

To copy the SD-WAN configuration from the original FortiGate:
  1. Connect to the FortiGate. See Connecting to the CLI for details.
  2. Enter the following command:

    show system sdwan

  3. Select the output, press Ctrl + c to copy it, and then paste it into a text editor.
  4. Edit the CLI configuration as necessary. For example, the default health checks can be removed.
  5. If required, save the CLI configuration as a text file.
To paste the SD-WAN configuration onto a new FortiGate:
  1. Copy the SD-WAN configuration from the text editor.
  2. Connect to the new FortiGate. See Connecting to the CLI for details.
  3. Right-click to paste the SD-WAN configuration.
  4. In necessary, press Enter to apply the last end command.

    The SD-WAN configuration is copied to the new FortiGate.

    If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces are configured.

To assign interfaces to the SD-WAN members::
config system sdwan
    config members
        edit 1
            set interface "_OCVPN4-0.0"
        next
        edit 2
            set interface "_OCVPN4-0.1"
        next
    end
end
Note

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.