Fortinet Document Library

CLI Reference

Configure redundant Internet connections with multiple outbound links and health-check profiles.

  config system sdwan
      Description: Configure redundant Internet connections with multiple outbound links and health-check profiles.
      set status [disable|enable]
      set load-balance-mode [source-ip-based|weight-based|...]
      set duplication-max-num {integer}
      set neighbor-hold-down [enable|disable]
      set neighbor-hold-down-time {integer}
      set neighbor-hold-boot-time {integer}
      set fail-detect [enable|disable]
      set fail-alert-interfaces <name1>, <name2>, ...
      config zone
          Description: Configure SD-WAN zones.
          edit <name>
              set service-sla-tie-break [cfg-order|fib-best-match]
          next
      end
      config members
          Description: FortiGate interfaces added to the SD-WAN.
          edit <seq-num>
              set interface {string}
              set zone {string}
              set gateway {ipv4-address}
              set source {ipv4-address}
              set gateway6 {ipv6-address}
              set source6 {ipv6-address}
              set cost {integer}
              set weight {integer}
              set priority {integer}
              set spillover-threshold {integer}
              set ingress-spillover-threshold {integer}
              set volume-ratio {integer}
              set status [disable|enable]
              set comment {var-string}
          next
      end
      config health-check
          Description: SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
          edit <name>
              set probe-packets [disable|enable]
              set addr-mode [ipv4|ipv6]
              set system-dns [disable|enable]
              set server {string}
              set protocol [ping|tcp-echo|...]
              set port {integer}
              set quality-measured-method [half-open|half-close]
              set security-mode [none|authentication]
              set user {string}
              set password {password}
              set packet-size {integer}
              set ha-priority {integer}
              set ftp-mode [passive|port]
              set ftp-file {string}
              set http-get {string}
              set http-agent {string}
              set http-match {string}
              set dns-request-domain {string}
              set dns-match-ip {ipv4-address}
              set interval {integer}
              set probe-timeout {integer}
              set failtime {integer}
              set recoverytime {integer}
              set probe-count {integer}
              set diffservcode {user}
              set update-cascade-interface [enable|disable]
              set update-static-route [enable|disable]
              set sla-fail-log-period {integer}
              set sla-pass-log-period {integer}
              set threshold-warning-packetloss {integer}
              set threshold-alert-packetloss {integer}
              set threshold-warning-latency {integer}
              set threshold-alert-latency {integer}
              set threshold-warning-jitter {integer}
              set threshold-alert-jitter {integer}
              set members <seq-num1>, <seq-num2>, ...
              config sla
                  Description: Service level agreement (SLA).
                  edit <id>
                      set link-cost-factor {option1}, {option2}, ...
                      set latency-threshold {integer}
                      set jitter-threshold {integer}
                      set packetloss-threshold {integer}
                  next
              end
          next
      end
      config neighbor
          Description: Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.
          edit <ip>
              set member {integer}
              set role [standalone|primary|...]
              set health-check {string}
              set sla-id {integer}
          next
      end
      config service
          Description: Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.
          edit <id>
              set name {string}
              set addr-mode [ipv4|ipv6]
              set input-device <name1>, <name2>, ...
              set input-device-negate [enable|disable]
              set mode [auto|manual|...]
              set minimum-sla-meet-members {integer}
              set hash-mode [round-robin|source-ip-based|...]
              set role [standalone|primary|...]
              set standalone-action [enable|disable]
              set quality-link {integer}
              set tos {user}
              set tos-mask {user}
              set protocol {integer}
              set start-port {integer}
              set end-port {integer}
              set route-tag {integer}
              set dst <name1>, <name2>, ...
              set dst-negate [enable|disable]
              set src <name1>, <name2>, ...
              set dst6 <name1>, <name2>, ...
              set src6 <name1>, <name2>, ...
              set src-negate [enable|disable]
              set users <name1>, <name2>, ...
              set groups <name1>, <name2>, ...
              set internet-service [enable|disable]
              set internet-service-custom <name1>, <name2>, ...
              set internet-service-custom-group <name1>, <name2>, ...
              set internet-service-name <name1>, <name2>, ...
              set internet-service-group <name1>, <name2>, ...
              set internet-service-app-ctrl <id1>, <id2>, ...
              set internet-service-app-ctrl-group <name1>, <name2>, ...
              set health-check <name1>, <name2>, ...
              set link-cost-factor [latency|jitter|...]
              set packet-loss-weight {integer}
              set latency-weight {integer}
              set jitter-weight {integer}
              set bandwidth-weight {integer}
              set link-cost-threshold {integer}
              set hold-down-time {integer}
              set dscp-forward [enable|disable]
              set dscp-reverse [enable|disable]
              set dscp-forward-tag {user}
              set dscp-reverse-tag {user}
              config sla
                  Description: Service level agreement (SLA).
                  edit <health-check>
                      set id {integer}
                  next
              end
              set priority-members <seq-num1>, <seq-num2>, ...
              set status [enable|disable]
              set gateway [enable|disable]
              set default [enable|disable]
              set sla-compare-method [order|number]
              set tie-break [zone|cfg-order|...]
          next
      end
      config duplication
          Description: Create SD-WAN duplication rule.
          edit <id>
              set service-id <id1>, <id2>, ...
              set srcaddr <name1>, <name2>, ...
              set dstaddr <name1>, <name2>, ...
              set srcaddr6 <name1>, <name2>, ...
              set dstaddr6 <name1>, <name2>, ...
              set srcintf <name1>, <name2>, ...
              set dstintf <name1>, <name2>, ...
              set service <name1>, <name2>, ...
              set packet-duplication [disable|force|...]
              set packet-de-duplication [enable|disable]
          next
      end
  end

config system sdwan

Parameter Name Description Type Size
status Enable/disable SD-WAN.
disable: Disable SD-WAN.
enable: Enable SD-WAN.
option -
load-balance-mode Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
source-ip-based: Source IP load balancing. All traffic from a source IP is sent to the same interface.
weight-based: Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
usage-based: Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit, new traffic is sent to the next interface.
source-dest-ip-based: Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
measured-volume-based: Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.
option -
duplication-max-num Maximum number of interface members a packet is duplicated in the SD-WAN zone (2 - 4, default = 2; if set to 3, the original packet plus 2 more copies are created). integer Minimum value: 2 Maximum value: 4
neighbor-hold-down Enable/disable hold switching from the secondary neighbor to the primary neighbor.
enable: Enable hold switching from the secondary neighbor to the primary neighbor.
disable: Disable hold switching from the secondary neighbor to the primary neighbor.
option -
neighbor-hold-down-time Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled. (0 - 10000000, default = 0). integer Minimum value: 0 Maximum value: 10000000
neighbor-hold-boot-time Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start. (0 - 10000000, default = 0). integer Minimum value: 0 Maximum value: 10000000
fail-detect Enable/disable SD-WAN Internet connection status checking (failure detection).
enable: Enable status checking.
disable: Disable status checking.
option -
fail-alert-interfaces <name> Physical interfaces that will be alerted.
Physical interface name.
string Maximum length: 79

config zone

Parameter Name Description Type Size
service-sla-tie-break Method of selecting member if more than one meets the SLA.
cfg-order: Members that meet the SLA are selected in the order they are configured.
fib-best-match: Members that meet the SLA are selected that match the longest prefix in the routing table.
option -

config members

Parameter Name Description Type Size
interface Interface name. string Maximum length: 15
zone Zone name. string Maximum length: 35
gateway The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to. ipv4-address Not Specified
source Source IP address used in the health-check packet to the server. ipv4-address Not Specified
gateway6 IPv6 gateway. ipv6-address Not Specified
source6 Source IPv6 address used in the health-check packet to the server. ipv6-address Not Specified
cost Cost of this interface for services in SLA mode (0 - 4294967295, default = 0). integer Minimum value: 0 Maximum value: 4294967295
weight Weight of this interface for weighted load balancing (1 - 255). More traffic is directed to interfaces with higher weights. integer Minimum value: 1 Maximum value: 255
priority Priority of the interface (0 - 65535). Used for SD-WAN rules or priority rules. integer Minimum value: 0 Maximum value: 65535
spillover-threshold Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. integer Minimum value: 0 Maximum value: 16776000
ingress-spillover-threshold Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. integer Minimum value: 0 Maximum value: 16776000
volume-ratio Measured volume ratio (this value / sum of all values = percentage of link volume, 1 - 255). integer Minimum value: 1 Maximum value: 255
status Enable/disable this interface in the SD-WAN.
disable: Disable this interface in the SD-WAN.
enable: Enable this interface in the SD-WAN.
option -
comment Comments. var-string Maximum length: 255

config health-check

Parameter Name Description Type Size
probe-packets Enable/disable transmission of probe packets.
disable: Disable transmission of probe packets.
enable: Enable transmission of probe packets.
option -
addr-mode Address mode (IPv4 or IPv6).
ipv4: IPv4 mode.
ipv6: IPv6 mode.
option -
system-dns Enable/disable system DNS as the probe server.
disable: Disable system DNS as the probe server.
enable: Enable system DNS as the probe server.
option -
server IP address or FQDN name of the server. string Maximum length: 79
protocol Protocol used to determine if the FortiGate can communicate with the server.
ping: Use PING to test the link with the server.
tcp-echo: Use TCP echo to test the link with the server.
udp-echo: Use UDP echo to test the link with the server.
http: Use HTTP-GET to test the link with the server.
twamp: Use TWAMP to test the link with the server.
dns: Use DNS query to test the link with the server.
tcp-connect: Use a full TCP connection to test the link with the server.
ftp: Use FTP to test the link with the server.
option -
port Port number used to communicate with the server over the selected protocol (0 - 65535, default = 0 = auto select: http, twamp: 80; udp-echo, tcp-echo: 7; dns: 53; ftp: 21). integer Minimum value: 0 Maximum value: 65535
quality-measured-method Method to measure the quality of tcp-connect.
half-open: Measure the round trip between syn and ack.
half-close: Measure the round trip between fin and ack.
option -
security-mode TWAMP controller security mode.
none: Unauthenticated mode.
authentication: Authenticated mode.
option -
user The user name used to access the probe server. string Maximum length: 64
password TWAMP controller password in authentication mode. password Not Specified
packet-size Packet size of a TWAMP test session. integer Minimum value: 64 Maximum value: 1024
ha-priority HA election priority (1 - 50). integer Minimum value: 1 Maximum value: 50
ftp-mode FTP mode.
passive: The FTP health-check initiates and establishes the data connection.
port: The FTP server initiates and establishes the data connection.
option -
ftp-file Full path and file name on the FTP server to download for FTP health-check to probe. string Maximum length: 254
http-get URL used to communicate with the server if the protocol is HTTP. string Maximum length: 1024
http-agent String in the http-agent field in the HTTP header. string Maximum length: 1024
http-match Response string expected from the server if the protocol is HTTP. string Maximum length: 1024
dns-request-domain Fully qualified domain name to resolve for the DNS probe. string Maximum length: 255
dns-match-ip Response IP expected from DNS server if the protocol is DNS. ipv4-address Not Specified
interval Status check interval in milliseconds, or the time between attempting to connect to the server (500 - 3600*1000 msec, default = 500). integer Minimum value: 500 Maximum value: 3600000
probe-timeout Time to wait before a probe packet is considered lost (500 - 3600*1000 msec, default = 500). integer Minimum value: 500 Maximum value: 3600000
failtime Number of failures before server is considered lost (1 - 3600, default = 5). integer Minimum value: 1 Maximum value: 3600
recoverytime Number of successful responses received before server is considered recovered (1 - 3600, default = 5). integer Minimum value: 1 Maximum value: 3600
probe-count Number of most recent probes that should be used to calculate latency and jitter (5 - 30, default = 30). integer Minimum value: 5 Maximum value: 30
diffservcode Differentiated services code point (DSCP) in the IP header of the probe packet. user Not Specified
update-cascade-interface Enable/disable update cascade interface.
enable: Enable update cascade interface.
disable: Disable update cascade interface.
option -
update-static-route Enable/disable updating the static route.
enable: Enable updating the static route.
disable: Disable updating the static route.
option -
sla-fail-log-period Time interval in seconds that SLA fail log messages will be generated (0 - 3600, default = 0). integer Minimum value: 0 Maximum value: 3600
sla-pass-log-period Time interval in seconds that SLA pass log messages will be generated (0 - 3600, default = 0). integer Minimum value: 0 Maximum value: 3600
threshold-warning-packetloss Warning threshold for packet loss (percentage, default = 0). integer Minimum value: 0 Maximum value: 100
threshold-alert-packetloss Alert threshold for packet loss (percentage, default = 0). integer Minimum value: 0 Maximum value: 100
threshold-warning-latency Warning threshold for latency (ms, default = 0). integer Minimum value: 0 Maximum value: 4294967295
threshold-alert-latency Alert threshold for latency (ms, default = 0). integer Minimum value: 0 Maximum value: 4294967295
threshold-warning-jitter Warning threshold for jitter (ms, default = 0). integer Minimum value: 0 Maximum value: 4294967295
threshold-alert-jitter Alert threshold for jitter (ms, default = 0). integer Minimum value: 0 Maximum value: 4294967295
members <seq-num> Member sequence number list.
Member sequence number.
integer Minimum value: 0 Maximum value: 4294967295

config sla

Parameter Name Description Type Size
link-cost-factor Criteria on which to base link selection.
latency: Select link based on latency.
jitter: Select link based on jitter.
packet-loss: Select link based on packet loss.
option -
latency-threshold Latency for SLA to make decision in milliseconds. (0 - 10000000, default = 5). integer Minimum value: 0 Maximum value: 10000000
jitter-threshold Jitter for SLA to make decision in milliseconds. (0 - 10000000, default = 5). integer Minimum value: 0 Maximum value: 10000000
packetloss-threshold Packet loss for SLA to make decision in percentage. (0 - 100, default = 0). integer Minimum value: 0 Maximum value: 100
id SLA ID. integer Minimum value: 0 Maximum value: 4294967295

config neighbor

Parameter Name Description Type Size
member Member sequence number. integer Minimum value: 0 Maximum value: 4294967295
role Role of neighbor.
standalone: Standalone neighbor.
primary: Primary neighbor.
secondary: Secondary neighbor.
option -
health-check SD-WAN health-check name. string Maximum length: 35
sla-id SLA ID. integer Minimum value: 0 Maximum value: 4294967295

config service

Parameter Name Description Type Size
name SD-WAN rule name. string Maximum length: 35
addr-mode Address mode (IPv4 or IPv6).
ipv4: IPv4 mode.
ipv6: IPv6 mode.
option -
input-device <name> Source interface name.
Interface name.
string Maximum length: 79
input-device-negate Enable/disable negation of input device match.
enable: Enable negation of input device match.
disable: Disable negation of input device match.
option -
mode Control how the SD-WAN rule sets the priority of interfaces in the SD-WAN.
auto: Assign interfaces a priority based on quality.
manual: Assign interfaces a priority manually.
priority: Assign interfaces a priority based on the link-cost-factor quality of the interface.
sla: Assign interfaces a priority based on selected SLA settings.
load-balance: Distribute traffic among all available links based on round robin. The ADVPN feature is not supported in this mode.
option -
minimum-sla-meet-members Minimum number of members which meet SLA. integer Minimum value: 0 Maximum value: 255
hash-mode Hash algorithm for selected priority members for load balance mode.
round-robin: All traffic is distributed to selected interfaces in equal portions and circular order.
source-ip-based: All traffic from a source IP is sent to the same interface.
source-dest-ip-based: All traffic from a source IP to a destination IP is sent to the same interface.
inbandwidth: All traffic is distributed to the selected interface with the most available bandwidth for incoming traffic.
outbandwidth: All traffic is distributed to the selected interface with the most available bandwidth for outgoing traffic.
bibandwidth: All traffic is distributed to the selected interface with the most available bandwidth for both incoming and outgoing traffic.
option -
role Service role to work with neighbor.
standalone: Standalone service.
primary: Primary service for primary neighbor.
secondary: Secondary service for secondary neighbor.
option -
standalone-action Enable/disable service when selected neighbor role is standalone while service role is not standalone.
enable: Enable service when selected neighbor role is standalone.
disable: Disable service when selected neighbor role is standalone.
option -
quality-link Quality grade. integer Minimum value: 0 Maximum value: 255
tos Type of service bit pattern. user Not Specified
tos-mask Type of service evaluated bits. user Not Specified
protocol Protocol number. integer Minimum value: 0 Maximum value: 255
start-port Start destination port number. integer Minimum value: 0 Maximum value: 65535
end-port End destination port number. integer Minimum value: 0 Maximum value: 65535
route-tag IPv4 route map route-tag. integer Minimum value: 0 Maximum value: 4294967295
dst <name> Destination address name.
Address or address group name.
string Maximum length: 79
dst-negate Enable/disable negation of destination address match.
enable: Enable destination address negation.
disable: Disable destination address negation.
option -
src <name> Source address name.
Address or address group name.
string Maximum length: 79
dst6 <name> Destination address6 name.
Address6 or address6 group name.
string Maximum length: 79
src6 <name> Source address6 name.
Address6 or address6 group name.
string Maximum length: 79
src-negate Enable/disable negation of source address match.
enable: Enable source address negation.
disable: Disable source address negation.
option -
users <name> User name.
User name.
string Maximum length: 79
groups <name> User groups.
Group name.
string Maximum length: 79
internet-service Enable/disable use of Internet service for application-based load balancing.
enable: Enable cloud service to support application-based load balancing.
disable: Disable cloud service to support application-based load balancing.
option -
internet-service-custom <name> Custom Internet service name list.
Custom Internet service name.
string Maximum length: 79
internet-service-custom-group <name> Custom Internet Service group list.
Custom Internet Service group name.
string Maximum length: 79
internet-service-name <name> Internet service name list.
Internet service name.
string Maximum length: 79
internet-service-group <name> Internet Service group list.
Internet Service group name.
string Maximum length: 79
internet-service-app-ctrl <id> Application control based Internet Service ID list.
Application control based Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-app-ctrl-group <name> Application control based Internet Service group list.
Application control based Internet Service group name.
string Maximum length: 79
health-check <name> Health check list.
Health check name.
string Maximum length: 79
link-cost-factor Link cost factor.
latency: Select link based on latency.
jitter: Select link based on jitter.
packet-loss: Select link based on packet loss.
inbandwidth: Select link based on available bandwidth of incoming traffic.
outbandwidth: Select link based on available bandwidth of outgoing traffic.
bibandwidth: Select link based on available bandwidth of bidirectional traffic.
custom-profile-1: Select link based on customized profile.
option -
packet-loss-weight Coefficient of packet-loss in the formula of custom-profile-1. integer Minimum value: 0 Maximum value: 10000000
latency-weight Coefficient of latency in the formula of custom-profile-1. integer Minimum value: 0 Maximum value: 10000000
jitter-weight Coefficient of jitter in the formula of custom-profile-1. integer Minimum value: 0 Maximum value: 10000000
bandwidth-weight Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. integer Minimum value: 0 Maximum value: 10000000
link-cost-threshold Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10). integer Minimum value: 0 Maximum value: 10000000
hold-down-time Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000, default = 0). integer Minimum value: 0 Maximum value: 10000000
dscp-forward Enable/disable forward traffic DSCP tag.
enable: Enable use of forward DSCP tag.
disable: Disable use of forward DSCP tag.
option -
dscp-reverse Enable/disable reverse traffic DSCP tag.
enable: Enable use of reverse DSCP tag.
disable: Disable use of reverse DSCP tag.
option -
dscp-forward-tag Forward traffic DSCP tag. user Not Specified
dscp-reverse-tag Reverse traffic DSCP tag. user Not Specified
priority-members <seq-num> Member sequence number list.
Member sequence number.
integer Minimum value: 0 Maximum value: 4294967295
status Enable/disable SD-WAN service.
enable: Enable SD-WAN service.
disable: Disable SD-WAN service.
option -
gateway Enable/disable SD-WAN service gateway.
enable: Enable SD-WAN service gateway.
disable: Disable SD-WAN service gateway.
option -
default Enable/disable use of SD-WAN as default service.
enable: Enable use of SD-WAN as default service.
disable: Disable use of SD-WAN as default service.
option -
sla-compare-method Method to compare SLA value for SLA mode.
order: Compare SLA value based on the order of health-check.
number: Compare SLA value based on the number of satisfied health-check. Limits health-checks to only configured member interfaces.
option -
tie-break Method of selecting member if more than one meets the SLA.
zone: Use the setting that is configured for the members' zone.
cfg-order: Members that meet the SLA are selected in the order they are configured.
fib-best-match: Members that meet the SLA are selected that match the longest prefix in the routing table.
option -

config duplication

Parameter Name Description Type Size
service-id <id> SD-WAN service rule ID list.
SD-WAN service rule ID.
integer Minimum value: 0 Maximum value: 4294967295
srcaddr <name> Source address or address group names.
Address or address group name.
string Maximum length: 79
dstaddr <name> Destination address or address group names.
Address or address group name.
string Maximum length: 79
srcaddr6 <name> Source address6 or address6 group names.
Address6 or address6 group name.
string Maximum length: 79
dstaddr6 <name> Destination address6 or address6 group names.
Address6 or address6 group name.
string Maximum length: 79
srcintf <name> Incoming (ingress) interfaces or zones.
Interface, zone or SDWAN zone name.
string Maximum length: 79
dstintf <name> Outgoing (egress) interfaces or zones.
Interface, zone or SDWAN zone name.
string Maximum length: 79
service <name> Service and service group name.
Service and service group name.
string Maximum length: 79
packet-duplication Configure packet duplication method.
disable: Disable packet duplication.
force: Duplicate packets across all interface members of the SD-WAN zone.
on-demand: Duplicate packets across all interface members of the SD-WAN zone based on the link quality.
option -
packet-de-duplication Enable/disable discarding of packets that have been duplicated.
enable: Enable discarding of packets that have been duplicated.
disable: Disable discarding of packets that have been duplicated.
option -
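The tables above describe each sub-table in isolation; the worked configuration below is an added example (not code from the Fortinet reference) that ties them together: two members in one zone, an HTTP health check with one SLA target, an SLA-mode rule that references that SLA, and an on-demand duplication rule bound to the rule. Interface names (wan1, wan2, internal), the zone and rule names, the probe server FQDN and the gateway addresses (taken from documentation ranges) are assumed values. Lines beginning with # are annotations.

```fortios
# Added example, not from the Fortinet reference. Interface names, zone
# names, the probe server and gateway addresses are assumed values.
config system sdwan
    set status enable
    set load-balance-mode source-dest-ip-based
    set fail-detect enable
    config zone
        edit "internet"
            set service-sla-tie-break fib-best-match
        next
    end
    config members
        # Lower priority value and lower cost make member 1 the preferred link.
        edit 1
            set interface "wan1"
            set zone "internet"
            set gateway 203.0.113.1
            set priority 10
            set cost 0
        next
        edit 2
            set interface "wan2"
            set zone "internet"
            set gateway 198.51.100.1
            set priority 20
            set cost 10
        next
    end
    config health-check
        # HTTP probe with a body match: an intercepting proxy or captive portal
        # that answers the GET without the expected string still counts as a failure.
        edit "hc-web"
            set addr-mode ipv4
            set server "probe.example.com"
            set protocol http
            set port 80
            set http-get "/health"
            set http-match "OK"
            set interval 1000
            set probe-timeout 1000
            set failtime 5
            set recoverytime 5
            set probe-count 30
            set update-static-route enable
            set sla-fail-log-period 60
            set sla-pass-log-period 300
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 150
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        # SLA-mode rule: HTTPS sessions use the first member, in priority-members
        # order, that currently meets SLA 1 of hc-web.
        edit 1
            set name "corp-https"
            set mode sla
            set src "all"
            set dst "all"
            set protocol 6
            set start-port 443
            set end-port 443
            config sla
                edit "hc-web"
                    set id 1
                next
            end
            set priority-members 1 2
            set sla-compare-method order
            set tie-break zone
            set hold-down-time 30
        next
    end
    config duplication
        # Duplicate rule 1 packets across the zone members only when link quality
        # degrades, and discard the duplicates on receipt.
        edit 1
            set service-id 1
            set srcintf "internal"
            set dstintf "internet"
            set service "HTTPS"
            set packet-duplication on-demand
            set packet-de-duplication enable
        next
    end
end
```

Points to note when reading this against the tables: the health check's `members` list and the rule's `priority-members` list both refer to the sequence numbers from `config members`, while the rule's `config sla` entry is keyed by the health-check name and selects one of that check's SLA ids. With `failtime` and `recoverytime` both at 5 and a 1000 ms interval, a link is declared dead roughly five seconds after probes start failing and is not reinstated until five consecutive probes succeed; `hold-down-time 30` then keeps sessions on the backup member for a further 30 seconds before switching back, which limits flapping. The distinct `sla-fail-log-period` and `sla-pass-log-period` values keep SLA failures visible in logs at a higher cadence than routine passes, which is the signal a monitoring pipeline should alert on.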

              set status [enable|disable]
              set gateway [enable|disable]
              set default [enable|disable]
              set sla-compare-method [order|number]
              set tie-break [zone|cfg-order|...]
          next
      end
      config duplication
          Description: Create SD-WAN duplication rule.
          edit <id>
              set service-id <id1>, <id2>, ...
              set srcaddr <name1>, <name2>, ...
              set dstaddr <name1>, <name2>, ...
              set srcaddr6 <name1>, <name2>, ...
              set dstaddr6 <name1>, <name2>, ...
              set srcintf <name1>, <name2>, ...
              set dstintf <name1>, <name2>, ...
              set service <name1>, <name2>, ...
              set packet-duplication [disable|force|...]
              set packet-de-duplication [enable|disable]
          next
      end
  end

config system sdwan

Parameter Name Description Type Size
status Enable/disable SD-WAN.
disable: Disable SD-WAN.
enable: Enable SD-WAN.
option -
load-balance-mode Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
source-ip-based: Source IP load balancing. All traffic from a source IP is sent to the same interface.
weight-based: Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
usage-based: Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit, new traffic is sent to the next interface.
source-dest-ip-based: Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
measured-volume-based: Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.
option -
duplication-max-num Maximum number of interface members a packet is duplicated in the SD-WAN zone (2 - 4, default = 2; if set to 3, the original packet plus 2 more copies are created). integer Minimum value: 2 Maximum value: 4
neighbor-hold-down Enable/disable hold switching from the secondary neighbor to the primary neighbor.
enable: Enable hold switching from the secondary neighbor to the primary neighbor.
disable: Disable hold switching from the secondary neighbor to the primary neighbor.
option -
neighbor-hold-down-time Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled. (0 - 10000000, default = 0). integer Minimum value: 0 Maximum value: 10000000
neighbor-hold-boot-time Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start. (0 - 10000000, default = 0). integer Minimum value: 0 Maximum value: 10000000
fail-detect Enable/disable SD-WAN Internet connection status checking (failure detection).
enable: Enable status checking.
disable: Disable status checking.
option -
fail-alert-interfaces <name> Physical interfaces that will be alerted.
Physical interface name.
string Maximum length: 79

config zone

Parameter Name Description Type Size
service-sla-tie-break Method of selecting member if more than one meets the SLA.
cfg-order: Members that meet the SLA are selected in the order they are configured.
fib-best-match: Members that meet the SLA are selected that match the longest prefix in the routing table.
option -

config members

Parameter Name Description Type Size
interface Interface name. string Maximum length: 15
zone Zone name. string Maximum length: 35
gateway The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to. ipv4-address Not Specified
source Source IP address used in the health-check packet to the server. ipv4-address Not Specified
gateway6 IPv6 gateway. ipv6-address Not Specified
source6 Source IPv6 address used in the health-check packet to the server. ipv6-address Not Specified
cost Cost of this interface for services in SLA mode (0 - 4294967295, default = 0). integer Minimum value: 0 Maximum value: 4294967295
weight Weight of this interface for weighted load balancing (1 - 255). More traffic is directed to interfaces with higher weights. integer Minimum value: 1 Maximum value: 255
priority Priority of the interface (0 - 65535). Used for SD-WAN rules or priority rules. integer Minimum value: 0 Maximum value: 65535
spillover-threshold Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. integer Minimum value: 0 Maximum value: 16776000
ingress-spillover-threshold Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. integer Minimum value: 0 Maximum value: 16776000
volume-ratio Measured volume ratio (this value / sum of all values = percentage of link volume, 1 - 255). integer Minimum value: 1 Maximum value: 255
status Enable/disable this interface in the SD-WAN.
disable: Disable this interface in the SD-WAN.
enable: Enable this interface in the SD-WAN.
option -
comment Comments. var-string Maximum length: 255

config health-check

Parameter Name Description Type Size
probe-packets Enable/disable transmission of probe packets.
disable: Disable transmission of probe packets.
enable: Enable transmission of probe packets.
option -
addr-mode Address mode (IPv4 or IPv6).
ipv4: IPv4 mode.
ipv6: IPv6 mode.
option -
system-dns Enable/disable system DNS as the probe server.
disable: Disable system DNS as the probe server.
enable: Enable system DNS as the probe server.
option -
server IP address or FQDN name of the server. string Maximum length: 79
protocol Protocol used to determine if the FortiGate can communicate with the server.
ping: Use PING to test the link with the server.
tcp-echo: Use TCP echo to test the link with the server.
udp-echo: Use UDP echo to test the link with the server.
http: Use HTTP-GET to test the link with the server.
twamp: Use TWAMP to test the link with the server.
dns: Use DNS query to test the link with the server.
tcp-connect: Use a full TCP connection to test the link with the server.
ftp: Use FTP to test the link with the server.
option -
port Port number used to communicate with the server over the selected protocol (0-65535, default = 0, auto select. http, twamp: 80, udp-echo, tcp-echo: 7, dns: 53, ftp: 21). integer Minimum value: 0 Maximum value: 65535
quality-measured-method Method to measure the quality of tcp-connect.
half-open: Measure the round trip between syn and ack.
half-close: Measure the round trip between fin and ack.
option -
security-mode TWAMP controller security mode.
none: Unauthenticated mode.
authentication: Authenticated mode.
option -
user The user name to access probe server. string Maximum length: 64
password TWAMP controller password in authentication mode. password Not Specified
packet-size Packet size of a TWAMP test session. integer Minimum value: 64 Maximum value: 1024
ha-priority HA election priority (1 - 50). integer Minimum value: 1 Maximum value: 50
ftp-mode FTP mode.
passive: The FTP health-check initiates and establishes the data connection.
port: The FTP server initiates and establishes the data connection.
option -
ftp-file Full path and file name on the FTP server to download for FTP health-check to probe. string Maximum length: 254
http-get URL used to communicate with the server if the protocol is HTTP. string Maximum length: 1024
http-agent String in the http-agent field in the HTTP header. string Maximum length: 1024
http-match Response string expected from the server if the protocol is HTTP. string Maximum length: 1024
dns-request-domain Fully qualified domain name to resolve for the DNS probe. string Maximum length: 255
dns-match-ip Response IP expected from DNS server if the protocol is DNS. ipv4-address Not Specified
interval Status check interval in milliseconds, or the time between attempting to connect to the server (500 - 3600*1000 msec, default = 500). integer Minimum value: 500 Maximum value: 3600000
probe-timeout Time to wait before a probe packet is considered lost (500 - 3600*1000 msec, default = 500). integer Minimum value: 500 Maximum value: 3600000
failtime Number of failures before server is considered lost (1 - 3600, default = 5). integer Minimum value: 1 Maximum value: 3600
recoverytime Number of successful responses received before server is considered recovered (1 - 3600, default = 5). integer Minimum value: 1 Maximum value: 3600
probe-count Number of most recent probes that should be used to calculate latency and jitter (5 - 30, default = 30). integer Minimum value: 5 Maximum value: 30
diffservcode Differentiated services code point (DSCP) in the IP header of the probe packet. user Not Specified
update-cascade-interface Enable/disable update cascade interface.
enable: Enable update cascade interface.
disable: Disable update cascade interface.
option -
update-static-route Enable/disable updating the static route.
enable: Enable updating the static route.
disable: Disable updating the static route.
option -
sla-fail-log-period Time interval in seconds that SLA fail log messages will be generated (0 - 3600, default = 0). integer Minimum value: 0 Maximum value: 3600
sla-pass-log-period Time interval in seconds that SLA pass log messages will be generated (0 - 3600, default = 0). integer Minimum value: 0 Maximum value: 3600
threshold-warning-packetloss Warning threshold for packet loss (percentage, default = 0). integer Minimum value: 0 Maximum value: 100
threshold-alert-packetloss Alert threshold for packet loss (percentage, default = 0). integer Minimum value: 0 Maximum value: 100
threshold-warning-latency Warning threshold for latency (ms, default = 0). integer Minimum value: 0 Maximum value: 4294967295
threshold-alert-latency Alert threshold for latency (ms, default = 0). integer Minimum value: 0 Maximum value: 4294967295
threshold-warning-jitter Warning threshold for jitter (ms, default = 0). integer Minimum value: 0 Maximum value: 4294967295
threshold-alert-jitter Alert threshold for jitter (ms, default = 0). integer Minimum value: 0 Maximum value: 4294967295
members <seq-num> Member sequence number list.
Member sequence number.
integer Minimum value: 0 Maximum value: 4294967295

config sla

Parameter Name Description Type Size
link-cost-factor Criteria on which to base link selection.
latency: Select link based on latency.
jitter: Select link based on jitter.
packet-loss: Select link based on packet loss.
option -
latency-threshold Latency for SLA to make decision in milliseconds. (0 - 10000000, default = 5). integer Minimum value: 0 Maximum value: 10000000
jitter-threshold Jitter for SLA to make decision in milliseconds. (0 - 10000000, default = 5). integer Minimum value: 0 Maximum value: 10000000
packetloss-threshold Packet loss for SLA to make decision in percentage. (0 - 100, default = 0). integer Minimum value: 0 Maximum value: 100
id SLA ID. integer Minimum value: 0 Maximum value: 4294967295

config neighbor

Parameter Name Description Type Size
member Member sequence number. integer Minimum value: 0 Maximum value: 4294967295
role Role of neighbor.
standalone: Standalone neighbor.
primary: Primary neighbor.
secondary: Secondary neighbor.
option -
health-check SD-WAN health-check name. string Maximum length: 35
sla-id SLA ID. integer Minimum value: 0 Maximum value: 4294967295

config service

Parameter Name Description Type Size
name SD-WAN rule name. string Maximum length: 35
addr-mode Address mode (IPv4 or IPv6).
ipv4: IPv4 mode.
ipv6: IPv6 mode.
option -
input-device <name> Source interface name.
Interface name.
string Maximum length: 79
input-device-negate Enable/disable negation of input device match.
enable: Enable negation of input device match.
disable: Disable negation of input device match.
option -
mode Control how the SD-WAN rule sets the priority of interfaces in the SD-WAN.
auto: Assign interfaces a priority based on quality.
manual: Assign interfaces a priority manually.
priority: Assign interfaces a priority based on the link-cost-factor quality of the interface.
sla: Assign interfaces a priority based on selected SLA settings.
load-balance: Distribute traffic among all available links based on round robin. The ADVPN feature is not supported in this mode.
option -
minimum-sla-meet-members Minimum number of members that meet the SLA. integer Minimum value: 0 Maximum value: 255
hash-mode Hash algorithm for selected priority members for load balance mode.
round-robin: All traffic is distributed to the selected interfaces in equal portions and circular order.
source-ip-based: All traffic from a source IP is sent to the same interface.
source-dest-ip-based: All traffic from a source IP to a destination IP is sent to the same interface.
inbandwidth: All traffic is distributed to the selected interface with the most available bandwidth for incoming traffic.
outbandwidth: All traffic is distributed to the selected interface with the most available bandwidth for outgoing traffic.
bibandwidth: All traffic is distributed to the selected interface with the most available bandwidth for both incoming and outgoing traffic.
option -
role Service role to work with neighbor.
standalone: Standalone service.
primary: Primary service for primary neighbor.
secondary: Secondary service for secondary neighbor.
option -
standalone-action Enable/disable service when selected neighbor role is standalone while service role is not standalone.
enable: Enable service when selected neighbor role is standalone.
disable: Disable service when selected neighbor role is standalone.
option -
quality-link Quality grade. integer Minimum value: 0 Maximum value: 255
tos Type of service bit pattern. user Not Specified
tos-mask Type of service evaluated bits. user Not Specified
protocol Protocol number. integer Minimum value: 0 Maximum value: 255
start-port Start destination port number. integer Minimum value: 0 Maximum value: 65535
end-port End destination port number. integer Minimum value: 0 Maximum value: 65535
route-tag IPv4 route map route-tag. integer Minimum value: 0 Maximum value: 4294967295
dst <name> Destination address name.
Address or address group name.
string Maximum length: 79
dst-negate Enable/disable negation of destination address match.
enable: Enable destination address negation.
disable: Disable destination address negation.
option -
src <name> Source address name.
Address or address group name.
string Maximum length: 79
dst6 <name> Destination address6 name.
Address6 or address6 group name.
string Maximum length: 79
src6 <name> Source address6 name.
Address6 or address6 group name.
string Maximum length: 79
src-negate Enable/disable negation of source address match.
enable: Enable source address negation.
disable: Disable source address negation.
option -
users <name> User name.
User name.
string Maximum length: 79
groups <name> User groups.
Group name.
string Maximum length: 79
internet-service Enable/disable use of Internet service for application-based load balancing.
enable: Enable cloud service to support application-based load balancing.
disable: Disable cloud service to support application-based load balancing.
option -
internet-service-custom <name> Custom Internet service name list.
Custom Internet service name.
string Maximum length: 79
internet-service-custom-group <name> Custom Internet Service group list.
Custom Internet Service group name.
string Maximum length: 79
internet-service-name <name> Internet service name list.
Internet service name.
string Maximum length: 79
internet-service-group <name> Internet Service group list.
Internet Service group name.
string Maximum length: 79
internet-service-app-ctrl <id> Application control based Internet Service ID list.
Application control based Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-app-ctrl-group <name> Application control based Internet Service group list.
Application control based Internet Service group name.
string Maximum length: 79
health-check <name> Health check list.
Health check name.
string Maximum length: 79
link-cost-factor Link cost factor.
latency: Select link based on latency.
jitter: Select link based on jitter.
packet-loss: Select link based on packet loss.
inbandwidth: Select link based on available bandwidth of incoming traffic.
outbandwidth: Select link based on available bandwidth of outgoing traffic.
bibandwidth: Select link based on available bandwidth of bidirectional traffic.
custom-profile-1: Select link based on customized profile.
option -
packet-loss-weight Coefficient of packet-loss in the formula of custom-profile-1. integer Minimum value: 0 Maximum value: 10000000
latency-weight Coefficient of latency in the formula of custom-profile-1. integer Minimum value: 0 Maximum value: 10000000
jitter-weight Coefficient of jitter in the formula of custom-profile-1. integer Minimum value: 0 Maximum value: 10000000
bandwidth-weight Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. integer Minimum value: 0 Maximum value: 10000000
link-cost-threshold Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10). integer Minimum value: 0 Maximum value: 10000000
hold-down-time Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000, default = 0). integer Minimum value: 0 Maximum value: 10000000
dscp-forward Enable/disable forward traffic DSCP tag.
enable: Enable use of forward DSCP tag.
disable: Disable use of forward DSCP tag.
option -
dscp-reverse Enable/disable reverse traffic DSCP tag.
enable: Enable use of reverse DSCP tag.
disable: Disable use of reverse DSCP tag.
option -
dscp-forward-tag Forward traffic DSCP tag. user Not Specified
dscp-reverse-tag Reverse traffic DSCP tag. user Not Specified
priority-members <seq-num> Member sequence number list.
Member sequence number.
integer Minimum value: 0 Maximum value: 4294967295
status Enable/disable SD-WAN service.
enable: Enable SD-WAN service.
disable: Disable SD-WAN service.
option -
gateway Enable/disable SD-WAN service gateway.
enable: Enable SD-WAN service gateway.
disable: Disable SD-WAN service gateway.
option -
default Enable/disable use of SD-WAN as default service.
enable: Enable use of SD-WAN as default service.
disable: Disable use of SD-WAN as default service.
option -
sla-compare-method Method to compare SLA value for SLA mode.
order: Compare SLA value based on the order of health-check.
number: Compare SLA value based on the number of satisfied health-check. Limits health-checks to only configured member interfaces.
option -
tie-break Method of selecting member if more than one meets the SLA.
zone: Use the setting that is configured for the members' zone.
cfg-order: Members that meet the SLA are selected in the order they are configured.
fib-best-match: Members that meet the SLA are selected that match the longest prefix in the routing table.
option -
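The health-check parameters (failtime, recoverytime, probe-count, the per-health-check SLA thresholds) and the rule's sla-compare-method are easier to reason about as a small model. The following is an added example, not Fortinet's code or FortiOS's actual algorithm: the health-check names dns_probe and saas_http, the probe samples, the jitter formula and the exact 'order'/'number' semantics are assumptions made for illustration.

```python
# Added model (not Fortinet code) of how the health-check parameters above interact:
# failtime/recoverytime drive the alive state, probe-count bounds the metric window, and
# 'config sla' thresholds plus sla-compare-method pick the member.  Open details are assumptions.
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Tuple

@dataclass
class HealthCheck:
    """Probe state of one health-check on one SD-WAN member."""
    failtime: int = 5       # lost probes in a row before the server counts as lost
    recoverytime: int = 5   # answered probes in a row before it counts as recovered
    probe_count: int = 30   # most recent probes kept for latency / jitter / loss
    alive: bool = True
    _streak: int = 0        # consecutive results that contradict 'alive'
    _window: List[Optional[float]] = field(default_factory=list)  # RTT in ms, None = lost

    def probe(self, rtt_ms: Optional[float]) -> bool:
        """Record one probe result and return the alive state after it."""
        self._window = (self._window + [rtt_ms])[-self.probe_count:]
        self._streak = self._streak + 1 if (rtt_ms is None) == self.alive else 0
        if self.alive and self._streak >= self.failtime:
            self.alive, self._streak = False, 0
        elif not self.alive and self._streak >= self.recoverytime:
            self.alive, self._streak = True, 0
        return self.alive

    def metrics(self) -> Dict[str, float]:
        """Latency (ms), jitter (ms) and packet loss (%) over the probe window."""
        answered = [r for r in self._window if r is not None]
        loss = 100.0 * self._window.count(None) / len(self._window) if self._window else 100.0
        diffs = [abs(a - b) for a, b in zip(answered, answered[1:])]  # assumption: jitter = mean |dRTT|
        return {"latency": mean(answered) if answered else float("inf"),
                "jitter": mean(diffs) if diffs else 0.0, "packet-loss": loss}

@dataclass
class Sla:
    """One 'config sla' entry: thresholds and the link-cost-factor set it checks."""
    latency_threshold: int = 5      # ms
    jitter_threshold: int = 5       # ms
    packetloss_threshold: int = 0   # percent
    link_cost_factor: Tuple[str, ...] = ("latency", "jitter", "packet-loss")

    def met(self, hc: HealthCheck) -> bool:
        """A lost member never meets the SLA; otherwise each chosen factor must be in range."""
        limit = {"latency": self.latency_threshold, "jitter": self.jitter_threshold,
                 "packet-loss": self.packetloss_threshold}
        m = hc.metrics()
        return hc.alive and all(m[f] <= limit[f] for f in self.link_cost_factor)

def select_member(priority_members: List[int], rule_slas: List[Tuple[str, Sla]],
                  state: Dict[Tuple[str, int], HealthCheck], method: str = "order") -> Optional[int]:
    """Modelled 'mode sla' selection.  order: first member in priority-members order meeting
    every SLA (None if none does).  number: member meeting the most SLAs, earlier wins ties."""
    best, best_score = None, -1
    for seq in priority_members:
        score = sum(sla.met(state[(hc, seq)]) for hc, sla in rule_slas)
        if method == "order" and score == len(rule_slas):
            return seq
        if method == "number" and score > best_score:
            best, best_score = seq, score
    return best if method == "number" else None

def demo() -> Dict[str, object]:
    """Constructed sample (not a capture): members 1 and 2 probed by two health-checks."""
    state = {(hc, seq): HealthCheck(failtime=3, recoverytime=3, probe_count=10)
             for hc in ("dns_probe", "saas_http") for seq in (1, 2)}
    for i in range(10):
        state[("dns_probe", 1)].probe(None if i == 4 else 4.0)      # 1 of 10 lost: breaks 0 % loss SLA
        state[("saas_http", 1)].probe(4.0)
        state[("dns_probe", 2)].probe(8.0)
        state[("saas_http", 2)].probe(14.0 if i % 2 == 0 else 6.0)  # alternating RTT: 8 ms jitter
    rule_slas = [(hc, Sla(latency_threshold=10)) for hc in ("dns_probe", "saas_http")]
    return {"order": select_member([1, 2], rule_slas, state, "order"),
            "number": select_member([1, 2], rule_slas, state, "number"), "state": state}
```

In the constructed scenario neither member meets both SLAs, so 'order' yields no member while 'number' falls back to the first member in priority-members order; that difference is the point of the compare method.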

config duplication

Parameter Name Description Type Size
service-id <id> SD-WAN service rule ID list.
SD-WAN service rule ID.
integer Minimum value: 0 Maximum value: 4294967295
srcaddr <name> Source address or address group names.
Address or address group name.
string Maximum length: 79
dstaddr <name> Destination address or address group names.
Address or address group name.
string Maximum length: 79
srcaddr6 <name> Source address6 or address6 group names.
Address6 or address6 group name.
string Maximum length: 79
dstaddr6 <name> Destination address6 or address6 group names.
Address6 or address6 group name.
string Maximum length: 79
srcintf <name> Incoming (ingress) interfaces or zones.
Interface, zone or SDWAN zone name.
string Maximum length: 79
dstintf <name> Outgoing (egress) interfaces or zones.
Interface, zone or SDWAN zone name.
string Maximum length: 79
service <name> Service and service group name.
Service and service group name.
string Maximum length: 79
packet-duplication Configure packet duplication method.
disable: Disable packet duplication.
force: Duplicate packets across all interface members of the SD-WAN zone.
on-demand: Duplicate packets across all interface members of the SD-WAN zone based on the link quality.
option -
packet-de-duplication Enable/disable discarding of packets that have been duplicated.
enable: Enable discarding of packets that have been duplicated.
disable: Disable discarding of packets that have been duplicated.
option -