
Administration Guide


Configuring SD-WAN rules

Configure SD-WAN rules to govern the steering of DSCP tag-based traffic to the appropriate interfaces. Traffic will be steered based on the Criteria configured as part of the SD-WAN rules configuration.

In our example, we configured three different SD-WAN rules to govern DSCP tagged traffic. We have one SD-WAN rule each for VoIP traffic, social media traffic (Facebook in this case), and all other web traffic. VoIP traffic is always steered to either of the two overlay SD-WAN zones - VPN_A_tunnel(Branch-HQ-A) or VPN_B_tunnel(Branch-HQ-B). Similarly, social media traffic and other web traffic is always steered to either of the two underlay SD-WAN zones - Internet_A(port1) or Internet_B(port5). The interface that is preferred by the system over another depends upon the Criteria configured in the SD-WAN rule definition.

We configured the following SD-WAN rules:

SD-WAN rule for VoIP traffic

To configure the SD-WAN rule for DSCP tagged VoIP traffic using the CLI:

FortiGate # config sys sdwan
    config service
        edit 5
            set name "VoIP-Steer"
            set mode priority
            set tos 0x70
            set tos-mask 0xf0
            set dst "all"
            set health-check "Default_DNS"
            set link-cost-factor jitter
            set priority-members 4 3
        next
    end
end

The VoIP-Steer SD-WAN rule configured above governs the DSCP tagged VoIP traffic.

DSCP values are 6-bit binary numbers that sit in the high-order bits of the 8-bit ToS byte, so they are padded with two zero bits at the end. In this example, VoIP traffic with DSCP tag 011100 therefore becomes 01110000, which is written in hexadecimal as 0x70 and used as the tos (Type of Service bit pattern) value. The tos-mask (Type of Service evaluated bits) value of 0xf0 (binary 11110000) selects the four most significant bits of the tos value for comparison, so the first four bits of the tos (0111) are matched against the first four bits of the DSCP tag in the policy above. Only the bit positions set to one in the tos-mask are compared; the bit positions set to zero in the tos-mask are ignored, so any DSCP tag that begins with 0111 matches this rule.

We used the Best Quality strategy to define the Criteria to select the preferred interface from the overlay SD-WAN zone. With the Best Quality strategy selected, the interface with the best measured performance is selected. The system prefers the interface with the least Jitter.

(Screenshot: SD-WAN rule for VoIP traffic)

To know more about configuring SD-WAN rules with the Best Quality strategy, refer to the Best quality strategy section.

SD-WAN rule for social media traffic

To configure the SD-WAN rule for DSCP tagged social media traffic using the CLI:

FortiGate # config sys sdwan
    config service
        edit 3
            set name "Facebook-DSCP-steer"
            set tos 0x30
            set tos-mask 0xf0
            set dst "all"
            set priority-members 2 1
        next
    end
end

The Facebook-DSCP-steer SD-WAN rule configured above governs the DSCP tagged social media traffic.

DSCP values are 6-bit binary numbers that sit in the high-order bits of the 8-bit ToS byte, so they are padded with two zero bits at the end. In this example, social media traffic with DSCP tag 001100 therefore becomes 00110000, which is written in hexadecimal as 0x30 and used as the tos (Type of Service bit pattern) value. The tos-mask (Type of Service evaluated bits) value of 0xf0 (binary 11110000) selects the four most significant bits of the tos value for comparison, so the first four bits of the tos (0011) are matched against the first four bits of the DSCP tag in the policy above. Only the bit positions set to one in the tos-mask are compared; the bit positions set to zero in the tos-mask are ignored, so any DSCP tag that begins with 0011 matches this rule.
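The tos / tos-mask comparison described for the VoIP-Steer and Facebook-DSCP-steer rules above, as an added Python model that is not part of the Fortinet guide: it pads a 6-bit DSCP value into the ToS byte, applies the mask the way the text describes, and lists which DSCP tags each rule actually accepts. The rule evaluation order (VoIP, then Facebook, then the catch-all All-traffic rule) and the masked-equality semantics are assumptions for the example, not statements from the page.

```python
# Added example (not from the Fortinet guide). Assumed match semantics:
# a rule matches when (packet_tos & tos_mask) == (rule_tos & tos_mask).

def dscp_to_tos(dscp: int) -> int:
    """Pad a 6-bit DSCP value with two trailing zero bits to get the 8-bit ToS byte."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP must fit in 6 bits")
    return dscp << 2

def tos_matches(packet_tos: int, rule_tos: int, tos_mask: int) -> bool:
    """Compare only the bit positions set to one in tos_mask; zero positions are ignored."""
    return (packet_tos & tos_mask) == (rule_tos & tos_mask)

# The three rules from this page. Evaluation order is assumed; the page does not
# state the list order. tos=None models a rule with no ToS criteria (matches any marking).
RULES = [
    ("VoIP-Steer", 0x70, 0xF0),
    ("Facebook-DSCP-steer", 0x30, 0xF0),
    ("All-traffic", None, None),
]

def first_matching_rule(packet_tos: int, rules=RULES) -> str:
    """Return the name of the first rule whose ToS criteria the packet satisfies."""
    for name, rule_tos, mask in rules:
        if rule_tos is None or tos_matches(packet_tos, rule_tos, mask):
            return name
    return "no-match"

def matching_dscps(rule_tos: int, tos_mask: int) -> list:
    """All 6-bit DSCP values that a rule's tos / tos-mask pair would accept."""
    return [d for d in range(64) if tos_matches(dscp_to_tos(d), rule_tos, tos_mask)]

if __name__ == "__main__":
    # Constructed sample markings: the two DSCP tags from the page plus two neighbours.
    for dscp in (0b011100, 0b011110, 0b001100, 0b000000):
        tos = dscp_to_tos(dscp)
        print(f"DSCP {dscp:06b} -> tos 0x{tos:02x} -> {first_matching_rule(tos)}")
    # With tos-mask 0xf0 only the top four bits are evaluated, so four DSCP values
    # match each rule; a mask of 0xfc would pin the match to the single DSCP value.
    print(matching_dscps(0x70, 0xF0))  # [28, 29, 30, 31]
    print(matching_dscps(0x70, 0xFC))  # [28]
```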

We used a manual strategy to select the preferred interface from the underlay SD-WAN zone. We manually selected Internet_B(port5) as the preferred interface, so all social media traffic is steered to it.

(Screenshot: SD-WAN rule for social media traffic)

To know more about configuring SD-WAN rules with static application steering with a manual strategy, refer to the Static application steering with a manual strategy section.

SD-WAN rule for other web traffic

To configure the SD-WAN rule for all other web traffic using the CLI:

FortiGate # config sys sdwan
    config service
        edit 2
            set name "All-traffic"
            set mode sla
            set dst "all"
            config sla
                edit "Default_DNS"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

The All-traffic SD-WAN rule configured above governs all other web traffic.

We used the Lowest Cost (SLA) strategy to define the Criteria to select the preferred interface from the underlay SD-WAN zone. With the Lowest Cost (SLA) strategy selected, the interface that meets the defined Performance SLA targets (Default_DNS in our case) is selected. When there is a tie, the interface with the lowest assigned Cost (Internet_A(port1) in our case) is selected.

(Screenshot: SD-WAN rule for all other web traffic)

To know more about configuring SD-WAN rules with the Lowest Cost (SLA) strategy, refer to the Lowest cost (SLA) strategy section.

Once configured, verify your SD-WAN rules by navigating to Network > SD-WAN Rules:

(Screenshot: SD-WAN rules configurations)
