config system sdwan

Configure redundant Internet connections with multiple outbound links and health-check profiles.

config system sdwan

Description: Configure redundant Internet connections with multiple outbound links and health-check profiles.

set status [disable|enable]

set load-balance-mode [source-ip-based|weight-based|...]

set speedtest-bypass-routing [disable|enable]

set duplication-max-num {integer}

set neighbor-hold-down [enable|disable]

set neighbor-hold-down-time {integer}

set neighbor-hold-boot-time {integer}

set fail-detect [enable|disable]

set fail-alert-interfaces <name1>, <name2>, ...

config zone

Description: Configure SD-WAN zones.

edit <name>

set service-sla-tie-break [cfg-order|fib-best-match]

next

end

config members

Description: FortiGate interfaces added to the SD-WAN.

edit <seq-num>

set interface {string}

set zone {string}

set gateway {ipv4-address}

set source {ipv4-address}

set gateway6 {ipv6-address}

set source6 {ipv6-address}

set cost {integer}

set weight {integer}

set priority {integer}

set priority6 {integer}

set spillover-threshold {integer}

set ingress-spillover-threshold {integer}

set volume-ratio {integer}

set status [disable|enable]

set comment {var-string}

next

end

config health-check

Description: SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.

edit <name>

set probe-packets [disable|enable]

set addr-mode [ipv4|ipv6]

set system-dns [disable|enable]

set server {string}

set detect-mode [active|passive|...]

set protocol [ping|tcp-echo|...]

set port {integer}

set quality-measured-method [half-open|half-close]

set security-mode [none|authentication]

set user {string}

set password {password}

set packet-size {integer}

set ha-priority {integer}

set ftp-mode [passive|port]

set ftp-file {string}

set http-get {string}

set http-agent {string}

set http-match {string}

set dns-request-domain {string}

set dns-match-ip {ipv4-address}

set interval {integer}

set probe-timeout {integer}

set failtime {integer}

set recoverytime {integer}

set probe-count {integer}

set diffservcode {user}

set update-cascade-interface [enable|disable]

set update-static-route [enable|disable]

set sla-fail-log-period {integer}

set sla-pass-log-period {integer}

set threshold-warning-packetloss {integer}

set threshold-alert-packetloss {integer}

set threshold-warning-latency {integer}

set threshold-alert-latency {integer}

set threshold-warning-jitter {integer}

set threshold-alert-jitter {integer}

set members <seq-num1>, <seq-num2>, ...

config sla

Description: Service level agreement (SLA).

edit <id>

set link-cost-factor {option1}, {option2}, ...

set latency-threshold {integer}

set jitter-threshold {integer}

set packetloss-threshold {integer}

next

end

next

end

config neighbor

Description: Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.

edit <ip>

set member {integer}

set mode [sla|speedtest]

set role [standalone|primary|...]

set health-check {string}

set sla-id {integer}

next

end

config service

Description: Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.

edit <id>

set name {string}

set addr-mode [ipv4|ipv6]

set input-device <name1>, <name2>, ...

set input-device-negate [enable|disable]

set mode [auto|manual|...]

set minimum-sla-meet-members {integer}

set hash-mode [round-robin|source-ip-based|...]

set role [standalone|primary|...]

set standalone-action [enable|disable]

set quality-link {integer}

set tos {user}

set tos-mask {user}

set protocol {integer}

set start-port {integer}

set end-port {integer}

set route-tag {integer}

set dst <name1>, <name2>, ...

set dst-negate [enable|disable]

set src <name1>, <name2>, ...

set dst6 <name1>, <name2>, ...

set src6 <name1>, <name2>, ...

set src-negate [enable|disable]

set users <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set internet-service [enable|disable]

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set internet-service-name <name1>, <name2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-app-ctrl <id1>, <id2>, ...

set internet-service-app-ctrl-group <name1>, <name2>, ...

set health-check <name1>, <name2>, ...

set link-cost-factor [latency|jitter|...]

set packet-loss-weight {integer}

set latency-weight {integer}

set jitter-weight {integer}

set bandwidth-weight {integer}

set link-cost-threshold {integer}

set hold-down-time {integer}

set dscp-forward [enable|disable]

set dscp-reverse [enable|disable]

set dscp-forward-tag {user}

set dscp-reverse-tag {user}

config sla

Description: Service level agreement (SLA).

edit <health-check>

set id {integer}

next

end

set priority-members <seq-num1>, <seq-num2>, ...

set priority-zone <name1>, <name2>, ...

set status [enable|disable]

set gateway [enable|disable]

set default [enable|disable]

set sla-compare-method [order|number]

set tie-break [zone|cfg-order|...]

set use-shortcut-sla [enable|disable]

next

end

config duplication

Description: Create SD-WAN duplication rule.

edit <id>

set service-id <id1>, <id2>, ...

set srcaddr <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set service <name1>, <name2>, ...

set packet-duplication [disable|force|...]

set packet-de-duplication [enable|disable]

next

end

end

config system sdwan

Parameter

Description

Type

Size

Default

status

Enable/disable SD-WAN.

option

-

disable

 

Option

Description

disable

Disable SD-WAN.

enable

Enable SD-WAN.

load-balance-mode

Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.

option

-

source-ip-based

 

Option

Description

source-ip-based

Source IP load balancing. All traffic from a source IP is sent to the same interface.

weight-based

Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.

usage-based

Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface.

source-dest-ip-based

Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.

measured-volume-based

Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.

speedtest-bypass-routing

Enable/disable bypass routing when speedtest on a SD-WAN member.

option

-

disable

 

Option

Description

disable

Disable SD-WAN.

enable

Enable SD-WAN.

duplication-max-num

Maximum number of interface members a packet is duplicated in the SD-WAN zone .

integer

Minimum value: 2 Maximum value: 4

2

neighbor-hold-down

Enable/disable hold switching from the secondary neighbor to the primary neighbor.

option

-

disable

 

Option

Description

enable

Enable hold switching from the secondary neighbor to the primary neighbor.

disable

Disable hold switching from the secondary neighbor to the primary neighbor.

neighbor-hold-down-time

Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled. .

integer

Minimum value: 0 Maximum value: 10000000

0

neighbor-hold-boot-time

Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start. .

integer

Minimum value: 0 Maximum value: 10000000

0

fail-detect

Enable/disable SD-WAN Internet connection status checking (failure detection).

option

-

disable

 

Option

Description

enable

Enable status checking.

disable

Disable status checking.

fail-alert-interfaces <name>

Physical interfaces that will be alerted.

Physical interface name.

string

Maximum length: 79

config zone

Parameter

Description

Type

Size

Default

service-sla-tie-break

Method of selecting member if more than one meets the SLA.

option

-

cfg-order

 

Option

Description

cfg-order

Members that meet the SLA are selected in the order they are configured.

fib-best-match

Members that meet the SLA are selected that match the longest prefix in the routing table.

config members

Parameter

Description

Type

Size

Default

interface

Interface name.

string

Maximum length: 15

zone

Zone name.

string

Maximum length: 35

virtual-wan-link

gateway

The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.

ipv4-address

Not Specified

0.0.0.0

source

Source IP address used in the health-check packet to the server.

ipv4-address

Not Specified

0.0.0.0

gateway6

IPv6 gateway.

ipv6-address

Not Specified

::

source6

Source IPv6 address used in the health-check packet to the server.

ipv6-address

Not Specified

::

cost

Cost of this interface for services in SLA mode .

integer

Minimum value: 0 Maximum value: 4294967295

0

weight

Weight of this interface for weighted load balancing. More traffic is directed to interfaces with higher weights.

integer

Minimum value: 1 Maximum value: 255

1

priority

Priority of the interface for IPv4 . Used for SD-WAN rules or priority rules.

integer

Minimum value: 0 Maximum value: 65535

0

priority6

Priority of the interface for IPv6 . Used for SD-WAN rules or priority rules.

integer

Minimum value: 1 Maximum value: 65535

1024

spillover-threshold

Egress spillover threshold for this interface . When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.

integer

Minimum value: 0 Maximum value: 16776000

0

ingress-spillover-threshold

Ingress spillover threshold for this interface . When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.

integer

Minimum value: 0 Maximum value: 16776000

0

volume-ratio

Measured volume ratio .

integer

Minimum value: 1 Maximum value: 255

1

status

Enable/disable this interface in the SD-WAN.

option

-

enable

 

Option

Description

disable

Disable this interface in the SD-WAN.

enable

Enable this interface in the SD-WAN.

comment

Comments.

var-string

Maximum length: 255

config health-check

Parameter

Description

Type

Size

Default

probe-packets

Enable/disable transmission of probe packets.

option

-

enable

 

Option

Description

disable

Disable transmission of probe packets.

enable

Enable transmission of probe packets.

addr-mode

Address mode (IPv4 or IPv6).

option

-

ipv4

 

Option

Description

ipv4

IPv4 mode.

ipv6

IPv6 mode.

system-dns

Enable/disable system DNS as the probe server.

option

-

disable

 

Option

Description

disable

Disable system DNS as the probe server.

enable

Enable system DNS as the probe server.

server

IP address or FQDN name of the server.

string

Maximum length: 79

detect-mode

The mode determining how to detect the server.

option

-

active

 

Option

Description

active

The probes are sent actively.

passive

The traffic measures health without probes.

prefer-passive

The probes are sent in case of no new traffic.

protocol

Protocol used to determine if the FortiGate can communicate with the server.

option

-

ping

 

Option

Description

ping

Use PING to test the link with the server.

tcp-echo

Use TCP echo to test the link with the server.

udp-echo

Use UDP echo to test the link with the server.

http

Use HTTP-GET to test the link with the server.

twamp

Use TWAMP to test the link with the server.

dns

Use DNS query to test the link with the server.

tcp-connect

Use a full TCP connection to test the link with the server.

ftp

Use FTP to test the link with the server.

port

Port number used to communicate with the server over the selected protocol .

integer

Minimum value: 0 Maximum value: 65535

0

quality-measured-method

Method to measure the quality of tcp-connect.

option

-

half-open

 

Option

Description

half-open

Measure the round trip between syn and ack.

half-close

Measure the round trip between fin and ack.

security-mode

Twamp controller security mode.

option

-

none

 

Option

Description

none

Unauthenticated mode.

authentication

Authenticated mode.

user

The user name to access probe server.

string

Maximum length: 64

password

Twamp controller password in authentication mode

password

Not Specified

packet-size

Packet size of a twamp test session,

integer

Minimum value: 64 Maximum value: 1024

64

ha-priority

HA election priority .

integer

Minimum value: 1 Maximum value: 50

1

ftp-mode

FTP mode.

option

-

passive

 

Option

Description

passive

The FTP health-check initiates and establishes the data connection.

port

The FTP server initiates and establishes the data connection.

ftp-file

Full path and file name on the FTP server to download for FTP health-check to probe.

string

Maximum length: 254

http-get

URL used to communicate with the server if the protocol if the protocol is HTTP.

string

Maximum length: 1024

/

http-agent

String in the http-agent field in the HTTP header.

string

Maximum length: 1024

Chrome/ Safari/

http-match

Response string expected from the server if the protocol is HTTP.

string

Maximum length: 1024

dns-request-domain

Fully qualified domain name to resolve for the DNS probe.

string

Maximum length: 255

www.example.com

dns-match-ip

Response IP expected from DNS server if the protocol is DNS.

ipv4-address

Not Specified

0.0.0.0

interval

Status check interval in milliseconds, or the time between attempting to connect to the server .

integer

Minimum value: 500 Maximum value: 3600000

500

probe-timeout

Time to wait before a probe packet is considered lost .

integer

Minimum value: 500 Maximum value: 3600000

500

failtime

Number of failures before server is considered lost .

integer

Minimum value: 1 Maximum value: 3600

5

recoverytime

Number of successful responses received before server is considered recovered .

integer

Minimum value: 1 Maximum value: 3600

5

probe-count

Number of most recent probes that should be used to calculate latency and jitter .

integer

Minimum value: 5 Maximum value: 30

30

diffservcode

Differentiated services code point (DSCP) in the IP header of the probe packet.

user

Not Specified

update-cascade-interface

Enable/disable update cascade interface.

option

-

enable

 

Option

Description

enable

Enable update cascade interface.

disable

Disable update cascade interface.

update-static-route

Enable/disable updating the static route.

option

-

enable

 

Option

Description

enable

Enable updating the static route.

disable

Disable updating the static route.

sla-fail-log-period

Time interval in seconds that SLA fail log messages will be generated .

integer

Minimum value: 0 Maximum value: 3600

0

sla-pass-log-period

Time interval in seconds that SLA pass log messages will be generated .

integer

Minimum value: 0 Maximum value: 3600

0

threshold-warning-packetloss

Warning threshold for packet loss .

integer

Minimum value: 0 Maximum value: 100

0

threshold-alert-packetloss

Alert threshold for packet loss .

integer

Minimum value: 0 Maximum value: 100

0

threshold-warning-latency

Warning threshold for latency .

integer

Minimum value: 0 Maximum value: 4294967295

0

threshold-alert-latency

Alert threshold for latency .

integer

Minimum value: 0 Maximum value: 4294967295

0

threshold-warning-jitter

Warning threshold for jitter .

integer

Minimum value: 0 Maximum value: 4294967295

0

threshold-alert-jitter

Alert threshold for jitter .

integer

Minimum value: 0 Maximum value: 4294967295

0

members <seq-num>

Member sequence number list.

Member sequence number.

integer

Minimum value: 0 Maximum value: 4294967295

config sla

Parameter

Description

Type

Size

Default

id

SLA ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

config neighbor

Parameter

Description

Type

Size

Default

member

Member sequence number.

integer

Minimum value: 0 Maximum value: 4294967295

0

mode

What metric to select the neighbor.

option

-

sla

 

Option

Description

sla

Select neighbor based on SLA link quality.

speedtest

Select neighbor based on the speedtest status.

role

Role of neighbor.

option

-

standalone

 

Option

Description

standalone

Standalone neighbor.

primary

Primary neighbor.

secondary

Secondary neighbor.

health-check

SD-WAN health-check name.

string

Maximum length: 35

sla-id

SLA ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

config service

Parameter

Description

Type

Size

Default

name

SD-WAN rule name.

string

Maximum length: 35

addr-mode

Address mode (IPv4 or IPv6).

option

-

ipv4

 

Option

Description

ipv4

IPv4 mode.

ipv6

IPv6 mode.

input-device <name>

Source interface name.

Interface name.

string

Maximum length: 79

input-device-negate

Enable/disable negation of input device match.

option

-

disable

 

Option

Description

enable

Enable negation of input device match.

disable

Disable negation of input device match.

mode

Control how the SD-WAN rule sets the priority of interfaces in the SD-WAN.

option

-

manual

 

Option

Description

auto

Assign interfaces a priority based on quality.

manual

Assign interfaces a priority manually.

priority

Assign interfaces a priority based on the link-cost-factor quality of the interface.

sla

Assign interfaces a priority based on selected SLA settings.

load-balance

Distribute traffic among all available links based on round robin. ADVPN feature is not supported in the mode.

minimum-sla-meet-members

Minimum number of members which meet SLA.

integer

Minimum value: 0 Maximum value: 255

0

hash-mode

Hash algorithm for selected priority members for load balance mode.

option

-

round-robin

 

Option

Description

round-robin

All traffic are distributed to selected interfaces in equal portions and circular order.

source-ip-based

All traffic from a source IP is sent to the same interface.

source-dest-ip-based

All traffic from a source IP to a destination IP is sent to the same interface.

inbandwidth

All traffic are distributed to a selected interface with most available bandwidth for incoming traffic.

outbandwidth

All traffic are distributed to a selected interface with most available bandwidth for outgoing traffic.

bibandwidth

All traffic are distributed to a selected interface with most available bandwidth for both incoming and outgoing traffic.

role

Service role to work with neighbor.

option

-

standalone

 

Option

Description

standalone

Standalone service.

primary

Primary service for primary neighbor.

secondary

Secondary service for secondary neighbor.

standalone-action

Enable/disable service when selected neighbor role is standalone while service role is not standalone.

option

-

disable

 

Option

Description

enable

Enable service when selected neighbor role is standalone.

disable

Disable service when selected neighbor role is standalone.

quality-link

Quality grade.

integer

Minimum value: 0 Maximum value: 255

0

tos

Type of service bit pattern.

user

Not Specified

tos-mask

Type of service evaluated bits.

user

Not Specified

protocol

Protocol number.

integer

Minimum value: 0 Maximum value: 255

0

start-port

Start destination port number.

integer

Minimum value: 0 Maximum value: 65535

1

end-port

End destination port number.

integer

Minimum value: 0 Maximum value: 65535

65535

route-tag

IPv4 route map route-tag.

integer

Minimum value: 0 Maximum value: 4294967295

0

dst <name>

Destination address name.

Address or address group name.

string

Maximum length: 79

dst-negate

Enable/disable negation of destination address match.

option

-

disable

 

Option

Description

enable

Enable destination address negation.

disable

Disable destination address negation.

src <name>

Source address name.

Address or address group name.

string

Maximum length: 79

dst6 <name>

Destination address6 name.

Address6 or address6 group name.

string

Maximum length: 79

src6 <name>

Source address6 name.

Address6 or address6 group name.

string

Maximum length: 79

src-negate

Enable/disable negation of source address match.

option

-

disable

 

Option

Description

enable

Enable source address negation.

disable

Disable source address negation.

users <name>

User name.

User name.

string

Maximum length: 79

groups <name>

User groups.

Group name.

string

Maximum length: 79

internet-service

Enable/disable use of Internet service for application-based load balancing.

option

-

disable

 

Option

Description

enable

Enable cloud service to support application-based load balancing.

disable

Disable cloud service to support application-based load balancing.

internet-service-custom <name>

Custom Internet service name list.

Custom Internet service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group list.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-name <name>

Internet service name list.

Internet service name.

string

Maximum length: 79

internet-service-group <name>

Internet Service group list.

Internet Service group name.

string

Maximum length: 79

internet-service-app-ctrl <id>

Application control based Internet Service ID list.

Application control based Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-app-ctrl-group <name>

Application control based Internet Service group list.

Application control based Internet Service group name.

string

Maximum length: 79

health-check <name>

Health check list.

Health check name.

string

Maximum length: 79

link-cost-factor

Link cost factor.

option

-

latency

 

Option

Description

latency

Select link based on latency.

jitter

Select link based on jitter.

packet-loss

Select link based on packet loss.

inbandwidth

Select link based on available bandwidth of incoming traffic.

outbandwidth

Select link based on available bandwidth of outgoing traffic.

bibandwidth

Select link based on available bandwidth of bidirectional traffic.

custom-profile-1

Select link based on customized profile.

packet-loss-weight

Coefficient of packet-loss in the formula of custom-profile-1.

integer

Minimum value: 0 Maximum value: 10000000

0

latency-weight

Coefficient of latency in the formula of custom-profile-1.

integer

Minimum value: 0 Maximum value: 10000000