Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.2 Administration Guide
    7.0.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    SD-WAN configuration portability

    SD-WAN configuration portability

    When configuring SD-WAN, adding interfaces to members is optional.

    This allows the SD-WAN to be configured without associating any interfaces to SD-WAN members. It also allows a configuration to be copied directly from one device to another, without requiring the devices to have interfaces with the same names.

    After the configuration is created, add interfaces to the members make it functional.

    Example 1

    In this example, we create a template with two SD-WAN members configured without assigned interfaces that are used in a performance SLA and SD-WAN rule. The template can be used to configure new devices, as in Example 2. Interfaces are then assigned to the members, and the configuration becomes active.

    To create the SD-WAN members in the GUI:
    1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
    2. Leave all the settings set to their default values and click OK.

    3. Repeat the above steps to create a second member.

      The empty members are listed on the SD-WAN Zones tab.

      The members are disabled until interfaces are configured, but can still be used in performance SLAs and SD-WAN rules.

    To create a performance SLA in the GUI:
    1. Go to Network > SD-WAN and select the Performance SLAs tab.
    2. Click Create New.
    3. Configure the performance SLA, specifying the empty members as participants.

    4. Click OK.
    To create an SD-WAN rule in the GUI:
    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
    2. Configure the rule, adding both members to the Interface preference field:

    3. Click OK.
    To assign interfaces to the SD-WAN members in the GUI:
    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.
    2. Edit the first member
    3. Set Interface to an actual interface.

    4. Click OK.
    5. Repeat the above steps to assign an interface to the second member.
    To configure the SD-WAN in the CLI:
    1. Create SD-WAN members:
      config system sdwan
    set status enable
    config members
        edit 1
        next
        edit 2
        next
    end
end
    2. Create a health check (performance SLA):
      config system sdwan
    config health-check
        edit "office"
            set server "office365.com"
            set protocol http
            set sla-fail-log-period 300
            set sla-pass-log-period 300
            set members 2 1
            config sla
                edit 1
                    set latency-threshold 300
                    set jitter-threshold 200
                next
                edit 2
                    set link-cost-factor latency
                    set latency-threshold 20
                next
            end
        next
    end
end
    3. Create a service (rule):
      config system sdwan
    config service
        edit 3
            set name "Office365"
            set mode sla
            set internet-service enable
            set internet-service-app-ctrl 33182
            config sla
                edit "office"
                    set id 2
                next
            end
            set priority-members 1 2
        next
    end
end

      The SD-WAN configuration can now be used in as a template for new spokes, as in Example 2.

    To assign interfaces to the SD-WAN members in the CLI:
    config system sdwan
    config members
        edit 1
            set interface "_OCVPN4-0.0"
        next
        edit 2
            set interface "_OCVPN4-0.1"
        next
    end
end
    Note

    If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

    Example 2

    In this example, the configuration from Example 1 is copied onto a new FortiGate.

    Using the CLI console and the GUI

    To copy the SD-WAN configuration from the original FortiGate:
    1. Optionally, change the console screen paging setting. See Screen paging for details.
    2. Open the CLI console.
    3. If necessary, click Clear console to empty the console.
    4. Enter the following command:

      show system sdwan

    5. Either click Download and open the file in a text editor, or click Copy to clipboard and paste the content into a text editor.

    6. Edit the CLI configuration as necessary. For example, the first line that shows the show command should be deleted, and the default health checks can be removed.
    7. If required, save the CLI configuration as a text file.
    To paste the SD-WAN configuration onto a new FortiGate:
    1. Copy the SD-WAN configuration from the text editor.
    2. On the new FortiGate, open the CLI console.
    3. Press Ctrl + v to paste the CLI commands.
    4. In necessary, press Enter to apply the last end command.

      The SD-WAN configuration is copied to the new FortiGate.

      If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces are configured.

    To assign interfaces to the SD-WAN members:
    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.
    2. Edit the first member
    3. Set Interface to an actual interface.
    4. Click OK.
    5. Repeat the above steps to assign an interface to the second member.

    Using a terminal emulator

    The following instructions use PuTTy. The steps may vary in other terminal emulators.

    To copy the SD-WAN configuration from the original FortiGate:
    1. Connect to the FortiGate. See Connecting to the CLI for details.
    2. Enter the following command:

      show system sdwan

    3. Select the output, press Ctrl + c to copy it, and then paste it into a text editor.
    4. Edit the CLI configuration as necessary. For example, the default health checks can be removed.
    5. If required, save the CLI configuration as a text file.
    To paste the SD-WAN configuration onto a new FortiGate:
    1. Connect to the new FortiGate. See Connecting to the CLI for details.
    2. Copy the SD-WAN configuration from the text editor.
    3. Right-click to paste the SD-WAN configuration.
    4. In necessary, press Enter to apply the last end command.

      The SD-WAN configuration is copied to the new FortiGate.

      If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces are configured.

    To assign interfaces to the SD-WAN members in the CLI:
    config system sdwan
    config members
        edit 1
            set interface "_OCVPN4-0.0"
        next
        edit 2
            set interface "_OCVPN4-0.1"
        next
    end
end
    Note

    If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.
    Previous
    Next

    More Links

    Configuring the SD-WAN interface

    SD-WAN configuration portability

    SD-WAN configuration portability

    When configuring SD-WAN, adding interfaces to members is optional.

    This allows the SD-WAN to be configured without associating any interfaces to SD-WAN members. It also allows a configuration to be copied directly from one device to another, without requiring the devices to have interfaces with the same names.

    After the configuration is created, add interfaces to the members make it functional.

    Example 1

    In this example, we create a template with two SD-WAN members configured without assigned interfaces that are used in a performance SLA and SD-WAN rule. The template can be used to configure new devices, as in Example 2. Interfaces are then assigned to the members, and the configuration becomes active.

    To create the SD-WAN members in the GUI:
    1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
    2. Leave all the settings set to their default values and click OK.

    3. Repeat the above steps to create a second member.

      The empty members are listed on the SD-WAN Zones tab.

      The members are disabled until interfaces are configured, but can still be used in performance SLAs and SD-WAN rules.

    To create a performance SLA in the GUI:
    1. Go to Network > SD-WAN and select the Performance SLAs tab.
    2. Click Create New.
    3. Configure the performance SLA, specifying the empty members as participants.

    4. Click OK.
    To create an SD-WAN rule in the GUI:
    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
    2. Configure the rule, adding both members to the Interface preference field:

    3. Click OK.
    To assign interfaces to the SD-WAN members in the GUI:
    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.
    2. Edit the first member
    3. Set Interface to an actual interface.

    4. Click OK.
    5. Repeat the above steps to assign an interface to the second member.
    To configure the SD-WAN in the CLI:
    1. Create SD-WAN members:
      config system sdwan
    set status enable
    config members
        edit 1
        next
        edit 2
        next
    end
end
    2. Create a health check (performance SLA):
      config system sdwan
    config health-check
        edit "office"
            set server "office365.com"
            set protocol http
            set sla-fail-log-period 300
            set sla-pass-log-period 300
            set members 2 1
            config sla
                edit 1
                    set latency-threshold 300
                    set jitter-threshold 200
                next
                edit 2
                    set link-cost-factor latency
                    set latency-threshold 20
                next
            end
        next
    end
end
    3. Create a service (rule):
      config system sdwan
    config service
        edit 3
            set name "Office365"
            set mode sla
            set internet-service enable
            set internet-service-app-ctrl 33182
            config sla
                edit "office"
                    set id 2
                next
            end
            set priority-members 1 2
        next
    end
end

      The SD-WAN configuration can now be used in as a template for new spokes, as in Example 2.

    To assign interfaces to the SD-WAN members in the CLI:
    config system sdwan
    config members
        edit 1
            set interface "_OCVPN4-0.0"
        next
        edit 2
            set interface "_OCVPN4-0.1"
        next
    end
end
    Note

    If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

    Example 2

    In this example, the configuration from Example 1 is copied onto a new FortiGate.

    Using the CLI console and the GUI

    To copy the SD-WAN configuration from the original FortiGate:
    1. Optionally, change the console screen paging setting. See Screen paging for details.
    2. Open the CLI console.
    3. If necessary, click Clear console to empty the console.
    4. Enter the following command:

      show system sdwan

    5. Either click Download and open the file in a text editor, or click Copy to clipboard and paste the content into a text editor.

    6. Edit the CLI configuration as necessary. For example, the first line that shows the show command should be deleted, and the default health checks can be removed.
    7. If required, save the CLI configuration as a text file.
    To paste the SD-WAN configuration onto a new FortiGate:
    1. Copy the SD-WAN configuration from the text editor.
    2. On the new FortiGate, open the CLI console.
    3. Press Ctrl + v to paste the CLI commands.
    4. In necessary, press Enter to apply the last end command.

      The SD-WAN configuration is copied to the new FortiGate.

      If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces are configured.

    To assign interfaces to the SD-WAN members:
    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.
    2. Edit the first member
    3. Set Interface to an actual interface.
    4. Click OK.
    5. Repeat the above steps to assign an interface to the second member.

    Using a terminal emulator

    The following instructions use PuTTy. The steps may vary in other terminal emulators.

    To copy the SD-WAN configuration from the original FortiGate:
    1. Connect to the FortiGate. See Connecting to the CLI for details.
    2. Enter the following command:

      show system sdwan

    3. Select the output, press Ctrl + c to copy it, and then paste it into a text editor.
    4. Edit the CLI configuration as necessary. For example, the default health checks can be removed.
    5. If required, save the CLI configuration as a text file.
    To paste the SD-WAN configuration onto a new FortiGate:
    1. Connect to the new FortiGate. See Connecting to the CLI for details.
    2. Copy the SD-WAN configuration from the text editor.
    3. Right-click to paste the SD-WAN configuration.
    4. In necessary, press Enter to apply the last end command.

      The SD-WAN configuration is copied to the new FortiGate.

      If the interfaces do not exist, the SD-WAN members are created without interfaces, and are disabled until interfaces are configured.

    To assign interfaces to the SD-WAN members in the CLI:
    config system sdwan
    config members
        edit 1
            set interface "_OCVPN4-0.0"
        next
        edit 2
            set interface "_OCVPN4-0.1"
        next
    end
end
    Note

    If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.
    Previous
    Next