
SD-WAN Deployment for MSSPs

Best-route mode for SD-WAN


Rule #2 guarantees that, by default, SD-WAN rules will not select a member that does not have a valid route to the destination. However, as we have explicitly highlighted, SD-WAN rules by default look for any valid route through the member in question, even if that route is not the best route that exists in the routing table.

To be even more precise, the SD-WAN rules look for the best available route via the member in question (even if it is not the best available route globally).

For example, imagine that the SD-WAN receives a session destined to 10.4.1.1. The matched SD-WAN rule must select between the members (in the order of preference): H1_MPLS, H2_MPLS, and H3_MPLS. Consider the following routing table snippet:

S*  0.0.0.0/0  [1/0] via 192.2.0.2, port1, [1/1]
               [1/0] via H1_MPLS tunnel 172.16.1.5, [10/1]
               [1/0] via H2_MPLS tunnel 172.16.2.5, [10/1]
               [1/0] via H3_MPLS tunnel 172.16.3.5, [10/1]

B  10.4.1.0/24 [200/0] via 10.200.1.2 (recursive via H3_MPLS tunnel 172.16.3.5)     

Clearly, the best route to our destination is the route towards 10.4.1.0/24 through H3_MPLS. But will the SD-WAN select this member?

According to rule #2, the answer is: not by default. The SD-WAN rule checks the members in the order of preference, and for each member, it looks for the best route to the destination through that member.

What is the best route towards 10.4.1.1 through H1_MPLS? Does it exist? Yes, it's the default route!
It is a perfectly valid route, so the H1_MPLS overlay will be selected, provided that it does not violate the configured SLA target.

If this is not the desired behavior, we can instruct the SD-WAN rule to consider only the routes that are the best routes globally, by configuring the advanced option tie-break fib-best-match:

Adding this option to the rule in the above example guarantees the selection of H3_MPLS.
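
The selection logic described above can be traced with a small model. This is an added example, not FortiOS code or Fortinet's implementation: it uses the routing table from this page, assumes every member meets its SLA target, and compares routes by prefix length only. The function names and the `fib_best_match` parameter are hypothetical.

```python
import ipaddress

# Routing table from the example above, as (prefix, member) pairs.
# The recursive BGP route to 10.4.1.0/24 resolves via H3_MPLS.
ROUTES = [
    ("0.0.0.0/0", "port1"),
    ("0.0.0.0/0", "H1_MPLS"),
    ("0.0.0.0/0", "H2_MPLS"),
    ("0.0.0.0/0", "H3_MPLS"),
    ("10.4.1.0/24", "H3_MPLS"),
]

# Members in the rule's order of preference.
PREFERENCE = ["H1_MPLS", "H2_MPLS", "H3_MPLS"]


def best_prefix_len(dst, member=None):
    """Longest matching prefix length for dst, optionally via one member only.
    Returns None when no route matches."""
    addr = ipaddress.ip_address(dst)
    lens = [
        ipaddress.ip_network(prefix).prefixlen
        for prefix, via in ROUTES
        if addr in ipaddress.ip_network(prefix) and (member is None or via == member)
    ]
    return max(lens) if lens else None


def select_member(dst, preference, fib_best_match=False):
    """Simplified model of member selection (all members assumed within SLA)."""
    global_best = best_prefix_len(dst)
    for member in preference:
        via_member = best_prefix_len(dst, member)
        if via_member is None:
            continue  # rule #2: no valid route through this member
        if fib_best_match and via_member != global_best:
            continue  # this member's route is not the best route globally
        return member
    return None


if __name__ == "__main__":
    print("default:       ", select_member("10.4.1.1", PREFERENCE))
    print("fib-best-match:", select_member("10.4.1.1", PREFERENCE, fib_best_match=True))
```

For a destination covered only by the default route, both modes return the first preferred member, because every member's best route is also the best route globally.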
