Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.2.10 Administration Guide
    7.2.10
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Best quality strategy

    Best quality strategy

    When using Best Quality mode, SD-WAN will choose the best link to forward traffic by comparing the link-cost-factor. A link-cost factor is a specific metric of participating link(s) (such as, latency, packet loss, and so on) evaluated against a target that you define (such as a health-check server), for example, the latency of WAN1 and WAN2 to your datacenter. Below is a list of link-cost factors available to you:

    GUI

    CLI

    Description

    Latency

    latency

    Select a link based on latency.

    Jitter

    jitter

    Select a link based on jitter.

    Packet Loss

    packet-loss

    Select a link based on packet loss.

    Downstream

    inbandwidth

    Select a link based on available bandwidth of incoming traffic.

    Upstream

    outbandwidth

    Select a link based on available bandwidth of outgoing traffic.

    Bandwidth

    bibandwidth

    Select a link based on available bandwidth of bidirectional traffic.

    Customized profile

    custom-profile-1

    Select link based on customized profile. If selected, set the following weights:

    • packet-loss-weight: Coefficient of packet-loss.
    • latency-weight: Coefficient of latency.
    • jitter-weight: Coefficient of jitter.
    • bandwidth-weight: Coefficient of reciprocal of available bidirectional bandwidth.

    Although SD-WAN intelligence selects the best quality link according to the selected metric, by default a preference or advantage is given to the first configured SD-WAN member. This default is 10% and may be configured with the CLI command set link-cost-threshold 10.

    Example of how link-cost-threshold works:

    config system sdwan
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
    end
    config service
        edit 1
            set name "Best_Quality"
            set mode priority
            set priority-members 2 1
            set dst "DC_net"
            set health-check “DC_HealthCheck”
            set link-cost-factor latency
            set link-cost-threshold 10
        next 
    end
end

    In this example both WAN1 and WAN2 are assumed to have 200ms latency to the health-check server named DC_HealthCheck. Because WAN2 is specified before WAN1 in priority-members, SD-WAN parses the two interfaces metric as follows:

    • WAN1: 200ms
    • WAN2: 200ms / (1+10%) = ~182ms

    As a result, WAN2 is selected because the latency is lower.

    If the Downstream (inbandwidth), Upstream (outbandwidth), or Bandwidth (bibandwidth) quality criteria is used, the FortiGate uses the upstream and downstream bandwidth values configured on the member interfaces to calculate bandwidth.

    The interface bandwidth configuration can be done manually, or the interface speedtest can be used to populate the bandwidth values based on the speedtest results. See GUI speed test for details.

    To manually configure the upstream and downstream interface bandwidth values:
    config system interface
    edit <interface>
        set estimated-upstream-bandwidth <speed in kbps>
        set estimated-downstream-bandwidth <speed in kbps>
    next
end

    Example

    In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet, and you want Gmail services to use the link with the least latency.

    To configure an SD-WAN rule to use Best Quality:

    1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN quick start for more details.

    2. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.

    3. Enter a name for the performance SLA, such as google, and set the Server to google.com. See Health checks for more details.

    4. Click OK.

    5. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    6. Enter a name for the rule, such as gmail.

    7. Configure the following settings:

      Internet Service

      Google-Gmail

      Strategy

      Best Quality

      Interface preference

      wan1 and wan2

      Measured SLA

      google

      Quality criteria

      Latency

    8. Click OK.

    To configure an SD-WAN rule to use priority:
    config system sdwan
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode priority
            set internet-service enable
            set internet-service-id 65646
            set health-check "google"
            set link-cost-factor latency
            set priority-members 1 2
        next
    end
end
    To diagnose the Performance SLA status:
    FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys sdwan service 1
Service(1):

    TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), link-cost-facotr(latency), link-cost-threshold(10), health-check(google) Members:

        1: Seq_num(2), alive, latency: 12.633, selected
        2: Seq_num(1), alive, latency: 14.563, selected

    Internet Service: Google-Gmail(65646)

    As wan2 has a smaller latency, SD-WAN will put Seq_num(2) on top of Seq_num(1) and wan2 will be used to forward Gmail traffic.

    Previous
    Next

    More Links

    GUI speed test

    Best quality strategy

    Best quality strategy

    When using Best Quality mode, SD-WAN will choose the best link to forward traffic by comparing the link-cost-factor. A link-cost factor is a specific metric of participating link(s) (such as, latency, packet loss, and so on) evaluated against a target that you define (such as a health-check server), for example, the latency of WAN1 and WAN2 to your datacenter. Below is a list of link-cost factors available to you:

    GUI

    CLI

    Description

    Latency

    latency

    Select a link based on latency.

    Jitter

    jitter

    Select a link based on jitter.

    Packet Loss

    packet-loss

    Select a link based on packet loss.

    Downstream

    inbandwidth

    Select a link based on available bandwidth of incoming traffic.

    Upstream

    outbandwidth

    Select a link based on available bandwidth of outgoing traffic.

    Bandwidth

    bibandwidth

    Select a link based on available bandwidth of bidirectional traffic.

    Customized profile

    custom-profile-1

    Select link based on customized profile. If selected, set the following weights:

    • packet-loss-weight: Coefficient of packet-loss.
    • latency-weight: Coefficient of latency.
    • jitter-weight: Coefficient of jitter.
    • bandwidth-weight: Coefficient of reciprocal of available bidirectional bandwidth.

    Although SD-WAN intelligence selects the best quality link according to the selected metric, by default a preference or advantage is given to the first configured SD-WAN member. This default is 10% and may be configured with the CLI command set link-cost-threshold 10.

    Example of how link-cost-threshold works:

    config system sdwan
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
    end
    config service
        edit 1
            set name "Best_Quality"
            set mode priority
            set priority-members 2 1
            set dst "DC_net"
            set health-check “DC_HealthCheck”
            set link-cost-factor latency
            set link-cost-threshold 10
        next 
    end
end

    In this example both WAN1 and WAN2 are assumed to have 200ms latency to the health-check server named DC_HealthCheck. Because WAN2 is specified before WAN1 in priority-members, SD-WAN parses the two interfaces metric as follows:

    • WAN1: 200ms
    • WAN2: 200ms / (1+10%) = ~182ms

    As a result, WAN2 is selected because the latency is lower.

    If the Downstream (inbandwidth), Upstream (outbandwidth), or Bandwidth (bibandwidth) quality criteria is used, the FortiGate uses the upstream and downstream bandwidth values configured on the member interfaces to calculate bandwidth.

    The interface bandwidth configuration can be done manually, or the interface speedtest can be used to populate the bandwidth values based on the speedtest results. See GUI speed test for details.

    To manually configure the upstream and downstream interface bandwidth values:
    config system interface
    edit <interface>
        set estimated-upstream-bandwidth <speed in kbps>
        set estimated-downstream-bandwidth <speed in kbps>
    next
end

    Example

    In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet, and you want Gmail services to use the link with the least latency.

    To configure an SD-WAN rule to use Best Quality:

    1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN quick start for more details.

    2. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.

    3. Enter a name for the performance SLA, such as google, and set the Server to google.com. See Health checks for more details.

    4. Click OK.

    5. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    6. Enter a name for the rule, such as gmail.

    7. Configure the following settings:

      Internet Service

      Google-Gmail

      Strategy

      Best Quality

      Interface preference

      wan1 and wan2

      Measured SLA

      google

      Quality criteria

      Latency

    8. Click OK.

    To configure an SD-WAN rule to use priority:
    config system sdwan
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode priority
            set internet-service enable
            set internet-service-id 65646
            set health-check "google"
            set link-cost-factor latency
            set priority-members 1 2
        next
    end
end
    To diagnose the Performance SLA status:
    FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys sdwan service 1
Service(1):

    TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), link-cost-facotr(latency), link-cost-threshold(10), health-check(google) Members:

        1: Seq_num(2), alive, latency: 12.633, selected
        2: Seq_num(1), alive, latency: 14.563, selected

    Internet Service: Google-Gmail(65646)

    As wan2 has a smaller latency, SD-WAN will put Seq_num(2) on top of Seq_num(1) and wan2 will be used to forward Gmail traffic.

    Previous
    Next