Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.8 Administration Guide
    7.2.8
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Duplicate packets on other zone members

    Duplicate packets on other zone members

    When duplication rules are used, packets are duplicated on other good links within the SD-WAN zone and de-duplicated on the destination FortiGate. Use force mode to force duplication on other links within the SD-WAN zone, or use on-demand mode to trigger duplication only when SLA fails on the selected member.

    The duplication rule is configured in the CLI by using the config duplication command. The following options can be configured:

    Parameter

    Description

    srcaddr

    Source address or address group names.

    dstaddr

    Destination address or address group names.

    srcaddr6

    Source IPv6 address or IPv6 address group names.

    dstaddr6

    Destination IPv6 address or IPv6 address group names.

    srcintf

    Incoming (ingress) interfaces or zones.

    dstintf

    Outgoing (egress) interfaces or zones.

    service

    Service and service group names.

    packet-duplication

    Configure packet duplication method.

    • disable: Disable packet duplication (default).
    • force: Duplicate packets across all interface members of the SD-WAN zone.
    • on-demand: Duplicate packets across all interface members of the SD-WAN zone based on the link quality.

    packet-de-duplication

    Enable/disable discarding of packets that have been duplicated (default = disable).

    The duplication-max-num <integer> option under config system sdwan is the maximum number of interface members that a packet is duplicated on in the SD-WAN zone (2 - 4, default = 2). If this value is set to 3, the original packet plus two more copies are created. If there are three member interfaces in the SD-WAN zone and the duplication-max-num is set to 2, the packet duplication follows the configuration order, so the packets are duplicated on the second member.

    Example

    The packet duplication feature works best in a spoke-spoke or hub-and-spoke topology. In this example, a hub-and-spoke ADVPN topology is used. Before shortcuts are established, Hub 1 forwards the duplicate packets from Spoke 1 to Spoke 2. Once shortcuts are established, Hub 1 is transparent, and duplicate packets are exchanged directly between the spokes.

    To configure packet duplication between Spoke 1 and Spoke 2:
    1. Configure Spoke 1:
      config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "sdwanzone_v4"
        next
    end
    config members
        edit 1
            set interface "t1"
            set zone "sdwanzone_v4"
        next
        edit 4
            set interface "t21"
            set zone "sdwanzone_v4"
        next
        edit 2
            set interface "t2"
            set zone "sdwanzone_v4"
        next
    end
    config health-check
        edit "h1"
            set server "10.34.1.1"
            set interval 1000
            set failtime 10
            set members 1 2
            config sla
                edit 1
                    set packetloss-threshold 40
                next
            end
        next
    end
    config duplication
        edit 1
            set srcaddr "all"
            set dstaddr "all"
            set srcintf "port1"
            set dstintf "sdwanzone_v4"
            set service "ALL"
            set packet-duplication force
            set packet-de-duplication enable
        next
    end
end
    2. Configure Spoke 2 with similar settings.
    Previous
    Next

    More Links

    Duplicate packets based on SD-WAN rules

    Duplicate packets on other zone members

    Duplicate packets on other zone members

    When duplication rules are used, packets are duplicated on other good links within the SD-WAN zone and de-duplicated on the destination FortiGate. Use force mode to force duplication on other links within the SD-WAN zone, or use on-demand mode to trigger duplication only when SLA fails on the selected member.

    The duplication rule is configured in the CLI by using the config duplication command. The following options can be configured:

    Parameter

    Description

    srcaddr

    Source address or address group names.

    dstaddr

    Destination address or address group names.

    srcaddr6

    Source IPv6 address or IPv6 address group names.

    dstaddr6

    Destination IPv6 address or IPv6 address group names.

    srcintf

    Incoming (ingress) interfaces or zones.

    dstintf

    Outgoing (egress) interfaces or zones.

    service

    Service and service group names.

    packet-duplication

    Configure packet duplication method.

    • disable: Disable packet duplication (default).
    • force: Duplicate packets across all interface members of the SD-WAN zone.
    • on-demand: Duplicate packets across all interface members of the SD-WAN zone based on the link quality.

    packet-de-duplication

    Enable/disable discarding of packets that have been duplicated (default = disable).

    The duplication-max-num <integer> option under config system sdwan is the maximum number of interface members that a packet is duplicated on in the SD-WAN zone (2 - 4, default = 2). If this value is set to 3, the original packet plus two more copies are created. If there are three member interfaces in the SD-WAN zone and the duplication-max-num is set to 2, the packet duplication follows the configuration order, so the packets are duplicated on the second member.

    Example

    The packet duplication feature works best in a spoke-spoke or hub-and-spoke topology. In this example, a hub-and-spoke ADVPN topology is used. Before shortcuts are established, Hub 1 forwards the duplicate packets from Spoke 1 to Spoke 2. Once shortcuts are established, Hub 1 is transparent, and duplicate packets are exchanged directly between the spokes.

    To configure packet duplication between Spoke 1 and Spoke 2:
    1. Configure Spoke 1:
      config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "sdwanzone_v4"
        next
    end
    config members
        edit 1
            set interface "t1"
            set zone "sdwanzone_v4"
        next
        edit 4
            set interface "t21"
            set zone "sdwanzone_v4"
        next
        edit 2
            set interface "t2"
            set zone "sdwanzone_v4"
        next
    end
    config health-check
        edit "h1"
            set server "10.34.1.1"
            set interval 1000
            set failtime 10
            set members 1 2
            config sla
                edit 1
                    set packetloss-threshold 40
                next
            end
        next
    end
    config duplication
        edit 1
            set srcaddr "all"
            set dstaddr "all"
            set srcintf "port1"
            set dstintf "sdwanzone_v4"
            set service "ALL"
            set packet-duplication force
            set packet-de-duplication enable
        next
    end
end
    2. Configure Spoke 2 with similar settings.
    Previous
    Next