
Administration Guide

Implicit rule

SD-WAN rules define specific policy routing options to route traffic to an SD-WAN member. When no explicit SD-WAN rules are defined, or if none of the rules are matched, then the default implicit rule is used.

In an SD-WAN configuration, the default route usually points to the SD-WAN interface, so each active member's gateway is added to the routing table's default route. FortiOS uses equal-cost multipath (ECMP) to balance traffic between the interfaces. One of five load balancing algorithms can be selected:

Source IP (source-ip-based)

Traffic is divided equally between the interfaces, including the SD-WAN interface. Sessions that start at the same source IP address use the same path.

This is the default selection.

Sessions (weight-based)

The workload is distributed based on the number of sessions that are connected through the interface.

The weight that you assign to each interface is used to calculate the percentage of the total sessions that are allowed to connect through an interface, and the sessions are distributed to the interfaces accordingly.

Sessions with the same source and destination IP are forwarded to the same path if the device model and kernel version support route cache. However, this is not guaranteed, and the route cache can be refreshed when network events take place. In most cases where route cache is not supported, sessions with the same source and destination IP are load balanced between the SD-WAN member interfaces.

An interface's weight value cannot be zero.

Spillover (usage-based)

The interface is used until the traffic bandwidth exceeds the ingress and egress thresholds that you set for that interface. Additional traffic is then sent through the next SD-WAN interface member.

Source-Destination IP (source-dest-ip-based)

Traffic is divided equally between the interfaces. Sessions that start at the same source IP address and go to the same destination IP address use the same path.

Volume (measured-volume-based)

The workload is distributed based on the number of packets that are going through the interface.

The volume weight that you assign to each interface is used to calculate the percentage of the total bandwidth that is allowed to go through an interface, and the bandwidth is distributed to the interfaces accordingly.

An interface's volume value cannot be zero.

Note

You cannot exclude an interface from participating in load balancing using the implicit rule. If the weight or volume was set to zero in a previous FortiOS version, the value is treated as one.

Interfaces with static routes can be excluded from ECMP if they are configured with a lower priority than other static routes.
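As an added illustration (not FortiOS code and not part of the guide), the following Python model applies the five load-balance modes to constructed sessions so the difference between hash-based, session-count, measured-volume and spillover selection can be seen. The selection logic is a plausible reconstruction rather than Fortinet's implementation, and the Member, ImplicitRule and distribute names, the wan1/wan2 members and the flows are assumptions of this example.

```python
"""Toy model of the five load-balance modes of the FortiOS implicit SD-WAN rule.

Added illustration only: not FortiOS code. The selection logic is a
reconstruction; member names and flows below are constructed sample data.
"""
import hashlib
from collections import Counter


class Member:
    """One SD-WAN member with the per-member settings the guide describes."""

    def __init__(self, name, weight=1, volume_ratio=1,
                 ingress_threshold=0, egress_threshold=0):
        self.name = name
        # Guide: weight/volume cannot be zero; a legacy zero is treated as one.
        self.weight = max(1, weight)
        self.volume_ratio = max(1, volume_ratio)
        self.ingress_threshold = ingress_threshold  # kbps; 0 = no threshold
        self.egress_threshold = egress_threshold    # kbps; 0 = no threshold
        self.credit = 0        # weighted round-robin counter (sessions mode)
        self.bytes_sent = 0    # running volume (volume mode)
        self.ingress_kbps = 0  # measured load fed in by observe() (spillover)
        self.egress_kbps = 0


class ImplicitRule:
    MODES = ("source-ip-based", "weight-based", "usage-based",
             "source-dest-ip-based", "measured-volume-based")

    def __init__(self, mode, members):
        if mode not in self.MODES:
            raise ValueError(f"unknown load-balance-mode {mode!r}")
        self.mode = mode
        self.members = list(members)

    def observe(self, name, ingress_kbps, egress_kbps):
        """Record the current measured bandwidth of a member (spillover input)."""
        m = next(m for m in self.members if m.name == name)
        m.ingress_kbps, m.egress_kbps = ingress_kbps, egress_kbps

    def _hash_pick(self, key):
        # Stable hash so the same key always lands on the same member.
        digest = hashlib.sha256(key.encode()).digest()
        return self.members[int.from_bytes(digest[:4], "big") % len(self.members)]

    def _session_pick(self):
        # Smooth weighted round-robin: over every sum(weights) picks the split
        # is exactly proportional, e.g. 80:20 over 100 sessions.
        total = sum(m.weight for m in self.members)
        for m in self.members:
            m.credit += m.weight
        chosen = max(self.members, key=lambda m: m.credit)
        chosen.credit -= total
        return chosen

    def _volume_pick(self, size):
        # Send the flow to the member furthest below its share of bytes so far,
        # so a few large flows shift later flows to the other member.
        total_ratio = sum(m.volume_ratio for m in self.members)
        total_bytes = sum(m.bytes_sent for m in self.members) + size
        chosen = min(self.members, key=lambda m: m.bytes_sent / total_bytes
                     - m.volume_ratio / total_ratio)
        chosen.bytes_sent += size
        return chosen

    def _spillover_pick(self):
        # Use members in order; move on once one exceeds either threshold.
        for m in self.members[:-1]:
            over_in = m.ingress_threshold and m.ingress_kbps > m.ingress_threshold
            over_out = m.egress_threshold and m.egress_kbps > m.egress_threshold
            if not (over_in or over_out):
                return m
        return self.members[-1]

    def select(self, src, dst, size=0):
        """Return the member the implicit rule would choose for a new session."""
        if self.mode == "source-ip-based":
            return self._hash_pick(src)
        if self.mode == "source-dest-ip-based":
            return self._hash_pick(f"{src}->{dst}")
        if self.mode == "weight-based":
            return self._session_pick()
        if self.mode == "measured-volume-based":
            return self._volume_pick(size)
        return self._spillover_pick()


def distribute(mode, flows, wan1=None, wan2=None):
    """Run flows of (src, dst, size) through a fresh wan1/wan2 rule; count picks."""
    members = [Member("wan1", **(wan1 or {})), Member("wan2", **(wan2 or {}))]
    rule = ImplicitRule(mode, members)
    return Counter(rule.select(*f).name for f in flows)


if __name__ == "__main__":
    # Constructed flows: 100 sessions from 10 hosts to one server, 1500 bytes each.
    flows = [(f"10.0.0.{i % 10}", "203.0.113.10", 1500) for i in range(100)]
    print("weight-based 80/20:", distribute("weight-based", flows,
                                            wan1={"weight": 80}, wan2={"weight": 20}))
    print("source-ip-based   :", distribute("source-ip-based", flows))
```

Running the script shows the point of the route-cache caveat above: in source-ip-based mode each of the ten hosts is pinned to one member regardless of how many sessions it opens, whereas weight-based mode honours the 80/20 split exactly and ignores where the sessions come from.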

Examples

The following four examples demonstrate how to use the implicit rule (load-balance-mode).

Note

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

Example 1

Outgoing traffic is equally balanced between wan1 and wan2, using source-ip-based or source-dest-ip-based mode.

Using the GUI:
  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN quick start for details.
  2. Go to Network > SD-WAN and select the SD-WAN Rules tab.
  3. Edit the sd-wan rule (the last default rule).
  4. For the Load Balancing Algorithm, select either Source IP or Source-Destination IP.
  5. Click OK.
Using the CLI:
  1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN quick start for details.
  2. Set the load balancing algorithm:

    Source IP based:

    config system sdwan
        set load-balance-mode source-ip-based
    end

    Source-Destination IP based:

    config system sdwan
        set load-balance-mode source-dest-ip-based
    end

Example 2

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using weight-based mode: wan1 runs 80% of the sessions, and wan2 runs 20% of the sessions.

Sessions with the same source and destination IP addresses (src-ip and dst-ip) will be forwarded to the same path, but will still be considered in later session ratio calculations.

Using the GUI:
  1. Go to Network > SD-WAN and select the SD-WAN Rules tab.
  2. Edit the sd-wan rule (the last default rule).
  3. For the Load Balancing Algorithm, select Sessions.
  4. Enter 80 in the wan1 field, and 20 in the wan2 field.
  5. Click OK.
Using the CLI:
config system sdwan
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set weight 80
        next
        edit 2
            set interface "wan2"
            set weight 20
        next
    end
end

Example 3

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using measured-volume-based mode: wan1 runs 80% of the volume, and wan2 runs 20% of the volume.

Using the GUI:
  1. Go to Network > SD-WAN and select the SD-WAN Rules tab.
  2. Edit the sd-wan rule (the last default rule).
  3. For the Load Balancing Algorithm, select Volume.
  4. Enter 80 in the wan1 field, and 20 in the wan2 field.
  5. Click OK.
Using the CLI:
config system sdwan
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set volume-ratio 80
        next
        edit 2
            set interface "wan2"
            set volume-ratio 20
        next
    end
end

Example 4

Load balancing can be used to reduce costs when internet connections are charged at different rates. For example, if wan2 charges based on volume usage and wan1 charges a fixed monthly fee, we can use wan1 at its maximum bandwidth, and use wan2 for overflow.

In this example, wan1's bandwidth is 10 Mbps down and 2 Mbps up. Traffic uses wan1 until it reaches its spillover limit, then it starts to use wan2. Note that auto-asic-offload must be disabled in the firewall policy.

Using the GUI:
  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN quick start for details.
  2. Go to Network > SD-WAN and select the SD-WAN Rules tab.
  3. Edit the sd-wan rule (the last default rule).
  4. For the Load Balancing Algorithm, select Spillover.
  5. Enter 10000 in the wan1 Ingress Spillover Threshold field, and 2000 in the wan1 Egress Spillover Threshold field.
  6. Click OK.
Using the CLI:
config system sdwan
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            set spillover-threshold 2000
            set ingress-spillover-threshold 10000
        next
    end
end
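Putting the four CLI examples together: the following added Python (not Fortinet's code and not part of the guide) parses a config system sdwan block like the ones above into a dictionary and audits the implicit-rule settings against the points the guide makes: source-ip-based is the default mode, a zero weight or volume is treated as one rather than excluding the member, and spillover only happens if a member has a threshold. The parse_fortios and audit_implicit_rule names, the SAMPLE_OK and SAMPLE_BAD configs, and the wording of the findings are assumptions of this example.

```python
"""Parse a FortiOS `config system sdwan` block and audit the implicit rule.

Added example, not Fortinet code. The checks encode only what the guide
states; the SAMPLE_* configs are constructed (SAMPLE_OK mirrors Example 2).
"""
import shlex

SAMPLE_OK = """
config system sdwan
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set weight 80
        next
        edit 2
            set interface "wan2"
            set weight 20
        next
    end
end
"""

# Constructed: a legacy zero weight plus spillover mode with no thresholds.
SAMPLE_BAD = """
config system sdwan
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            set weight 0
        next
        edit 2
            set interface "wan2"
        next
    end
end
"""


def parse_fortios(text):
    """Turn FortiOS CLI text into nested dicts.

    `config ...` and `edit N` open a nested table; `set key value` stores a
    value (quotes stripped); `next` and `end` close the current level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {cmd!r}")
            stack.pop()
        else:
            raise ValueError(f"unsupported command {cmd!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


THRESHOLDS = ("spillover-threshold", "ingress-spillover-threshold")


def audit_implicit_rule(cfg):
    """Return a list of findings about the implicit rule's load balancing."""
    findings = []
    sdwan = cfg.get("system sdwan", {})
    mode = sdwan.get("load-balance-mode", "source-ip-based")  # guide's default
    members = sdwan.get("members", {})
    if len(members) < 2:
        findings.append("fewer than two SD-WAN members: nothing to balance")
    for mid, m in members.items():
        iface = m.get("interface", f"member {mid}")
        for attr in ("weight", "volume-ratio"):
            if m.get(attr) == "0":
                findings.append(f"{iface}: {attr} 0 is treated as 1, not excluded; "
                                "set a real share or use static-route priority")
        if mode == "weight-based" and "weight" not in m:
            findings.append(f"{iface}: weight-based mode but no explicit weight")
        if mode == "measured-volume-based" and "volume-ratio" not in m:
            findings.append(f"{iface}: volume mode but no explicit volume-ratio")
    if mode == "usage-based" and not any(
            t in m for m in members.values() for t in THRESHOLDS):
        findings.append("usage-based mode but no member has a spillover "
                        "threshold; traffic never spills to the next member")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit_implicit_rule(parse_fortios(sample)) or ["no findings"])
```

The parser is deliberately strict (an unknown command or an unbalanced end raises) so that a config dumped from a device and a config hand-edited for a change request are compared on identical structure before the audit runs.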
