
Administration Guide

Use SD-WAN rules for WAN link selection with load balancing

This example covers a use case where a user has multiple WAN links and wants to optimize the WAN link selection and performance while limiting the use of more expensive and bandwidth intensive interfaces, such as 5G or LTE.

In this scenario, the user has three WAN links. The goal is to balance the load between wan1 and wan2; however, wan3, which is quite costly to operate, should only be used if both wan1 and wan2 are unavailable.

This configuration involves the following steps:
  1. Configuring the SD-WAN members

  2. Configuring the manual SD-WAN rule

  3. Configuring a static route

  4. Configuring a firewall policy for SD-WAN

  5. Verifying the configuration

Configuring the SD-WAN members

SD-WAN must be enabled first, and member interfaces must be selected and added to a zone. See Configuring the SD-WAN interface for more information.

To configure the SD-WAN members in the GUI:
  1. Configure the wan1, wan2, and wan3 interfaces (see Interface settings for more details).

    1. Set the wan1 interface IP/Netmask to 172.16.200.1 255.255.255.0.

    2. Set the wan2 interface IP/Netmask to 10.1.100.1 255.255.255.0.

    3. Set the wan3 interface IP/Netmask to 13.13.13.1 255.255.255.0.

  2. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.

  3. Configure the wan1 SD-WAN member:

    1. Set the Interface to wan1.

    2. Leave the SD-WAN Zone as virtual-wan-link.

    3. Set the Gateway to 172.16.200.254.

    4. Set the Status to Enable.

    5. Click OK.

  4. Repeat step 3 for wan2 and wan3.

    1. For wan2, set the Gateway to the ISP’s gateway, 10.1.100.254.

    2. For wan3, set the Gateway to the ISP’s gateway, 13.13.13.254.

To configure the SD-WAN members in the CLI:
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set gateway 172.16.200.254
        next
        edit 2
            set interface "wan2"
            set gateway 10.1.100.254
        next
        edit 3
            set interface "wan3"
            set gateway 13.13.13.254
        next
    end
end

Configuring the manual SD-WAN rule

SD-WAN rules define specific routing options to route traffic to an SD-WAN member. See SD-WAN rules and Manual strategy for more information.

To configure a manual SD-WAN rule in the GUI:
  1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

  2. Configure the following settings:

     Name: test
     Source > Address: all
     Destination > Address: all
     Interface selection strategy: Manual
     Interface preference: wan1, wan2
     Load balancing: Enable this setting.

  3. Configure the other settings as needed.

  4. Click OK.

To configure a manual SD-WAN rule in the CLI:
config system sdwan
    config service
        edit 1
            set name "test"
            set load-balance enable
            set dst "all"
            set src "all"
            set priority-members 1 2
        next
    end
end

Configuring a static route

A default route for SD-WAN must be configured. See Adding a static route for more information.

To configure a static route for SD-WAN in the GUI:
  1. Go to Network > Static Routes and click Create New. The New Static Route page opens.

  2. Set the Destination to Subnet, and leave the IP address and subnet mask as 0.0.0.0/0.0.0.0.

  3. Set the Interface to the SD-WAN zone, virtual-wan-link.

  4. Set the Status to Enabled.

  5. Click OK.

To configure a static route for SD-WAN in the CLI:
config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end

Configuring a firewall policy for SD-WAN

A firewall policy must be configured that allows traffic from the organization's internal network to the SD-WAN zone. See Configuring firewall policies for SD-WAN for more information.

To configure the firewall policy for SD-WAN in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the following settings:

     Name: sd-wan
     Incoming interface: port1
     Outgoing interface: virtual-wan-link
     Source: all
     Destination: all
     Schedule: always
     Service: ALL
     Action: ACCEPT
     NAT: Enable and select NAT.
     IP Pool Configuration: Use Outgoing Interface Address
     Enable this policy: Enable this setting.

  3. Configure the other settings as needed.

  4. Click OK.

To configure the firewall policy for SD-WAN in the CLI:
config firewall policy
    edit 1
        set name "sd-wan"
        set srcintf "port1"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
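The four configuration steps above combine into a simple selection behaviour: the manual rule "test" steers traffic over whichever of its priority members (wan1, wan2) are alive, sharing the load between them, and wan3 is reachable only through the zone default route. The following Python model is an added example, not Fortinet code or FortiOS logic. It assumes, as the rest of this page demonstrates, that a manual rule with no alive member stops steering and the packet falls back to the static default route over the SD-WAN zone, where any remaining alive member carries it; the member numbering mirrors the CLI above.

```python
# Added example: a minimal model of egress selection for the configuration on this
# page (manual rule with priority-members 1 2 and load-balance enabled, plus a
# default route over the SD-WAN zone). This is NOT FortiOS code; the fallback
# behaviour below is an assumption that mirrors the guide's description.

RULE_PRIORITY_MEMBERS = [1, 2]                 # set priority-members 1 2
RULE_LOAD_BALANCE = True                       # set load-balance enable
MEMBERS = {1: "wan1", 2: "wan2", 3: "wan3"}    # config members edit 1 / 2 / 3
EXPENSIVE_LINKS = {"wan3"}                     # the costly 5G/LTE style link


def rule_candidates(alive):
    """Interfaces the manual rule can steer to: its preference members that are alive.

    With load balancing enabled all alive members share traffic (round-robin);
    with it disabled only the first alive member in preference order is used.
    """
    alive_members = [MEMBERS[m] for m in RULE_PRIORITY_MEMBERS
                     if alive.get(MEMBERS[m], False)]
    if not alive_members:
        return []
    return alive_members if RULE_LOAD_BALANCE else alive_members[:1]


def select_egress(alive):
    """Return the list of egress interfaces traffic would use for the given link states.

    Assumption modelled here: when none of the rule's members is alive the rule
    cannot steer, so the packet follows the static default route over the zone
    and any alive zone member (in this scenario wan3) carries it.
    """
    chosen = rule_candidates(alive)
    if chosen:
        return chosen
    return [ifname for ifname in MEMBERS.values() if alive.get(ifname, False)]


def uses_expensive_link(alive):
    """True when the selected egress set touches a costly link (wan3)."""
    return any(ifname in EXPENSIVE_LINKS for ifname in select_egress(alive))


if __name__ == "__main__":
    # Walk through the same link states the verification section of the guide covers.
    for state in ({"wan1": True, "wan2": True, "wan3": True},
                  {"wan1": True, "wan2": False, "wan3": True},
                  {"wan1": False, "wan2": True, "wan3": True},
                  {"wan1": False, "wan2": False, "wan3": True}):
        flag = " (costly link in use)" if uses_expensive_link(state) else ""
        print(state, "->", select_egress(state), flag)
```

Running the model reproduces the expected outcome of the design: wan3 appears in the egress set only when both wan1 and wan2 are down, which is exactly the condition the sniffer check in the verification section confirms on a real unit.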

Verifying the configuration

To verify the SD-WAN member status:
# diagnose sys sdwan member 
Member(1): interface: wan1, flags=0x0 , gateway: 172.16.200.254, priority: 1 1024, weight: 0
Member(2): interface: wan2, flags=0x0 , gateway: 10.1.100.254, priority: 1 1024, weight: 0
Member(3): interface: wan3, flags=0x0 , gateway: 13.13.13.254, priority: 1 1024, weight: 0

To verify the configuration when both wan1 and wan2 are up:
  1. Verify the SD-WAN service rules status:

    # diagnose sys sdwan service
    Service(1): Address Mode(IPV4) flags=0x24200 use-shortcut-sla use-shortcut
     Tie break: cfg
      Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual  hash-mode=round-robin)
      Members(2): 
        1: Seq_num(2 wan2 virtual-wan-link), alive, gid(1), selected
        2: Seq_num(1 wan1 virtual-wan-link), alive, gid(1), selected
      Src address(1): 
            0.0.0.0-255.255.255.255
    
      Dst address(1): 
            0.0.0.0-255.255.255.255

    This output indicates that both wan1 and wan2 are operational.

  2. Verify the policy route list:

    # diagnose firewall proute list
    list route policy info(vf=root):
    
    id=2130706433(0x7f000001) vwl_service=1(test) vwl_mbr_seq=1 2 dscp_tag=0xfc 0xfc flags=0x10 load-balance hash-mode=round-robin  tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any) 
    path(2): oif=3(wan1) num_pass=0, oif=6(wan2) num_pass=0
    source(1): 0.0.0.0-255.255.255.255 
    destination(1): 0.0.0.0-255.255.255.255 
    hit_count=154 last_used=2023-11-09 06:16:

    This output indicates that both wan1 and wan2 are used to steer traffic.

To verify the configuration when wan2 is down and wan1 is up:
  1. Verify the SD-WAN service rules status:

    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x24200 use-shortcut-sla use-shortcut
     Tie break: cfg
      Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual  hash-mode=round-robin)
      Members(2): 
        1: Seq_num(1 wan1 virtual-wan-link), alive, gid(1), selected
        2: Seq_num(2 wan2 virtual-wan-link), dead, gid(1)
      Src address(1): 
            0.0.0.0-255.255.255.255
    
      Dst address(1): 
            0.0.0.0-255.255.255.255

    This output indicates that wan1 is operational, and wan2 is not.

  2. Verify the policy route list:

    # diagnose firewall proute list
    list route policy info(vf=root):
    
    id=2130706433(0x7f000001) vwl_service=1(test) vwl_mbr_seq=1 dscp_tag=0xfc 0xfc flags=0x10 load-balance hash-mode=round-robin  tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any) 
    path(1): oif=3(wan1) num_pass=0
    source(1): 0.0.0.0-255.255.255.255 
    destination(1): 0.0.0.0-255.255.255.255 
    hit_count=482 last_used=2023-11-09 06:27:08

    This output indicates that wan1 is used to steer traffic.

To verify the configuration when wan1 is down and wan2 is up:
  1. Verify the SD-WAN service rules status:

    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x24200 use-shortcut-sla use-shortcut
     Tie break: cfg
      Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual  hash-mode=round-robin)
      Members(2):
        1: Seq_num(2 wan2 virtual-wan-link), alive, gid(1), selected
        2: Seq_num(1 wan1 virtual-wan-link), dead, gid(1)
      Src address(1):
            0.0.0.0-255.255.255.255
    
      Dst address(1):
            0.0.0.0-255.255.255.255

    This output indicates that wan2 is operational, and wan1 is not.

  2. Verify the policy route list:

    # diagnose firewall proute list
    list route policy info(vf=root):
    
    id=2130706433(0x7f000001) vwl_service=1(test) vwl_mbr_seq=2 dscp_tag=0xfc 0xfc flags=0x10 load-balance hash-mode=round-robin  tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
    path(1): oif=6(wan2) num_pass=0
    source(1): 0.0.0.0-255.255.255.255
    destination(1): 0.0.0.0-255.255.255.255
    hit_count=903 last_used=2023-11-09 06:41:55

    This output indicates that wan2 is used to steer traffic.

To verify the configuration when both wan1 and wan2 are down, and traffic is steered using wan3:
# diagnose sniffer packet wan3
Using Original Sniffing Mode
interfaces=[wan3]
filters=[none]
3.144417 13.13.13.1.52665 -> 204.79.197.239.443: 1610731732 ack 236747780 
3.155250 204.79.197.239.443 -> 13.13.13.1.52665: ack 1610731733 
5.047264 13.13.13.1.52613 -> 20.185.212.106.443: 1421254032 ack 3784884456 
5.126008 20.185.212.106.443 -> 13.13.13.1.52613: ack 1421254033

This output indicates that wan3 is used to steer traffic.

To verify the configuration when either wan1 or wan2 is restored, and traffic ceases to be steered through wan3:
  1. Verify the SD-WAN service rules status:

    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x24200 use-shortcut-sla use-shortcut
     Tie break: cfg
      Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual  hash-mode=round-robin)
      Members(2):
        1: Seq_num(1 wan1 virtual-wan-link), alive, gid(1), selected
        2: Seq_num(2 wan2 virtual-wan-link), dead, gid(1)
      Src address(1):
            0.0.0.0-255.255.255.255
    
      Dst address(1):
            0.0.0.0-255.255.255.255

    This output indicates that wan1 is operational.

  2. Verify the policy route list:

    # diagnose firewall proute list
    list route policy info(vf=root):
    
    id=2130706433(0x7f000001) vwl_service=1(test) vwl_mbr_seq=1 dscp_tag=0xfc 0xfc flags=0x10 load-balance hash-mode=round-robin  tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
    path(1): oif=3(wan1) num_pass=0
    source(1): 0.0.0.0-255.255.255.255
    destination(1): 0.0.0.0-255.255.255.255
    hit_count=986 last_used=2023-11-09 06:45:13

    This output indicates that wan1 is used to steer traffic.
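The verification steps above are read by eye; in production the same two diagnostic outputs are worth checking on a schedule, so that a dead member or an unexpected switch to the costly wan3 link is noticed before the bill arrives. The following Python script is an added example, not part of the Fortinet guide, that parses the text of `diagnose sys sdwan service` and `diagnose firewall proute list` and turns them into findings. The sample outputs embedded in it are constructed from the "wan2 is down and wan1 is up" case shown on this page; the regular expressions only rely on the field layout visible in those outputs, and the `expensive` parameter (defaulting to wan3) is an assumption for this scenario.

```python
import re

# Constructed sample output, excerpted from the diagnostics shown on this page
# for the "wan2 down, wan1 up" case. In practice, feed in text captured from the
# FortiGate CLI (for example over SSH) instead of these literals.
SERVICE_OUTPUT = """\
Service(1): Address Mode(IPV4) flags=0x24200 use-shortcut-sla use-shortcut
 Tie break: cfg
  Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual  hash-mode=round-robin)
  Members(2):
    1: Seq_num(1 wan1 virtual-wan-link), alive, gid(1), selected
    2: Seq_num(2 wan2 virtual-wan-link), dead, gid(1)
"""

PROUTE_OUTPUT = """\
list route policy info(vf=root):

id=2130706433(0x7f000001) vwl_service=1(test) vwl_mbr_seq=1 dscp_tag=0xfc 0xfc flags=0x10 load-balance hash-mode=round-robin  tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
path(1): oif=3(wan1) num_pass=0
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=482 last_used=2023-11-09 06:27:08
"""

# One member line: "Seq_num(<seq> <iface> <zone>), alive|dead, gid(<n>)[, selected]"
MEMBER_RE = re.compile(r"Seq_num\((\d+) (\S+) \S+\), (alive|dead), gid\(\d+\)(, selected)?")
# One egress entry on a "path(N):" line: "oif=<ifindex>(<iface>)"
OIF_RE = re.compile(r"oif=\d+\((\S+)\)")


def parse_service_members(text):
    """Map interface name -> {'seq', 'alive', 'selected'} from 'diagnose sys sdwan service'."""
    members = {}
    for m in MEMBER_RE.finditer(text):
        seq, name, state, selected = m.groups()
        members[name] = {"seq": int(seq), "alive": state == "alive",
                         "selected": selected is not None}
    return members


def parse_proute_paths(text):
    """List the egress interfaces installed in the policy route ('diagnose firewall proute list')."""
    paths = []
    for line in text.splitlines():
        if line.startswith("path("):
            paths.extend(OIF_RE.findall(line))
    return paths


def assess(service_text, proute_text, expensive=("wan3",)):
    """Return a list of human-readable findings; an empty list means the rule is healthy.

    Checks: dead members, a rule with no alive member (traffic will fall back to the
    zone default route, i.e. wan3 in this scenario), a policy route with no path,
    a path over a costly link, and a mismatch between selected members and paths.
    """
    members = parse_service_members(service_text)
    paths = parse_proute_paths(proute_text)
    findings = []
    for name, info in members.items():
        if not info["alive"]:
            findings.append(f"member {name} is dead")
    alive_selected = [n for n, i in members.items() if i["alive"] and i["selected"]]
    if not alive_selected:
        findings.append("no alive rule member: traffic falls back to the zone default route (wan3)")
    if not paths:
        findings.append("policy route has no installed path")
    for oif in paths:
        if oif in expensive:
            findings.append(f"policy route steers via costly link {oif}")
    if paths and set(paths) != set(alive_selected):
        findings.append(f"policy route paths {sorted(paths)} differ from "
                        f"selected members {sorted(alive_selected)}")
    return findings


if __name__ == "__main__":
    for finding in assess(SERVICE_OUTPUT, PROUTE_OUTPUT) or ["rule healthy"]:
        print(finding)
```

For the embedded sample the only finding is that wan2 is dead, which matches what the guide reads off the same output. The interesting alarm is the "no alive rule member" one: it fires from the service output alone, before any sniffer capture on wan3 is needed, and is the condition under which the costly link starts carrying traffic.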
