SD-WAN templates
Create an SD-WAN template with the required network parameters. Create the interface member and health-check servers before adding them to the SD-WAN template. See Interface members and Health-Check Servers.
To create a new SD-WAN template:
- Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
- Enter the following information and click OK to create the new SD-WAN template:
Name
Enter the name of the template.
Description
Enter a description of the template.
SD-WAN Status
Select On or Off.
Interface Members
Interface members can be added, edited, and removed. An interface member must be created before it can be added to a template; see Interface members.
Performance SLA
See Performance SLA.
SD-WAN Rules
See SD-WAN rules.
Advanced Options
fail-alert-interfaces
Names of the FortiGate interfaces from which the link failure alert is sent for this interface.
fail-detect
Enable/disable fail detection features for this interface.
To edit an SD-WAN template:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Select the template from the list and click Edit in the toolbar, or right-click the template and select Edit. The Edit page opens.
- Edit the template as required, and click OK to apply your changes.
To delete an SD-WAN template or templates:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Select the template or templates from the list and click Delete in the toolbar, or right-click the template and select Delete.
- Click OK in the confirmation dialog box to delete the template or templates.
Performance SLA
Create a Performance SLA in FortiManager that can be used to monitor the SD-WAN performance in FortiGate devices. If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn’t the best quality. If at any time the link in use doesn’t meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiGate changes to that link. If the next link doesn’t meet the SLA criteria, the FortiGate uses the next link in the configuration if it meets the SLA criteria, and so on.
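The selection order described above can be modelled as "first member in configuration order that meets every enabled threshold". The following is an added example, not FortiManager or FortiGate code; the class and function names, the sample measurements, the "less than or equal" comparison, and returning None when no member qualifies are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Sla:
    """SLA targets; None means that threshold is not enabled."""
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    packet_loss_pct: Optional[float] = None

@dataclass(frozen=True)
class Measurement:
    """Health-check result for one interface member (constructed sample data)."""
    member: str
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float

def meets_sla(m: Measurement, sla: Sla) -> bool:
    """A link meets the SLA when no enabled threshold is exceeded (assumed <=)."""
    checks = (
        (m.latency_ms, sla.latency_ms),
        (m.jitter_ms, sla.jitter_ms),
        (m.packet_loss_pct, sla.packet_loss_pct),
    )
    return all(limit is None or value <= limit for value, limit in checks)

def select_member(links: Sequence[Measurement], sla: Sla) -> Optional[str]:
    """Return the first member, in configuration order, that meets the SLA.

    Returns None when no member qualifies; the page does not describe that
    case, so this return value is an assumption of the example.
    """
    for link in links:
        if meets_sla(link, sla):
            return link.member
    return None

# Constructed sample data: members listed in configuration order.
SLA = Sla(latency_ms=100, jitter_ms=20, packet_loss_pct=2)
ALL_GOOD = [
    Measurement("wan1", 80, 10, 0.5),   # meets SLA, but is not the best link
    Measurement("wan2", 20, 2, 0.0),    # better quality, still not chosen
    Measurement("wan3", 40, 5, 0.1),
]
WAN1_DEGRADED = [
    Measurement("wan1", 180, 10, 0.5),  # latency over threshold
    Measurement("wan2", 30, 45, 0.0),   # jitter over threshold
    Measurement("wan3", 40, 5, 0.1),    # first member that meets the SLA
]
```

With ALL_GOOD the function selects wan1 even though wan2 measures better, which is the behavior to keep in mind when ordering interface members in the template.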
To create a new performance SLA:
- Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
- In the Performance SLA toolbar, click Create New. The Create Performance SLA dialog-box opens.
- Enter the following information, and click OK to create the performance SLA:
Name
Enter the name of the performance SLA.
Detect Protocol
Select the detection method for the profile check:
- Ping
- TCP ECHO
- UDP ECHO
- HTTP
- TWAMP
Detect Server
Enter the IP address of the WAN interface that you want to monitor.
Member
Select available interface members. The interfaces must already be added to the template.
SLA
Click Create New to create a new SLA. Enable and enter the Jitter Threshold (in milliseconds), Latency Threshold (in milliseconds), and Packet Loss Threshold (in percent), then click OK to create the SLA.
SLAs can also be edited and deleted as required.
Link Status
Interval
Status check interval, or the time between attempting to connect to the server (1 - 3600 sec, default = 5), range [1-3600].
Failure Before Inactive
Specify the number of failures before the link becomes inactive (maximum = 10).
Restore Link After
Action When Inactive
Specify what happens when the WAN link becomes inactive.
Update Static Route
Select to update the static route when the WAN link becomes inactive.
Cascade Interfaces
Select to cascade interfaces when the WAN link becomes inactive.
Advanced Options
addr-mode
Address mode (IPv4 or IPv6).
http-get
URL used to communicate with the server if the protocol is HTTP.
http-match
Response string expected from the server if the protocol is HTTP.
interval
Status check interval, or the time between attempting to connect to the server (1 - 3600 sec, default = 5).
packet-size
Packet size of a TWAMP test session, range [64-1024].
threshold-alert-jitter
Alert threshold for jitter (ms, default = 0), range [0-4294967295].
threshold-alert-latency
Alert threshold for latency (ms, default = 0), range [0-4294967295].
threshold-alert-packetloss
Alert threshold for packet loss (percentage, default = 0), range [0-100].
threshold-warning-jitter
Warning threshold for jitter (ms, default = 0), range [0-4294967295].
threshold-warning-latency
Warning threshold for latency (ms, default = 0), range [0-4294967295].
threshold-warning-packetloss
Warning threshold for packet loss (percentage, default = 0), range [0-100].
SD-WAN rules
Configure SD-WAN rules for WAN links by specifying the required network parameters. The SD-WAN rules are applied to the FortiGate device when the SD-WAN template is applied.
To create a new SD-WAN rule:
- Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
- In the SD-WAN Rules toolbar, click Create New. The Create New SD-WAN Rule dialog-box opens.
- Enter the following information, then click OK to create the new SD-WAN rule:
Name
Enter the name of the rule.
Source Address
Add one or more addresses from the drop-down.
Users
Add one or more users from the drop-down.
User Groups
Add one or more groups from the drop-down.
Destination Address
This option is only available when Destination is Address.
Internet Service
This option is only available when Destination is Internet Service.
Internet Service Group
This option is only available when Destination is Internet Service.
Custom Internet Service
This option is only available when Destination is Internet Service.
Application Control
Turn on application control.
Application
This option is only available when Application Control is turned on.
Application Group
This option is only available when Application Control is turned on.
Protocol
If Specify is selected, set the protocol number.
Port Range
This option is only available when Protocol is TCP or UDP.
Type of Service
This option is only available when Protocol is Specify.
Outgoing Interface
Select Priority or SLA.
WAN LLB Member Status Check
This option is only available when Outgoing Interface is Priority.
SLA
This option is only available when Outgoing Interface is SLA.
Advanced Options
addr-mode
Address mode (IPv4 or IPv6).
bandwidth-weight
Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1, range [0-10000000].
dscp-forward
Enable/disable forward traffic DSCP tag.
dscp-forward-tag
Forward traffic DSCP tag.
dscp-reverse
Enable/disable reverse traffic DSCP tag.
dscp-reverse-tag
Reverse traffic DSCP tag.
dst-negate
Enable/disable negation of destination address match.
dst6
Destination IPv6 address name.
input-device
Source interface name.
internet-service-ctrl
Control-based Internet Service ID list.
internet-service-ctrl-group
Control-based Internet Service ID, range [0-4294967295].
internet-service-custom-group
Custom Internet Service group list.
internet-service-group
Internet Service group list.
jitter-weight
Coefficient of jitter in the formula of custom-profile-1, range [0-10000000].
latency-weight
Coefficient of latency in the formula of custom-profile-1, range [0-10000000].
link-cost-threshold
Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10).
packet-loss-weight
Coefficient of packet-loss in the formula of custom-profile-1, range [0-10000000].
route-tag
IPv4 route map route-tag, range [0-4294967295].
src-negate
Enable/disable negation of source address match.
src6
Source IPv6 address name.
status
Enable/disable SD-WAN service.