Fortinet Document Library


Administration Guide

SD-WAN templates

Create an SD-WAN template with the required network parameters. Create the interface member and health-check servers before adding them to the SD-WAN template. See Interface members and Health-Check Servers.

To create a new SD-WAN template:
  1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
  2. Go to Device Manager > SD-WAN > SD-WAN Template.
  3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.

  4. Enter the following information and click OK to create the new SD-WAN template:

    Name

    Enter the name of the template.

    Description

    Enter a description of the template.

    SD-WAN Status

    Select On or Off.

    Interface Members

    Interface members can be added, edited, and removed. An interface member must be created before it can be added to a template; see Interface members.

    Performance SLA

    See Performance SLA.

    SD-WAN Rules

    See SD-WAN rules.

    Advanced Options

        fail-alert-interfaces

        Names of the FortiGate interfaces from which the link failure alert is sent for this interface.

        fail-detect

        Enable/disable fail detection features for this interface.

To edit an SD-WAN template:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager > SD-WAN > SD-WAN Template.
  3. Select the template from the list and click Edit in the toolbar, or right-click the template and select Edit. The Edit page opens.
  4. Edit the template as required, and click OK to apply your changes.

To delete an SD-WAN template:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager > SD-WAN > SD-WAN Template.
  3. Select the template from the list and click Delete in the toolbar, or right-click the template and select Delete.
  4. Click OK in the confirmation dialog box to delete the template or templates.

To import an SD-WAN template or templates:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager > SD-WAN > SD-WAN Template.
  3. Click Import. The Import SD-WAN templates screen is shown.

  4. Configure the following settings and click OK:
    • Name - specify a name for the SD-WAN template.
    • Device - select the FortiGate device from which to import the SD-WAN template.
    • Description - optionally provide a description.

    The SD-WAN template is imported and now visible in Device Manager > SD-WAN > SD-WAN Template.

    A prefix Import is automatically added to SD-WAN templates that are imported from the FortiGate devices.

Performance SLA

Create a Performance SLA in FortiManager to monitor SD-WAN performance on FortiGate devices. If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn’t the best quality. If at any time the link in use doesn’t meet the SLA criteria and the next link in the configuration does, the FortiGate changes to that link. If the next link doesn’t meet the SLA criteria either, the FortiGate uses the following link in the configuration if it meets the SLA criteria, and so on.

To create a new performance SLA:
  1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
  2. Go to Device Manager > SD-WAN > SD-WAN Template.
  3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
  4. In the Performance SLA toolbar, click Create New. The Create Performance SLA dialog box opens.

  5. Enter the following information, and click OK to create the performance SLA:

    Name

    Enter the name of the performance SLA.

    Detect Protocol

    Select the detection method for the profile check:
    • Ping
    • TCP ECHO
    • UDP ECHO
    • HTTP
    • TWAMP

    Detect Server

    Enter the IP address of the WAN interface that you want to monitor.

    Member

    Select available interface members. The interfaces must already be added to the template.

    SLA

    Click Create New to create a new SLA. Enable and enter the Jitter Threshold (in milliseconds), Latency Threshold (in milliseconds), and Packet Loss Threshold (in percent), then click OK to create the SLA.

    SLAs can also be edited and deleted as required.

    Link Status

        Interval

        Status check interval, or the time between attempting to connect to the server, in seconds (1 - 3600, default = 1).

        Failure Before Inactive

        Specify the number of failures before the link becomes inactive (1 - 10, default = 5).

        Restore Link After

        Specify the number of successful responses received before the server is considered recovered (1 - 10, default = 5).

    Action When Inactive

    Specify what happens when the WAN link becomes inactive.

        Update Static Route

        Select to update the static route when the WAN link becomes inactive.

        Cascade Interfaces

        Select to cascade interfaces when the WAN link becomes inactive.

    Advanced Options

        addr-mode

        Address mode (IPv4 or IPv6).

        http-get

        URL used to communicate with the server if the protocol is HTTP.

        http-match

        Response string expected from the server if the protocol is HTTP.

        interval

        Status check interval, or the time between attempting to connect to the server, in seconds (1 - 3600, default = 5).

        packet-size

        Packet size of a TWAMP test session (64 - 1024).

        threshold-alert-jitter

        Alert threshold for jitter, in milliseconds (0 - 4294967295, default = 0).

        threshold-alert-latency

        Alert threshold for latency, in milliseconds (0 - 4294967295, default = 0).

        threshold-alert-packetloss

        Alert threshold for packet loss, in percent (0 - 100, default = 0).

        threshold-warning-jitter

        Warning threshold for jitter, in milliseconds (0 - 4294967295, default = 0).

        threshold-warning-latency

        Warning threshold for latency, in milliseconds (0 - 4294967295, default = 0).

        threshold-warning-packetloss

        Warning threshold for packet loss, in percent (0 - 100, default = 0).
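
The following added example (not part of the Fortinet guide, and not FortiGate or FortiManager code) models the link selection described at the start of this section together with the Failure Before Inactive and Restore Link After counters. It assumes that the counters track consecutive probes, that an inactive link is skipped, and that a value at or below a threshold meets it; the member names, probe values, and thresholds are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# One health-check result: (jitter ms, latency ms, loss %), or None if lost.
Probe = Optional[Tuple[float, float, float]]


@dataclass
class Sla:
    # None = threshold not enabled. Values at or below a threshold count as
    # meeting it (assumption; the page does not define the comparison).
    jitter_ms: Optional[float] = None
    latency_ms: Optional[float] = None
    packet_loss_pct: Optional[float] = None

    def met_by(self, jitter: float, latency: float, loss: float) -> bool:
        pairs = ((self.jitter_ms, jitter), (self.latency_ms, latency),
                 (self.packet_loss_pct, loss))
        return all(limit is None or value <= limit for limit, value in pairs)


@dataclass
class Member:
    name: str
    active: bool = True
    meets_sla: bool = False
    fails: int = 0  # lost probes in a row (assumed consecutive)
    oks: int = 0    # answered probes in a row (assumed consecutive)

    def record(self, probe: Probe, sla: Sla, fail_before_inactive: int = 5,
               restore_after: int = 5) -> None:
        if probe is None:
            self.fails, self.oks, self.meets_sla = self.fails + 1, 0, False
            if self.fails >= fail_before_inactive:
                self.active = False  # "Failure Before Inactive" reached
        else:
            self.oks, self.fails = self.oks + 1, 0
            if not self.active and self.oks >= restore_after:
                self.active = True   # "Restore Link After" reached
            self.meets_sla = sla.met_by(*probe)


def select_link(members):
    """First member in configuration order that is active and meets the SLA."""
    for m in members:
        if m.active and m.meets_sla:
            return m.name
    return None  # the page does not say what is used when no link qualifies


def simulate():
    sla = Sla(jitter_ms=20, latency_ms=100, packet_loss_pct=2)  # constructed
    good, better, slow, lossy = (5, 80, 0), (2, 30, 0), (5, 150, 0), (2, 30, 5)
    # Constructed probe results per tick: (wan1, wan2).
    ticks = [(good, better), (slow, better), (good, better), (None, better),
             (None, better), (None, better), (good, better), (good, better),
             (slow, lossy)]
    members = [Member("wan1"), Member("wan2")]
    chosen = []
    for probes in ticks:
        for member, probe in zip(members, probes):
            member.record(probe, sla, fail_before_inactive=3, restore_after=2)
        chosen.append(select_link(members))
    return chosen


if __name__ == "__main__":
    print(simulate())
```

In the first tick wan1 is chosen although wan2 has better measurements, which is the "first link, even if that link isn't the best quality" behaviour; after three lost probes wan1 is held out until two probes in a row are answered.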

SD-WAN rules

Configure SD-WAN rules for WAN links by specifying the required network parameters. The SD-WAN rules are applied to the FortiGate device when the SD-WAN template is applied.

To create a new SD-WAN rule:
  1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
  2. Go to Device Manager > SD-WAN > SD-WAN Template.
  3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
  4. In the SD-WAN Rules toolbar, click Create New. The Create New SD-WAN Rule dialog box opens.

  5. Enter the following information, then click OK to create the new SD-WAN rule:

    Name

    Enter the name of the rule.

    Source

        Address

        Add one or more addresses from the drop-down.

        Users

        Add one or more users from the drop-down.

        User Groups

        Add one or more groups from the drop-down.

    Destination

        Address

        Select an address or addresses from the drop-down list. This option is only available when Destination is Address.

        Internet Service

        Select a service or services from the drop-down list. This option is only available when Destination is Internet Service.

        Internet Service Group

        Select a service group or groups from the drop-down list. This option is only available when Destination is Internet Service.

        Custom Internet Service

        Select a service or services from the drop-down list. This option is only available when Destination is Internet Service.

        Custom Internet Service Group

        Select a service group or groups from the drop-down list. This option is only available when Destination is Internet Service.

        Application

        Select an application or applications from the drop-down list. This option is only available when Destination is Internet Service.

        Application Group

        Select an application group or groups from the drop-down list. This option is only available when Destination is Internet Service.

    Protocol

    Select the protocol, or specify the protocol number.

    Port Range

    Enter the port range. This option is only available when the protocol is TCP or UDP.

    Type of Service

    Specify the type of service and bit mask. This option is only available when the protocol is set to Specify.

    Outgoing Interface

    Select Best Quality or Minimum Quality (SLA).

    Interface Members

    Select interface members.

    Status Check

    This option is only available when the outgoing interface is Best Quality.

    Require SLA Target

    This option is only available when the outgoing interface is Minimum Quality (SLA).

    Advanced Options

        addr-mode

        Address mode (IPv4 or IPv6).

        bandwidth-weight

        Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1, range [0-10000000].

        dscp-forward

        Enable/disable forward traffic DSCP tag.

        dscp-forward-tag

        Forward traffic DSCP tag.

        dscp-reverse

        Enable/disable reverse traffic DSCP tag.

        dscp-reverse-tag

        Reverse traffic DSCP tag.

        dst-negate

        Enable/disable negation of destination address match.

        dst6

        Destination IPv6 address name.

        input-device

        Source interface name.

        internet-service-ctrl

        Control-based Internet Service ID list.

        internet-service-ctrl-group

        Control-based Internet Service ID, range [0-4294967295].

        internet-service-custom-group

        Custom Internet Service group list.

        internet-service-group

        Internet Service group list.

        jitter-weight

        Coefficient of jitter in the formula of custom-profile-1, range [0-10000000].

        latency-weight

        Coefficient of latency in the formula of custom-profile-1, range [0-10000000].

        link-cost-threshold

        Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10).

        packet-loss-weight

        Coefficient of packet-loss in the formula of custom-profile-1, range [0-10000000].

        route-tag

        IPv4 route map route-tag, range [0-4294967295].

        src-negate

        Enable/disable negation of source address match.

        src6

        Source IPv6 address name.

        status

        Enable/disable SD-WAN service.
