SD-WAN templates
Create an SD-WAN template with the required network parameters.
Before creating SD-WAN templates:
- Create the interface members. See Interface members.
- Create health-check servers. See Health-Check Servers.
- Create BGP Neighbors. See Configure BGP Neighbor.
To create a new SD-WAN template:
- Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
- Enter the following information and click OK to create the new SD-WAN template:
Name
Enter the name of the template.
Description
Enter a description of the template.
SD-WAN Status
Select On or Off.
Interface Members
Interface members can be added, edited, and removed. An interface member must be created before it can be added to a template. See Interface members.
Performance SLA
See Performance SLA.
Neighbor
SD-WAN Rules
See SD-WAN rules.
Advanced Options
Configure the following advanced options:
fail-detect
Enable/disable fail detection features for this interface.
neighbor-hold-boot-time
Specify the interval.
neighbor-hold-down
Enable/disable neighbor hold down for this interface.
neighbor-hold-down-time
Specify the interval.
To edit an SD-WAN template:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Select the template from the list and click Edit in the toolbar, or right-click the template and select Edit. The Edit page opens.
- Edit the template as required, and click OK to apply your changes.
To delete an SD-WAN template:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Select the template from the list and click Delete in the toolbar, or right-click the template and select Delete.
- Click OK in the confirmation dialog box to delete the template or templates.
To import an SD-WAN template or templates:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Click Import. The Import SD-WAN templates screen is shown.
- Configure the following settings and click OK:
- Name - specify a name for the SD-WAN template.
- Device - select the FortiGate device from where to select the SD-WAN template.
- Description - optionally provide a description.
The SD-WAN template is imported and now visible in Device Manager > SD-WAN > SD-WAN Template.
A prefix Import is automatically added to SD-WAN templates that are imported from the FortiGate devices.
Performance SLA
Create a Performance SLA in FortiManager that can be used to monitor the SD-WAN performance in FortiGate devices. If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn’t the best quality. If at any time the link in use doesn’t meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiGate changes to that link. If the next link doesn’t meet the SLA criteria, the FortiGate uses the next link in the configuration if it meets the SLA criteria, and so on.
To create a new performance SLA:
- Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
- In the Performance SLA toolbar, click Create New. The Create Performance SLA dialog box opens.
- Enter the following information, and click OK to create the performance SLA:
Name
Enter the name of the performance SLA.
Detect Protocol
Select the detection method for the profile check:
- Ping
- TCP ECHO
- UDP ECHO
- HTTP
- TWAMP
Detect Server
Enter the IP address of the WAN interface that you want to monitor.
Member
Select available interface members. The interfaces must already be added to the template.
SLA
Click Create New to create a new SLA. Enable and enter the Jitter Threshold (in milliseconds), Latency Threshold (in milliseconds), and Packet Loss Threshold (in percent), then click OK to create the SLA.
SLAs can also be edited and deleted as required.
Link Status
Interval
Status check interval, or the time between attempting to connect to the server, in seconds (1 - 3600, default = 1).
Failure Before Inactive
Specify the number of failures before the link becomes inactive (1 - 10, default = 5).
Restore Link After
Specify the number of successful responses received before server is considered recovered (1 - 10, default = 5).
Action When Inactive
Specify what happens when the WAN link becomes inactive.
Update Static Route
Select to update the static route when the WAN link becomes inactive.
Cascade Interfaces
Select to cascade interfaces when the WAN link becomes inactive.
Advanced Options
addr-mode
Address mode (IPv4 or IPv6).
http-get
URL used to communicate with the server if the protocol is HTTP.
http-match
Response string expected from the server if the protocol is HTTP.
interval
Status check interval, or the time between attempting to connect to the server, in seconds (1 - 3600, default = 5).
packet-size
Packet size of a TWAMP test session (64 - 1024).
threshold-alert-jitter
Alert threshold for jitter, in milliseconds (0 - 4294967295, default = 0).
threshold-alert-latency
Alert threshold for latency, in milliseconds (0 - 4294967295, default = 0).
threshold-alert-packetloss
Alert threshold for packet loss, in percent (0 - 100, default = 0).
threshold-warning-jitter
Warning threshold for jitter, in milliseconds (0 - 4294967295, default = 0).
threshold-warning-latency
Warning threshold for latency, in milliseconds (0 - 4294967295, default = 0).
threshold-warning-packetloss
Warning threshold for packet loss, in percent (0 - 100, default = 0).
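The selection order described at the start of this section, combined with the Failure Before Inactive and Restore Link After counters, as a small Python model. This is an added example, not Fortinet code: it assumes the counters count consecutive probes and that a value equal to a threshold still meets the SLA, and the member names and sample values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    fails: int = 0              # consecutive lost probes (assumed consecutive)
    oks: int = 0                # consecutive answered probes
    active: bool = True
    meets_sla: bool = True

    def probe(self, sample, sla, fail_before_inactive=5, restore_after=5):
        """sample and sla are (jitter_ms, latency_ms, loss_pct); sample is None
        when the probe was lost."""
        if sample is None:
            self.fails, self.oks = self.fails + 1, 0
            if self.fails >= fail_before_inactive:
                self.active = False          # "Failure Before Inactive" reached
            return
        self.oks, self.fails = self.oks + 1, 0
        if not self.active and self.oks >= restore_after:
            self.active = True               # "Restore Link After" reached
        # Assumption: a value equal to the threshold still meets the SLA.
        self.meets_sla = all(v <= limit for v, limit in zip(sample, sla))

def select_link(links):
    """First member in configuration order that is active and meets the SLA."""
    for link in links:
        if link.active and link.meets_sla:
            return link.name
    return None                 # the page does not cover "no member qualifies"

def simulate(timeline, sla, names=("wan1", "wan2"), fail=5, restore=5):
    links = [Link(n) for n in names]
    chosen = []
    for tick in timeline:       # one sample per member, in configuration order
        for link, sample in zip(links, tick):
            link.probe(sample, sla, fail, restore)
        chosen.append(select_link(links))
    return chosen

# Constructed samples: (jitter_ms, latency_ms, loss_pct); None = probe lost.
GOOD, BETTER, SLOW = (2, 40, 0), (1, 20, 0), (2, 180, 0)
TIMELINE = [(GOOD, BETTER), (SLOW, BETTER), (GOOD, BETTER), (None, BETTER),
            (None, BETTER), (GOOD, BETTER), (GOOD, BETTER), (SLOW, SLOW)]
SLA = (10, 100, 2)              # jitter ms, latency ms, packet loss percent

if __name__ == "__main__":
    print(simulate(TIMELINE, SLA, fail=2, restore=2))
```

The first tick shows wan1 being used although wan2 has better measurements, and with `fail=2, restore=2` the member drops out only on the second lost probe and returns only on the second answered one.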
SD-WAN rules
Configure SD-WAN rules for WAN links by specifying the required network parameters. The SD-WAN rules are applied to the FortiGate device when the SD-WAN template is applied.
To create a new SD-WAN rule:
- Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
- Go to Device Manager > SD-WAN > SD-WAN Template.
- Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
- In the SD-WAN Rules toolbar, click Create New. The Create New SD-WAN Rule dialog-box opens.
- Enter the following information, then click OK to create the new SD-WAN rule:
Name
Enter the name of the rule.
Source Address
Add one or more addresses from the drop-down.
Users
Add one or more users from the drop-down.
User Groups
Add one or more groups from the drop-down.
Destination Address
Select an address or addresses from the drop-down list. This option is only available when Destination is Address.
Internet Service
Select a service or services from the drop-down list. This option is only available when Destination is Internet Service.
Internet Service Group
Select a service group or groups from the drop-down list. This option is only available when Destination is Internet Service.
Custom Internet Service
Select a service or services from the drop-down list. This option is only available when Destination is Internet Service.
Custom Internet Service Group
Select a service group or groups from the drop-down list. This option is only available when Destination is Internet Service.
Application
Select an application or applications from the drop-down list. This option is only available when Destination is Internet Service.
Application Group
Select an application group or groups from the drop-down list. This option is only available when Destination is Internet Service.
Protocol
Select the protocol, or specify the protocol number.
Port Range
Enter the port range. This option is only available when the protocol is TCP or UDP.
Type of Service
Specify the type of service and bit mask. This option is only available when the protocol is set to Specify.
Outgoing Interface
Select Best Quality or Minimum Quality (SLA).
Interface Members
Select interface members.
Status Check
This option is only available when the outgoing interface is Best Quality.
Require SLA Target
This option is only available when the outgoing interface is Minimum Quality (SLA).
Advanced Options
addr-mode
Address mode (IPv4 or IPv6).
bandwidth-weight
Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1, range [0-10000000].
dscp-forward
Enable/disable forward traffic DSCP tag.
dscp-forward-tag
Forward traffic DSCP tag.
dscp-reverse
Enable/disable reverse traffic DSCP tag.
dscp-reverse-tag
Reverse traffic DSCP tag.
dst-negate
Enable/disable negation of destination address match.
dst6
Destination IPv6 address name.
input-device
Source interface name.
internet-service-ctrl
Control-based Internet Service ID list.
internet-service-ctrl-group
Control-based Internet Service ID, range [0-4294967295].
internet-service-custom-group
Custom Internet Service group list.
internet-service-group
Internet Service group list.
jitter-weight
Coefficient of jitter in the formula of custom-profile-1, range [0-10000000].
latency-weight
Coefficient of latency in the formula of custom-profile-1, range [0-10000000].
link-cost-threshold
Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10).
packet-loss-weight
Coefficient of packet-loss in the formula of custom-profile-1, range [0-10000000].
route-tag
IPv4 route map route-tag, range [0-4294967295].
src-negate
Enable/disable negation of source address match.
src6
Source IPv6 address name.
status
Enable/disable SD-WAN service.