Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiPortal 5.3.6 User Guide
    5.3.6
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.8
    5.3.7
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.0
    5.2.0
    4.1.0

    Configuring an SD-WAN for a group of interfaces

    Configuring an SD-WAN for a group of interfaces

    To configure an SD-WAN for a group of interfaces:
    1. Select Configuration from the SD-WAN tree.
    2. Enable the SD-WAN status. See Enable the SD-WAN status.
    3. Define which physical FortiPortal interfaces belong to the SD-WAN. See Define which physical FortiPortal interfaces belong to the SD-WAN.
    4. Define a new performance service level agreement (SLA). See Define a new performance SLA.
    5. Define SD-WAN rules to control how sessions are distributed to physical interfaces in the SD-WAN. See Define SD-WAN rules.

    Enable the SD-WAN status

    The SD-WAN pane on the SD-WAN > Configuration page displays the SD-WAN status, whether any physical interfaces will be alerted if the SD-WAN fails, and whether the SD-WAN Internet connection will be checked.

    To change these settings in the GUI:
    1. Select Edit.
    2. Select Enable to enable the SD-WAN status.
    3. Select a physical interface to alert if the SD-WAN fails, None, or any.
    4. Select Enable or Disable to change whether the SD-WAN Internet connection is checked.
    5. Select Save to make your changes.

    Define which physical FortiPortal interfaces belong to the SD-WAN

    Use the Interface Members area on the SD-WAN > Configuration page to define which physical FortiPortal interfaces belong to the SD-WAN.

    SD-WAN interfaces are the ports and interfaces that are used to run traffic. At least one interface must be configured for SD-WAN to function; up to 255 member interfaces can be configured.

    In the Interface Members area, the following actions are available:

    • Create New—define a new interface member
    • Edit—change the settings for an existing interface member
    • Delete—delete an interface member
    To add a new interface member:
    1. Select Configuration from the SD-WAN tree.
    2. Right-click an interface member and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Enter values in the relevant fields. See Interface member fields .
    4. Select Save.
    Interface member fields

    The Create New Interface Member and Edit Interface Member forms contain the following fields:

    Settings

    Guidelines

    Member

    Required. Select one of the available physical interfaces.

    Weight

    Weight of this interface for weighted load balancing. More traffic is directed to interfaces with higher weights. The weight must be in the range of 0-255.

    Gateway IP

    Enter the IPv4 address of the default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.

    Status

    Enable or disable this interface in the SD-WAN.

    Estimated Upstream Bandwidth

    Select the link based on the available bandwidth of outgoing traffic.

    Estimated Downstream Bandwidth

    Select the link based on the available bandwidth of incoming traffic.

    Advanced Options

    gateway6

    Enter the IPv6 address of the default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.

    priority

    Assign interfaces a priority based on the priority assigned to the interface.

    seq-num

    Member sequence number. The range is 0-4294967295.

    source

    Source IPv4 address name.

    source6

    Source IPv6 address name.

    volume-ratio

    Measured volume ratio (this value / sum of all values = percentage of link volume). The range is 0-255.

    Define a new performance SLA

    Use the Performance SLA area on the SD-WAN > Configuration page to configure SLA management.

    If all links meet the SLA criteria, the FortiPortal unit uses the first link, even if that link is not the best quality link. If at any time, the link in use does not meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiPortal unit changes to that link. If the next link does not meet the SLA criteria, the FortiPortal unit uses the next link in the configuration if it meets the SLA criteria, and so on.

    In Performance SLA area, the following actions are available:

    • Create New—define a new performance SLA
    • Edit—change an existing performance SLA
    • Delete—delete a performance SLA
    To add a new performance SLA:
    1. Select Configuration from the SD-WAN tree.
    2. Right-click a performance SLA and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Enter values in the relevant fields. See Performance SLA fields.
    4. Select Save.
    Performance SLA fields

    The Create New Performance SLA and Edit Performance SLA forms contain the following fields:

    Settings

    Guidelines

    Name

    Required. Name of the performance SLA.

    Detect Protocol

    Required. Protocol used to determine if the FortiPortal unit can communicate with the server. Select Ping, TCP ECHO, UDP ECHO, HTTP, or TWAMP.

    Detect Server

    Required. IPv4 address of the server.

    Detect Server 2

    IPv4 address of an optional second server.

    Members

    Required. Select the interfaces from the Available Members list and then select > to move them to the Selected Members list.

    SLA

    Configure the SLA. See SLA fields.

    Link Status

    interval

    Status check interval, which is the time between attempting to connect to the server. The default is 5 seconds; the range is 1 - 3600 seconds.

    Failure Before Inactive

    Number of failures before server is considered lost. The default is 5; the range is 1 - 10.

    Restore Link After

    Number of successful responses received before server is considered recovered. The default is 5; the range is 1 - 10.

    Action When Inactive

    Update Static Route

    Enable or disable updating the static route.

    Update Cascade Interface

    Enable or disable update cascade interface.

    Advanced Options

    http-get

    URL used to communicate with the server if the protocol if the protocol is HTTP.

    http-match

    Response string expected from the server if the protocol is HTTP.

    interval

    Status check interval, or the time between attempting to connect to the server. The default is 5 seconds; the range is 1 - 3600 seconds.

    packet-size

    Packet size of a Two-Way Active Measurement Protocol (TWAMP) test session. The range is 64-1024.

    threshold-alert-jitter

    Alert threshold for jitter. The default is 0 ms; the range is 0-4294967295 ms.

    threshold-alert-latency

    Alert threshold for latency. The default is 0 ms; the range is 0-4294967295 ms.

    threshold-alert-packetloss

    Alert threshold for packet loss. The default is 0 percent; the range is 0-100 percent.

    threshold-warning-jitter

    Warning threshold for jitter. The default is 0 ms ; the range is 0-4294967295 ms.

    threshold-warning-latency

    Warning threshold for latency. The default is 0 ms; the range is 0-4294967295 ms.

    threshold-warning-packetloss

    Warning threshold for packet loss. The default is 0 percent; the range is 0-100 percent.
    To add a new SLA:
    1. Select Configuration from the SD-WAN tree.
    2. Right-click a performance SLA and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Right-click under the column headings in the SLA area and select Create New.
    4. Enter values in the relevant fields. See SLA fields.
    5. Select Save to save your SLA configuration.
    6. Select Save to save your performance SLA configuration.
    SLA fields

    The Create New SLA and Edit SLA forms contain the following fields:

    Settings

    Guidelines

    link-cost-factor

    Required. Criteria on which to base link selection. You can select one or more of the threshold values to use: Jitter Threshold, Latency Threshold, and Packet Loss Threshold. You need to enter a threshold value for each criterion that you select.

    Jitter Threshold

    Jitter for SLA to make decision in milliseconds. The default is 5; the range is 0-10000000.

    Latency Threshold

    Latency for SLA to make decision in milliseconds. The default is 5; the range is 0- 10000000.

    Packet Loss Threshold

    Packet loss for SLA to make decision in percentage. The default is 0; the range is 0-100.

    Define SD-WAN rules

    Use the SD-WAN Rules area on the SD-WAN > Configuration page to configure SD-WAN rules or priority rules (also called services) to control how sessions are distributed to physical interfaces in the SD-WAN.

    In the SD-WAN Rules area, the following actions are available:

    • Create New—define a new SD-WAN rule
    • Edit—change an existing SD-WAN rule
    • Delete—delete an SD-WAN rule
    To add a new SD-WAN rule:
    1. Select Configuration from the SD-WAN tree.
    2. Right-click an SD-WAN rule and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Enter values in the relevant fields. See Performance SLA fields.
    4. Select Save.
    SD-WAN rule fields

    The Create New SD-WAN Rules and Edit SD-WAN Rules forms contain the following fields:

    Settings

    Guidelines

    Name

    Required. Priority rule name.

    Source Address

    Select the source addresses from the Available list and then select > to move them to the Selected list.

    User

    Select the users from the Available list and then select > to move them to the Selected list.

    User group

    Select the user groups from the Available list and then select > to move them to the Selected list.

    Destination

    Required. Select Address to use destination addresses or select Internet Service to use destination Internet services.

    Address

    Required. Available if Destination is set to Address. Select the destination addresses from the Available list and then select > to move them to the Selected list.

    Protocol

    Required. Available if Destination is set to Address. Select TCP, UDP, ANY, or Specify. If you select Specify, enter the protocol number, type of service, and bit mask.

    Internet Service

    Available if Destination is set to Internet Service. Select the Internet services from the Available list and then select > to move them to the Selected list.

    Internet Service Group

    Available if Destination is set to Internet Service. Select the Internet service groups from the Available list and then select > to move them to the Selected list.

    Custom Internet Service

    Available if Destination is set to Internet Service. Select the custom Internet services from the Available list and then select > to move them to the Selected list.

    Custom Internet Service Group

    Required. Available if Destination is set to Internet Service. Select the custom Internet service groups from the Available list and then select > to move them to the Selected list.

    Application

    Available if Destination is set to Internet Service. Select the applications from the Available list and then select > to move them to the Selected list.

    Application Group

    Available if Destination is set to Internet Service. Select the application groups from the Available list and then select > to move them to the Selected list.

    Outgoing Interface

    Required. Select Best Quality or Minimum Quality (SLA).

    Interface Members

    Required. Select the interfaces from the Available list and then select > to move them to the Selected list.

    Status Check

    Required. Available if Outgoing Interface is set to Best Quality. Select the appropriate performance SLA to use for the status check.

    Required SLA Target

    Required. Available if Outgoing Interface is set to Minimum Quality (SLA). Select the appropriate performance SLA from the drop-down list.
    Previous
    Next

    Configuring an SD-WAN for a group of interfaces

    Configuring an SD-WAN for a group of interfaces

    To configure an SD-WAN for a group of interfaces:
    1. Select Configuration from the SD-WAN tree.
    2. Enable the SD-WAN status. See Enable the SD-WAN status.
    3. Define which physical FortiPortal interfaces belong to the SD-WAN. See Define which physical FortiPortal interfaces belong to the SD-WAN.
    4. Define a new performance service level agreement (SLA). See Define a new performance SLA.
    5. Define SD-WAN rules to control how sessions are distributed to physical interfaces in the SD-WAN. See Define SD-WAN rules.

    Enable the SD-WAN status

    The SD-WAN pane on the SD-WAN > Configuration page displays the SD-WAN status, whether any physical interfaces will be alerted if the SD-WAN fails, and whether the SD-WAN Internet connection will be checked.

    To change these settings in the GUI:
    1. Select Edit.
    2. Select Enable to enable the SD-WAN status.
    3. Select a physical interface to alert if the SD-WAN fails, None, or any.
    4. Select Enable or Disable to change whether the SD-WAN Internet connection is checked.
    5. Select Save to make your changes.

    Define which physical FortiPortal interfaces belong to the SD-WAN

    Use the Interface Members area on the SD-WAN > Configuration page to define which physical FortiPortal interfaces belong to the SD-WAN.

    SD-WAN interfaces are the ports and interfaces that are used to run traffic. At least one interface must be configured for SD-WAN to function; up to 255 member interfaces can be configured.

    In the Interface Members area, the following actions are available:

    • Create New—define a new interface member
    • Edit—change the settings for an existing interface member
    • Delete—delete an interface member
    To add a new interface member:
    1. Select Configuration from the SD-WAN tree.
    2. Right-click an interface member and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Enter values in the relevant fields. See Interface member fields .
    4. Select Save.
    Interface member fields

    The Create New Interface Member and Edit Interface Member forms contain the following fields:

    Settings

    Guidelines

    Member

    Required. Select one of the available physical interfaces.

    Weight

    Weight of this interface for weighted load balancing. More traffic is directed to interfaces with higher weights. The weight must be in the range of 0-255.

    Gateway IP

    Enter the IPv4 address of the default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.

    Status

    Enable or disable this interface in the SD-WAN.

    Estimated Upstream Bandwidth

    Select the link based on the available bandwidth of outgoing traffic.

    Estimated Downstream Bandwidth

    Select the link based on the available bandwidth of incoming traffic.

    Advanced Options

    gateway6

    Enter the IPv6 address of the default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.

    priority

    Assign interfaces a priority based on the priority assigned to the interface.

    seq-num

    Member sequence number. The range is 0-4294967295.

    source

    Source IPv4 address name.

    source6

    Source IPv6 address name.

    volume-ratio

    Measured volume ratio (this value / sum of all values = percentage of link volume). The range is 0-255.

    Define a new performance SLA

    Use the Performance SLA area on the SD-WAN > Configuration page to configure SLA management.

    If all links meet the SLA criteria, the FortiPortal unit uses the first link, even if that link is not the best quality link. If at any time, the link in use does not meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiPortal unit changes to that link. If the next link does not meet the SLA criteria, the FortiPortal unit uses the next link in the configuration if it meets the SLA criteria, and so on.

    In Performance SLA area, the following actions are available:

    • Create New—define a new performance SLA
    • Edit—change an existing performance SLA
    • Delete—delete a performance SLA
    To add a new performance SLA:
    1. Select Configuration from the SD-WAN tree.
    2. Right-click a performance SLA and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Enter values in the relevant fields. See Performance SLA fields.
    4. Select Save.
    Performance SLA fields

    The Create New Performance SLA and Edit Performance SLA forms contain the following fields:

    Settings

    Guidelines

    Name

    Required. Name of the performance SLA.

    Detect Protocol

    Required. Protocol used to determine if the FortiPortal unit can communicate with the server. Select Ping, TCP ECHO, UDP ECHO, HTTP, or TWAMP.

    Detect Server

    Required. IPv4 address of the server.

    Detect Server 2

    IPv4 address of an optional second server.

    Members

    Required. Select the interfaces from the Available Members list and then select > to move them to the Selected Members list.

    SLA

    Configure the SLA. See SLA fields.

    Link Status

    interval

    Status check interval, which is the time between attempting to connect to the server. The default is 5 seconds; the range is 1 - 3600 seconds.

    Failure Before Inactive

    Number of failures before server is considered lost. The default is 5; the range is 1 - 10.

    Restore Link After

    Number of successful responses received before server is considered recovered. The default is 5; the range is 1 - 10.

    Action When Inactive

    Update Static Route

    Enable or disable updating the static route.

    Update Cascade Interface

    Enable or disable update cascade interface.

    Advanced Options

    http-get

    URL used to communicate with the server if the protocol if the protocol is HTTP.

    http-match

    Response string expected from the server if the protocol is HTTP.

    interval

    Status check interval, or the time between attempting to connect to the server. The default is 5 seconds; the range is 1 - 3600 seconds.

    packet-size

    Packet size of a Two-Way Active Measurement Protocol (TWAMP) test session. The range is 64-1024.

    threshold-alert-jitter

    Alert threshold for jitter. The default is 0 ms; the range is 0-4294967295 ms.

    threshold-alert-latency

    Alert threshold for latency. The default is 0 ms; the range is 0-4294967295 ms.

    threshold-alert-packetloss

    Alert threshold for packet loss. The default is 0 percent; the range is 0-100 percent.

    threshold-warning-jitter

    Warning threshold for jitter. The default is 0 ms ; the range is 0-4294967295 ms.

    threshold-warning-latency

    Warning threshold for latency. The default is 0 ms; the range is 0-4294967295 ms.

    threshold-warning-packetloss

    Warning threshold for packet loss. The default is 0 percent; the range is 0-100 percent.
    To add a new SLA:
    1. Select Configuration from the SD-WAN tree.
    2. Right-click a performance SLA and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Right-click under the column headings in the SLA area and select Create New.
    4. Enter values in the relevant fields. See SLA fields.
    5. Select Save to save your SLA configuration.
    6. Select Save to save your performance SLA configuration.
    SLA fields

    The Create New SLA and Edit SLA forms contain the following fields:

    Settings

    Guidelines

    link-cost-factor

    Required. Criteria on which to base link selection. You can select one or more of the threshold values to use: Jitter Threshold, Latency Threshold, and Packet Loss Threshold. You need to enter a threshold value for each criterion that you select.

    Jitter Threshold

    Jitter for SLA to make decision in milliseconds. The default is 5; the range is 0-10000000.

    Latency Threshold

    Latency for SLA to make decision in milliseconds. The default is 5; the range is 0- 10000000.

    Packet Loss Threshold

    Packet loss for SLA to make decision in percentage. The default is 0; the range is 0-100.

    Define SD-WAN rules

    Use the SD-WAN Rules area on the SD-WAN > Configuration page to configure SD-WAN rules or priority rules (also called services) to control how sessions are distributed to physical interfaces in the SD-WAN.

    In the SD-WAN Rules area, the following actions are available:

    • Create New—define a new SD-WAN rule
    • Edit—change an existing SD-WAN rule
    • Delete—delete an SD-WAN rule
    To add a new SD-WAN rule:
    1. Select Configuration from the SD-WAN tree.
    2. Right-click an SD-WAN rule and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Enter values in the relevant fields. See Performance SLA fields.
    4. Select Save.
    SD-WAN rule fields

    The Create New SD-WAN Rules and Edit SD-WAN Rules forms contain the following fields:

    Settings

    Guidelines

    Name

    Required. Priority rule name.

    Source Address

    Select the source addresses from the Available list and then select > to move them to the Selected list.

    User

    Select the users from the Available list and then select > to move them to the Selected list.

    User group

    Select the user groups from the Available list and then select > to move them to the Selected list.

    Destination

    Required. Select Address to use destination addresses or select Internet Service to use destination Internet services.

    Address

    Required. Available if Destination is set to Address. Select the destination addresses from the Available list and then select > to move them to the Selected list.

    Protocol

    Required. Available if Destination is set to Address. Select TCP, UDP, ANY, or Specify. If you select Specify, enter the protocol number, type of service, and bit mask.

    Internet Service

    Available if Destination is set to Internet Service. Select the Internet services from the Available list and then select > to move them to the Selected list.

    Internet Service Group

    Available if Destination is set to Internet Service. Select the Internet service groups from the Available list and then select > to move them to the Selected list.

    Custom Internet Service

    Available if Destination is set to Internet Service. Select the custom Internet services from the Available list and then select > to move them to the Selected list.

    Custom Internet Service Group

    Required. Available if Destination is set to Internet Service. Select the custom Internet service groups from the Available list and then select > to move them to the Selected list.

    Application

    Available if Destination is set to Internet Service. Select the applications from the Available list and then select > to move them to the Selected list.

    Application Group

    Available if Destination is set to Internet Service. Select the application groups from the Available list and then select > to move them to the Selected list.

    Outgoing Interface

    Required. Select Best Quality or Minimum Quality (SLA).

    Interface Members

    Required. Select the interfaces from the Available list and then select > to move them to the Selected list.

    Status Check

    Required. Available if Outgoing Interface is set to Best Quality. Select the appropriate performance SLA to use for the status check.

    Required SLA Target

    Required. Available if Outgoing Interface is set to Minimum Quality (SLA). Select the appropriate performance SLA from the drop-down list.
    Previous
    Next