CLI Reference

config system sdwan

Configure redundant Internet connections with multiple outbound links and health-check profiles.

config system sdwan
    Description: Configure redundant Internet connections with multiple outbound links and health-check profiles.
    set status [disable|enable]
    set load-balance-mode [source-ip-based|weight-based|...]
    set duplication-max-num {integer}
    set neighbor-hold-down [enable|disable]
    set neighbor-hold-down-time {integer}
    set neighbor-hold-boot-time {integer}
    set fail-detect [enable|disable]
    set fail-alert-interfaces <name1>, <name2>, ...
    config zone
        Description: Configure SD-WAN zones.
        edit <name>
            set service-sla-tie-break [cfg-order|fib-best-match]
        next
    end
    config members
        Description: FortiGate interfaces added to the SD-WAN.
        edit <seq-num>
            set interface {string}
            set zone {string}
            set gateway {ipv4-address}
            set source {ipv4-address}
            set gateway6 {ipv6-address}
            set source6 {ipv6-address}
            set cost {integer}
            set weight {integer}
            set priority {integer}
            set spillover-threshold {integer}
            set ingress-spillover-threshold {integer}
            set volume-ratio {integer}
            set status [disable|enable]
            set comment {var-string}
        next
    end
    config health-check
        Description: SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
        edit <name>
            set probe-packets [disable|enable]
            set addr-mode [ipv4|ipv6]
            set system-dns [disable|enable]
            set server {string}
            set protocol [ping|tcp-echo|...]
            set port {integer}
            set quality-measured-method [half-open|half-close]
            set security-mode [none|authentication]
            set user {string}
            set password {password}
            set packet-size {integer}
            set ha-priority {integer}
            set ftp-mode [passive|port]
            set ftp-file {string}
            set http-get {string}
            set http-agent {string}
            set http-match {string}
            set dns-request-domain {string}
            set dns-match-ip {ipv4-address}
            set interval {integer}
            set probe-timeout {integer}
            set failtime {integer}
            set recoverytime {integer}
            set probe-count {integer}
            set diffservcode {user}
            set update-cascade-interface [enable|disable]
            set update-static-route [enable|disable]
            set sla-fail-log-period {integer}
            set sla-pass-log-period {integer}
            set threshold-warning-packetloss {integer}
            set threshold-alert-packetloss {integer}
            set threshold-warning-latency {integer}
            set threshold-alert-latency {integer}
            set threshold-warning-jitter {integer}
            set threshold-alert-jitter {integer}
            set members <seq-num1>, <seq-num2>, ...
            config sla
                Description: Service level agreement (SLA).
                edit <id>
                    set link-cost-factor {option1}, {option2}, ...
                    set latency-threshold {integer}
                    set jitter-threshold {integer}
                    set packetloss-threshold {integer}
                next
            end
        next
    end
    config neighbor
        Description: Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.
        edit <ip>
            set member {integer}
            set role [standalone|primary|...]
            set health-check {string}
            set sla-id {integer}
        next
    end
    config service
        Description: Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.
        edit <id>
            set name {string}
            set addr-mode [ipv4|ipv6]
            set input-device <name1>, <name2>, ...
            set input-device-negate [enable|disable]
            set mode [auto|manual|...]
            set minimum-sla-meet-members {integer}
            set hash-mode [round-robin|source-ip-based|...]
            set role [standalone|primary|...]
            set standalone-action [enable|disable]
            set quality-link {integer}
            set tos {user}
            set tos-mask {user}
            set protocol {integer}
            set start-port {integer}
            set end-port {integer}
            set route-tag {integer}
            set dst <name1>, <name2>, ...
            set dst-negate [enable|disable]
            set src <name1>, <name2>, ...
            set dst6 <name1>, <name2>, ...
            set src6 <name1>, <name2>, ...
            set src-negate [enable|disable]
            set users <name1>, <name2>, ...
            set groups <name1>, <name2>, ...
            set internet-service [enable|disable]
            set internet-service-custom <name1>, <name2>, ...
            set internet-service-custom-group <name1>, <name2>, ...
            set internet-service-name <name1>, <name2>, ...
            set internet-service-group <name1>, <name2>, ...
            set internet-service-app-ctrl <id1>, <id2>, ...
            set internet-service-app-ctrl-group <name1>, <name2>, ...
            set health-check <name1>, <name2>, ...
            set link-cost-factor [latency|jitter|...]
            set packet-loss-weight {integer}
            set latency-weight {integer}
            set jitter-weight {integer}
            set bandwidth-weight {integer}
            set link-cost-threshold {integer}
            set hold-down-time {integer}
            set dscp-forward [enable|disable]
            set dscp-reverse [enable|disable]
            set dscp-forward-tag {user}
            set dscp-reverse-tag {user}
            config sla
                Description: Service level agreement (SLA).
                edit <health-check>
                    set id {integer}
                next
            end
            set priority-members <seq-num1>, <seq-num2>, ...
            set status [enable|disable]
            set gateway [enable|disable]
            set default [enable|disable]
            set sla-compare-method [order|number]
            set tie-break [zone|cfg-order|...]
            set use-shortcut-sla [enable|disable]
        next
    end
    config duplication
        Description: Create SD-WAN duplication rule.
        edit <id>
            set service-id <id1>, <id2>, ...
            set srcaddr <name1>, <name2>, ...
            set dstaddr <name1>, <name2>, ...
            set srcaddr6 <name1>, <name2>, ...
            set dstaddr6 <name1>, <name2>, ...
            set srcintf <name1>, <name2>, ...
            set dstintf <name1>, <name2>, ...
            set service <name1>, <name2>, ...
            set packet-duplication [disable|force|...]
            set packet-de-duplication [enable|disable]
        next
    end
end

config system sdwan

status
    Enable/disable SD-WAN.
    Type: option. Default: disable
        disable    Disable SD-WAN.
        enable     Enable SD-WAN.

load-balance-mode
    Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
    Type: option. Default: source-ip-based
        source-ip-based          Source IP load balancing. All traffic from a source IP is sent to the same interface.
        weight-based             Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
        usage-based              Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit, new traffic is sent to the next interface.
        source-dest-ip-based     Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
        measured-volume-based    Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.

duplication-max-num
    Maximum number of interface members a packet is duplicated to in the SD-WAN zone (2 - 4, default = 2; if set to 3, the original packet plus 2 more copies are created).
    Type: integer (2 - 4). Default: 2

neighbor-hold-down
    Enable/disable hold switching from the secondary neighbor to the primary neighbor.
    Type: option. Default: disable
        enable     Enable hold switching from the secondary neighbor to the primary neighbor.
        disable    Disable hold switching from the secondary neighbor to the primary neighbor.

neighbor-hold-down-time
    Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled (0 - 10000000, default = 0).
    Type: integer (0 - 10000000). Default: 0

neighbor-hold-boot-time
    Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start (0 - 10000000, default = 0).
    Type: integer (0 - 10000000). Default: 0

fail-detect
    Enable/disable SD-WAN Internet connection status checking (failure detection).
    Type: option. Default: disable
        enable     Enable status checking.
        disable    Disable status checking.

fail-alert-interfaces <name>
    Physical interfaces that will be alerted. <name>: physical interface name.
    Type: string (maximum length 79)

config zone

service-sla-tie-break
    Method of selecting a member if more than one meets the SLA.
    Type: option. Default: cfg-order
        cfg-order         Members that meet the SLA are selected in the order they are configured.
        fib-best-match    Among the members that meet the SLA, the one whose route matches the longest prefix in the routing table is selected.

config members

interface
    Interface name.
    Type: string (maximum length 15)

zone
    Zone name.
    Type: string (maximum length 35). Default: virtual-wan-link

gateway
    The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
    Type: ipv4-address. Default: 0.0.0.0

source
    Source IP address used in the health-check packet to the server.
    Type: ipv4-address. Default: 0.0.0.0

gateway6
    IPv6 gateway.
    Type: ipv6-address. Default: ::

source6
    Source IPv6 address used in the health-check packet to the server.
    Type: ipv6-address. Default: ::

cost
    Cost of this interface for services in SLA mode (0 - 4294967295, default = 0).
    Type: integer (0 - 4294967295). Default: 0

weight
    Weight of this interface for weighted load balancing (1 - 255). More traffic is directed to interfaces with higher weights.
    Type: integer (1 - 255). Default: 1

priority
    Priority of the interface (0 - 65535). Used for SD-WAN rules or priority rules.
    Type: integer (0 - 65535). Default: 0

spillover-threshold
    Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
    Type: integer (0 - 16776000). Default: 0

ingress-spillover-threshold
    Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
    Type: integer (0 - 16776000). Default: 0

volume-ratio
    Measured volume ratio (this value / sum of all values = percentage of link volume, 1 - 255).
    Type: integer (1 - 255). Default: 1

status
    Enable/disable this interface in the SD-WAN.
    Type: option. Default: enable
        disable    Disable this interface in the SD-WAN.
        enable     Enable this interface in the SD-WAN.

comment
    Comments.
    Type: var-string (maximum length 255)

config health-check

probe-packets
    Enable/disable transmission of probe packets.
    Type: option. Default: enable
        disable    Disable transmission of probe packets.
        enable     Enable transmission of probe packets.

addr-mode
    Address mode (IPv4 or IPv6).
    Type: option. Default: ipv4
        ipv4    IPv4 mode.
        ipv6    IPv6 mode.

system-dns
    Enable/disable system DNS as the probe server.
    Type: option. Default: disable
        disable    Disable system DNS as the probe server.
        enable     Enable system DNS as the probe server.

server
    IP address or FQDN name of the server.
    Type: string (maximum length 79)

protocol
    Protocol used to determine if the FortiGate can communicate with the server.
    Type: option. Default: ping
        ping           Use PING to test the link with the server.
        tcp-echo       Use TCP echo to test the link with the server.
        udp-echo       Use UDP echo to test the link with the server.
        http           Use HTTP-GET to test the link with the server.
        twamp          Use TWAMP to test the link with the server.
        dns            Use DNS query to test the link with the server.
        tcp-connect    Use a full TCP connection to test the link with the server.
        ftp            Use FTP to test the link with the server.

port
    Port number used to communicate with the server over the selected protocol (0 - 65535, default = 0, auto select: http, twamp: 80; udp-echo, tcp-echo: 7; dns: 53; ftp: 21).
    Type: integer (0 - 65535). Default: 0

quality-measured-method
    Method to measure the quality of tcp-connect.
    Type: option. Default: half-open
        half-open     Measure the round trip between SYN and ACK.
        half-close    Measure the round trip between FIN and ACK.

security-mode
    TWAMP controller security mode.
    Type: option. Default: none
        none              Unauthenticated mode.
        authentication    Authenticated mode.

user
    The user name to access the probe server.
    Type: string (maximum length 64)

password
    TWAMP controller password in authentication mode.
    Type: password

packet-size
    Packet size of a TWAMP test session.
    Type: integer (64 - 1024). Default: 64

ha-priority
    HA election priority (1 - 50).
    Type: integer (1 - 50). Default: 1

ftp-mode
    FTP mode.
    Type: option. Default: passive
        passive    The FTP health-check initiates and establishes the data connection.
        port       The FTP server initiates and establishes the data connection.

ftp-file
    Full path and file name on the FTP server to download for the FTP health-check to probe.
    Type: string (maximum length 254)

http-get
    URL used to communicate with the server if the protocol is HTTP.
    Type: string (maximum length 1024). Default: /

http-agent
    String in the http-agent field in the HTTP header.
    Type: string (maximum length 1024). Default: Chrome/ Safari/

http-match
    Response string expected from the server if the protocol is HTTP.
    Type: string (maximum length 1024)

dns-request-domain
    Fully qualified domain name to resolve for the DNS probe.
    Type: string (maximum length 255). Default: www.example.com

dns-match-ip
    Response IP expected from the DNS server if the protocol is DNS.
    Type: ipv4-address. Default: 0.0.0.0

interval
    Status check interval in milliseconds, or the time between attempts to connect to the server (500 - 3600*1000 msec, default = 500).
    Type: integer (500 - 3600000). Default: 500

probe-timeout
    Time to wait before a probe packet is considered lost (500 - 3600*1000 msec, default = 500).
    Type: integer (500 - 3600000). Default: 500

failtime
    Number of failures before the server is considered lost (1 - 3600, default = 5).
    Type: integer (1 - 3600). Default: 5

recoverytime
    Number of successful responses received before the server is considered recovered (1 - 3600, default = 5).
    Type: integer (1 - 3600). Default: 5

probe-count
    Number of most recent probes that should be used to calculate latency and jitter (5 - 30, default = 30).
    Type: integer (5 - 30). Default: 30

diffservcode
    Differentiated services code point (DSCP) in the IP header of the probe packet.
    Type: user

update-cascade-interface
    Enable/disable update cascade interface.
    Type: option. Default: enable
        enable     Enable update cascade interface.
        disable    Disable update cascade interface.

update-static-route
    Enable/disable updating the static route.
    Type: option. Default: enable
        enable     Enable updating the static route.
        disable    Disable updating the static route.

sla-fail-log-period
    Time interval in seconds at which SLA fail log messages will be generated (0 - 3600, default = 0).
    Type: integer (0 - 3600). Default: 0

sla-pass-log-period
    Time interval in seconds at which SLA pass log messages will be generated (0 - 3600, default = 0).
    Type: integer (0 - 3600). Default: 0

threshold-warning-packetloss
    Warning threshold for packet loss (percentage, default = 0).
    Type: integer (0 - 100). Default: 0

threshold-alert-packetloss
    Alert threshold for packet loss (percentage, default = 0).
    Type: integer (0 - 100). Default: 0

threshold-warning-latency
    Warning threshold for latency (ms, default = 0).
    Type: integer (0 - 4294967295). Default: 0

threshold-alert-latency
    Alert threshold for latency (ms, default = 0).
    Type: integer (0 - 4294967295). Default: 0

threshold-warning-jitter
    Warning threshold for jitter (ms, default = 0).
    Type: integer (0 - 4294967295). Default: 0

threshold-alert-jitter
    Alert threshold for jitter (ms, default = 0).
    Type: integer (0 - 4294967295). Default: 0

members <seq-num>
    Member sequence number list. <seq-num>: member sequence number.
    Type: integer (0 - 4294967295). Default: 0

config sla (under config health-check)

id
    SLA ID.
    Type: integer (0 - 4294967295). Default: 0

config neighbor

member
    Member sequence number.
    Type: integer (0 - 4294967295). Default: 0

role
    Role of neighbor.
    Type: option. Default: standalone
        standalone    Standalone neighbor.
        primary       Primary neighbor.
        secondary     Secondary neighbor.

health-check
    SD-WAN health-check name.
    Type: string (maximum length 35)

sla-id
    SLA ID.
    Type: integer (0 - 4294967295). Default: 0

config service

name
    SD-WAN rule name.
    Type: string (maximum length 35)

addr-mode
    Address mode (IPv4 or IPv6).
    Type: option. Default: ipv4
        ipv4    IPv4 mode.
        ipv6    IPv6 mode.

input-device <name>
    Source interface name. <name>: interface name.
    Type: string (maximum length 79)

input-device-negate
    Enable/disable negation of input device match.
    Type: option. Default: disable
        enable     Enable negation of input device match.
        disable    Disable negation of input device match.

mode
    Control how the SD-WAN rule sets the priority of interfaces in the SD-WAN.
    Type: option. Default: manual
        auto            Assign interfaces a priority based on quality.
        manual          Assign interfaces a priority manually.
        priority        Assign interfaces a priority based on the link-cost-factor quality of the interface.
        sla             Assign interfaces a priority based on selected SLA settings.
        load-balance    Distribute traffic among all available links based on round robin. The ADVPN feature is not supported in this mode.

minimum-sla-meet-members
    Minimum number of members which meet the SLA.
    Type: integer (0 - 255). Default: 0

hash-mode
    Hash algorithm for the selected priority members in load-balance mode.
    Type: option. Default: round-robin
        round-robin             All traffic is distributed to the selected interfaces in equal portions and circular order.
        source-ip-based         All traffic from a source IP is sent to the same interface.
        source-dest-ip-based    All traffic from a source IP to a destination IP is sent to the same interface.
        inbandwidth             All traffic is distributed to the selected interface with the most available bandwidth for incoming traffic.
        outbandwidth            All traffic is distributed to the selected interface with the most available bandwidth for outgoing traffic.
        bibandwidth             All traffic is distributed to the selected interface with the most available bandwidth for both incoming and outgoing traffic.

role
    Service role to work with neighbor.
    Type: option. Default: standalone
        standalone    Standalone service.
        primary       Primary service for primary neighbor.
        secondary     Secondary service for secondary neighbor.

standalone-action
    Enable/disable the service when the selected neighbor role is standalone while the service role is not standalone.
    Type: option. Default: disable
        enable     Enable the service when the selected neighbor role is standalone.
        disable    Disable the service when the selected neighbor role is standalone.

quality-link
    Quality grade.
    Type: integer (0 - 255). Default: 0

tos
    Type of service bit pattern.
    Type: user

tos-mask
    Type of service evaluated bits.
    Type: user

protocol
    Protocol number.
    Type: integer (0 - 255). Default: 0

start-port
    Start destination port number.
    Type: integer (0 - 65535). Default: 1

end-port
    End destination port number.
    Type: integer (0 - 65535). Default: 65535

route-tag
    IPv4 route map route-tag.
    Type: integer (0 - 4294967295). Default: 0

dst <name>
    Destination address name. <name>: address or address group name.
    Type: string (maximum length 79)

dst-negate
    Enable/disable negation of destination address match.
    Type: option. Default: disable
        enable     Enable destination address negation.
        disable    Disable destination address negation.

src <name>
    Source address name. <name>: address or address group name.
    Type: string (maximum length 79)

dst6 <name>
    Destination address6 name. <name>: address6 or address6 group name.
    Type: string (maximum length 79)

src6 <name>
    Source address6 name. <name>: address6 or address6 group name.
    Type: string (maximum length 79)

src-negate
    Enable/disable negation of source address match.
    Type: option. Default: disable
        enable     Enable source address negation.
        disable    Disable source address negation.

users <name>
    User name list. <name>: user name.
    Type: string (maximum length 79)

groups <name>
    User groups. <name>: group name.
    Type: string (maximum length 79)

internet-service
    Enable/disable use of Internet service for application-based load balancing.
    Type: option. Default: disable
        enable     Enable cloud service to support application-based load balancing.
        disable    Disable cloud service to support application-based load balancing.

internet-service-custom <name>
    Custom Internet service name list. <name>: custom Internet service name.
    Type: string (maximum length 79)

internet-service-custom-group <name>
    Custom Internet Service group list. <name>: custom Internet Service group name.
    Type: string (maximum length 79)

internet-service-name <name>
    Internet service name list. <name>: Internet service name.
    Type: string (maximum length 79)

internet-service-group <name>
    Internet Service group list. <name>: Internet Service group name.
    Type: string (maximum length 79)

internet-service-app-ctrl <id>
    Application control based Internet Service ID list. <id>: application control based Internet Service ID.
    Type: integer (0 - 4294967295). Default: 0

internet-service-app-ctrl-group <name>
    Application control based Internet Service group list. <name>: application control based Internet Service group name.
    Type: string (maximum length 79)

health-check <name>
    Health check list. <name>: health check name.
    Type: string (maximum length 79)

link-cost-factor
    Link cost factor.
    Type: option. Default: latency
        latency             Select link based on latency.
        jitter              Select link based on jitter.
        packet-loss         Select link based on packet loss.
        inbandwidth         Select link based on available bandwidth of incoming traffic.
        outbandwidth        Select link based on available bandwidth of outgoing traffic.
        bibandwidth         Select link based on available bandwidth of bidirectional traffic.
        custom-profile-1    Select link based on a customized profile.

packet-loss-weight
    Coefficient of packet loss in the formula of custom-profile-1.
    Type: integer (0 - 10000000). Default: 0

latency-weight
    Coefficient of latency in the formula of custom-profile-1.
    Type: integer (0 - 10000000). Default: 0

jitter-weight
    Coefficient of jitter in the formula of custom-profile-1.
    Type: integer (0 - 10000000). Default: 0

bandwidth-weight
    Coefficient of the reciprocal of available bidirectional bandwidth in the formula of custom-profile-1.
    Type: integer (0 - 10000000). Default: 0

link-cost-threshold
    Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10).
    Type: integer (0 - 10000000). Default: 10

hold-down-time
    Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000, default = 0).
    Type: integer (0 - 10000000). Default: 0

dscp-forward
    Enable/disable forward traffic DSCP tag.
    Type: option. Default: disable
        enable     Enable use of forward DSCP tag.
        disable    Disable use of forward DSCP tag.

dscp-reverse
    Enable/disable reverse traffic DSCP tag.
    Type: option. Default: disable
        enable     Enable use of reverse DSCP tag.
        disable    Disable use of reverse DSCP tag.

dscp-forward-tag
    Forward traffic DSCP tag.
    Type: user

dscp-reverse-tag
    Reverse traffic DSCP tag.
    Type: user

priority-members <seq-num>
    Member sequence number list. <seq-num>: member sequence number.
    Type: integer (0 - 4294967295). Default: 0

status
    Enable/disable SD-WAN service.
    Type: option. Default: enable
        enable     Enable SD-WAN service.
        disable    Disable SD-WAN service.

gateway
    Enable/disable SD-WAN service gateway.
    Type: option. Default: disable
        enable     Enable SD-WAN service gateway.
        disable    Disable SD-WAN service gateway.

default
    Enable/disable use of SD-WAN as default service.
    Type: option. Default: disable
        enable     Enable use of SD-WAN as default service.
        disable    Disable use of SD-WAN as default service.

sla-compare-method
    Method to compare SLA value for SLA mode.
    Type: option. Default: order
        order     Compare SLA value based on the order of the health-checks.
        number    Compare SLA value based on the number of satisfied health-checks. Limits health-checks to only configured member interfaces.

tie-break
    Method of selecting a member if more than one meets the SLA.
    Type: option. Default: zone
        zone              Use the setting that is configured for the members' zone.
        cfg-order         Members that meet the SLA are selected in the order they are configured.
        fib-best-match    Among the members that meet the SLA, the one whose route matches the longest prefix in the routing table is selected.

use-shortcut-sla
    Enable/disable use of ADVPN shortcut for quality comparison.
    Type: option. Default: enable
        enable     Enable use of ADVPN shortcut for quality comparison.
        disable    Disable use of ADVPN shortcut for quality comparison.

config sla (under config service)

id
    SLA ID.
    Type: integer (0 - 4294967295). Default: 0

config duplication

service-id <id>
    SD-WAN service rule ID list. <id>: SD-WAN service rule ID.
    Type: integer (0 - 4294967295). Default: 0

srcaddr <name>
    Source address or address group names. <name>: address or address group name.
    Type: string (maximum length 79)

dstaddr <name>
    Destination address or address group names. <name>: address or address group name.
    Type: string (maximum length 79)

srcaddr6 <name>
    Source address6 or address6 group names. <name>: address6 or address6 group name.
    Type: string (maximum length 79)

dstaddr6 <name>
    Destination address6 or address6 group names. <name>: address6 or address6 group name.
    Type: string (maximum length 79)

srcintf <name>
    Incoming (ingress) interfaces or zones. <name>: interface, zone or SD-WAN zone name.
    Type: string (maximum length 79)

dstintf <name>
    Outgoing (egress) interfaces or zones. <name>: interface, zone or SD-WAN zone name.
    Type: string (maximum length 79)

service <name>
    Service and service group names. <name>: service or service group name.
    Type: string (maximum length 79)

packet-duplication
    Configure packet duplication method.
    Type: option. Default: disable
        disable      Disable packet duplication.
        force        Duplicate packets across all interface members of the SD-WAN zone.
        on-demand    Duplicate packets across all interface members of the SD-WAN zone based on the link quality.

packet-de-duplication
    Enable/disable discarding of packets that have been duplicated.
    Type: option. Default: disable
        enable     Enable discarding of packets that have been duplicated.
        disable    Disable discarding of packets that have been duplicated.

config system sdwan

config system sdwan

Configure redundant Internet connections with multiple outbound links and health-check profiles.

config system sdwan

Description: Configure redundant Internet connections with multiple outbound links and health-check profiles.

set status [disable|enable]

set load-balance-mode [source-ip-based|weight-based|...]

set duplication-max-num {integer}

set neighbor-hold-down [enable|disable]

set neighbor-hold-down-time {integer}

set neighbor-hold-boot-time {integer}

set fail-detect [enable|disable]

set fail-alert-interfaces <name1>, <name2>, ...

config zone

Description: Configure SD-WAN zones.

edit <name>

set service-sla-tie-break [cfg-order|fib-best-match]

next

end

config members

Description: FortiGate interfaces added to the SD-WAN.

edit <seq-num>

set interface {string}

set zone {string}

set gateway {ipv4-address}

set source {ipv4-address}

set gateway6 {ipv6-address}

set source6 {ipv6-address}

set cost {integer}

set weight {integer}

set priority {integer}

set spillover-threshold {integer}

set ingress-spillover-threshold {integer}

set volume-ratio {integer}

set status [disable|enable]

set comment {var-string}

next

end

config health-check

Description: SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.

edit <name>

set probe-packets [disable|enable]

set addr-mode [ipv4|ipv6]

set system-dns [disable|enable]

set server {string}

set protocol [ping|tcp-echo|...]

set port {integer}

set quality-measured-method [half-open|half-close]

set security-mode [none|authentication]

set user {string}

set password {password}

set packet-size {integer}

set ha-priority {integer}

set ftp-mode [passive|port]

set ftp-file {string}

set http-get {string}

set http-agent {string}

set http-match {string}

set dns-request-domain {string}

set dns-match-ip {ipv4-address}

set interval {integer}

set probe-timeout {integer}

set failtime {integer}

set recoverytime {integer}

set probe-count {integer}

set diffservcode {user}

set update-cascade-interface [enable|disable]

set update-static-route [enable|disable]

set sla-fail-log-period {integer}

set sla-pass-log-period {integer}

set threshold-warning-packetloss {integer}

set threshold-alert-packetloss {integer}

set threshold-warning-latency {integer}

set threshold-alert-latency {integer}

set threshold-warning-jitter {integer}

set threshold-alert-jitter {integer}

set members <seq-num1>, <seq-num2>, ...

config sla

Description: Service level agreement (SLA).

edit <id>

set link-cost-factor {option1}, {option2}, ...

set latency-threshold {integer}

set jitter-threshold {integer}

set packetloss-threshold {integer}

next

end

next

end

config neighbor

Description: Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.

edit <ip>

set member {integer}

set role [standalone|primary|...]

set health-check {string}

set sla-id {integer}

next

end

config service

Description: Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.

edit <id>

set name {string}

set addr-mode [ipv4|ipv6]

set input-device <name1>, <name2>, ...

set input-device-negate [enable|disable]

set mode [auto|manual|...]

set minimum-sla-meet-members {integer}

set hash-mode [round-robin|source-ip-based|...]

set role [standalone|primary|...]

set standalone-action [enable|disable]

set quality-link {integer}

set tos {user}

set tos-mask {user}

set protocol {integer}

set start-port {integer}

set end-port {integer}

set route-tag {integer}

set dst <name1>, <name2>, ...

set dst-negate [enable|disable]

set src <name1>, <name2>, ...

set dst6 <name1>, <name2>, ...

set src6 <name1>, <name2>, ...

set src-negate [enable|disable]

set users <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set internet-service [enable|disable]

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set internet-service-name <name1>, <name2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-app-ctrl <id1>, <id2>, ...

set internet-service-app-ctrl-group <name1>, <name2>, ...

set health-check <name1>, <name2>, ...

set link-cost-factor [latency|jitter|...]

set packet-loss-weight {integer}

set latency-weight {integer}

set jitter-weight {integer}

set bandwidth-weight {integer}

set link-cost-threshold {integer}

set hold-down-time {integer}

set dscp-forward [enable|disable]

set dscp-reverse [enable|disable]

set dscp-forward-tag {user}

set dscp-reverse-tag {user}

config sla

Description: Service level agreement (SLA).

edit <health-check>

set id {integer}

next

end

set priority-members <seq-num1>, <seq-num2>, ...

set status [enable|disable]

set gateway [enable|disable]

set default [enable|disable]

set sla-compare-method [order|number]

set tie-break [zone|cfg-order|...]

set use-shortcut-sla [enable|disable]

next

end

config duplication

Description: Create SD-WAN duplication rule.

edit <id>

set service-id <id1>, <id2>, ...

set srcaddr <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set service <name1>, <name2>, ...

set packet-duplication [disable|force|...]

set packet-de-duplication [enable|disable]

next

end

end

config system sdwan

status (option, default: disable)
    Enable/disable SD-WAN.
    disable: Disable SD-WAN.
    enable: Enable SD-WAN.

load-balance-mode (option, default: source-ip-based)
    Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.
    source-ip-based: Source IP load balancing. All traffic from a source IP is sent to the same interface.
    weight-based: Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
    usage-based: Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit, new traffic is sent to the next interface.
    source-dest-ip-based: Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
    measured-volume-based: Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.

duplication-max-num (integer, 2 - 4, default: 2)
    Maximum number of interface members a packet is duplicated to in the SD-WAN zone (2 - 4, default = 2; if set to 3, the original packet plus 2 more copies are created).

neighbor-hold-down (option, default: disable)
    Enable/disable hold switching from the secondary neighbor to the primary neighbor.
    enable: Enable hold switching from the secondary neighbor to the primary neighbor.
    disable: Disable hold switching from the secondary neighbor to the primary neighbor.

neighbor-hold-down-time (integer, 0 - 10000000, default: 0)
    Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled (0 - 10000000, default = 0).

neighbor-hold-boot-time (integer, 0 - 10000000, default: 0)
    Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start (0 - 10000000, default = 0).

fail-detect (option, default: disable)
    Enable/disable SD-WAN Internet connection status checking (failure detection).
    enable: Enable status checking.
    disable: Disable status checking.

fail-alert-interfaces <name> (string, max length 79)
    Physical interfaces that will be alerted.
    <name>: Physical interface name.

config zone

service-sla-tie-break (option, default: cfg-order)
    Method of selecting a member if more than one meets the SLA.
    cfg-order: Members that meet the SLA are selected in the order they are configured.
    fib-best-match: Among the members that meet the SLA, the one whose route matches the longest prefix in the routing table is selected.

config members

interface (string, max length 15)
    Interface name.

zone (string, max length 35, default: virtual-wan-link)
    Zone name.

gateway (ipv4-address, default: 0.0.0.0)
    The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.

source (ipv4-address, default: 0.0.0.0)
    Source IP address used in the health-check packet to the server.

gateway6 (ipv6-address, default: ::)
    IPv6 gateway.

source6 (ipv6-address, default: ::)
    Source IPv6 address used in the health-check packet to the server.

cost (integer, 0 - 4294967295, default: 0)
    Cost of this interface for services in SLA mode (0 - 4294967295, default = 0).

weight (integer, 1 - 255, default: 1)
    Weight of this interface for weighted load balancing (1 - 255). More traffic is directed to interfaces with higher weights.

priority (integer, 0 - 65535, default: 0)
    Priority of the interface (0 - 65535). Used for SD-WAN rules or priority rules.

spillover-threshold (integer, 0 - 16776000, default: 0)
    Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.

ingress-spillover-threshold (integer, 0 - 16776000, default: 0)
    Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.

volume-ratio (integer, 1 - 255, default: 1)
    Measured volume ratio (this value / sum of all values = percentage of link volume, 1 - 255).

status (option, default: enable)
    Enable/disable this interface in the SD-WAN.
    disable: Disable this interface in the SD-WAN.
    enable: Enable this interface in the SD-WAN.

comment (var-string, max length 255)
    Comments.

config health-check

probe-packets (option, default: enable)
    Enable/disable transmission of probe packets.
    disable: Disable transmission of probe packets.
    enable: Enable transmission of probe packets.

addr-mode (option, default: ipv4)
    Address mode (IPv4 or IPv6).
    ipv4: IPv4 mode.
    ipv6: IPv6 mode.

system-dns (option, default: disable)
    Enable/disable using the system DNS server as the probe server.
    disable: Disable system DNS as the probe server.
    enable: Enable system DNS as the probe server.

server (string, max length 79)
    IP address or FQDN of the server.

protocol (option, default: ping)
    Protocol used to determine if the FortiGate can communicate with the server.
    ping: Use PING to test the link with the server.
    tcp-echo: Use TCP echo to test the link with the server.
    udp-echo: Use UDP echo to test the link with the server.
    http: Use HTTP-GET to test the link with the server.
    twamp: Use TWAMP to test the link with the server.
    dns: Use a DNS query to test the link with the server.
    tcp-connect: Use a full TCP connection to test the link with the server.
    ftp: Use FTP to test the link with the server.

port (integer, 0 - 65535, default: 0)
    Port number used to communicate with the server over the selected protocol (0 - 65535, default = 0, which auto-selects by protocol: http, twamp: 80; udp-echo, tcp-echo: 7; dns: 53; ftp: 21).

quality-measured-method (option, default: half-open)
    Method to measure the quality of tcp-connect.
    half-open: Measure the round trip between SYN and ACK.
    half-close: Measure the round trip between FIN and ACK.

security-mode (option, default: none)
    TWAMP controller security mode.
    none: Unauthenticated mode.
    authentication: Authenticated mode.

user (string, max length 64)
    The user name used to access the probe server.

password (password)
    TWAMP controller password in authentication mode.

packet-size (integer, 64 - 1024, default: 64)
    Packet size of a TWAMP test session.

ha-priority (integer, 1 - 50, default: 1)
    HA election priority (1 - 50).

ftp-mode (option, default: passive)
    FTP mode.
    passive: The FTP health-check initiates and establishes the data connection.
    port: The FTP server initiates and establishes the data connection.

ftp-file (string, max length 254)
    Full path and file name on the FTP server to download for the FTP health-check to probe.

http-get (string, max length 1024, default: /)
    URL used to communicate with the server if the protocol is HTTP.

http-agent (string, max length 1024, default: Chrome/ Safari/)
    String in the http-agent field in the HTTP header.

http-match (string, max length 1024)
    Response string expected from the server if the protocol is HTTP.

dns-request-domain (string, max length 255, default: www.example.com)
    Fully qualified domain name to resolve for the DNS probe.

dns-match-ip (ipv4-address, default: 0.0.0.0)
    Response IP expected from the DNS server if the protocol is DNS.

interval (integer, 500 - 3600000, default: 500)
    Status check interval in milliseconds, or the time between attempts to connect to the server (500 - 3600*1000 msec, default = 500).

probe-timeout (integer, 500 - 3600000, default: 500)
    Time to wait before a probe packet is considered lost (500 - 3600*1000 msec, default = 500).

failtime (integer, 1 - 3600, default: 5)
    Number of failures before the server is considered lost (1 - 3600, default = 5).

recoverytime (integer, 1 - 3600, default: 5)
    Number of successful responses received before the server is considered recovered (1 - 3600, default = 5).

probe-count (integer, 5 - 30, default: 30)
    Number of most recent probes that should be used to calculate latency and jitter (5 - 30, default = 30).

diffservcode (user)
    Differentiated services code point (DSCP) in the IP header of the probe packet.

update-cascade-interface (option, default: enable)
    Enable/disable update cascade interface.
    enable: Enable update cascade interface.
    disable: Disable update cascade interface.

update-static-route (option, default: enable)
    Enable/disable updating the static route.
    enable: Enable updating the static route.
    disable: Disable updating the static route.

sla-fail-log-period (integer, 0 - 3600, default: 0)
    Time interval in seconds at which SLA fail log messages will be generated (0 - 3600, default = 0).

sla-pass-log-period (integer, 0 - 3600, default: 0)
    Time interval in seconds at which SLA pass log messages will be generated (0 - 3600, default = 0).

threshold-warning-packetloss (integer, 0 - 100, default: 0)
    Warning threshold for packet loss (percentage, default = 0).

threshold-alert-packetloss (integer, 0 - 100, default: 0)
    Alert threshold for packet loss (percentage, default = 0).

threshold-warning-latency (integer, 0 - 4294967295, default: 0)
    Warning threshold for latency (ms, default = 0).

threshold-alert-latency (integer, 0 - 4294967295, default: 0)
    Alert threshold for latency (ms, default = 0).

threshold-warning-jitter (integer, 0 - 4294967295, default: 0)
    Warning threshold for jitter (ms, default = 0).

threshold-alert-jitter (integer, 0 - 4294967295, default: 0)
    Alert threshold for jitter (ms, default = 0).

members <seq-num> (integer, 0 - 4294967295, default: 0)
    Member sequence number list.
    <seq-num>: Member sequence number.
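The health-check settings above describe a small state machine: a probe with no reply within probe-timeout is lost, failtime consecutive losses mark the server lost, recoverytime consecutive replies mark it recovered, and the last probe-count results feed the latency, jitter and packet-loss figures that the warning/alert thresholds are compared against. The following model is an added example, not FortiOS code; the jitter definition (mean absolute difference between consecutive replies), the "0 means not evaluated" reading of the thresholds and the initial alive state are assumptions, and the probe trace is constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from statistics import mean
from typing import Deque, List, Optional

@dataclass
class HealthCheck:
    """Subset of `config health-check` settings this model needs (values are the page defaults)."""
    probe_timeout: int = 500           # msec; a probe with no reply by then is counted as lost
    failtime: int = 5                  # consecutive lost probes before the server is considered lost
    recoverytime: int = 5              # consecutive replies before the server is considered recovered
    probe_count: int = 30              # most recent probes used for latency and jitter
    threshold_warning_packetloss: int = 0   # percent; assumption: a threshold of 0 is not evaluated
    threshold_alert_packetloss: int = 0
    threshold_warning_latency: int = 0      # ms
    threshold_alert_latency: int = 0
    threshold_warning_jitter: int = 0       # ms
    threshold_alert_jitter: int = 0

@dataclass
class LinkState:
    alive: bool = True                 # assumption: a member starts out as reachable
    consecutive_fail: int = 0
    consecutive_ok: int = 0
    window: Deque[Optional[float]] = field(default_factory=deque)
    events: List[str] = field(default_factory=list)

def observe(hc: HealthCheck, st: LinkState, rtt_ms: Optional[float]) -> LinkState:
    """Feed one probe result: the reply RTT in ms, or None if no reply arrived at all."""
    lost = rtt_ms is None or rtt_ms > hc.probe_timeout
    st.window.append(None if lost else rtt_ms)
    while len(st.window) > hc.probe_count:   # keep only the probe-count most recent results
        st.window.popleft()
    if lost:
        st.consecutive_ok = 0
        st.consecutive_fail += 1
        if st.alive and st.consecutive_fail >= hc.failtime:
            st.alive = False
            st.events.append("dead")
    else:
        st.consecutive_fail = 0
        st.consecutive_ok += 1
        if not st.alive and st.consecutive_ok >= hc.recoverytime:
            st.alive = True
            st.events.append("recovered")
    return st

def metrics(st: LinkState) -> dict:
    """Packet loss (%), mean latency and jitter (ms) over the window; jitter = mean |RTT[i] - RTT[i+1]|."""
    replies = [r for r in st.window if r is not None]
    loss = 100.0 * (len(st.window) - len(replies)) / len(st.window) if st.window else 0.0
    latency = mean(replies) if replies else 0.0
    jitter = mean(abs(a - b) for a, b in zip(replies, replies[1:])) if len(replies) > 1 else 0.0
    return {"packetloss": loss, "latency": latency, "jitter": jitter}

def threshold_level(hc: HealthCheck, st: LinkState) -> str:
    # Worst level reached across the three metrics: "alert" beats "warning" beats "ok".
    m = metrics(st)
    level = "ok"
    for name in ("packetloss", "latency", "jitter"):
        alert = getattr(hc, f"threshold_alert_{name}")
        warn = getattr(hc, f"threshold_warning_{name}")
        if alert and m[name] >= alert:
            return "alert"
        if warn and m[name] >= warn:
            level = "warning"
    return level

def run(hc: HealthCheck, results: List[Optional[float]]) -> LinkState:
    # Replay a whole (constructed) probe trace from a fresh state.
    st = LinkState()
    for r in results:
        observe(hc, st, r)
    return st
```

With the defaults, `run(HealthCheck(), [20.0, 22.0, 21.0] + [None] * 5 + [25.0] * 5)` records a "dead" event on the fifth lost probe and a "recovered" event on the fifth reply; four losses followed by a reply never trips failtime.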

config sla

id (integer, 0 - 4294967295, default: 0)
    SLA ID.

config neighbor

member (integer, 0 - 4294967295, default: 0)
    Member sequence number.

role (option, default: standalone)
    Role of the neighbor.
    standalone: Standalone neighbor.
    primary: Primary neighbor.
    secondary: Secondary neighbor.

health-check (string, max length 35)
    SD-WAN health-check name.

sla-id (integer, 0 - 4294967295, default: 0)
    SLA ID.

config service

name (string, max length 35)
    SD-WAN rule name.

addr-mode (option, default: ipv4)
    Address mode (IPv4 or IPv6).
    ipv4: IPv4 mode.
    ipv6: IPv6 mode.

input-device <name> (string, max length 79)
    Source interface name.
    <name>: Interface name.

input-device-negate (option, default: disable)
    Enable/disable negation of the input device match.
    enable: Enable negation of the input device match.
    disable: Disable negation of the input device match.

mode (option, default: manual)
    Control how the SD-WAN rule sets the priority of interfaces in the SD-WAN.
    auto: Assign interfaces a priority based on quality.
    manual: Assign interfaces a priority manually.
    priority: Assign interfaces a priority based on the link-cost-factor quality of the interface.
    sla: Assign interfaces a priority based on the selected SLA settings.
    load-balance: Distribute traffic among all available links based on round robin. The ADVPN feature is not supported in this mode.

minimum-sla-meet-members (integer, 0 - 255, default: 0)
    Minimum number of members that must meet the SLA.

hash-mode (option, default: round-robin)
    Hash algorithm for the selected priority members in load-balance mode.
    round-robin: All traffic is distributed to the selected interfaces in equal portions and circular order.
    source-ip-based: All traffic from a source IP is sent to the same interface.
    source-dest-ip-based: All traffic from a source IP to a destination IP is sent to the same interface.
    inbandwidth: All traffic is distributed to the selected interface with the most available bandwidth for incoming traffic.
    outbandwidth: All traffic is distributed to the selected interface with the most available bandwidth for outgoing traffic.
    bibandwidth: All traffic is distributed to the selected interface with the most available bandwidth for both incoming and outgoing traffic.

role (option, default: standalone)
    Service role to work with the neighbor.
    standalone: Standalone service.
    primary: Primary service for the primary neighbor.
    secondary: Secondary service for the secondary neighbor.

standalone-action (option, default: disable)
    Enable/disable the service when the selected neighbor's role is standalone while the service role is not standalone.
    enable: Enable the service when the selected neighbor role is standalone.
    disable: Disable the service when the selected neighbor role is standalone.

quality-link (integer, 0 - 255, default: 0)
    Quality grade.

tos (user)
    Type of service bit pattern.

tos-mask (user)
    Type of service evaluated bits.

protocol (integer, 0 - 255, default: 0)
    Protocol number.

start-port (integer, 0 - 65535, default: 1)
    Start destination port number.

end-port (integer, 0 - 65535, default: 65535)
    End destination port number.

route-tag (integer, 0 - 4294967295, default: 0)
    IPv4 route map route-tag.

dst <name> (string, max length 79)
    Destination address name.
    <name>: Address or address group name.

dst-negate (option, default: disable)
    Enable/disable negation of the destination address match.
    enable: Enable destination address negation.
    disable: Disable destination address negation.

src <name> (string, max length 79)
    Source address name.
    <name>: Address or address group name.

dst6 <name> (string, max length 79)
    Destination address6 name.
    <name>: Address6 or address6 group name.

src6 <name> (string, max length 79)
    Source address6 name.
    <name>: Address6 or address6 group name.

src-negate (option, default: disable)
    Enable/disable negation of the source address match.
    enable: Enable source address negation.
    disable: Disable source address negation.

users <name> (string, max length 79)
    User name list.
    <name>: User name.

groups <name> (string, max length 79)
    User groups.
    <name>: Group name.

internet-service (option, default: disable)
    Enable/disable use of Internet service for application-based load balancing.
    enable: Enable cloud service to support application-based load balancing.
    disable: Disable cloud service to support application-based load balancing.

internet-service-custom <name> (string, max length 79)
    Custom Internet service name list.
    <name>: Custom Internet service name.

internet-service-custom-group <name> (string, max length 79)
    Custom Internet Service group list.
    <name>: Custom Internet Service group name.

internet-service-name <name> (string, max length 79)
    Internet service name list.
    <name>: Internet service name.

internet-service-group <name> (string, max length 79)
    Internet Service group list.
    <name>: Internet Service group name.

internet-service-app-ctrl <id> (integer, 0 - 4294967295, default: 0)
    Application control based Internet Service ID list.
    <id>: Application control based Internet Service ID.

internet-service-app-ctrl-group <name> (string, max length 79)
    Application control based Internet Service group list.
    <name>: Application control based Internet Service group name.

health-check <name> (string, max length 79)
    Health check list.
    <name>: Health check name.

link-cost-factor (option, default: latency)
    Link cost factor.
    latency: Select link based on latency.
    jitter: Select link based on jitter.
    packet-loss: Select link based on packet loss.
    inbandwidth: Select link based on available bandwidth of incoming traffic.
    outbandwidth: Select link based on available bandwidth of outgoing traffic.
    bibandwidth: Select link based on available bandwidth of bidirectional traffic.
    custom-profile-1: Select link based on a customized profile.

packet-loss-weight (integer, 0 - 10000000, default: 0)
    Coefficient of packet loss in the formula of custom-profile-1.

latency-weight (integer, 0 - 10000000, default: 0)
    Coefficient of latency in the formula of custom-profile-1.

jitter-weight (integer, 0 - 10000000, default: 0)
    Coefficient of jitter in the formula of custom-profile-1.

bandwidth-weight (integer, 0 - 10000000, default: 0)
    Coefficient of the reciprocal of available bidirectional bandwidth in the formula of custom-profile-1.

link-cost-threshold (integer, 0 - 10000000, default: 10)
    Percentage change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10).

hold-down-time (integer, 0 - 10000000, default: 0)
    Waiting period in seconds when switching from the back-up member to the primary member (0 - 10000000, default = 0).

dscp-forward (option, default: disable)
    Enable/disable the forward traffic DSCP tag.
    enable: Enable use of the forward DSCP tag.
    disable: Disable use of the forward DSCP tag.

dscp-reverse (option, default: disable)
    Enable/disable the reverse traffic DSCP tag.
    enable: Enable use of the reverse DSCP tag.
    disable: Disable use of the reverse DSCP tag.

dscp-forward-tag (user)
    Forward traffic DSCP tag.

dscp-reverse-tag (user)
    Reverse traffic DSCP tag.

priority-members <seq-num> (integer, 0 - 4294967295, default: 0)
    Member sequence number list.
    <seq-num>: Member sequence number.

status (option, default: enable)
    Enable/disable the SD-WAN service.
    enable: Enable the SD-WAN service.
    disable: Disable the SD-WAN service.

gateway (option, default: disable)
    Enable/disable the SD-WAN service gateway.
    enable: Enable the SD-WAN service gateway.
    disable: Disable the SD-WAN service gateway.

default (option, default: disable)
    Enable/disable use of SD-WAN as the default service.
    enable: Enable use of SD-WAN as the default service.
    disable: Disable use of SD-WAN as the default service.

sla-compare-method (option, default: order)
    Method to compare SLA values in SLA mode.
    order: Compare SLA values based on the order of the health-checks.
    number: Compare SLA values based on the number of satisfied health-checks. Limits health-checks to only the configured member interfaces.

tie-break (option, default: zone)
    Method of selecting a member if more than one meets the SLA.
    zone: Use the setting that is configured for the members' zone.
    cfg-order: Members that meet the SLA are selected in the order they are configured.
    fib-best-match: Among the members that meet the SLA, the one whose route matches the longest prefix in the routing table is selected.

use-shortcut-sla (option, default: enable)
    Enable/disable use of the ADVPN shortcut for quality comparison.
    enable: Enable use of the ADVPN shortcut for quality comparison.
    disable: Disable use of the ADVPN shortcut for quality comparison.
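The custom-profile-1 link-cost-factor above is described only through its four coefficients (packet-loss-weight, latency-weight, jitter-weight and bandwidth-weight, the last applied to the reciprocal of available bidirectional bandwidth), and link-cost-threshold says routes are regenerated only when a cost moves by a given percentage. The block below is an added example, not Fortinet's implementation: it assumes the cost is the plain weighted sum those descriptions imply, that cost ties fall back to member sequence order, and that the threshold is compared against the percentage change from the previous cost; the member measurements are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class CostWeights:
    """The four custom-profile-1 coefficients from `config service` (page defaults are all 0)."""
    packet_loss_weight: int = 0
    latency_weight: int = 0
    jitter_weight: int = 0
    bandwidth_weight: int = 0

@dataclass(frozen=True)
class LinkQuality:
    """Per-member measurements: loss in percent, latency and jitter in ms, bidirectional bandwidth in kbit/s."""
    packet_loss: float
    latency: float
    jitter: float
    bibandwidth: float

def link_cost(w: CostWeights, q: LinkQuality) -> float:
    """Assumed form of the custom-profile-1 formula: each coefficient multiplies its metric,
    and bandwidth-weight multiplies the reciprocal of the available bidirectional bandwidth."""
    if w.bandwidth_weight == 0:
        bw_term = 0.0                  # operator does not care about bandwidth
    elif q.bibandwidth <= 0:
        bw_term = float("inf")         # a link reporting no bandwidth must never win
    else:
        bw_term = w.bandwidth_weight / q.bibandwidth
    return (w.packet_loss_weight * q.packet_loss
            + w.latency_weight * q.latency
            + w.jitter_weight * q.jitter
            + bw_term)

def rank_members(w: CostWeights, members: Dict[int, LinkQuality]) -> List[Tuple[int, float]]:
    """Lowest cost first; on equal cost the lower member seq-num wins (assumption, mirrors cfg-order)."""
    ranked = sorted(members.items(), key=lambda kv: (link_cost(w, kv[1]), kv[0]))
    return [(seq, link_cost(w, q)) for seq, q in ranked]

def needs_route_regeneration(old_cost: float, new_cost: float, link_cost_threshold: int = 10) -> bool:
    """Assumed reading of link-cost-threshold: regenerate policy routes only when the cost
    moves by at least that percentage of its previous value (default = 10)."""
    if old_cost == 0:
        return new_cost != 0
    return abs(new_cost - old_cost) / old_cost * 100.0 >= link_cost_threshold

if __name__ == "__main__":
    # Constructed measurements for two members (seq-num 1 and 2).
    weights = CostWeights(packet_loss_weight=10, latency_weight=1, jitter_weight=2, bandwidth_weight=100000)
    members = {1: LinkQuality(0.0, 20.0, 2.0, 100000.0), 2: LinkQuality(1.0, 15.0, 1.0, 50000.0)}
    print(rank_members(weights, members))                 # member 1 (cost 25.0) ahead of member 2 (29.0)
    print(needs_route_regeneration(25.0, 27.0))           # 8% change: below the default 10%
```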

config sla

id (integer, 0 - 4294967295, default: 0)
    SLA ID.

config duplication

service-id <id> (integer, 0 - 4294967295, default: 0)
    SD-WAN service rule ID list.
    <id>: SD-WAN service rule ID.

srcaddr <name> (string, max length 79)
    Source address or address group names.
    <name>: Address or address group name.

dstaddr <name> (string, max length 79)
    Destination address or address group names.
    <name>: Address or address group name.

srcaddr6 <name> (string, max length 79)
    Source address6 or address6 group names.
    <name>: Address6 or address6 group name.

dstaddr6 <name> (string, max length 79)
    Destination address6 or address6 group names.
    <name>: Address6 or address6 group name.

srcintf <name> (string, max length 79)
    Incoming (ingress) interfaces or zones.
    <name>: Interface, zone or SD-WAN zone name.

dstintf <name> (string, max length 79)
    Outgoing (egress) interfaces or zones.
    <name>: Interface, zone or SD-WAN zone name.

service <name> (string, max length 79)
    Service and service group names.
    <name>: Service or service group name.

packet-duplication (option, default: disable)
    Configure the packet duplication method.
    disable: Disable packet duplication.
    force: Duplicate packets across all interface members of the SD-WAN zone.
    on-demand: Duplicate packets across all interface members of the SD-WAN zone based on the link quality.

packet-de-duplication (option, default: disable)
    Enable/disable discarding of packets that have been duplicated.
    enable: Enable discarding of packets that have been duplicated.
    disable: Disable discarding of packets that have been duplicated.