
Cookbook

Redundant Internet with SD-WAN


This recipe provides an example of how you can configure redundant Internet connectivity for your network using SD-WAN. This allows you to load balance your Internet traffic between multiple ISP links and provides redundancy for your network’s Internet connection if your primary ISP is unavailable.

  1. Connect the FortiGate to your ISP devices by connecting the Internet-facing (WAN) ports on the FortiGate to your ISP devices. Connect WAN1 to the ISP that you want to use for most traffic, and connect WAN2 to the other ISP.

  2. Before you can configure FortiGate interfaces as SD-WAN members, you must remove or redirect existing configuration references to those interfaces in routes and security policies. This includes the default Internet access policy that’s included with many FortiGate models. Note that after you remove the routes and security policies, traffic can’t reach the WAN ports through the FortiGate. Redirecting the routes and policies to reference other interfaces avoids having to create them again later. After you configure SD-WAN, you can reconfigure the routes and policies to reference the SD-WAN interface. Remove existing configuration references to interfaces:
    1. Go to Network > Static Routes and delete any routes that use WAN1 or WAN2.
    2. Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.
  3. Create the SD-WAN interface:
    1. Go to Network > SD-WAN and set Status to Enable.
    2. Under SD-WAN Interface Members, select + and select wan1. Set the Gateway to the default gateway for this interface. This is usually the default gateway IP address of the ISP that this interface is connected to. Repeat these steps to add wan2.
    3. Go to Network > Interfaces and verify that the virtual interface for SD-WAN appears in the interface list. You can expand SD-WAN to view the ports that are included in the SD-WAN interface.
  4. Configure SD-WAN load balancing:
    1. Go to Network > SD-WAN Rules and edit the rule named sd-wan.
    2. In the Load Balancing Algorithm field, select Volume, and prioritize WAN1 to serve more traffic. In the example, the ISP connected to WAN1 is a 40Mb link, and the ISP connected to WAN2 is a 10Mb link, so we balance the weight 75% to 25% in favor of WAN1.

  5. Create a static route for the SD-WAN interface:
    1. Go to Network > Static Routes and create a new route.
    2. In the Destination field, select Subnet, and leave the destination IP address and subnet mask as 0.0.0.0/0.0.0.0.
    3. In the Interface field, select the SD-WAN interface from the dropdown list.
    4. Ensure that Status is set to Enable. If you previously removed or redirected existing references in routes to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those routes to reference the SD-WAN interface.
  6. Configure a security policy that allows traffic from your organization’s internal network to the SD-WAN interface.
    1. Go to Policy & Objects > IPv4 Policy and create a new policy.
    2. Set Incoming Interface to the interface that connects to your organization’s internal network and set Outgoing Interface to the SD-WAN interface.
    3. Enable NAT and apply Security Profiles as required.
    4. Enable Log Allowed Traffic for All Sessions to allow you to verify the results later. If you previously removed or redirected existing references in security policies to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those policies to reference the SD-WAN interface.
  7. You can configure link health monitoring to verify the health and status of the links that make up the SD-WAN link:
    1. Go to Network > Performance SLA and create a new performance SLA.
    2. Set the Protocol for the health checks. In the Server fields, enter the IP addresses of up to two servers that you want to use to test the health of each SD-WAN member interface. In the Participants field, select the SD-WAN interface members that you want the health check to apply to.
    3. You can view link quality measurements on the Performance SLA page. The table displays information about configured health checks. The values in the Packet Loss, Latency, and Jitter columns apply to the server that the FortiGate is using to test the health of the SD-WAN member interfaces. The green (up) arrows indicate only that the server is responding to the health checks, regardless of the packet loss, latency, and jitter values, and do not indicate that the health checks are being met.

  8. View the results:
    1. Browse the Internet using a computer on your internal network and then go to Network > SD-WAN.
    2. In the SD-WAN Usage section, you can see the bandwidth, volume, and sessions for traffic on the SD-WAN interfaces.

    3. Go to Monitor > SD-WAN Monitor to view the number of sessions, bit rate, and more information for each interface.
  9. To test failover of the redundant Internet configuration, you must simulate a failed Internet connection to one of the ports. Do so by physically disconnecting the Ethernet cable connected to WAN1:
    1. Verify that users still have Internet access by navigating to Monitor > SD-WAN Monitor. The Upload and Download values for WAN1 show that traffic is not going through that interface.

    2. Go to Network > SD-WAN. In the SD-WAN Usage section, you can see that bandwidth, volume, and sessions have diverted entirely through WAN2.

    3. Users on the internal network should not notice the WAN1 failure. Likewise, if you are using the WAN1 gateway IP address to connect to the admin dashboard, nothing should change from your perspective. It appears as though you are still connecting through WAN1. After you verify successful failover, reconnect the WAN1 Ethernet cable.
