CLI Reference

config system virtual-wan-link

Configure redundant internet connections using SD-WAN (formerly virtual WAN link).

config system virtual-wan-link
    Description: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
    set fail-alert-interfaces <name1>, <name2>, ...
    set fail-detect [enable|disable]
    config health-check
        Description: SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
        edit <name>
            set probe-packets [disable|enable]
            set addr-mode [ipv4|ipv6]
            set server {string}
            set protocol [ping|tcp-echo|...]
            set port {integer}
            set security-mode [none|authentication]
            set password {password}
            set packet-size {integer}
            set ha-priority {integer}
            set http-get {string}
            set http-agent {string}
            set http-match {string}
            set interval {integer}
            set probe-timeout {integer}
            set failtime {integer}
            set recoverytime {integer}
            set diffservcode {user}
            set update-cascade-interface [enable|disable]
            set update-static-route [enable|disable]
            set sla-fail-log-period {integer}
            set sla-pass-log-period {integer}
            set threshold-warning-packetloss {integer}
            set threshold-alert-packetloss {integer}
            set threshold-warning-latency {integer}
            set threshold-alert-latency {integer}
            set threshold-warning-jitter {integer}
            set threshold-alert-jitter {integer}
            set members <seq-num1>, <seq-num2>, ...
            config sla
                Description: Service level agreement (SLA).
                edit <id>
                    set link-cost-factor {option1}, {option2}, ...
                    set latency-threshold {integer}
                    set jitter-threshold {integer}
                    set packetloss-threshold {integer}
                next
            end
        next
    end
    set load-balance-mode [source-ip-based|weight-based|...]
    config members
        Description: FortiGate interfaces added to the virtual-wan-link.
        edit <seq-num>
            set interface {string}
            set gateway {ipv4-address}
            set source {ipv4-address}
            set gateway6 {ipv6-address}
            set source6 {ipv6-address}
            set cost {integer}
            set weight {integer}
            set priority {integer}
            set spillover-threshold {integer}
            set ingress-spillover-threshold {integer}
            set volume-ratio {integer}
            set status [disable|enable]
            set comment {var-string}
        next
    end
    config neighbor
        Description: Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.
        edit <ip>
            set member {integer}
            set role [standalone|primary|...]
            set health-check {string}
            set sla-id {integer}
        next
    end
    set neighbor-hold-boot-time {integer}
    set neighbor-hold-down [enable|disable]
    set neighbor-hold-down-time {integer}
    config service
        Description: Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.
        edit <id>
            set name {string}
            set addr-mode [ipv4|ipv6]
            set input-device <name1>, <name2>, ...
            set input-device-negate [enable|disable]
            set mode [auto|manual|...]
            set role [standalone|primary|...]
            set standalone-action [enable|disable]
            set quality-link {integer}
            set tos {user}
            set tos-mask {user}
            set protocol {integer}
            set start-port {integer}
            set end-port {integer}
            set route-tag {integer}
            set dst <name1>, <name2>, ...
            set dst-negate [enable|disable]
            set src <name1>, <name2>, ...
            set dst6 <name1>, <name2>, ...
            set src6 <name1>, <name2>, ...
            set src-negate [enable|disable]
            set users <name1>, <name2>, ...
            set groups <name1>, <name2>, ...
            set internet-service [enable|disable]
            set internet-service-custom <name1>, <name2>, ...
            set internet-service-custom-group <name1>, <name2>, ...
            set internet-service-id <id1>, <id2>, ...
            set internet-service-group <name1>, <name2>, ...
            set internet-service-app-ctrl <id1>, <id2>, ...
            set internet-service-app-ctrl-group <name1>, <name2>, ...
            set health-check {string}
            set link-cost-factor [latency|jitter|...]
            set packet-loss-weight {integer}
            set latency-weight {integer}
            set jitter-weight {integer}
            set bandwidth-weight {integer}
            set link-cost-threshold {integer}
            set hold-down-time {integer}
            set dscp-forward [enable|disable]
            set dscp-reverse [enable|disable]
            set dscp-forward-tag {user}
            set dscp-reverse-tag {user}
            config sla
                Description: Service level agreement (SLA).
                edit <health-check>
                    set id {integer}
                next
            end
            set priority-members <seq-num1>, <seq-num2>, ...
            set status [enable|disable]
            set gateway [enable|disable]
            set default [enable|disable]
            set sla-compare-method [order|number]
        next
    end
    set status [disable|enable]
    config zone
        Description: Configure SD-WAN zones.
        edit <name>
        next
    end
end

config system virtual-wan-link

| Parameter | Description | Type | Size |
|---|---|---|---|
| `fail-alert-interfaces <name>` | Physical interfaces that will be alerted. `<name>`: Physical interface name. | string | Maximum length: 79 |
| `fail-detect` | Enable/disable SD-WAN Internet connection status checking (failure detection). Options: `enable`: Enable status checking. `disable`: Disable status checking. | option | - |
| `load-balance-mode` | Algorithm or mode to use for load balancing Internet traffic to SD-WAN members. Options: `source-ip-based`: Source IP load balancing. All traffic from a source IP is sent to the same interface. `weight-based`: Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic. `usage-based`: Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit, new traffic is sent to the next interface. `source-dest-ip-based`: Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface. `measured-volume-based`: Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios. | option | - |
| `neighbor-hold-boot-time` | Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start. | integer | Minimum value: 0 Maximum value: 10000000 |
| `neighbor-hold-down` | Enable/disable hold switching from the secondary neighbor to the primary neighbor. Options: `enable`: Enable hold switching from the secondary neighbor to the primary neighbor. `disable`: Disable hold switching from the secondary neighbor to the primary neighbor. | option | - |
| `neighbor-hold-down-time` | Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled. | integer | Minimum value: 0 Maximum value: 10000000 |
| `status` | Enable/disable SD-WAN. Options: `disable`: Disable SD-WAN. `enable`: Enable SD-WAN. | option | - |

config health-check

| Parameter | Description | Type | Size |
|---|---|---|---|
| `name` | Status check or health check name. | string | Maximum length: 35 |
| `probe-packets` | Enable/disable transmission of probe packets. Options: `disable`: Disable transmission of probe packets. `enable`: Enable transmission of probe packets. | option | - |
| `addr-mode` | Address mode (IPv4 or IPv6). Options: `ipv4`: IPv4 mode. `ipv6`: IPv6 mode. | option | - |
| `server` | IP address or FQDN name of the server. | string | Maximum length: 79 |
| `protocol` | Protocol used to determine if the FortiGate can communicate with the server. Options: `ping`: Use PING to test the link with the server. `tcp-echo`: Use TCP echo to test the link with the server. `udp-echo`: Use UDP echo to test the link with the server. `http`: Use HTTP-GET to test the link with the server. `twamp`: Use TWAMP to test the link with the server. `ping6`: PING6 link monitor. | option | - |
| `port` | Port number used to communicate with the server over the selected protocol. | integer | Minimum value: 1 Maximum value: 65535 |
| `security-mode` | TWAMP controller security mode. Options: `none`: Unauthenticated mode. `authentication`: Authenticated mode. | option | - |
| `password` | TWAMP controller password in authentication mode. | password | Not Specified |
| `packet-size` | Packet size of a TWAMP test session. | integer | Minimum value: 64 Maximum value: 1024 |
| `ha-priority` | HA election priority. | integer | Minimum value: 1 Maximum value: 50 |
| `http-get` | URL used to communicate with the server if the protocol is HTTP. | string | Maximum length: 1024 |
| `http-agent` | String in the http-agent field in the HTTP header. | string | Maximum length: 1024 |
| `http-match` | Response string expected from the server if the protocol is HTTP. | string | Maximum length: 1024 |
| `interval` | Status check interval in milliseconds, or the time between attempting to connect to the server. | integer | Minimum value: 500 Maximum value: 3600000 |
| `probe-timeout` | Time to wait before a probe packet is considered lost. | integer | Minimum value: 500 Maximum value: 5000 |
| `failtime` | Number of failures before server is considered lost. | integer | Minimum value: 1 Maximum value: 3600 |
| `recoverytime` | Number of successful responses received before server is considered recovered. | integer | Minimum value: 1 Maximum value: 3600 |
| `diffservcode` | Differentiated services code point (DSCP) in the IP header of the probe packet. | user | Not Specified |
| `update-cascade-interface` | Enable/disable update cascade interface. Options: `enable`: Enable update cascade interface. `disable`: Disable update cascade interface. | option | - |
| `update-static-route` | Enable/disable updating the static route. Options: `enable`: Enable updating the static route. `disable`: Disable updating the static route. | option | - |
| `sla-fail-log-period` | Time interval in seconds that SLA fail log messages will be generated. | integer | Minimum value: 0 Maximum value: 3600 |
| `sla-pass-log-period` | Time interval in seconds that SLA pass log messages will be generated. | integer | Minimum value: 0 Maximum value: 3600 |
| `threshold-warning-packetloss` | Warning threshold for packet loss. | integer | Minimum value: 0 Maximum value: 100 |
| `threshold-alert-packetloss` | Alert threshold for packet loss. | integer | Minimum value: 0 Maximum value: 100 |
| `threshold-warning-latency` | Warning threshold for latency. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `threshold-alert-latency` | Alert threshold for latency. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `threshold-warning-jitter` | Warning threshold for jitter. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `threshold-alert-jitter` | Alert threshold for jitter. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `members <seq-num>` | Member sequence number list. `<seq-num>`: Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |

config sla

| Parameter | Description | Type | Size |
|---|---|---|---|
| `health-check` | Virtual WAN Link health-check. | string | Maximum length: 35 |
| `id` | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |

config members

| Parameter | Description | Type | Size |
|---|---|---|---|
| `seq-num` | Sequence number. | integer | Minimum value: 0 Maximum value: 255 |
| `interface` | Interface name. | string | Maximum length: 15 |
| `gateway` | The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to. | ipv4-address | Not Specified |
| `source` | Source IP address used in the health-check packet to the server. | ipv4-address | Not Specified |
| `gateway6` | IPv6 gateway. | ipv6-address | Not Specified |
| `source6` | Source IPv6 address used in the health-check packet to the server. | ipv6-address | Not Specified |
| `cost` | Cost of this interface for services in SLA mode. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `weight` | Weight of this interface for weighted load balancing. More traffic is directed to interfaces with higher weights. | integer | Minimum value: 1 Maximum value: 255 |
| `priority` | Priority of the interface. Used for SD-WAN rules or priority rules. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `spillover-threshold` | Egress spillover threshold for this interface. When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. | integer | Minimum value: 0 Maximum value: 16776000 |
| `ingress-spillover-threshold` | Ingress spillover threshold for this interface. When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. | integer | Minimum value: 0 Maximum value: 16776000 |
| `volume-ratio` | Measured volume ratio. | integer | Minimum value: 1 Maximum value: 255 |
| `status` | Enable/disable this interface in the SD-WAN. Options: `disable`: Disable this interface in the SD-WAN. `enable`: Enable this interface in the SD-WAN. | option | - |
| `comment` | Comments. | var-string | Maximum length: 255 |

config neighbor

| Parameter | Description | Type | Size |
|---|---|---|---|
| `ip` | IP address of neighbor. | string | Maximum length: 45 |
| `member` | Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `role` | Role of neighbor. Options: `standalone`: Standalone neighbor. `primary`: Primary neighbor. `secondary`: Secondary neighbor. | option | - |
| `health-check` | SD-WAN health-check name. | string | Maximum length: 35 |
| `sla-id` | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |

config service

| Parameter | Description | Type | Size |
|---|---|---|---|
| `id` | Priority rule ID. | integer | Minimum value: 1 Maximum value: 4000 |
| `name` | Priority rule name. | string | Maximum length: 35 |
| `addr-mode` | Address mode (IPv4 or IPv6). Options: `ipv4`: IPv4 mode. `ipv6`: IPv6 mode. | option | - |
| `input-device <name>` | Source interface name. `<name>`: Interface name. | string | Maximum length: 79 |
| `input-device-negate` | Enable/disable negation of input device match. Options: `enable`: Enable negation of input device match. `disable`: Disable negation of input device match. | option | - |
| `mode` | Control how the priority rule sets the priority of interfaces in the SD-WAN. Options: `auto`: Assign interfaces a priority based on quality. `manual`: Assign interfaces a priority manually. `priority`: Assign interfaces a priority based on the link-cost-factor quality of the interface. `sla`: Assign interfaces a priority based on selected SLA settings. `load-balance`: Distribute traffic among all available links based on round robin. The ADVPN feature is not supported in this mode. | option | - |
| `role` | Service role to work with neighbor. Options: `standalone`: Standalone service. `primary`: Primary service for primary neighbor. `secondary`: Secondary service for secondary neighbor. | option | - |
| `standalone-action` | Enable/disable service when selected neighbor role is standalone while service role is not standalone. Options: `enable`: Enable service when selected neighbor role is standalone. `disable`: Disable service when selected neighbor role is standalone. | option | - |
| `quality-link` | Quality grade. | integer | Minimum value: 0 Maximum value: 255 |
| `tos` | Type of service bit pattern. | user | Not Specified |
| `tos-mask` | Type of service evaluated bits. | user | Not Specified |
| `protocol` | Protocol number. | integer | Minimum value: 0 Maximum value: 255 |
| `start-port` | Start destination port number. | integer | Minimum value: 0 Maximum value: 65535 |
| `end-port` | End destination port number. | integer | Minimum value: 0 Maximum value: 65535 |
| `route-tag` | IPv4 route map route-tag. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `dst <name>` | Destination address name. `<name>`: Address or address group name. | string | Maximum length: 79 |
| `dst-negate` | Enable/disable negation of destination address match. Options: `enable`: Enable destination address negation. `disable`: Disable destination address negation. | option | - |
| `src <name>` | Source address name. `<name>`: Address or address group name. | string | Maximum length: 79 |
| `dst6 <name>` | Destination address6 name. `<name>`: Address6 or address6 group name. | string | Maximum length: 79 |
| `src6 <name>` | Source address6 name. `<name>`: Address6 or address6 group name. | string | Maximum length: 79 |
| `src-negate` | Enable/disable negation of source address match. Options: `enable`: Enable source address negation. `disable`: Disable source address negation. | option | - |
| `users <name>` | User name. `<name>`: User name. | string | Maximum length: 79 |
| `groups <name>` | User groups. `<name>`: Group name. | string | Maximum length: 79 |
| `internet-service` | Enable/disable use of Internet service for application-based load balancing. Options: `enable`: Enable cloud service to support application-based load balancing. `disable`: Disable cloud service to support application-based load balancing. | option | - |
| `internet-service-custom <name>` | Custom Internet service name list. `<name>`: Custom Internet service name. | string | Maximum length: 79 |
| `internet-service-custom-group <name>` | Custom Internet Service group list. `<name>`: Custom Internet Service group name. | string | Maximum length: 79 |
| `internet-service-id <id>` | Internet service ID list. `<id>`: Internet service ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `internet-service-group <name>` | Internet Service group list. `<name>`: Internet Service group name. | string | Maximum length: 79 |
| `internet-service-app-ctrl <id>` | Application control based Internet Service ID list. `<id>`: Application control based Internet Service ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `internet-service-app-ctrl-group <name>` | Application control based Internet Service group list. `<name>`: Application control based Internet Service group name. | string | Maximum length: 79 |
| `health-check` | Health check. | string | Maximum length: 35 |
| `link-cost-factor` | Link cost factor. Options: `latency`: Select link based on latency. `jitter`: Select link based on jitter. `packet-loss`: Select link based on packet loss. `inbandwidth`: Select link based on available bandwidth of incoming traffic. `outbandwidth`: Select link based on available bandwidth of outgoing traffic. `bibandwidth`: Select link based on available bandwidth of bidirectional traffic. `custom-profile-1`: Select link based on customized profile. | option | - |
| `packet-loss-weight` | Coefficient of packet-loss in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| `latency-weight` | Coefficient of latency in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| `jitter-weight` | Coefficient of jitter in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| `bandwidth-weight` | Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| `link-cost-threshold` | Percentage threshold change of link cost values that will result in policy route regeneration. | integer | Minimum value: 0 Maximum value: 10000000 |
| `hold-down-time` | Waiting period in seconds when switching from the back-up member to the primary member. | integer | Minimum value: 0 Maximum value: 10000000 |
| `dscp-forward` | Enable/disable forward traffic DSCP tag. Options: `enable`: Enable use of forward DSCP tag. `disable`: Disable use of forward DSCP tag. | option | - |
| `dscp-reverse` | Enable/disable reverse traffic DSCP tag. Options: `enable`: Enable use of reverse DSCP tag. `disable`: Disable use of reverse DSCP tag. | option | - |
| `dscp-forward-tag` | Forward traffic DSCP tag. | user | Not Specified |
| `dscp-reverse-tag` | Reverse traffic DSCP tag. | user | Not Specified |
| `priority-members <seq-num>` | Member sequence number list. `<seq-num>`: Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `status` | Enable/disable SD-WAN service. Options: `enable`: Enable virtual WAN link service. `disable`: Disable virtual WAN link service. | option | - |
| `gateway` | Enable/disable SD-WAN service gateway. Options: `enable`: Enable SD-WAN service gateway. `disable`: Disable SD-WAN service gateway. | option | - |
| `default` | Enable/disable use of SD-WAN as default service. Options: `enable`: Enable use of SD-WAN as default service. `disable`: Disable use of SD-WAN as default service. | option | - |
| `sla-compare-method` | Method to compare SLA value for sla and load balance mode. Options: `order`: Compare SLA value based on the order of health-check. `number`: Compare SLA value based on the number of satisfied health-checks. Limits health-checks to only configured member interfaces. | option | - |

config sla

| Parameter | Description | Type | Size |
|---|---|---|---|
| `health-check` | Virtual WAN Link health-check. | string | Maximum length: 35 |
| `id` | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |

config zone

| Parameter | Description | Type | Size |
|---|---|---|---|
| `name` | Zone name. | string | Maximum length: 35 |
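
An added example, not part of the Fortinet reference: a Python audit that parses a configuration written in the `config`/`edit`/`set`/`next`/`end` syntax shown above, checks health-check integers against the ranges listed in the tables on this page, flags `twamp` health checks that are not set to `security-mode authentication`, and reports SD-WAN rules that reference undefined health checks or members. The sample configuration, the names in it, the finding messages, and the choice to treat unauthenticated TWAMP as a finding are assumptions made for illustration.

```python
import shlex

# Integer ranges copied from the "config health-check" table on this page.
HEALTH_CHECK_RANGES = {
    "port": (1, 65535),
    "packet-size": (64, 1024),
    "ha-priority": (1, 50),
    "interval": (500, 3600000),
    "probe-timeout": (500, 5000),
    "failtime": (1, 3600),
    "recoverytime": (1, 3600),
    "sla-fail-log-period": (0, 3600),
    "sla-pass-log-period": (0, 3600),
    "threshold-warning-packetloss": (0, 100),
    "threshold-alert-packetloss": (0, 100),
}

# Constructed sample input; interface names, servers and rule names are made up.
SAMPLE = '''
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
    end
    config health-check
        edit "hc-http"
            set server "probe.example.net"
            set protocol http
            set interval 250
            set probe-timeout 1000
            set failtime 5
        next
        edit "hc-twamp"
            set server "192.0.2.10"
            set protocol twamp
            set security-mode none
            set packet-size 2048
        next
    end
    config service
        edit 1
            set name "voice"
            set mode sla
            config sla
                edit "hc-voip"
                    set id 1
                next
            end
            set priority-members 1 3
        next
    end
end
'''


def _node():
    return {"set": {}, "config": {}, "entries": {}}


def parse(text):
    """Parse config/edit/set/next/end nesting into a tree of nodes."""
    root = _node()
    stack = [root]
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles quoted string values
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1]["config"].setdefault(" ".join(args), _node()))
        elif cmd == "edit":
            stack.append(stack[-1]["entries"].setdefault(args[0], _node()))
        elif cmd == "set":
            # Accept both "1 2" and the reference's "1, 2" list notation.
            stack[-1]["set"][args[0]] = [a.rstrip(",") for a in args[1:]]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{cmd}'")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def audit(text):
    """Return a list of finding strings for the SD-WAN block in `text`."""
    sdwan = parse(text)["config"].get("system virtual-wan-link", _node())

    def table(name):
        return sdwan["config"].get(name, _node())["entries"]

    members, checks = table("members"), table("health-check")
    findings = []
    for name, hc in checks.items():
        s = hc["set"]
        for key, (lo, hi) in HEALTH_CHECK_RANGES.items():
            if key not in s:
                continue
            value = " ".join(s[key])
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append(f"health-check {name}: {key} {value} outside {lo}-{hi}")
        if s.get("protocol") == ["twamp"]:
            # Policy assumption of this example: TWAMP probes should be authenticated.
            if s.get("security-mode") != ["authentication"]:
                findings.append(f"health-check {name}: twamp without security-mode authentication")
            elif "password" not in s:
                findings.append(f"health-check {name}: authentication mode without password")
    for sid, svc in table("service").items():
        refs = svc["set"].get("health-check", []) + list(svc["config"].get("sla", _node())["entries"])
        findings += [f"service {sid}: undefined health-check {r}" for r in refs if r not in checks]
        findings += [f"service {sid}: undefined member {m}"
                     for m in svc["set"].get("priority-members", []) if m not in members]
    return findings
```

Calling `audit(SAMPLE)` returns five findings for the constructed configuration: two out-of-range values, one unauthenticated TWAMP health check, and two dangling references in rule 1.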

config system virtual-wan-link

config system virtual-wan-link

Configure redundant internet connections using SD-WAN (formerly virtual WAN link).

config system virtual-wan-link
    Description: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
    set fail-alert-interfaces <name1>, <name2>, ...
    set fail-detect [enable|disable]
    config health-check
        Description: SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
        edit <name>
            set probe-packets [disable|enable]
            set addr-mode [ipv4|ipv6]
            set server {string}
            set protocol [ping|tcp-echo|...]
            set port {integer}
            set security-mode [none|authentication]
            set password {password}
            set packet-size {integer}
            set ha-priority {integer}
            set http-get {string}
            set http-agent {string}
            set http-match {string}
            set interval {integer}
            set probe-timeout {integer}
            set failtime {integer}
            set recoverytime {integer}
            set diffservcode {user}
            set update-cascade-interface [enable|disable]
            set update-static-route [enable|disable]
            set sla-fail-log-period {integer}
            set sla-pass-log-period {integer}
            set threshold-warning-packetloss {integer}
            set threshold-alert-packetloss {integer}
            set threshold-warning-latency {integer}
            set threshold-alert-latency {integer}
            set threshold-warning-jitter {integer}
            set threshold-alert-jitter {integer}
            set members <seq-num1>, <seq-num2>, ...
            config sla
                Description: Service level agreement (SLA).
                edit <id>
                    set link-cost-factor {option1}, {option2}, ...
                    set latency-threshold {integer}
                    set jitter-threshold {integer}
                    set packetloss-threshold {integer}
                next
            end
        next
    end
    set load-balance-mode [source-ip-based|weight-based|...]
    config members
        Description: FortiGate interfaces added to the virtual-wan-link.
        edit <seq-num>
            set interface {string}
            set gateway {ipv4-address}
            set source {ipv4-address}
            set gateway6 {ipv6-address}
            set source6 {ipv6-address}
            set cost {integer}
            set weight {integer}
            set priority {integer}
            set spillover-threshold {integer}
            set ingress-spillover-threshold {integer}
            set volume-ratio {integer}
            set status [disable|enable]
            set comment {var-string}
        next
    end
    config neighbor
        Description: Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.
        edit <ip>
            set member {integer}
            set role [standalone|primary|...]
            set health-check {string}
            set sla-id {integer}
        next
    end
    set neighbor-hold-boot-time {integer}
    set neighbor-hold-down [enable|disable]
    set neighbor-hold-down-time {integer}
    config service
        Description: Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.
        edit <id>
            set name {string}
            set addr-mode [ipv4|ipv6]
            set input-device <name1>, <name2>, ...
            set input-device-negate [enable|disable]
            set mode [auto|manual|...]
            set role [standalone|primary|...]
            set standalone-action [enable|disable]
            set quality-link {integer}
            set tos {user}
            set tos-mask {user}
            set protocol {integer}
            set start-port {integer}
            set end-port {integer}
            set route-tag {integer}
            set dst <name1>, <name2>, ...
            set dst-negate [enable|disable]
            set src <name1>, <name2>, ...
            set dst6 <name1>, <name2>, ...
            set src6 <name1>, <name2>, ...
            set src-negate [enable|disable]
            set users <name1>, <name2>, ...
            set groups <name1>, <name2>, ...
            set internet-service [enable|disable]
            set internet-service-custom <name1>, <name2>, ...
            set internet-service-custom-group <name1>, <name2>, ...
            set internet-service-id <id1>, <id2>, ...
            set internet-service-group <name1>, <name2>, ...
            set internet-service-app-ctrl <id1>, <id2>, ...
            set internet-service-app-ctrl-group <name1>, <name2>, ...
            set health-check {string}
            set link-cost-factor [latency|jitter|...]
            set packet-loss-weight {integer}
            set latency-weight {integer}
            set jitter-weight {integer}
            set bandwidth-weight {integer}
            set link-cost-threshold {integer}
            set hold-down-time {integer}
            set dscp-forward [enable|disable]
            set dscp-reverse [enable|disable]
            set dscp-forward-tag {user}
            set dscp-reverse-tag {user}
            config sla
                Description: Service level agreement (SLA).
                edit <health-check>
                    set id {integer}
                next
            end
            set priority-members <seq-num1>, <seq-num2>, ...
            set status [enable|disable]
            set gateway [enable|disable]
            set default [enable|disable]
            set sla-compare-method [order|number]
        next
    end
    set status [disable|enable]
    config zone
        Description: Configure SD-WAN zones.
        edit <name>
        next
    end
end

config system virtual-wan-link

Parameter

Description

Type

Size

fail-alert-interfaces <name>

Physical interfaces that will be alerted.

Physical interface name.

string

Maximum length: 79

fail-detect

Enable/disable SD-WAN Internet connection status checking (failure detection).

option

-

Option

Description

enable

Enable status checking.

disable

Disable status checking.

load-balance-mode

Algorithm or mode to use for load balancing Internet traffic to SD-WAN members.

option

-

Option

Description

source-ip-based

Source IP load balancing. All traffic from a source IP is sent to the same interface.

weight-based

Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.

usage-based

Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface.

source-dest-ip-based

Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.

measured-volume-based

Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.

neighbor-hold-boot-time

Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start..

integer

Minimum value: 0 Maximum value: 10000000

neighbor-hold-down

Enable/disable hold switching from the secondary neighbor to the primary neighbor.

option

-

Option

Description

enable

Enable hold switching from the secondary neighbor to the primary neighbor.

disable

Disable hold switching from the secondary neighbor to the primary neighbor.

neighbor-hold-down-time

Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled..

integer

Minimum value: 0 Maximum value: 10000000

status

Enable/disable SD-WAN.

option

-

Option

Description

disable

Disable SD-WAN.

enable

Enable SD-WAN.

config health-check

Parameter

Description

Type

Size

name

Status check or health check name.

string

Maximum length: 35

probe-packets

Enable/disable transmission of probe packets.

option

-

Option

Description

disable

Disable transmission of probe packets.

enable

Enable transmission of probe packets.

| Parameter | Description | Type | Size |
| --- | --- | --- | --- |
| `addr-mode` | Address mode (IPv4 or IPv6). Options: `ipv4`: IPv4 mode; `ipv6`: IPv6 mode. | option | - |
| `server` | IP address or FQDN name of the server. | string | Maximum length: 79 |
| `protocol` | Protocol used to determine if the FortiGate can communicate with the server. Options: `ping`: Use PING to test the link with the server; `tcp-echo`: Use TCP echo to test the link with the server; `udp-echo`: Use UDP echo to test the link with the server; `http`: Use HTTP-GET to test the link with the server; `twamp`: Use TWAMP to test the link with the server; `ping6`: PING6 link monitor. | option | - |
| `port` | Port number used to communicate with the server over the selected protocol. | integer | Minimum value: 1 Maximum value: 65535 |
| `security-mode` | TWAMP controller security mode. Options: `none`: Unauthenticated mode; `authentication`: Authenticated mode. | option | - |
| `password` | TWAMP controller password in authentication mode. | password | Not Specified |
| `packet-size` | Packet size of a TWAMP test session. | integer | Minimum value: 64 Maximum value: 1024 |
| `ha-priority` | HA election priority. | integer | Minimum value: 1 Maximum value: 50 |
| `http-get` | URL used to communicate with the server if the protocol is HTTP. | string | Maximum length: 1024 |
| `http-agent` | String in the http-agent field in the HTTP header. | string | Maximum length: 1024 |
| `http-match` | Response string expected from the server if the protocol is HTTP. | string | Maximum length: 1024 |
| `interval` | Status check interval in milliseconds, or the time between attempting to connect to the server. | integer | Minimum value: 500 Maximum value: 3600000 |
| `probe-timeout` | Time to wait before a probe packet is considered lost. | integer | Minimum value: 500 Maximum value: 5000 |
| `failtime` | Number of failures before server is considered lost. | integer | Minimum value: 1 Maximum value: 3600 |
| `recoverytime` | Number of successful responses received before server is considered recovered. | integer | Minimum value: 1 Maximum value: 3600 |
| `diffservcode` | Differentiated services code point (DSCP) in the IP header of the probe packet. | user | Not Specified |
| `update-cascade-interface` | Enable/disable update cascade interface. Options: `enable`: Enable update cascade interface; `disable`: Disable update cascade interface. | option | - |
| `update-static-route` | Enable/disable updating the static route. Options: `enable`: Enable updating the static route; `disable`: Disable updating the static route. | option | - |
| `sla-fail-log-period` | Time interval in seconds that SLA fail log messages will be generated. | integer | Minimum value: 0 Maximum value: 3600 |
| `sla-pass-log-period` | Time interval in seconds that SLA pass log messages will be generated. | integer | Minimum value: 0 Maximum value: 3600 |
| `threshold-warning-packetloss` | Warning threshold for packet loss. | integer | Minimum value: 0 Maximum value: 100 |
| `threshold-alert-packetloss` | Alert threshold for packet loss. | integer | Minimum value: 0 Maximum value: 100 |
| `threshold-warning-latency` | Warning threshold for latency. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `threshold-alert-latency` | Alert threshold for latency. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `threshold-warning-jitter` | Warning threshold for jitter. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `threshold-alert-jitter` | Alert threshold for jitter. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `members <seq-num>` | Member sequence number list. `seq-num`: Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |

config sla

| Parameter | Description | Type | Size |
| --- | --- | --- | --- |
| `health-check` | Virtual WAN Link health-check. | string | Maximum length: 35 |
| `id` | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |

config members

| Parameter | Description | Type | Size |
| --- | --- | --- | --- |
| `seq-num` | Sequence number. | integer | Minimum value: 0 Maximum value: 255 |
| `interface` | Interface name. | string | Maximum length: 15 |
| `gateway` | The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to. | ipv4-address | Not Specified |
| `source` | Source IP address used in the health-check packet to the server. | ipv4-address | Not Specified |
| `gateway6` | IPv6 gateway. | ipv6-address | Not Specified |
| `source6` | Source IPv6 address used in the health-check packet to the server. | ipv6-address | Not Specified |
| `cost` | Cost of this interface for services in SLA mode. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `weight` | Weight of this interface for weighted load balancing. More traffic is directed to interfaces with higher weights. | integer | Minimum value: 1 Maximum value: 255 |
| `priority` | Priority of the interface. Used for SD-WAN rules or priority rules. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `spillover-threshold` | Egress spillover threshold for this interface. When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. | integer | Minimum value: 0 Maximum value: 16776000 |
| `ingress-spillover-threshold` | Ingress spillover threshold for this interface. When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. | integer | Minimum value: 0 Maximum value: 16776000 |
| `volume-ratio` | Measured volume ratio. | integer | Minimum value: 1 Maximum value: 255 |
| `status` | Enable/disable this interface in the SD-WAN. Options: `disable`: Disable this interface in the SD-WAN; `enable`: Enable this interface in the SD-WAN. | option | - |
| `comment` | Comments. | var-string | Maximum length: 255 |

config neighbor

| Parameter | Description | Type | Size |
| --- | --- | --- | --- |
| `ip` | IP address of neighbor. | string | Maximum length: 45 |
| `member` | Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `role` | Role of neighbor. Options: `standalone`: Standalone neighbor; `primary`: Primary neighbor; `secondary`: Secondary neighbor. | option | - |
| `health-check` | SD-WAN health-check name. | string | Maximum length: 35 |
| `sla-id` | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |

config service

| Parameter | Description | Type | Size |
| --- | --- | --- | --- |
| `id` | Priority rule ID. | integer | Minimum value: 1 Maximum value: 4000 |
| `name` | Priority rule name. | string | Maximum length: 35 |
| `addr-mode` | Address mode (IPv4 or IPv6). Options: `ipv4`: IPv4 mode; `ipv6`: IPv6 mode. | option | - |
| `input-device <name>` | Source interface name. `name`: Interface name. | string | Maximum length: 79 |
| `input-device-negate` | Enable/disable negation of input device match. Options: `enable`: Enable negation of input device match; `disable`: Disable negation of input device match. | option | - |
| `mode` | Control how the priority rule sets the priority of interfaces in the SD-WAN. Options: `auto`: Assign interfaces a priority based on quality; `manual`: Assign interfaces a priority manually; `priority`: Assign interfaces a priority based on the link-cost-factor quality of the interface; `sla`: Assign interfaces a priority based on selected SLA settings; `load-balance`: Distribute traffic among all available links based on round robin. ADVPN feature is not supported in this mode. | option | - |
| `role` | Service role to work with neighbor. Options: `standalone`: Standalone service; `primary`: Primary service for primary neighbor; `secondary`: Secondary service for secondary neighbor. | option | - |
| `standalone-action` | Enable/disable service when selected neighbor role is standalone while service role is not standalone. Options: `enable`: Enable service when selected neighbor role is standalone; `disable`: Disable service when selected neighbor role is standalone. | option | - |
| `quality-link` | Quality grade. | integer | Minimum value: 0 Maximum value: 255 |
| `tos` | Type of service bit pattern. | user | Not Specified |
| `tos-mask` | Type of service evaluated bits. | user | Not Specified |
| `protocol` | Protocol number. | integer | Minimum value: 0 Maximum value: 255 |
| `start-port` | Start destination port number. | integer | Minimum value: 0 Maximum value: 65535 |
| `end-port` | End destination port number. | integer | Minimum value: 0 Maximum value: 65535 |
| `route-tag` | IPv4 route map route-tag. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `dst <name>` | Destination address name. `name`: Address or address group name. | string | Maximum length: 79 |
| `dst-negate` | Enable/disable negation of destination address match. Options: `enable`: Enable destination address negation; `disable`: Disable destination address negation. | option | - |
| `src <name>` | Source address name. `name`: Address or address group name. | string | Maximum length: 79 |
| `dst6 <name>` | Destination address6 name. `name`: Address6 or address6 group name. | string | Maximum length: 79 |
| `src6 <name>` | Source address6 name. `name`: Address6 or address6 group name. | string | Maximum length: 79 |
| `src-negate` | Enable/disable negation of source address match. Options: `enable`: Enable source address negation; `disable`: Disable source address negation. | option | - |
| `users <name>` | User name. `name`: User name. | string | Maximum length: 79 |
| `groups <name>` | User groups. `name`: Group name. | string | Maximum length: 79 |
| `internet-service` | Enable/disable use of Internet service for application-based load balancing. Options: `enable`: Enable cloud service to support application-based load balancing; `disable`: Disable cloud service to support application-based load balancing. | option | - |
| `internet-service-custom <name>` | Custom Internet service name list. `name`: Custom Internet service name. | string | Maximum length: 79 |
| `internet-service-custom-group <name>` | Custom Internet Service group list. `name`: Custom Internet Service group name. | string | Maximum length: 79 |
| `internet-service-id <id>` | Internet service ID list. `id`: Internet service ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `internet-service-group <name>` | Internet Service group list. `name`: Internet Service group name. | string | Maximum length: 79 |
| `internet-service-app-ctrl <id>` | Application control based Internet Service ID list. `id`: Application control based Internet Service ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `internet-service-app-ctrl-group <name>` | Application control based Internet Service group list. `name`: Application control based Internet Service group name. | string | Maximum length: 79 |
| `health-check` | Health check. | string | Maximum length: 35 |
| `link-cost-factor` | Link cost factor. Options: `latency`: Select link based on latency; `jitter`: Select link based on jitter; `packet-loss`: Select link based on packet loss; `inbandwidth`: Select link based on available bandwidth of incoming traffic; `outbandwidth`: Select link based on available bandwidth of outgoing traffic; `bibandwidth`: Select link based on available bandwidth of bidirectional traffic; `custom-profile-1`: Select link based on customized profile. | option | - |
| `packet-loss-weight` | Coefficient of packet-loss in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| `latency-weight` | Coefficient of latency in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| `jitter-weight` | Coefficient of jitter in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| `bandwidth-weight` | Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| `link-cost-threshold` | Percentage threshold change of link cost values that will result in policy route regeneration. | integer | Minimum value: 0 Maximum value: 10000000 |
| `hold-down-time` | Waiting period in seconds when switching from the back-up member to the primary member. | integer | Minimum value: 0 Maximum value: 10000000 |
| `dscp-forward` | Enable/disable forward traffic DSCP tag. Options: `enable`: Enable use of forward DSCP tag; `disable`: Disable use of forward DSCP tag. | option | - |
| `dscp-reverse` | Enable/disable reverse traffic DSCP tag. Options: `enable`: Enable use of reverse DSCP tag; `disable`: Disable use of reverse DSCP tag. | option | - |
| `dscp-forward-tag` | Forward traffic DSCP tag. | user | Not Specified |
| `dscp-reverse-tag` | Reverse traffic DSCP tag. | user | Not Specified |
| `priority-members <seq-num>` | Member sequence number list. `seq-num`: Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |
| `status` | Enable/disable SD-WAN service. Options: `enable`: Enable virtual WAN link service; `disable`: Disable virtual WAN link service. | option | - |
| `gateway` | Enable/disable SD-WAN service gateway. Options: `enable`: Enable SD-WAN service gateway; `disable`: Disable SD-WAN service gateway. | option | - |
| `default` | Enable/disable use of SD-WAN as default service. Options: `enable`: Enable use of SD-WAN as default service; `disable`: Disable use of SD-WAN as default service. | option | - |
| `sla-compare-method` | Method to compare SLA value for sla and load balance mode. Options: `order`: Compare SLA value based on the order of health-check; `number`: Compare SLA value based on the number of satisfied health-check. Limits health-checks to only configured member interfaces. | option | - |

config sla

| Parameter | Description | Type | Size |
| --- | --- | --- | --- |
| `health-check` | Virtual WAN Link health-check. | string | Maximum length: 35 |
| `id` | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |

config zone

| Parameter | Description | Type | Size |
| --- | --- | --- | --- |
| `name` | Zone name. | string | Maximum length: 35 |