Fortinet white logo
Fortinet white logo

Cookbook

MPLS (SIP and backup) + DIA (cloud apps)

MPLS (SIP and backup) + DIA (cloud apps)

This topic covers a typical customer usage scenario where the customer's SD-WAN has two members: MPLS and DIA. DIA is mostly used for direct Internet access to Internet applications, for example, Office365, Google applications, Amazon, Dropbox, etc. MPLS is mostly used for SIP and works as a backup when DIA is not working.

Sample topology

Sample configuration

This sample configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will use MPLS.

To configure an SD-WAN rule to use SIP and DIA using the GUI:
  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route.

    See Creating the SD-WAN interface.

  2. When you add a firewall policy, enable Application Control.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as SIP.
  6. Click the Application box to display the popup dialog box; then select the applicable SIP applications.
  7. For Strategy, select Manual.
  8. For Interface preference, select MPLS.
  9. Click OK.
  10. Click Create New to create another rule.
  11. Enter a name for the rule, such as Internet.
  12. Click the Address box to display the popup dialog box and select all.
  13. For Strategy, select Manual.
  14. For Interface preference, select DIA.
  15. Click OK.
To configure the firewall policy using the CLI:
config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf ""virtual-wan-link""
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set application-list "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
To configure an SD-WAN rule to use SIP and DIA using the CLI:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "MPLS"
            set gateway x.x.x.x
        next
        edit 2
            set interface "DIA"
            set gateway x.x.x.x
        next
    end
    config service
        edit 1
            set name "SIP"
            set member 1
            set internet-service enable
            set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251
        next
        edit 2
            set name "Internet"
            set input-device "dmz"
            set member 2
            set dst "all"
        next
    end
end

All SIP traffic uses MPLS. All other traffic goes to DIA. If DIA is broken, the traffic uses MPLS. If you use VPN instead of MPLS to run SIP traffic, you must configure a VPN interface, for example vpn1, and then replace member 1 from MPLS to vpn1 for SD-WAN member.

To use the diagnose command to check performance SLA status using the CLI:
FGT_A (root) # diagnose sys virtual-wan-link service 1

Service(1): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:<<BR>>

1: Seq_num(1), alive, selected

Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251)

FGT_A (root) # diagnose sys virtual-wan-link service 2

Service(2): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:<<BR>>

1: Seq_num(2), alive, selected

Dst address: 0.0.0.0-255.255.255.255

FGT_A (root) #

FGT_A (root) # diagnose sys virtual-wan-link internet-service-app-ctrl-list
Ctrl application(SIP 34640):Internet Service ID(4294836224)
Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)

FGT_A (root) #

MPLS (SIP and backup) + DIA (cloud apps)

MPLS (SIP and backup) + DIA (cloud apps)

This topic covers a typical customer usage scenario where the customer's SD-WAN has two members: MPLS and DIA. DIA is mostly used for direct Internet access to Internet applications, for example, Office365, Google applications, Amazon, Dropbox, etc. MPLS is mostly used for SIP and works as a backup when DIA is not working.

Sample topology

Sample configuration

This sample configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will use MPLS.

To configure an SD-WAN rule to use SIP and DIA using the GUI:
  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route.

    See Creating the SD-WAN interface.

  2. When you add a firewall policy, enable Application Control.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as SIP.
  6. Click the Application box to display the popup dialog box; then select the applicable SIP applications.
  7. For Strategy, select Manual.
  8. For Interface preference, select MPLS.
  9. Click OK.
  10. Click Create New to create another rule.
  11. Enter a name for the rule, such as Internet.
  12. Click the Address box to display the popup dialog box and select all.
  13. For Strategy, select Manual.
  14. For Interface preference, select DIA.
  15. Click OK.
To configure the firewall policy using the CLI:
config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf ""virtual-wan-link""
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set application-list "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
To configure an SD-WAN rule to use SIP and DIA using the CLI:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "MPLS"
            set gateway x.x.x.x
        next
        edit 2
            set interface "DIA"
            set gateway x.x.x.x
        next
    end
    config service
        edit 1
            set name "SIP"
            set member 1
            set internet-service enable
            set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251
        next
        edit 2
            set name "Internet"
            set input-device "dmz"
            set member 2
            set dst "all"
        next
    end
end

All SIP traffic uses MPLS. All other traffic goes to DIA. If DIA is broken, the traffic uses MPLS. If you use VPN instead of MPLS to run SIP traffic, you must configure a VPN interface, for example vpn1, and then replace member 1 from MPLS to vpn1 for SD-WAN member.

To use the diagnose command to check performance SLA status using the CLI:
FGT_A (root) # diagnose sys virtual-wan-link service 1

Service(1): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:<<BR>>

1: Seq_num(1), alive, selected

Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251)

FGT_A (root) # diagnose sys virtual-wan-link service 2

Service(2): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:<<BR>>

1: Seq_num(2), alive, selected

Dst address: 0.0.0.0-255.255.255.255

FGT_A (root) #

FGT_A (root) # diagnose sys virtual-wan-link internet-service-app-ctrl-list
Ctrl application(SIP 34640):Internet Service ID(4294836224)
Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)

FGT_A (root) #