config system virtual-wan-link
Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
config system virtual-wan-link
    Description: Configure redundant internet connections using SD-WAN (formerly virtual WAN link).
    set status [disable|enable]
    set load-balance-mode [source-ip-based|weight-based|...]
    set neighbor-hold-down [enable|disable]
    set neighbor-hold-down-time {integer}
    set neighbor-hold-boot-time {integer}
    set fail-detect [enable|disable]
    set fail-alert-interfaces <name1>, <name2>, ...
    config zone
        Description: Configure SD-WAN zones.
        edit <name>
        next
    end
    config members
        Description: FortiGate interfaces added to the virtual-wan-link.
        edit <seq-num>
            set interface {string}
            set gateway {ipv4-address}
            set source {ipv4-address}
            set gateway6 {ipv6-address}
            set source6 {ipv6-address}
            set cost {integer}
            set weight {integer}
            set priority {integer}
            set spillover-threshold {integer}
            set ingress-spillover-threshold {integer}
            set volume-ratio {integer}
            set status [disable|enable]
            set comment {var-string}
        next
    end
    config health-check
        Description: SD-WAN status checking or health checking. Identify a server on the Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
        edit <name>
            set probe-packets [disable|enable]
            set addr-mode [ipv4|ipv6]
            set server {string}
            set protocol [ping|tcp-echo|...]
            set port {integer}
            set security-mode [none|authentication]
            set password {password}
            set packet-size {integer}
            set ha-priority {integer}
            set http-get {string}
            set http-agent {string}
            set http-match {string}
            set interval {integer}
            set probe-timeout {integer}
            set failtime {integer}
            set recoverytime {integer}
            set diffservcode {user}
            set update-cascade-interface [enable|disable]
            set update-static-route [enable|disable]
            set sla-fail-log-period {integer}
            set sla-pass-log-period {integer}
            set threshold-warning-packetloss {integer}
            set threshold-alert-packetloss {integer}
            set threshold-warning-latency {integer}
            set threshold-alert-latency {integer}
            set threshold-warning-jitter {integer}
            set threshold-alert-jitter {integer}
            set members <seq-num1>, <seq-num2>, ...
            config sla
                Description: Service level agreement (SLA).
                edit <id>
                    set link-cost-factor {option1}, {option2}, ...
                    set latency-threshold {integer}
                    set jitter-threshold {integer}
                    set packetloss-threshold {integer}
                next
            end
        next
    end
    config neighbor
        Description: Create SD-WAN neighbor from BGP neighbor table to control route advertisements according to SLA status.
        edit <ip>
            set member {integer}
            set role [standalone|primary|...]
            set health-check {string}
            set sla-id {integer}
        next
    end
    config service
        Description: Create SD-WAN rules (also called services) to control how sessions are distributed to interfaces in the SD-WAN.
        edit <id>
            set name {string}
            set addr-mode [ipv4|ipv6]
            set input-device <name1>, <name2>, ...
            set input-device-negate [enable|disable]
            set mode [auto|manual|...]
            set role [standalone|primary|...]
            set standalone-action [enable|disable]
            set quality-link {integer}
            set tos {user}
            set tos-mask {user}
            set protocol {integer}
            set start-port {integer}
            set end-port {integer}
            set route-tag {integer}
            set dst <name1>, <name2>, ...
            set dst-negate [enable|disable]
            set src <name1>, <name2>, ...
            set dst6 <name1>, <name2>, ...
            set src6 <name1>, <name2>, ...
            set src-negate [enable|disable]
            set users <name1>, <name2>, ...
            set groups <name1>, <name2>, ...
            set internet-service [enable|disable]
            set internet-service-custom <name1>, <name2>, ...
            set internet-service-custom-group <name1>, <name2>, ...
            set internet-service-id <id1>, <id2>, ...
            set internet-service-group <name1>, <name2>, ...
            set internet-service-app-ctrl <id1>, <id2>, ...
            set internet-service-app-ctrl-group <name1>, <name2>, ...
            set health-check {string}
            set link-cost-factor [latency|jitter|...]
            set packet-loss-weight {integer}
            set latency-weight {integer}
            set jitter-weight {integer}
            set bandwidth-weight {integer}
            set link-cost-threshold {integer}
            set hold-down-time {integer}
            set dscp-forward [enable|disable]
            set dscp-reverse [enable|disable]
            set dscp-forward-tag {user}
            set dscp-reverse-tag {user}
            config sla
                Description: Service level agreement (SLA).
                edit <health-check>
                    set id {integer}
                next
            end
            set priority-members <seq-num1>, <seq-num2>, ...
            set status [enable|disable]
            set gateway [enable|disable]
            set default [enable|disable]
            set sla-compare-method [order|number]
        next
    end
end

config system virtual-wan-link

| Parameter | Description | Type | Size |
|---|---|---|---|
| status | Enable/disable SD-WAN. | option | - |
| load-balance-mode | Algorithm or mode to use for load balancing Internet traffic to SD-WAN members. | option | - |
| neighbor-hold-down | Enable/disable hold switching from the secondary neighbor to the primary neighbor. | option | - |
| neighbor-hold-down-time | Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled. | integer | Minimum value: 0 Maximum value: 10000000 |
| neighbor-hold-boot-time | Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start. | integer | Minimum value: 0 Maximum value: 10000000 |
| fail-detect | Enable/disable SD-WAN Internet connection status checking (failure detection). | option | - |
| fail-alert-interfaces | Physical interfaces that will be alerted. Physical interface name. | string | Maximum length: 79 |


config members

| Parameter | Description | Type | Size |
|---|---|---|---|
| interface | Interface name. | string | Maximum length: 15 |
| gateway | The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to. | ipv4-address | Not Specified |
| source | Source IP address used in the health-check packet to the server. | ipv4-address | Not Specified |
| gateway6 | IPv6 gateway. | ipv6-address | Not Specified |
| source6 | Source IPv6 address used in the health-check packet to the server. | ipv6-address | Not Specified |
| cost | Cost of this interface for services in SLA mode. | integer | Minimum value: 0 Maximum value: 4294967295 |
| weight | Weight of this interface for weighted load balancing. More traffic is directed to interfaces with higher weights. | integer | Minimum value: 1 Maximum value: 255 |
| priority | Priority of the interface. Used for SD-WAN rules or priority rules. | integer | Minimum value: 0 Maximum value: 4294967295 |
| spillover-threshold | Egress spillover threshold for this interface. When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. | integer | Minimum value: 0 Maximum value: 16776000 |
| ingress-spillover-threshold | Ingress spillover threshold for this interface. When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN. | integer | Minimum value: 0 Maximum value: 16776000 |
| volume-ratio | Measured volume ratio. | integer | Minimum value: 1 Maximum value: 255 |
| status | Enable/disable this interface in the SD-WAN. | option | - |
| comment | Comments. | var-string | Maximum length: 255 |


config health-check

| Parameter | Description | Type | Size |
|---|---|---|---|
| probe-packets | Enable/disable transmission of probe packets. | option | - |
| addr-mode | Address mode (IPv4 or IPv6). | option | - |
| server | IP address or FQDN name of the server. | string | Maximum length: 79 |
| protocol | Protocol used to determine if the FortiGate can communicate with the server. | option | - |
| port | Port number used to communicate with the server over the selected protocol. | integer | Minimum value: 1 Maximum value: 65535 |
| security-mode | TWAMP controller security mode. | option | - |
| password | TWAMP controller password in authentication mode. | password | Not Specified |
| packet-size | Packet size of a TWAMP test session. | integer | Minimum value: 64 Maximum value: 1024 |
| ha-priority | HA election priority. | integer | Minimum value: 1 Maximum value: 50 |
| http-get | URL used to communicate with the server if the protocol is HTTP. | string | Maximum length: 1024 |
| http-agent | String in the http-agent field in the HTTP header. | string | Maximum length: 1024 |
| http-match | Response string expected from the server if the protocol is HTTP. | string | Maximum length: 1024 |
| interval | Status check interval in milliseconds, or the time between attempting to connect to the server. | integer | Minimum value: 500 Maximum value: 3600000 |
| probe-timeout | Time to wait before a probe packet is considered lost. | integer | Minimum value: 500 Maximum value: 5000 |
| failtime | Number of failures before server is considered lost. | integer | Minimum value: 1 Maximum value: 3600 |
| recoverytime | Number of successful responses received before server is considered recovered. | integer | Minimum value: 1 Maximum value: 3600 |
| diffservcode | Differentiated services code point (DSCP) in the IP header of the probe packet. | user | Not Specified |
| update-cascade-interface | Enable/disable update cascade interface. | option | - |
| update-static-route | Enable/disable updating the static route. | option | - |
| sla-fail-log-period | Time interval in seconds that SLA fail log messages will be generated. | integer | Minimum value: 0 Maximum value: 3600 |
| sla-pass-log-period | Time interval in seconds that SLA pass log messages will be generated. | integer | Minimum value: 0 Maximum value: 3600 |
| threshold-warning-packetloss | Warning threshold for packet loss. | integer | Minimum value: 0 Maximum value: 100 |
| threshold-alert-packetloss | Alert threshold for packet loss. | integer | Minimum value: 0 Maximum value: 100 |
| threshold-warning-latency | Warning threshold for latency. | integer | Minimum value: 0 Maximum value: 4294967295 |
| threshold-alert-latency | Alert threshold for latency. | integer | Minimum value: 0 Maximum value: 4294967295 |
| threshold-warning-jitter | Warning threshold for jitter. | integer | Minimum value: 0 Maximum value: 4294967295 |
| threshold-alert-jitter | Alert threshold for jitter. | integer | Minimum value: 0 Maximum value: 4294967295 |
| members | Member sequence number list. Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |


config sla

| Parameter | Description | Type | Size |
|---|---|---|---|
| id | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |


config neighbor

| Parameter | Description | Type | Size |
|---|---|---|---|
| member | Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |
| role | Role of neighbor. | option | - |
| health-check | SD-WAN health-check name. | string | Maximum length: 35 |
| sla-id | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |


config service

| Parameter | Description | Type | Size |
|---|---|---|---|
| name | Priority rule name. | string | Maximum length: 35 |
| addr-mode | Address mode (IPv4 or IPv6). | option | - |
| input-device | Source interface name. Interface name. | string | Maximum length: 79 |
| input-device-negate | Enable/disable negation of input device match. | option | - |
| mode | Control how the priority rule sets the priority of interfaces in the SD-WAN. | option | - |
| role | Service role to work with neighbor. | option | - |
| standalone-action | Enable/disable service when selected neighbor role is standalone while service role is not standalone. | option | - |
| quality-link | Quality grade. | integer | Minimum value: 0 Maximum value: 255 |
| tos | Type of service bit pattern. | user | Not Specified |
| tos-mask | Type of service evaluated bits. | user | Not Specified |
| protocol | Protocol number. | integer | Minimum value: 0 Maximum value: 255 |
| start-port | Start destination port number. | integer | Minimum value: 0 Maximum value: 65535 |
| end-port | End destination port number. | integer | Minimum value: 0 Maximum value: 65535 |
| route-tag | IPv4 route map route-tag. | integer | Minimum value: 0 Maximum value: 4294967295 |
| dst | Destination address name. Address or address group name. | string | Maximum length: 79 |
| dst-negate | Enable/disable negation of destination address match. | option | - |
| src | Source address name. Address or address group name. | string | Maximum length: 79 |
| dst6 | Destination address6 name. Address6 or address6 group name. | string | Maximum length: 79 |
| src6 | Source address6 name. Address6 or address6 group name. | string | Maximum length: 79 |
| src-negate | Enable/disable negation of source address match. | option | - |
| users | User name. User name. | string | Maximum length: 79 |
| groups | User groups. Group name. | string | Maximum length: 79 |
| internet-service | Enable/disable use of Internet service for application-based load balancing. | option | - |
| internet-service-custom | Custom Internet service name list. Custom Internet service name. | string | Maximum length: 79 |
| internet-service-custom-group | Custom Internet Service group list. Custom Internet Service group name. | string | Maximum length: 79 |
| internet-service-id | Internet service ID list. Internet service ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
| internet-service-group | Internet Service group list. Internet Service group name. | string | Maximum length: 79 |
| internet-service-app-ctrl | Application control based Internet Service ID list. Application control based Internet Service ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
| internet-service-app-ctrl-group | Application control based Internet Service group list. Application control based Internet Service group name. | string | Maximum length: 79 |
| health-check | Health check. | string | Maximum length: 35 |
| link-cost-factor | Link cost factor. | option | - |
| packet-loss-weight | Coefficient of packet-loss in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| latency-weight | Coefficient of latency in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| jitter-weight | Coefficient of jitter in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| bandwidth-weight | Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1. | integer | Minimum value: 0 Maximum value: 10000000 |
| link-cost-threshold | Percentage threshold change of link cost values that will result in policy route regeneration. | integer | Minimum value: 0 Maximum value: 10000000 |
| hold-down-time | Waiting period in seconds when switching from the back-up member to the primary member. | integer | Minimum value: 0 Maximum value: 10000000 |
| dscp-forward | Enable/disable forward traffic DSCP tag. | option | - |
| dscp-reverse | Enable/disable reverse traffic DSCP tag. | option | - |
| dscp-forward-tag | Forward traffic DSCP tag. | user | Not Specified |
| dscp-reverse-tag | Reverse traffic DSCP tag. | user | Not Specified |
| priority-members | Member sequence number list. Member sequence number. | integer | Minimum value: 0 Maximum value: 4294967295 |
| status | Enable/disable SD-WAN service. | option | - |
| gateway | Enable/disable SD-WAN service gateway. | option | - |
| default | Enable/disable use of SD-WAN as default service. | option | - |
| sla-compare-method | Method to compare SLA value for sla and load balance mode. | option | - |


config sla

| Parameter | Description | Type | Size |
|---|---|---|---|
| id | SLA ID. | integer | Minimum value: 0 Maximum value: 4294967295 |