Configuring an SD-WAN for a group of interfaces

To configure an SD-WAN for a group of interfaces:
  1. Select Configuration from the SD-WAN tree.
  2. Enable the SD-WAN status. See Enable the SD-WAN status.
  3. Define which physical FortiPortal interfaces belong to the SD-WAN. See Define which physical FortiPortal interfaces belong to the SD-WAN.
  4. Define a new performance service level agreement (SLA). See Define a new performance SLA.
  5. Define SD-WAN rules to control how sessions are distributed to physical interfaces in the SD-WAN. See Define SD-WAN rules.

Enable the SD-WAN status

The SD-WAN pane on the SD-WAN > Configuration page displays the SD-WAN status, whether any physical interfaces will be alerted if the SD-WAN fails, and whether the SD-WAN Internet connection will be checked.

To change these settings in the GUI:
  1. Select Edit.
  2. Select Enable to enable the SD-WAN status.
  3. Select a physical interface to alert if the SD-WAN fails, or select None or any.
  4. Select Enable or Disable to change whether the SD-WAN Internet connection is checked.
  5. Select Save to make your changes.

Define which physical FortiPortal interfaces belong to the SD-WAN

Use the Interface Members area on the SD-WAN > Configuration page to define which physical FortiPortal interfaces belong to the SD-WAN.

SD-WAN interfaces are the ports and interfaces that are used to run traffic. At least one interface must be configured for SD-WAN to function; up to 255 member interfaces can be configured.

In the Interface Members area, the following actions are available:

  • Create New—define a new interface member
  • Edit—change the settings for an existing interface member
  • Delete—delete an interface member

To add a new interface member:
  1. Select Configuration from the SD-WAN tree.
  2. Right-click an interface member and select Create New. If the table is blank, right-click under the column headings and select Create New.
  3. Enter values in the relevant fields. See Interface member fields.
  4. Select Save.

Interface member fields

The Create New Interface Member and Edit Interface Member forms contain the following fields:

Settings

Guidelines

Member

Required. Select one of the available physical interfaces.

Weight

Weight of this interface for weighted load balancing. More traffic is directed to interfaces with higher weights. The weight must be in the range of 0-255.

Gateway IP

Enter the IPv4 address of the default gateway for this interface. This is usually the default gateway of the Internet service provider that this interface is connected to.

Status

Enable or disable this interface in the SD-WAN.

Estimated Upstream Bandwidth

Select the link based on the available bandwidth of outgoing traffic.

Estimated Downstream Bandwidth

Select the link based on the available bandwidth of incoming traffic.

Advanced Options

gateway6

Enter the IPv6 address of the default gateway for this interface. This is usually the default gateway of the Internet service provider that this interface is connected to.

priority

Assign interfaces a priority based on the priority assigned to the interface.

seq-num

Member sequence number. The range is 0-4294967295.

source

Source IPv4 address name.

source6

Source IPv6 address name.

volume-ratio

Measured volume ratio (this value / sum of all values = percentage of link volume). The range is 0-255.

Define a new performance SLA

Use the Performance SLA area on the SD-WAN > Configuration page to configure SLA management.

If all links meet the SLA criteria, the FortiPortal unit uses the first link, even if that link is not the best quality link. If at any time the link in use does not meet the SLA criteria and the next link in the configuration does, the FortiPortal unit changes to that link. If the next link does not meet the SLA criteria either, the FortiPortal unit uses the link after it in the configuration if that link meets the SLA criteria, and so on.

In the Performance SLA area, the following actions are available:

  • Create New—define a new performance SLA
  • Edit—change an existing performance SLA
  • Delete—delete a performance SLA

To add a new performance SLA:
  1. Select Configuration from the SD-WAN tree.
  2. Right-click a performance SLA and select Create New. If the table is blank, right-click under the column headings and select Create New.
  3. Enter values in the relevant fields. See Performance SLA fields.
  4. Select Save.

Performance SLA fields

The Create New Performance SLA and Edit Performance SLA forms contain the following fields:

Settings

Guidelines

Name

Required. Name of the performance SLA.

Detect Protocol

Required. Protocol used to determine if the FortiPortal unit can communicate with the server. Select Ping, TCP ECHO, UDP ECHO, HTTP, or TWAMP.

Detect Server

Required. IPv4 address of the server.

Detect Server 2

IPv4 address of an optional second server.

Members

Required. Select the interfaces from the Available Members list and then select > to move them to the Selected Members list.

SLA

Configure the SLA. See SLA fields.

Link Status

interval

Status check interval, which is the time between attempting to connect to the server. The default is 5 seconds; the range is 1 - 3600 seconds.

Failure Before Inactive

Number of failures before server is considered lost. The default is 5; the range is 1 - 10.

Restore Link After

Number of successful responses received before server is considered recovered. The default is 5; the range is 1 - 10.

Action When Inactive

Update Static Route

Enable or disable updating the static route.

Update Cascade Interface

Enable or disable updating the cascade interface.

Advanced Options

http-get

URL used to communicate with the server if the protocol is HTTP.

http-match

Response string expected from the server if the protocol is HTTP.

interval

Status check interval, or the time between attempting to connect to the server. The default is 5 seconds; the range is 1 - 3600 seconds.

packet-size

Packet size of a Two-Way Active Measurement Protocol (TWAMP) test session. The range is 64-1024.

threshold-alert-jitter

Alert threshold for jitter. The default is 0 ms; the range is 0-4294967295 ms.

threshold-alert-latency

Alert threshold for latency. The default is 0 ms; the range is 0-4294967295 ms.

threshold-alert-packetloss

Alert threshold for packet loss. The default is 0 percent; the range is 0-100 percent.

threshold-warning-jitter

Warning threshold for jitter. The default is 0 ms; the range is 0-4294967295 ms.

threshold-warning-latency

Warning threshold for latency. The default is 0 ms; the range is 0-4294967295 ms.

threshold-warning-packetloss

Warning threshold for packet loss. The default is 0 percent; the range is 0-100 percent.

To add a new SLA:
  1. Select Configuration from the SD-WAN tree.
  2. Right-click a performance SLA and select Create New. If the table is blank, right-click under the column headings and select Create New.
  3. Right-click under the column headings in the SLA area and select Create New.
  4. Enter values in the relevant fields. See SLA fields.
  5. Select Save to save your SLA configuration.
  6. Select Save to save your performance SLA configuration.

SLA fields

The Create New SLA and Edit SLA forms contain the following fields:

Settings

Guidelines

link-cost-factor

Required. Criteria on which to base link selection. You can select one or more of the threshold values to use: Jitter Threshold, Latency Threshold, and Packet Loss Threshold. You need to enter a threshold value for each criterion that you select.

Jitter Threshold

Jitter threshold, in milliseconds, that the SLA uses to make its decision. The default is 5; the range is 0-10000000.

Latency Threshold

Latency threshold, in milliseconds, that the SLA uses to make its decision. The default is 5; the range is 0-10000000.

Packet Loss Threshold

Packet loss threshold, as a percentage, that the SLA uses to make its decision. The default is 0; the range is 0-100.
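
The link selection behaviour described under Define a new performance SLA, combined with the Link Status counters and the SLA thresholds, as an added Python sketch (not Fortinet code). It assumes a criterion is met when the measurement does not exceed its threshold, that failures and successes are counted consecutively, and that members start active; the member names and measurements are constructed.

```python
from dataclasses import dataclass


@dataclass
class Sla:
    link_cost_factor: tuple   # selected criteria: "jitter", "latency", "packet_loss"
    jitter: int = 5           # Jitter Threshold default, ms
    latency: int = 5          # Latency Threshold default, ms
    packet_loss: int = 0      # Packet Loss Threshold default, percent

    def met_by(self, sample):
        # Assumption: a criterion is met when the measurement does not exceed
        # its threshold. Criteria not in link_cost_factor are ignored.
        return all(sample[f] <= getattr(self, f) for f in self.link_cost_factor)


class LinkStatus:
    """One member's state under Failure Before Inactive / Restore Link After."""

    def __init__(self, failure_before_inactive=5, restore_link_after=5):
        for value in (failure_before_inactive, restore_link_after):
            if not 1 <= value <= 10:          # range given in the field table
                raise ValueError("value must be in the range 1-10")
        self.fail_limit = failure_before_inactive
        self.restore_limit = restore_link_after
        self.active = True                    # assumption: members start active
        self.streak = 0                       # probes contradicting the current state

    def probe(self, ok):
        # Assumption: failures and successes are counted consecutively.
        if ok == self.active:
            self.streak = 0
        else:
            self.streak += 1
            limit = self.fail_limit if self.active else self.restore_limit
            if self.streak >= limit:
                self.active, self.streak = not self.active, 0
        return self.active


def select_link(members, samples, sla, status=None):
    """Return the first member, in configuration order, that is active and meets the SLA."""
    for name in members:
        if status and not status[name].active:
            continue
        if sla.met_by(samples[name]):
            return name
    return None   # the page does not say what happens when no member qualifies


def demo():
    members = ["wan1", "wan2", "wan3"]        # constructed names, configuration order
    sla = Sla(("latency", "packet_loss"), latency=100, packet_loss=2)
    samples = {                               # constructed measurements
        "wan1": {"jitter": 3, "latency": 40, "packet_loss": 0},
        "wan2": {"jitter": 1, "latency": 10, "packet_loss": 0},
        "wan3": {"jitter": 2, "latency": 20, "packet_loss": 0},
    }
    picks = [select_link(members, samples, sla)]   # all meet: first link, not the best one
    samples["wan1"]["latency"] = 250               # link in use stops meeting the SLA
    picks.append(select_link(members, samples, sla))
    samples["wan2"]["packet_loss"] = 10            # next link stops meeting it too
    picks.append(select_link(members, samples, sla))
    return picks
```

With thresholds left loose, a degraded first link stays selected for as long as it still meets the SLA, so the thresholds and the member order together decide which path carries traffic.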

Define SD-WAN rules

Use the SD-WAN Rules area on the SD-WAN > Configuration page to configure SD-WAN rules or priority rules (also called services) to control how sessions are distributed to physical interfaces in the SD-WAN.

In the SD-WAN Rules area, the following actions are available:

  • Create New—define a new SD-WAN rule
  • Edit—change an existing SD-WAN rule
  • Delete—delete an SD-WAN rule

To add a new SD-WAN rule:
  1. Select Configuration from the SD-WAN tree.
  2. Right-click an SD-WAN rule and select Create New. If the table is blank, right-click under the column headings and select Create New.
  3. Enter values in the relevant fields. See SD-WAN rule fields.
  4. Select Save.

SD-WAN rule fields

The Create New SD-WAN Rules and Edit SD-WAN Rules forms contain the following fields:

Settings

Guidelines

Name

Required. Priority rule name.

Source Address

Select the source addresses from the Available list and then select > to move them to the Selected list.

User

Select the users from the Available list and then select > to move them to the Selected list.

User group

Select the user groups from the Available list and then select > to move them to the Selected list.

Destination

Required. Select Address to use destination addresses or select Internet Service to use destination Internet services.

Address

Required. Available if Destination is set to Address. Select the destination addresses from the Available list and then select > to move them to the Selected list.

Protocol

Required. Available if Destination is set to Address. Select TCP, UDP, ANY, or Specify. If you select Specify, enter the protocol number, type of service, and bit mask.

Internet Service

Available if Destination is set to Internet Service. Select the Internet services from the Available list and then select > to move them to the Selected list.

Internet Service Group

Available if Destination is set to Internet Service. Select the Internet service groups from the Available list and then select > to move them to the Selected list.

Custom Internet Service

Available if Destination is set to Internet Service. Select the custom Internet services from the Available list and then select > to move them to the Selected list.

Custom Internet Service Group

Required. Available if Destination is set to Internet Service. Select the custom Internet service groups from the Available list and then select > to move them to the Selected list.

Application

Available if Destination is set to Internet Service. Select the applications from the Available list and then select > to move them to the Selected list.

Application Group

Available if Destination is set to Internet Service. Select the application groups from the Available list and then select > to move them to the Selected list.

Outgoing Interface

Required. Select Best Quality or Minimum Quality (SLA).

Interface Members

Required. Select the interfaces from the Available list and then select > to move them to the Selected list.

Status Check

Required. Available if Outgoing Interface is set to Best Quality. Select the appropriate performance SLA to use for the status check.

Required SLA Target

Required. Available if Outgoing Interface is set to Minimum Quality (SLA). Select the appropriate performance SLA from the drop-down list.
