Professional Documents
Culture Documents
FFT - SD-WAN Fast Track Lab Guide v6.2 - r1
FFT - SD-WAN Fast Track Lab Guide v6.2 - r1
Points: 0
Objective Text:
Welcome
to the
Constructing a Secure SD-WAN Architecture
Workshop
Time to Complete
Estimated: 30 minutes
----------------------- Answer Section -----------------------
Answer: none
Answer Text:
Answer Key:
Objective: 2
Section: Introduction
Points: 0
Objective Text:
Network Topology
The lab environment is setup to represent a Branch office and an HQ Data Center interconnected over
the internet. Each site has an edge FortiGate connected to two ISP's.
The only thing that has been done to the Branch FortiGate at this point was to setup basic connectivity
between the branch office and HQ. This was done in order for you to setup the IPSEC VPN tunnels.
The HQ administrator has already configured the IPSEC VPN setting on the HQ Edge Fortigate.
In this exercise you will configure the IPSEC VPN settings on the Branch Ede Fortigate, and use them as
interface members of the SD-WAN settings.
There is a WAN Emulator device between the two locations which represents the internet. This device
will allow us to introduce and control latency into the networks so that we may observe the SD-WAN fail
over.
Both the Branch Office and the HQ have a windows workstation with softphone software installed. This
will allow you to place a call from the Branch office to the HQ Datacenter to test the Secure SD-WAN
connection. You will see that the SD-WAN will fail over from one member link to another, without losing
the phone call. The HQ location also houses a PBX phone system.
----------------------- Answer Section -----------------------
Answer: none
Answer Text:
Answer Key:
Objective: 3
Section: Configuration
Title: SD-WAN
Points: 10
Objective Text:
Configuring SD-WAN
The company has decided to implement secure SD-WAN between HQ and the branch offices. This is to
ensure that important traffic like VOIP utilize the links that will provide the best quality. This traffic will
be secured by using IPSEC tunnels as the SD-WAN member interfaces.
The HQ administrator has already configured the IPSEC VPN setting on the HQ Edge Fortigate.
In this exercise you will configure the IPSEC VPN settings on the Branch Edge Fortigate, and use them as
interface members of the SD-WAN.
Open a browser and Log into the branch office FortiGate at http://192.168.0.102, (or use the
shortcut on the browser bar)
Under the SD-WAN Interface Members, click the plus sign "+"
In the interface dropdown menu, click the ‘+ VPN’ button next to the search box
A Create IPsec VPN for SD-WAN members window will slide out.
Click create.
Click close
Select HQ_VPN1 as a member interface
click the plus sign "+" in the field below the interface member you just created.
Again, In the interface dropdown menu, click the ‘+ VPN’ button next to the search box
Click create.
Click close
Question: How many interfaces can be used in a virtual SD-WAN link? Select the most correct
option.
Answer: radio
Answer Text:
You can in fact enable SD-WAN with just a single member interface selected. However, the whole
purpose of SD-WAN is to control traffic flow to maximize the overall performance of critical systems by
directing that traffic from a low performing link to one that meets our needs. So although enable
SD-WAN with a single member interface is not very useful, you can if fact do it.
Select the next objective to Continue.
Answer Key:
✔ 1. You may select a single interface
✘ 2. you must select at least two interfaces
✘ 3. Any multiple of two
✘ 4. a maximum of four
Objective: 4
Section: Configuration
Points: 10
Objective Text:
In the previous objective, you created two VPN tunnels for use in the SD-WAN, but they are not
complete yet. We still need to configure the tunnel endpoint addresses.
Edit HQ_VPN1
In the address section: enter the IP and remote IP for this tunnel
IP: 10.38.1.2
Edit HQ_VPN2
In the address section: enter the IP and remote IP for this tunnel
IP: 10.38.2.2
Click OK
Before moving on, let’s go and verify that the tunnels are up.
Answer: radio
Answer Text:
As the name implies, the algorithm will use both the source and destination IP address as the
connection criteria with which to equally divide the traffic between the interfaces included in the virtual
WAN interface.
Answer Key:
✘ 1. The algorithm tries to equally divide the traffic between the interfaces included in the Virtual
WAN interface. It only concerns itself with the source IP address of the connection.
✔ 2. The algorithm tries to equally divide the traffic between the interfaces included in the virtual
WAN interface. It uses the connection criteria of the source and destination IP address combinations as
a way of sorting the traffic.
✘ 3. The algorithm tries to equally divide the traffic between the interfaces included in the virtual
WAN interface. It uses the connection criteria of the source and destination IP address and sends traffic
initiated from the source IP down one link and the traffic initiated from the destination down another
link.
✘ 4. The algorithm tries to equally divide the traffic between the interfaces included in the virtual
WAN interface. It only concerns itself with the destination IP address of the connection.
Objective: 5
Section: Configuration
Points: 10
Objective Text:
You will now need to set a static route using the new SD-WAN interface you just created.
For the Interface select the SD-WAN logical interface from the dropdown
Click OK
Stop & Think
Question: When using a physical interface as the member of the SD-WAN virtual interface, why can
you not use that physical interface is a static route before creating the SD-WAN link?
Answer: radio
Answer Text:
If you recall from the presentation, if an interface is already referenced by a firewall policy or static
route, it cannot be use as an SD-WAN member interface. It will not even show up in the drop down list
of available interfaces to add as a member of the SD-WAN virtual link.
Answer Key:
✔ 1. If an interface is already referenced by a firewall policy or static
route, it cannot be use as an SD-WAN member interface.
✘ 2. There is no reason why we could not do so.
✘ 3. So as to not interrupt any traffic on the chosen member
interfaces as the SD-WAN link is setup.
✘ 4. The physical interfaces to be used as SD-WAN member links do
not show up as available interfaces in the Static Routs page until the
SD_WAN link is created.
Objective: 6
Section: Configuration
Points: 0
Objective Text:
Name: WAN_Outbound
Source: all
Destination: all
Service: ALL
Click OK
We also have to create an inbound policy. Here, we’ll use the clone policy method to do this.
Answer: none
Answer Text:
Answer Key:
Objective: 7
Section: Configuration
Points: 10
Objective Text:
Performance SLA
To verify the health and status of the links that make up the virtual SD-WAN link, we will configure a Link
Health monitor. Also known as a Performance SLA. For the purposes of this lab, we will send a ping
request to a server located in the datacenter.
For the Server input 10.38.218.5 for the first server, and 10.38.218.32 for the second server.
In the SLA Target section, Click the "Plus sign" to set Add Target.
Note that Fortinet offers some recommended values for both Performance Criteria and Internet
Services. Hover over a few to see what their values are.
For the purposes of this lab, set the following values. (it is important that you use these
values as we use them against other thresholds set in the environment).
Latency threshold: 5
Jitter threshold: 5
Click OK
If you select the SLA, the graph at the top of the page will display the history of the performance of the
Packet loss, Latency and Jitter for each of the member interfaces participating in that SLA.
Clicking on Performance SLA in the left hand pane will update the numbers being displayed for the SLA.
But the graph is showing live data.
It should be noted that we are deliberately injecting a latency of 5ms into WAN_2(port3). This is to
ensure that we know which link the system will favor before starting the fail over test.
The SD-WAN rules use this information for its decision criteria when determining which interface to use.
Question: Which of the following protocols can be used for the status check? Select ALL that apply
Hint: 1 Points: 2
Hint Text:
There are more options via the CLI.
Hint: 2 Points: 2
Hint Text:
Type the following commands at the CLI prompt:
This will display all of the available protocols that can be used with the Performance SLA (or Health-Check)
Hint: 3 Points: 4
Hint Text:
Ping and HTTP are the only options available via the GUI, but the other protocols (TCP ECHO, UDP ECHO,
and TWAMP) are available via the CLI.
Answer: checkbox
Answer Text:
Ping and HTTP are the only options available via the GUI, but the other protocols (TCP ECHO, UDP ECHO,
and TWAMP) are available via the CLI.
Select the next objective to Continue.
Answer Key:
✔ 1. PING
✔ 2. HTTP
✔ 3. TCP ECHO
✔ 4. UDP ECHO
✔ 5. TWAMP
Objective: 8
Section: Configuration
Points: 10
Objective Text:
SD-WAN rules
SD-WAN rules allow us to pick the best route for defined packets based on the quality of a member's
interface. In this task, we will create a rule which routes traffic going to the PBX server in the datacenter
(our VOIP traffic) over the link member that has the lowest latency, based on the status check we
created in the previous task, ensuring that our calls do not get interrupted.
Name: Softphone_PBX
In the Destination section, click on the ‘+’ sign in the field next to Address:
Destination Address:
On the right panel, click on the ‘+ Create’ beside the Search box
Click OK
The order stipulated above is only important for the purposes of this lab and is to help
point out how the Lowest Cost (SLA) strategy works.
You should now see the newly created rule above the default Implicit SD-WAN rule which was created
when the SD-WAN virtual interface enabled.
(Optional Task)
While we are here, let’s create another rule simply to demonstrate some of the traffic engineering
options based on the internet services database. In this task, we will create a rule that basically says,
anything that is identified as traffic going to Amazon; we want that traffic to use the interface with the
least latency.
Go to Network -> SD-WAN Rules
Name: Amazon-AWS
Take note of all of the different Internet Services and Application Controls that are available.
On the right panel, with Internet Services Tab selected, type Amazon in the search field
Select Amazon.AWS
Click OK
Question: In the real world, you would have many SD-WAN rules. You might even have several
rule for the same application. In what order will the SD-WAN rules be evaluated?
Answer: radio
Answer Text:
Rules are evaluated in the same way as the firewall policies: from top to bottom, using the first match.
Answer Key:
✘ 1. The rules will be evaluated based on the load balancing method
chosen. (Source IP, Source-destination IP, Spillover, Sessions, and
Volume )
✔ 2. The rules will be evaluated as they appear in the GUI, from top to
bottom
✘ 3. The rules will be evaluated as they appear in the GUI, from
bottom to top
✘ 4. The rules will be evaluated based on the amount of traffic passing
through the associated links
Objective: 9
Section: Measurement
Title: Recap
Points: 10
Objective Text:
RECAP
Created some policies to allow traffic to flow through the SD-WAN interface in both directions.
Created a Performance SLA (or Health check) to monitor the SD-WAN member links to the PBX
phone system over in HQ.
Created a rule which will route the traffic over the preferred link based on the order of the links
in the Interface Preference section of the rule. The links will be evaluated as they appear in the
GUI from top to bottom.
click on the CLI icon from the top menu to connect to the CLI Console
On the command line enter:
Pay particular attention to the priority-members setting. As you can see, it is set to use
HQ_VPN2 as the preferred link, and then HQ_VPN1 as its second option. They should appear in
the same order as they are in the GUI.
Note: You may have more than one Service is you did the optional Amazon-AWS rule earlier.
This command shows which of the SD-WAN link members will actually be used for traffic flow, as
dictated by the settings in the rule. Seq_num(1) and seq_num(2) represent HQ_VPN1 and
HQ_VPN2 respectively. Based on the output shown in this screenshot, the traffic will be sent
over HQ_VPN1.
the Softphone_PBX rule has its Interface Preference set to use HQ_VPN2 first, and then
HQ_VPN1 as the second option. So why does the diag sys virtual-wan-link service
command show the HQ_VPN1 member as the first option to select for the SD-WAN traffic?
Hint: 1 Points: 3
Hint Text:
Other than the order of the link members in the Interface Preference section of the rule, what other
settings plays a part on which member the rule will use.
Hint: 2 Points: 2
Hint Text:
Unlike the Best Quality method, which selects the best link (as the name implies), a rule using the
Lowest Cost (SLA) method selects the link based on the order that it is displayed in the GUI so long as it
meets the SLA.
Answer: radio
Answer Text:
The Best Quality method, selects the best link (as the name implies), but a rule using the Lowest Cost
(SLA) method selects the link based on the order that it is displayed in the GUI so long as it meets the
SLA.
If you recall, we had mentioned that we introduced 5ms of latency on the HQ_VPN2 link. And since the
default SLA setting used in the Softphone_PBX rule has a latency threshold of 5ms, HQ_VPN2 does not
meet the criteria for that SLA. So even though HQ_VPN2 is the preferred link, the system will look at
the next member in the list, which is HQ_VPN1. It meets the SLA criteria, so it is selected as the link to
handle the traffic.
Option 1, “HQ_VPN1 is selected because it has less latency than HQ_VPN2 is not the best answer
because if HQ_VPN2 had a latency of 4ms it would meet the rule’s SLA and so it would have been
selected because it is the preferred link. Even though HQ_VPN1 still had less latency than HQ_VPN2
Answer Key:
✘ 1. HQ_VPN1 is selected because it has less latency than HQ_VPN2
✔ 2. HQ_VPN1 is selected because HQ_VPN2 does not meet the performance SLA of the Softphone_PBX rule.
✘ 3. HQ_VPN1 is selected because it is the preferred link of the performance SLA
✘ 4. HQ_VPN1 is selected because it was the first link member added when SD-WAN was enabled
Objective: 10
Section: Measurement
Points: 0
Objective Text:
We are going to use SoftPhone software to establish a call between a computer in the Branch Office and
one in HQ.
But, before we make the call, lets first make sure that our HQ computer is awake and ready to receive
the call.
From the CloudShare interface, select the Alice_Win10 tab (if you are in Full Screen mode, you
will need to exit it to see the CloudShare Tabs )
Make sure that the softphone application is up and running. If it isn’t, click on the SoftPhone
Icon either on the task bar or on the desktop. no need to wait for it. You can move on
to the next step.
Click on the SoftPhone Icon either on the task bar or on the desktop. You may need
to minimize the browser.
Before trying to place the call, make sure that the SoftPhone is indicating that it is connected to
the PBX. It should read “On Hook”. This may take a minute or so.
Enter extension 804 in the keypad, and click the phone icon to start the call
Access the Alice_Win10 VM from the CloudShare browser interface and answer the call.
Return to the Jumpbox Server. We can't actually hold a conversation due to the fact that these
SoftPhones are not connected to speakers and a mic, but we can at least see that the call has
been established.
ping -t 10.38.218.5
Take note of the latency displayed in the ping returns. It should be approximately 1ms. Indicating that it
has chosen the path with the least latency.
In the previous objective, we used the CLI to show which SD-WAN interface member was the preferred
link. Now that we have some traffic flowing, we can also use the GUI to see which interface member the
traffic is flowing through.
Answer: none
Answer Text:
Answer Key:
Objective: 11
Section: Measurement
Points: 10
Objective Text:
Click on Advanced Mode add choose the eth1 interface from the dropdown menu and click on
the Start button. (it may take a moment for it to move to the next page. Be patient)
To verify the settings have been correctly set click on the Check Current Status button.
This will open a new browser tab, where you should see the settings correctly applied against the
interface in question.
Once the settings are applied, go back to the command prompt window and review the ping output. You
should see the latency go up momentarily, and then settle back down to around 5ms (remember, this is
the latency that was deliberately added to HQ_VPN2 ).
Note: You may have to stop the ping and scroll up to see the point of transition.
You can also see that the timer on the softphone is still counting, indicating that we didn't drop the call.
From the browser return to the Branch FortiGate web console and go to Network ->
Performance SLA, you should now see the increased latency on the respective port.
To see the newly selected route for the SD-WAN rule we added connect to the CLI Console again
To see the currently active link from the command line enter the command:
Note: The active link is now Seq_num(2) which has latency of 5ms and was previously the worst of the
two routes. Seq_num(1) latency now matches the 100ms we added in the previous step.
To see the currently active link from the GUI, return to FortiView > All Session
Note: The traffic going out WAN_1 was generated when accessing the WANem site. That traffic does not
go through the SD_WAN interface.
(Optional Task)
If you have time, go back to the WanEM interface and reduce the latency on eth1 back to 0 ms.
go to Network -> Performance SLA, take note of the latency on the two links.
Click Network -> Performance SLA again to refresh it. What do you observe?
refresh the page a few more times.
Although we dropped the latency to 0ms on HQ_VPN1, it is not immediately reflected in the GUI
because the latency of a link is calculated as an average over time. It will take a few moments for it to
settle.
This is to prevent the system from shifting traffic back and forth in quick sequence over the different
links due to momentary spikes in latency. A condition known as flapping.
When the WANen application was used to introduce 100ms to the HQ_VPN1 link, why did
HQ_VPN2 become the chosen interface for the SD-WAN traffic?
Hint: 1 Points: 5
Hint Text:
refer to the hint and answer of objective 9
Answer: radio
Answer Text:
In this scenario, neither HQ_VPN1 or HQ_VPN2 meet the SLA criteria. The rule will therefore go with the
preferred link (based on the order that they are listed), which is HQ_VPN2
So option 3 is the correct answer.
Option 1 is not the correct answer because even if HQ_VPN2 had a latency of 120ms it would still be the
preferred link.
Option 2 is not the most correct answer as neither of the links meet the SLA.
Option 4 is not correct as the order the link members are added when SD-WAN is enabled has no
bearing on the rule’s preference order.
Answer Key:
✘ 1. HQ_VPN2 was selected because it has less latency than HQ_VPN1
✘ 2. HQ_VPN2 was selected because HQ_VPN1 does not meet the
performance SLA of the Softphone_PBX rule.
✔ 3. HQ_VPN2 was selected because it is the preferred link of the
Softphone_PBX rule.
✘ 4. HQ_VPN2 was selected because it was the first link member
added when SD-WAN was enabled
Objective: 12
Section: Fortinet Fast Track
Title: Complete
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Thank you for participating! We hope that you found this training of value.
To learn more about what the FortiGate can do, we encourage you to enroll in
the NSE 4 courses and pursue your FortiGate Certification.
----------------------- Answer Section -----------------------
Answer: none
Answer Text:
Answer Key: