Objective: 1

Section: Fortinet Fast Tracks

Title: Secure SD-WAN

Points: 0

----------------------- Objective Section -----------------------

Objective Text:

Welcome
to the
Constructing a Secure SD-WAN Architecture
Workshop

SD-WAN Hands On Exercises

Objectives

 How to configure SD-WAN with multiple ISP interfaces

 How to measure the quality of each interface

 Set up rules to direct traffic based on interface quality

 Determine which interface is being used for a specified rule

Time to Complete
Estimated: 30 minutes
----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 2

Section: Introduction

Title: Network Topology

Points: 0

----------------------- Objective Section -----------------------

Objective Text:

Network Topology
The lab environment is setup to represent a Branch office and an HQ Data Center interconnected over
the internet. Each site has an edge FortiGate connected to two ISP's.
The only thing that has been done to the Branch FortiGate at this point was to setup basic connectivity
between the branch office and HQ. This was done in order for you to setup the IPSEC VPN tunnels.
The HQ administrator has already configured the IPSEC VPN setting on the HQ Edge Fortigate.

In this exercise you will configure the IPSEC VPN settings on the Branch Ede Fortigate, and use them as
interface members of the SD-WAN settings.
There is a WAN Emulator device between the two locations which represents the internet. This device
will allow us to introduce and control latency into the networks so that we may observe the SD-WAN fail
over.

Both the Branch Office and the HQ have a windows workstation with softphone software installed. This
will allow you to place a call from the Branch office to the HQ Datacenter to test the Secure SD-WAN
connection. You will see that the SD-WAN will fail over from one member link to another, without losing
the phone call. The HQ location also houses a PBX phone system.
 ----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 3

Section: Configuration

Title: SD-WAN

Points: 10

----------------------- Objective Section -----------------------

Objective Text:

Configuring SD-WAN

The company has decided to implement secure SD-WAN between HQ and the branch offices. This is to
ensure that important traffic like VOIP utilize the links that will provide the best quality. This traffic will
be secured by using IPSEC tunnels as the SD-WAN member interfaces.
The HQ administrator has already configured the IPSEC VPN setting on the HQ Edge Fortigate.

In this exercise you will configure the IPSEC VPN settings on the Branch Edge Fortigate, and use them as
interface members of the SD-WAN.

To configure the SD-WAN connections:

 Open a browser and Log into the branch office FortiGate at http://192.168.0.102, (or use the
shortcut on the browser bar)

username: admin password: Fortinet1!

 From the left-hand menu go to Network > SD-WAN

 Under the SD-WAN header set the Status to Enable

 Under the SD-WAN Interface Members, click the plus sign "+"

 In the interface dropdown menu, click the ‘+ VPN’ button next to the search box
A Create IPsec VPN for SD-WAN members window will slide out.

 Provide a name: HQ_VPN1

 Enter the IP address of the HQ FG: 10.38.214.1

 Select the outgoing interface: WAN_1(port2)

 Enter pre-shared key: Fortinet1!

 Click create.

 Click close
  Select HQ_VPN1 as a member interface

 Provide its gateway IP: 10.38.216.10

 Leave the Cost at 0

Repeat for HQ_VPN2

 click the plus sign "+" in the field below the interface member you just created.

 Again, In the interface dropdown menu, click the ‘+ VPN’ button next to the search box

 Provide a name: HQ_VPN2

 Enter the IP address of the HQ FG: 10.38.215.1

 Select the outgoing interface: WAN_2(port3)

 Enter pre-shared key: Fortinet1!

 Click create.

 Click close

 Select HQ_VPN2 as a member interface

 Provide its gateway IP: 10.38.217.10

 Leave the Cost at 0

  Click Apply

Stop & Think

Question: How many interfaces can be used in a virtual SD-WAN link? Select the most correct
option.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
You can in fact enable SD-WAN with just a single member interface selected. However, the whole
purpose of SD-WAN is to control traffic flow to maximize the overall performance of critical systems by
directing that traffic from a low performing link to one that meets our needs. So although enable
SD-WAN with a single member interface is not very useful, you can if fact do it.
Select the next objective to Continue.

Answer Key:
✔ 1. You may select a single interface
✘ 2. you must select at least two interfaces
✘ 3. Any multiple of two
✘ 4. a maximum of four
Objective: 4

Section: Configuration

Title: Endpoint Addresses

Points: 10

----------------------- Objective Section -----------------------

Objective Text:

In the previous objective, you created two VPN tunnels for use in the SD-WAN, but they are not
complete yet. We still need to configure the tunnel endpoint addresses.

To set the tunnel endpoint addresses:

 From the left-hand menu go to Network > Interfaces

 Expand the SD-WAN interface

 Edit HQ_VPN1

 In the address section: enter the IP and remote IP for this tunnel

 IP: 10.38.1.2

 Remote IP: 10.38.1.1/32

  Click OK

 Edit HQ_VPN2

 In the address section: enter the IP and remote IP for this tunnel

 IP: 10.38.2.2

 Remote IP: 10.38.2.1/32

 Click OK

Before moving on, let’s go and verify that the tunnels are up.

 Go to VPN > IPSEC Tunnels from the left-hand menu.

You should see that both tunnels are up.

If you do not see this, go back and make sure that you configured things correctly.

Stop & Think

Which of the following defines the Source_Destination IP load balancing?

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
As the name implies, the algorithm will use both the source and destination IP address as the
connection criteria with which to equally divide the traffic between the interfaces included in the virtual
WAN interface.

Therefore option 2 is the correct answer.

Select the next objective to Continue.

Answer Key:
✘ 1. The algorithm tries to equally divide the traffic between the interfaces included in the Virtual
WAN interface. It only concerns itself with the source IP address of the connection.
✔ 2. The algorithm tries to equally divide the traffic between the interfaces included in the virtual
WAN interface. It uses the connection criteria of the source and destination IP address combinations as
a way of sorting the traffic.
✘ 3. The algorithm tries to equally divide the traffic between the interfaces included in the virtual
WAN interface. It uses the connection criteria of the source and destination IP address and sends traffic
initiated from the source IP down one link and the traffic initiated from the destination down another
link.
✘ 4. The algorithm tries to equally divide the traffic between the interfaces included in the virtual
WAN interface. It only concerns itself with the destination IP address of the connection.
Objective: 5

Section: Configuration

Title: Static Route

Points: 10

----------------------- Objective Section -----------------------

Objective Text:

Set a static route

You will now need to set a static route using the new SD-WAN interface you just created.

 Go to Network -> Static Route from the left-hand menu.

 Click +Create New

 For the Destination Subnet, enter 10.38.218.0/24

 For the Interface select the SD-WAN logical interface from the dropdown

 Leave the other settings with their defaults

 Click OK
Stop & Think

Question: When using a physical interface as the member of the SD-WAN virtual interface, why can
you not use that physical interface is a static route before creating the SD-WAN link?

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
If you recall from the presentation, if an interface is already referenced by a firewall policy or static
route, it cannot be use as an SD-WAN member interface. It will not even show up in the drop down list
of available interfaces to add as a member of the SD-WAN virtual link.

Select the next objective to Continue.

Answer Key:
✔ 1. If an interface is already referenced by a firewall policy or static
route, it cannot be use as an SD-WAN member interface.
✘ 2. There is no reason why we could not do so.
✘ 3. So as to not interrupt any traffic on the chosen member
interfaces as the SD-WAN link is setup.
✘ 4. The physical interfaces to be used as SD-WAN member links do
not show up as available interfaces in the Static Routs page until the
SD_WAN link is created.
Objective: 6

Section: Configuration

Title: Firewall Policy

Points: 0

----------------------- Objective Section -----------------------

Objective Text:

Set a Firewall Policy

The next step, is to set a Firewall policy to allow the Virtual Machines on the internal network to access
the Data Center via the SD-WAN interface
Note: The policies used in this lab are for example and should not be considered best practice

 Go to Policy & Objects -> IPv4 Policy

 Click +Create New

 For the New Policy use the following values

 Name: WAN_Outbound

 Incoming Interface: Internal (port4)

 Outgoing Interface: SD-WAN

 Source: all

 Destination: all

 Schedule: always (default)

 Service: ALL

 Action: Accept (default)

 Toggle NAT off to disable

  Leave all the other settings with their defaults

 Click OK

We also have to create an inbound policy. Here, we’ll use the clone policy method to do this.

 While still at Policy & Objects -> IPv4 Policy

 Right click on the WAN_Outbound policy you just created.

 Select Clone Reverse from the dropdown menu.

 Now double click the policy that was just created by this action

 Enter WAN_Inbound as the name

 Scroll to the very bottom and enable the policy

 Click OK
 ----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 7

Section: Configuration

Title: Performance SLA

Points: 10

----------------------- Objective Section -----------------------

Objective Text:

Performance SLA
To verify the health and status of the links that make up the virtual SD-WAN link, we will configure a Link
Health monitor. Also known as a Performance SLA. For the purposes of this lab, we will send a ping
request to a server located in the datacenter.

 Go to Network -> Performance SLA

 Click +Create New

 Enter DC_PBX_SLA as the name

 For the Protocol leave Ping selected

 For the Server input 10.38.218.5 for the first server, and 10.38.218.32 for the second server.

 For the Participants, select both HQ_VPN1 and HQ_VPN2

 In the SLA Target section, Click the "Plus sign" to set Add Target.

Note that Fortinet offers some recommended values for both Performance Criteria and Internet
Services. Hover over a few to see what their values are.

 For the purposes of this lab, set the following values. (it is important that you use these
values as we use them against other thresholds set in the environment).

 Latency threshold: 5

 Jitter threshold: 5

 Packet loss threshold: 0

 Toggle the Update Static route option Off to disable

 Leave the defaults for the other settings

 Click OK
If you select the SLA, the graph at the top of the page will display the history of the performance of the
Packet loss, Latency and Jitter for each of the member interfaces participating in that SLA.
Clicking on Performance SLA in the left hand pane will update the numbers being displayed for the SLA.
But the graph is showing live data.
It should be noted that we are deliberately injecting a latency of 5ms into WAN_2(port3). This is to
ensure that we know which link the system will favor before starting the fail over test.

The SD-WAN rules use this information for its decision criteria when determining which interface to use.

Stop & Think

Question: Which of the following protocols can be used for the status check? Select ALL that apply

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:
There are more options via the CLI.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 2

Hint Text:
Type the following commands at the CLI prompt:

config system virtual-wan-link

config health-check
edit DC_PBX_SLA
set protocol ?

This will display all of the available protocols that can be used with the Performance SLA (or Health-Check)

----------------------- Hint 3 Section -----------------------

Hint: 3 Points: 4

Hint Text:
Ping and HTTP are the only options available via the GUI, but the other protocols (TCP ECHO, UDP ECHO,
and TWAMP) are available via the CLI.

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:
Ping and HTTP are the only options available via the GUI, but the other protocols (TCP ECHO, UDP ECHO,
and TWAMP) are available via the CLI.
Select the next objective to Continue.

Answer Key:
✔ 1. PING
✔ 2. HTTP
✔ 3. TCP ECHO
✔ 4. UDP ECHO
✔ 5. TWAMP
Objective: 8

Section: Configuration

Title: SD-WAN Rules

Points: 10

----------------------- Objective Section -----------------------

Objective Text:

SD-WAN rules
SD-WAN rules allow us to pick the best route for defined packets based on the quality of a member's
interface. In this task, we will create a rule which routes traffic going to the PBX server in the datacenter
(our VOIP traffic) over the link member that has the lowest latency, based on the status check we
created in the previous task, ensuring that our calls do not get interrupted.

 Go to Network -> SD-WAN Rules

 Click +Create New

 Name: Softphone_PBX

 Source Address: all

 User Group: leave blank

 In the Destination section, click on the ‘+’ sign in the field next to Address:

 Destination Address:

 On the right panel, click on the ‘+ Create’ beside the Search box

 Select the Address option

 The New Address window will open

 Enter DC-PBX-01 for the name

 Select Subnet from the Type drop down menu

  Enter the IP address 10.38.218.0/24 in the IP/Netmask field

 Leave the remaining options as they are

 Click OK

 Select new Destination Address: DC-PBX-01

 Protocol Number: ANY

 Strategy: Lowest Cost (SLA)

 Interface preference: Select HQ_VPN2 and HQ_VPN1 (in that order)

The order stipulated above is only important for the purposes of this lab and is to help
point out how the Lowest Cost (SLA) strategy works.

 Required SLA target: DC_PBX_SLA#1

  Click OK

You should now see the newly created rule above the default Implicit SD-WAN rule which was created
when the SD-WAN virtual interface enabled.

(Optional Task)

While we are here, let’s create another rule simply to demonstrate some of the traffic engineering
options based on the internet services database. In this task, we will create a rule that basically says,
anything that is identified as traffic going to Amazon; we want that traffic to use the interface with the
least latency.
  Go to Network -> SD-WAN Rules

 Click +Create New

 Name: Amazon-AWS

 Source Address: all

 User Group: leave blank

 In the Destination section, select Internet Service

Take note of all of the different Internet Services and Application Controls that are available.

 On the right panel, with Internet Services Tab selected, type Amazon in the search field

 Select Amazon.AWS

 Strategy: Select Best Quality

 Interface Preference: Select HQ_VPN1 and HQ_VPN2

 Measured SLA: DC_PBX_SLA#1

 Quality Criteria: Latency

 Click OK

Stop & Think

Question: In the real world, you would have many SD-WAN rules. You might even have several
rule for the same application. In what order will the SD-WAN rules be evaluated?

----------------------- Answer Section -----------------------

Answer: radio
Answer Text:
Rules are evaluated in the same way as the firewall policies: from top to bottom, using the first match.

Select the next objective to Continue.

Answer Key:
✘ 1. The rules will be evaluated based on the load balancing method
chosen. (Source IP, Source-destination IP, Spillover, Sessions, and
Volume )
✔ 2. The rules will be evaluated as they appear in the GUI, from top to
bottom
✘ 3. The rules will be evaluated as they appear in the GUI, from
bottom to top
✘ 4. The rules will be evaluated based on the amount of traffic passing
through the associated links
Objective: 9

Section: Measurement

Title: Recap

Points: 10

----------------------- Objective Section -----------------------

Objective Text:

RECAP

Let’s take a moment to recap what we’ve done so far.

At this point we’ve:
 Enabled SD-WAN and added HQ_VPN1 and HQ_VPN2 as members.

 Created a default route using the SD-WAN virtual interface

 Created some policies to allow traffic to flow through the SD-WAN interface in both directions.

 Created a Performance SLA (or Health check) to monitor the SD-WAN member links to the PBX
phone system over in HQ.

 Created a rule which will route the traffic over the preferred link based on the order of the links
in the Interface Preference section of the rule. The links will be evaluated as they appear in the
GUI from top to bottom.

All of which can be seen by running the following CLI command:

 click on the CLI icon from the top menu to connect to the CLI Console
  On the command line enter:

Show system virtual-wan-link (press the space bar to see more)

Pay particular attention to the priority-members setting. As you can see, it is set to use
HQ_VPN2 as the preferred link, and then HQ_VPN1 as its second option. They should appear in
the same order as they are in the GUI.

 Now run the following command:

diag sys virtual-wan-link service

Note: You may have more than one Service is you did the optional Amazon-AWS rule earlier.

This command shows which of the SD-WAN link members will actually be used for traffic flow, as
dictated by the settings in the rule. Seq_num(1) and seq_num(2) represent HQ_VPN1 and
HQ_VPN2 respectively. Based on the output shown in this screenshot, the traffic will be sent
over HQ_VPN1.

Stop & Think

the Softphone_PBX rule has its Interface Preference set to use HQ_VPN2 first, and then
HQ_VPN1 as the second option. So why does the diag sys virtual-wan-link service
command show the HQ_VPN1 member as the first option to select for the SD-WAN traffic?

Chose the best answer.

 ----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 3

Hint Text:
Other than the order of the link members in the Interface Preference section of the rule, what other
settings plays a part on which member the rule will use.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 2

Hint Text:
Unlike the Best Quality method, which selects the best link (as the name implies), a rule using the
Lowest Cost (SLA) method selects the link based on the order that it is displayed in the GUI so long as it
meets the SLA.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
The Best Quality method, selects the best link (as the name implies), but a rule using the Lowest Cost
(SLA) method selects the link based on the order that it is displayed in the GUI so long as it meets the
SLA.

If you recall, we had mentioned that we introduced 5ms of latency on the HQ_VPN2 link. And since the
default SLA setting used in the Softphone_PBX rule has a latency threshold of 5ms, HQ_VPN2 does not
meet the criteria for that SLA. So even though HQ_VPN2 is the preferred link, the system will look at
the next member in the list, which is HQ_VPN1. It meets the SLA criteria, so it is selected as the link to
handle the traffic.
Option 1, “HQ_VPN1 is selected because it has less latency than HQ_VPN2 is not the best answer
because if HQ_VPN2 had a latency of 4ms it would meet the rule’s SLA and so it would have been
selected because it is the preferred link. Even though HQ_VPN1 still had less latency than HQ_VPN2

Select the next objective to Continue.

Answer Key:
✘ 1. HQ_VPN1 is selected because it has less latency than HQ_VPN2
✔ 2. HQ_VPN1 is selected because HQ_VPN2 does not meet the performance SLA of the Softphone_PBX rule.
✘ 3. HQ_VPN1 is selected because it is the preferred link of the performance SLA
✘ 4. HQ_VPN1 is selected because it was the first link member added when SD-WAN was enabled
Objective: 10

Section: Measurement

Title: Testing Connection

Points: 0

----------------------- Objective Section -----------------------

Objective Text:

Testing the Connection

We are going to use SoftPhone software to establish a call between a computer in the Branch Office and
one in HQ.

But, before we make the call, lets first make sure that our HQ computer is awake and ready to receive
the call.

 From the CloudShare interface, select the Alice_Win10 tab (if you are in Full Screen mode, you
will need to exit it to see the CloudShare Tabs )

 You should automatically be logged in to the machine.

 Make sure that the softphone application is up and running. If it isn’t, click on the SoftPhone

Icon either on the task bar or on the desktop. no need to wait for it. You can move on
to the next step.

 Now, go back to the Jumpbox Server

 Click on the SoftPhone Icon either on the task bar or on the desktop. You may need
 to minimize the browser.

 Before trying to place the call, make sure that the SoftPhone is indicating that it is connected to
the PBX. It should read “On Hook”. This may take a minute or so.

 Enter extension 804 in the keypad, and click the phone icon to start the call

 Access the Alice_Win10 VM from the CloudShare browser interface and answer the call.
  Return to the Jumpbox Server. We can't actually hold a conversation due to the fact that these
SoftPhones are not connected to speakers and a mic, but we can at least see that the call has
been established.

 Open a command line and initiate a contiguous ping, by entering:

ping -t 10.38.218.5

Take note of the latency displayed in the ping returns. It should be approximately 1ms. Indicating that it
has chosen the path with the least latency.
In the previous objective, we used the CLI to show which SD-WAN interface member was the preferred
link. Now that we have some traffic flowing, we can also use the GUI to see which interface member the
traffic is flowing through.

 Navigate to FortiView > All Sessions.

 You should see that the traffic is passing through HQ_VPN1

----------------------- Answer Section -----------------------

Answer: none

Answer Text:
Answer Key:
Objective: 11

Section: Measurement

Title: Test SD-WAN Rules

Points: 10

----------------------- Objective Section -----------------------

Objective Text:

Testing the SD-WAN rules

Now we are ready to change the latency of the HQ_VPN1 interface using WANem, which is a WAN
emulator. It allows us to add latency, packet loss and jitter in order to emulate real world networks. In
order to see how the SD-WAN rule works, we are going to add a delay to the packets passing through
the gateway (representing the ISP) in the previous exercise.

 From the Jumpbox browser, click on the WANem bookmark

 Click on Advanced Mode add choose the eth1 interface from the dropdown menu and click on
the Start button. (it may take a moment for it to move to the next page. Be patient)

 Set the Delay Time to 100 ms

  Click on Apply Settings button

 To verify the settings have been correctly set click on the Check Current Status button.

This will open a new browser tab, where you should see the settings correctly applied against the
interface in question.

Once the settings are applied, go back to the command prompt window and review the ping output. You
should see the latency go up momentarily, and then settle back down to around 5ms (remember, this is
the latency that was deliberately added to HQ_VPN2 ).
Note: You may have to stop the ping and scroll up to see the point of transition.

You can also see that the timer on the softphone is still counting, indicating that we didn't drop the call.

 From the browser return to the Branch FortiGate web console and go to Network ->
Performance SLA, you should now see the increased latency on the respective port.

 To see the newly selected route for the SD-WAN rule we added connect to the CLI Console again
  To see the currently active link from the command line enter the command:

diag sys virtual-wan-link service

Note: The active link is now Seq_num(2) which has latency of 5ms and was previously the worst of the
two routes. Seq_num(1) latency now matches the 100ms we added in the previous step.

 To see the currently active link from the GUI, return to FortiView > All Session

Note: The traffic going out WAN_1 was generated when accessing the WANem site. That traffic does not
go through the SD_WAN interface.

(Optional Task)
  If you have time, go back to the WanEM interface and reduce the latency on eth1 back to 0 ms.
 go to Network -> Performance SLA, take note of the latency on the two links.
 Click Network -> Performance SLA again to refresh it. What do you observe?
 refresh the page a few more times.

Although we dropped the latency to 0ms on HQ_VPN1, it is not immediately reflected in the GUI
because the latency of a link is calculated as an average over time. It will take a few moments for it to
settle.

This is to prevent the system from shifting traffic back and forth in quick sequence over the different
links due to momentary spikes in latency. A condition known as flapping.

Stop & Think

When the WANen application was used to introduce 100ms to the HQ_VPN1 link, why did
HQ_VPN2 become the chosen interface for the SD-WAN traffic?

Chose the most correct answer.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 5

Hint Text:
refer to the hint and answer of objective 9

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
In this scenario, neither HQ_VPN1 or HQ_VPN2 meet the SLA criteria. The rule will therefore go with the
preferred link (based on the order that they are listed), which is HQ_VPN2
So option 3 is the correct answer.
Option 1 is not the correct answer because even if HQ_VPN2 had a latency of 120ms it would still be the
preferred link.

Option 2 is not the most correct answer as neither of the links meet the SLA.

Option 4 is not correct as the order the link members are added when SD-WAN is enabled has no
bearing on the rule’s preference order.

Select the next objective to Continue.

Answer Key:
✘ 1. HQ_VPN2 was selected because it has less latency than HQ_VPN1
✘ 2. HQ_VPN2 was selected because HQ_VPN1 does not meet the
performance SLA of the Softphone_PBX rule.
✔ 3. HQ_VPN2 was selected because it is the preferred link of the
Softphone_PBX rule.
✘ 4. HQ_VPN2 was selected because it was the first link member
added when SD-WAN was enabled
 Objective: 12
Section: Fortinet Fast Track
Title: Complete
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed

the SD-WAN hands-on exercises

Thank you for participating! We hope that you found this training of value.
To learn more about what the FortiGate can do, we encourage you to enroll in
the NSE 4 courses and pursue your FortiGate Certification.
----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key: