
DO NOT REPRINT

© FORTINET
Lab 2: SD-WAN

In this exercise, you will configure SD-WAN on Local-FortiGate.

Objectives
- Configure SD-WAN load balancing.
- Configure routes and firewall policies for SD-WAN.
- Verify SD-WAN load balancing.

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > SDWAN > local-sdwan.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

FortiGate Infrastructure 6.0 Lab Guide 37


Fortinet Technologies Inc.
Exercise 1: SD-WAN

In this exercise, you will configure SD-WAN using the port1 and port2 interfaces on Local-FortiGate.

Remove Interface References

Before you can add port1 and port2 as SD-WAN member interfaces, you must remove all configuration elements
referencing the two interfaces.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254 | admin/password), remove all firewall policies and routes
referencing port1 and port2.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Configure SD-WAN Load Balancing on page 39.

To remove interface references


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Network > Static Routes.
3. Select the port1 default route, and then click Delete.

4. Click OK.
5. Click Policy & Objects > IPv4 Policy.
6. Select the Full_Access policy, and then click Delete.

7. Click OK.

Configure SD-WAN Load Balancing

You will configure SD-WAN load balancing for all Internet traffic between port1 and port2.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254), complete the following:

- Configure SD-WAN members with the following configuration:
  - port1 with Gateway 10.200.1.254.
  - port2 with Gateway 10.200.2.254.
- Edit SD-WAN Rules to use Source-Destination IP as the load-balancing method.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Create a Static Route for the SD-WAN Interface on page 41.

To configure SD-WAN load balancing


1. Continuing on the Local-FortiGate GUI, click Network > SD-WAN.
2. Set Status to Enable.
3. In the SD-WAN Interface Members section, click the + sign to add the first interface.

4. Configure the following:

Field       Value
Interface   port1
Gateway     10.200.1.254
Status      <enable>

5. In the SD-WAN Interface Members section, click the + sign again to add the second interface.
6. Configure the following:

Field       Value
Interface   port2
Gateway     10.200.2.254
Status      <enable>

The SD-WAN configuration should look like the following example:

7. Click Apply.
8. Click Network > SD-WAN Rules.
9. Right-click the sd-wan rule, and then click Edit.

10. Set Load Balancing Algorithm to Source-Destination IP.


11. Click OK.

Create a Static Route for the SD-WAN Interface

You will create a default route using the sd-wan virtual interface.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254), configure a default route using the sdwan interface.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Create a Firewall Policy for SD-WAN Load Balancing on page 42.

To create a static route for SD-WAN


1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:

Field                     Value
Destination               Subnet, 0.0.0.0/0.0.0.0
Interface                 SD-WAN
Administrative Distance   10

4. Click OK.

Create a Firewall Policy for SD-WAN Load Balancing

You will create a firewall policy to allow Internet traffic to pass from port3 to the sd-wan interface.

To create a firewall policy for SD-WAN load balancing


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following settings:

Field                Value
Name                 SDWAN_Access
Incoming Interface   port3
Outgoing Interface   SD-WAN
Source               LOCAL_SUBNET
Destination          all
Schedule             always
Service              ALL
Action               Accept
NAT                  <enable>

4. Click OK.

Verify the SD-WAN Load Balancing Configuration

First, you will review the Local-FortiGate routing table to examine the routes installed for SD-WAN. Then, you will
use the CLI packet capture tool to verify whether or not FortiGate is load balancing HTTP traffic between the
SD-WAN member interfaces.

To review the routing table


1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved
session.
2. At the login prompt, enter the user name admin and password password.
3. Enter the following command to confirm the list of active routes in the routing table:
get router info routing-table all

4. Verify that both default routes for port1 and port2 have the same distance value and are active in the routing
table.

After you create a static route for the SD-WAN interface, FortiGate automatically
adds individual routes, with the same distance value, for all member interfaces. This
ensures all routes will be active in the routing table, which makes them eligible for load
balancing.

To verify the SD-WAN load balancing configuration


1. Continuing on the open LOCAL-FORTIGATE PuTTY session, enter the following CLI command:
diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4

2. On the Local-Windows VM, open new tabs in the web browser, and go to a few websites:
- http://www.pearsonvue.com/fortinet/
- http://cve.mitre.org
- http://www.eicar.org
3. Return to the open LOCAL-FORTIGATE PuTTY session, and press Ctrl+C to stop the sniffer.
4. Analyze the sniffer output.

The SYN packets are egressing both port1 and port2. This verifies that Local-FortiGate is now load
balancing all Internet traffic across SD-WAN member interfaces.

5. Close the PuTTY session and your browser.
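
The analysis in step 4 can be scripted. The following is an added example, not part of the lab guide: it parses saved sniffer output, counts the pure SYNs leaving each SD-WAN member, and lists any destination seen on more than one member. The sample lines and their addresses are constructed, and the code assumes the verbosity-4 line layout `time interface in/out src.port -> dst.port: flags` and a single client, so that Source-Destination IP keeps each destination on one member.

```python
import re
from collections import defaultdict

# Constructed sample of verbosity-4 sniffer output (addresses are made up).
SAMPLE = """\
filters=[tcp[13]&2==2 and port 80]
2.101334 port3 in 10.0.1.10.49801 -> 192.0.2.10.80: syn 1116271543
2.101390 port1 out 10.200.1.1.49801 -> 192.0.2.10.80: syn 1116271543
2.140112 port1 in 192.0.2.10.80 -> 10.200.1.1.49801: syn 2746381 ack 1116271544
5.310877 port3 in 10.0.1.10.49805 -> 198.51.100.20.80: syn 3327194005
5.310921 port2 out 10.200.2.1.49805 -> 198.51.100.20.80: syn 3327194005
7.554023 port3 in 10.0.1.10.49809 -> 192.0.2.10.80: syn 887120034
7.554069 port1 out 10.200.1.1.49809 -> 192.0.2.10.80: syn 887120034
"""

LINE = re.compile(
    r"^\d+\.\d+ (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.\d+: (?P<flags>.*)$"
)

def egress_syns(text, members=("port1", "port2")):
    """Map each member interface to the destination IPs of the SYNs it sent."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["dir"] != "out" or m["intf"] not in members:
            continue
        flags = m["flags"].split()
        # The lab filter also matches SYN/ACK replies; keep pure SYNs only.
        if flags[:1] == ["syn"] and "ack" not in flags:
            seen[m["intf"]].append(m["dst"])
    return dict(seen)

def check(text, members=("port1", "port2")):
    """Per-member SYN counts, plus destinations seen on more than one member."""
    per_intf = egress_syns(text, members)
    dst_to_intf = defaultdict(set)
    for intf, dsts in per_intf.items():
        for dst in dsts:
            dst_to_intf[dst].add(intf)
    return {
        "counts": {i: len(per_intf.get(i, [])) for i in members},
        "all_members_used": all(per_intf.get(i) for i in members),
        "split_destinations": sorted(d for d, s in dst_to_intf.items() if len(s) > 1),
    }

if __name__ == "__main__":
    print(check(SAMPLE))
```

If `all_members_used` is false after browsing to several different sites, recheck the member gateways, the SD-WAN static route, and the load-balancing algorithm.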
