Lab 2: SD-WAN: Do Not Reprint © Fortinet
Lab 2: SD-WAN
Objectives
• Configure SD-WAN load balancing.
• Configure routes and firewall policies for SD-WAN.
• Verify SD-WAN load balancing.
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.
In this exercise, you will configure SD-WAN using the port1 and port2 interfaces on Local-FortiGate.
Before you can add port1 and port2 as SD-WAN member interfaces, you must remove all configuration elements
referencing the two interfaces.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Configure SD-WAN Load Balancing on page 39.
4. Click OK.
5. Click Policy & Objects > IPv4 Policy.
6. Select the Full_Access policy, and then click Delete.
7. Click OK.
Configure SD-WAN Load Balancing
You will configure SD-WAN load balancing for all Internet traffic between port1 and port2.
After you complete the challenge, see Create a Static Route for the SD-WAN Interface on page 41.
Field Value
Interface port1
Gateway 10.200.1.254
Status <enable>
5. In the SD-WAN Interface Members section, click the + sign again to add the second interface.
6. Configure the following:
Field Value
Interface port2
Gateway 10.200.2.254
Status <enable>
7. Click Apply.
8. Click Network > SD-WAN Rules.
9. Right-click the sd-wan rule, and then click Edit.
You will create a default route using the sd-wan virtual interface.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Create a Firewall Policy for SD-WAN Load Balancing on page 42.
Field Value
Destination Subnet 0.0.0.0/0.0.0.0
Interface SD-WAN
Administrative Distance 10
4. Click OK.
Create a Firewall Policy for SD-WAN Load Balancing
You will create the firewall policy to allow the Internet traffic to pass from port3 to the sd-wan interface.
Field Value
Name SDWAN_Access
Source LOCAL_SUBNET
Destination all
Schedule always
Service ALL
Action Accept
NAT <enable>
4. Click OK.
First, you will review the Local-FortiGate routing table to examine the routes installed for SD-WAN. Then, you will
use the CLI packet capture tool to verify whether or not FortiGate is load balancing HTTP traffic between the
SD-WAN member interfaces.
4. Verify that both default routes for port1 and port2 have the same distance value and are active in the routing
table.
After you create a static route for the SD-WAN interface, FortiGate automatically
adds individual routes, with the same distance value, for all member interfaces. This
ensures all routes will be active in the routing table, which makes them eligible for load
balancing.
2. On the Local-Windows VM, open new tabs in the web browser, and go to a few websites:
• http://www.pearsonvue.com/fortinet/
• http://cve.mitre.org
• http://www.eicar.org
3. Return to the open LOCAL-FORTIGATE PuTTY session, and press Ctrl+C to stop the sniffer.
4. Analyze the sniffer output.
The SYN packets are egressing both port1 and port2. This verifies that Local-FortiGate is now load
balancing all Internet traffic across SD-WAN member interfaces.
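The final check (SYN packets egressing both port1 and port2) can be scripted over saved sniffer output. This is an added example, not part of the Fortinet lab guide: the line format (a sniffer verbosity that prints interface name and direction), the function names, and the sample capture are assumptions, and the capture lines are constructed.

```python
import re
from collections import Counter

# Assumed line shape (sniffer verbosity that shows interface and direction):
#   1.204702 port1 out 10.200.1.1.52044 -> 203.0.113.10.80: syn 1182345210
LINE_RE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"\d+(?:\.\d+){3}\.\d+\s+->\s+\d+(?:\.\d+){3}\.\d+:\s+(?P<flags>.+)$"
)

def egress_syn_counts(sniffer_text, members=("port1", "port2")):
    """Count initial SYNs (SYN without ACK) leaving each SD-WAN member."""
    counts = Counter({m: 0 for m in members})
    for line in sniffer_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "out" or m["iface"] not in counts:
            continue  # header lines, ingress packets, non-member interfaces
        flags = m["flags"].split()
        if "syn" in flags and "ack" not in flags:
            counts[m["iface"]] += 1
    return dict(counts)

def is_load_balanced(counts):
    """True only when every member interface carried at least one new session."""
    return bool(counts) and all(n > 0 for n in counts.values())

# Constructed sample capture: three HTTP sessions from a host behind port3.
SAMPLE = """\
interfaces=[any]
1.204531 port3 in 10.0.1.10.52044 -> 203.0.113.10.80: syn 1182345210
1.204702 port1 out 10.200.1.1.52044 -> 203.0.113.10.80: syn 1182345210
1.251377 port1 in 203.0.113.10.80 -> 10.200.1.1.52044: syn 3321457781 ack 1182345211
1.251502 port3 out 203.0.113.10.80 -> 10.0.1.10.52044: syn 3321457781 ack 1182345211
2.618840 port3 in 10.0.1.10.52051 -> 198.51.100.20.80: syn 904411276
2.619012 port2 out 10.200.2.1.52051 -> 198.51.100.20.80: syn 904411276
3.100455 port3 in 10.0.1.10.52060 -> 192.0.2.30.80: syn 77120934
3.100610 port1 out 10.200.1.1.52060 -> 192.0.2.30.80: syn 77120934
"""

if __name__ == "__main__":
    result = egress_syn_counts(SAMPLE)
    print(result, "load balanced:", is_load_balanced(result))
```

A count of zero on either member means every new session left through one link, which points back to the SD-WAN member status or the routing table check earlier in the exercise.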