FortiGate Infrastructure: Software-Defined WAN
Software-Defined WAN
FortiOS 6.0.0
© Copyright Fortinet Inc. All rights reserved. Last Modified: Sunday, October 04, 2020
Lesson Overview
Introduction to Software-Defined WAN (SD-WAN)
SD-WAN Performance SLA
SD-WAN Rules
SD-WAN Diagnostics
Introduction to Software-Defined WAN (SD-WAN)
Objectives
• Identify use cases for SD-WAN
• Identify the implementation requirements for SD-WAN
• Configure SD-WAN virtual link and load balancing
• Configure static routes and firewall policies for SD-WAN
What is SD-WAN?
• Virtual interface consisting of a group of member interfaces that can be connected
to different link types
• Allows effective WAN usage with various load balancing algorithms
• Supports link quality measurement
o Dynamic link selection based on link quality
o Ensures high availability of business critical applications
(Diagram: a Branch Office with several WAN links, including 3G/4G, reaching the HQ/Datacenter and SaaS services)
Enterprise SD-WAN Use Cases: MPLS Migration
(Diagram: Branch connected over MPLS to the Private Cloud and the Provider Cloud; Business Apps are reached through the Provider Cloud, and the Public Cloud is reached through the Internet)
• MPLS dependency: inflexible and expensive, but good QoS
• Traffic is secured in the MPLS
• All traffic is routed through MPLS circuits; breakout in the provider cloud for all traffic
• QoS applied for business apps
Enterprise SD-WAN Use Cases: MPLS Backup with Local Breakout
(Diagram: Branch with an MPLS link and an IPsec VPN over the Internet to the Private Cloud, plus direct Internet access to the Public Cloud)
• Critical apps (voice and video): the best path is chosen depending on latency, jitter, and packet loss; traffic is redirected to a new tunnel in case the WAN conditions are worse than the threshold
• Business apps: load balanced across different lines so bandwidth is optimized
• Direct secure access to Internet, SaaS and IaaS content; load balanced if needed
Enterprise SD-WAN Use Cases: MPLS Replacement
(Diagram: Branch with two IPsec VPN tunnels over the Internet to the Private Cloud, replacing MPLS, plus direct Internet access to the Public Cloud)
• Critical apps (voice and video): the best path is chosen depending on latency, jitter, and packet loss; traffic is redirected to a new tunnel in case the WAN conditions are worse than the threshold
• Business apps: load balanced across different lines so bandwidth is optimized
• Direct secure access to Internet, SaaS, and IaaS content; load balanced if needed
SD-WAN Configuration
• Specify at least two member interfaces and their associated gateways
o Member interfaces must not be referenced by any other configuration element (for example, routes or
policies) when they are added
o Supports aggregate, VLAN, and IPsec interfaces
• An implicit rule is automatically generated for balancing the traffic
Network > SD-WAN (screenshot: the list of member interfaces)
SD-WAN Load Balancing Methods
• Source IP (default)
o Sessions from the same source IP address use the same interface.
• Source-destination IP
o Sessions with the same source and destination IP pair use the same interface.
• Spillover
o Use one interface until its threshold is reached; then, use the next interface.
• Sessions
o The number of sessions distributed to each interface is determined by the interface weights.
• Volume
o Sessions are distributed so that the traffic volume carried by each interface is proportional to the interface weights.
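The following is an added example, not code from the Fortinet course: a small simulator of the five load-balancing methods described above, run over constructed sessions so the difference between them is visible. Member names, weights, the spillover threshold and the flows are all assumptions; FortiOS's internal hashing and accounting are not public, so the selection logic models the described behaviour rather than the exact implementation.

```python
# Added example (not part of the Fortinet slides): simulator of the five SD-WAN
# implicit-rule load-balancing methods. Members, weights, thresholds and flows
# are constructed; the selection logic models the described behaviour only.
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 1            # used by the "sessions" and "volume" methods
    spillover_bytes: int = 0   # constructed per-member threshold for "spillover"
    sessions: int = 0          # bookkeeping: sessions assigned so far
    volume: int = 0            # bookkeeping: bytes assigned so far


def _sticky_pick(key: str, members: list[Member]) -> int:
    """Hash a flow key to a member index so the same key always lands on the same
    member. sha256 is used because Python's hash() is salted per process."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % len(members)


def select_member(method: str, members: list[Member], src: str, dst: str, size: int) -> str:
    """Pick the egress member for one new session and update that member's counters."""
    if method == "source-ip":
        idx = _sticky_pick(src, members)
    elif method == "source-dest-ip":
        idx = _sticky_pick(f"{src}->{dst}", members)
    elif method == "spillover":
        # Use members in configured order; move to the next one only once the
        # current member has reached its threshold. If all are full, the last stays.
        idx = len(members) - 1
        for i, m in enumerate(members):
            if m.volume < m.spillover_bytes:
                idx = i
                break
    elif method == "sessions":
        # Weighted by session count: lowest sessions/weight wins, ties to the earlier member.
        idx = min(range(len(members)), key=lambda i: (members[i].sessions / members[i].weight, i))
    elif method == "volume":
        # Weighted by bytes: lowest volume/weight wins, ties to the earlier member.
        idx = min(range(len(members)), key=lambda i: (members[i].volume / members[i].weight, i))
    else:
        raise ValueError(f"unknown load-balance method: {method}")
    chosen = members[idx]
    chosen.sessions += 1
    chosen.volume += size
    return chosen.name


def simulate(method: str, members: list[Member], flows: list[tuple[str, str, int]]) -> dict[str, tuple[int, int]]:
    """Run every (src, dst, bytes) flow through select_member; report (sessions, bytes) per member."""
    for src, dst, size in flows:
        select_member(method, members, src, dst, size)
    return {m.name: (m.sessions, m.volume) for m in members}


# Constructed flows: three branch hosts opening eight sessions of 400 bytes each.
FLOWS = [
    ("10.0.1.10", "93.184.216.34", 400),
    ("10.0.1.11", "151.101.1.69", 400),
    ("10.0.1.10", "151.101.1.69", 400),
    ("10.0.1.12", "93.184.216.34", 400),
    ("10.0.1.10", "93.184.216.34", 400),
    ("10.0.1.11", "93.184.216.34", 400),
    ("10.0.1.12", "151.101.1.69", 400),
    ("10.0.1.11", "151.101.1.69", 400),
]


def new_members() -> list[Member]:
    # wan1 is weighted 3:1 over wan2; both spill over after 1000 bytes (constructed values).
    return [Member("wan1", weight=3, spillover_bytes=1000),
            Member("wan2", weight=1, spillover_bytes=1000)]


if __name__ == "__main__":
    for method in ("source-ip", "source-dest-ip", "spillover", "sessions", "volume"):
        print(f"{method:15s} {simulate(method, new_members(), FLOWS)}")
```

With the 3:1 weights, both the sessions and volume methods put six of the eight sessions on wan1; spillover fills wan1 until it passes 1000 bytes and then moves everything to wan2; the two hash-based methods keep a given source (or source-destination pair) pinned to one member regardless of load.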
SD-WAN Virtual Interface
• The sd-wan virtual interface is automatically created
o All static routes and firewall policies must be configured using this virtual interface
SD-WAN Routes in the Routing Table
Network > Static Routes
Even though you must configure routes using the sd-wan virtual interface, FortiGate installs individual routes for the member interfaces in the routing table.
Knowledge Check
1. Which method of load balancing is supported by SD-WAN but not supported by
ECMP routing?
A. Sessions
B. Volume
SD-WAN Performance SLA
Objectives
• Configure SD-WAN performance SLA
• Identify how FortiGate measures link quality
Performance SLA
Network > Performance SLA (screenshot: SLA Targets section)
Performance SLA - Link Health Monitor
Network > Performance SLA
• Status Check is renamed Performance SLA
• You can use two servers to test the quality of a link
• You can specify which SD-WAN members this SLA applies to
• Use an IP address or FQDN of a server located beyond the ISP gateway
Available protocols through the CLI:
o ping: PING link monitor
o http: HTTP-GET link monitor
o tcp-echo: TCP echo link monitor
o udp-echo: UDP echo link monitor
o twamp: Two-Way Active Measurement Protocol
Link Quality Measurements
• The status check (performance SLA) also measures the link quality of each member interface based on
latency, jitter, and packet loss percentage
Performance SLA - SLA Targets
Network > Performance SLA
• You can specify multiple SLA targets in one performance SLA
• FortiGate automatically disables static routes for inactive interfaces, and restores the routes on interface recovery
SD-WAN Performance SLA CLI Configuration
# config system virtual-wan-link
# set status enable
# config health-check
# edit <name>
# set protocol [ ping | tcp-echo | udp-echo | http | twamp ]
# set threshold-warning-packetloss <percentage>
# set threshold-alert-packetloss <percentage>
# set threshold-warning-latency <ms>
# set threshold-alert-latency <ms>
# set threshold-warning-jitter <ms>
# set threshold-alert-jitter <ms>
# config sla
# edit <id>
# set link-cost-factor [latency | jitter | packet-loss]
# set latency-threshold <integer> (0 - 10000000, default = 5)
# set jitter-threshold <integer> (0 - 10000000, default = 5)
# set packetloss-threshold <integer> (0 - 100, default = 0)
# next
Notes:
• set protocol selects the alternate status check protocols that are not available on the GUI.
• Warning and alert thresholds for the different link quality measurement metrics can be configured on the CLI.
• Multiple SLA targets with different values can be configured on the GUI and the CLI.
Knowledge Check
1. Which one of the following link attributes is used in SD-WAN link quality
measurements?
A. Cost
B. Latency
2. Which of the following status check protocols is only available from the CLI?
A. TCP-Echo
B. HTTP
SD-WAN Rules
Objectives
• Identify SD-WAN rule matching criteria.
• Configure dynamic link selection based on link quality.
SD-WAN Rules
Network > SD-WAN Rules
• Route traffic through the member interfaces with the best link quality
o Link quality measured based on latency, jitter, or packet loss percentage
• Rules can match traffic based on:
o Source IP address, destination IP address, or port number
o Internet services database (ISDB) address object
o Users or user groups
o Type of service (ToS)
Example from the screenshot: Skype traffic will be dynamically routed to the member interface with the least amount of latency.
SD-WAN Rules - Internet Services
Destination Type > Internet Services (screenshots: Internet Service and Application Control destinations)
SD-WAN Rules - Best Quality
Network > SD-WAN Rules
SD-WAN Rules
• SD-WAN rules are evaluated in the same way as the firewall policies: from top to
bottom, using the first match
o Application-specific rules are listed first; the implicit rule sits at the bottom and load balances whatever the rules above it did not match
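The following is an added example, not code from the Fortinet course. It ties together the two slides above on SLA targets and SD-WAN rules: it evaluates constructed health-check measurements against an SLA target (the defaults match the config sla defaults on the page), then walks a rule list top to bottom, first match, and picks the egress member by the rule's link-cost-factor. The Rule and Flow fields, the member names, the measurements and the rules are all assumptions for illustration; the real FortiOS data structures are not modelled.

```python
# Added example (not part of the Fortinet slides): SLA target evaluation plus
# first-match SD-WAN rule selection over constructed data. All names, fields and
# measurements are assumptions for illustration.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkStats:
    """One health-check result for a member: latency (ms), jitter (ms), packet loss (%)."""
    latency: float
    jitter: float
    packetloss: float


@dataclass(frozen=True)
class SlaTarget:
    """Mirrors the config sla thresholds; defaults follow the CLI defaults on the page."""
    latency_threshold: float = 5
    jitter_threshold: float = 5
    packetloss_threshold: float = 0


def meets_sla(stats: LinkStats, target: SlaTarget) -> bool:
    return (stats.latency <= target.latency_threshold
            and stats.jitter <= target.jitter_threshold
            and stats.packetloss <= target.packetloss_threshold)


def sla_status(results: dict[str, LinkStats], target: SlaTarget) -> dict[str, bool]:
    """Per-member SLA verdict for one performance SLA."""
    return {name: meets_sla(s, target) for name, s in results.items()}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    user: str | None = None
    tos: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    members: tuple[str, ...]              # candidate members, in configured order
    link_cost_factor: str = "latency"     # latency | jitter | packet-loss
    src: str | None = None                # CIDR; None = any
    dst: str | None = None                # CIDR; None = any
    dport: int | None = None              # None = any
    users: frozenset[str] = frozenset()   # empty = any user
    tos: int | None = None                # None = any


def _in_net(addr: str, cidr: str | None) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    """Every criterion that is set on the rule must match; unset criteria match anything."""
    return (_in_net(flow.src, rule.src)
            and _in_net(flow.dst, rule.dst)
            and (rule.dport is None or rule.dport == flow.dport)
            and (not rule.users or flow.user in rule.users)
            and (rule.tos is None or rule.tos == flow.tos))


_COST = {
    "latency": lambda s: s.latency,
    "jitter": lambda s: s.jitter,
    "packet-loss": lambda s: s.packetloss,
}


def select_egress(rules: list[Rule], results: dict[str, LinkStats], flow: Flow) -> tuple[str, str | None]:
    """Return (rule name, member). Rules are tried top to bottom, first match wins.
    Members with 100% loss are treated as down (their routes would be disabled) and
    skipped; if nothing matches, the implicit rule is the fallthrough."""
    for rule in rules:
        if not matches(rule, flow):
            continue
        alive = [m for m in rule.members if m in results and results[m].packetloss < 100]
        if not alive:
            return rule.name, None
        cost = _COST[rule.link_cost_factor]
        best = min(alive, key=lambda m: (cost(results[m]), rule.members.index(m)))
        return rule.name, best
    return "implicit", None


# Constructed measurements: wan2 has the lowest latency but the worst jitter; wan3 is down.
RESULTS = {
    "wan1": LinkStats(latency=38.0, jitter=2.0, packetloss=0.0),
    "wan2": LinkStats(latency=21.0, jitter=9.0, packetloss=1.0),
    "wan3": LinkStats(latency=0.0, jitter=0.0, packetloss=100.0),
}
# Constructed rules; note "web" is above "finance", so a CFO HTTPS flow matches "web" first.
RULES = [
    Rule("voip", members=("wan1", "wan2", "wan3"), link_cost_factor="jitter",
         src="10.0.1.0/24", dport=5060),
    Rule("web", members=("wan1", "wan2"), link_cost_factor="latency", dport=443),
    Rule("finance", members=("wan1",), users=frozenset({"cfo"}), dst="203.0.113.0/24"),
]

if __name__ == "__main__":
    print(sla_status(RESULTS, SlaTarget(latency_threshold=50, jitter_threshold=5, packetloss_threshold=1)))
    print(select_egress(RULES, RESULTS, Flow("10.0.1.10", "198.51.100.5", 5060)))
```

The voice flow lands on wan1 because the rule's cost factor is jitter, even though wan2 has lower latency; the same flow under a latency-based rule would go to wan2. Rule order matters exactly as it does for firewall policies: a more specific rule placed below a broader one is never reached for traffic the broader rule already covers.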
Knowledge Check
1. Which of the following is an SD-WAN rule matching parameter for traffic sources?
A. User groups
B. IPS signatures
2. You can configure SD-WAN rules to choose the egress interface based on which
one of the following parameters?
A. Cost
B. Latency
SD-WAN Diagnostics
Objectives
• Monitor SD-WAN link usage
• Monitor SD-WAN link quality status
• Verify SD-WAN traffic routing
SD-WAN Usage Monitor
Network > SD-WAN
• Real time SD-WAN usage monitor
o View SD-WAN traffic distribution by bandwidth or volume
• The monitor shows, per member interface:
o Volume of traffic sent and received
o Number of sessions passing through
o Bandwidth utilization
SD-WAN Link Status Monitoring
Network > Performance SLA
Verify SD-WAN Traffic Routing
• Use the Forward Traffic logs or the packet capture tool to verify traffic routing
Log & Report > Forward Traffic
The sniffer filter in the screenshot matches any packets with the SYN flag on, so the sniffer output shows all SYN packets to port 443 (HTTPS).
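The following is an added example, not code from the Fortinet course: a parser for the packet capture tool's verbosity-4 output that reports which SD-WAN member each outbound SYN left on, which is the check the slide above describes. The sample output is constructed, and its line format (timestamp, interface, direction, source.port -> destination.port: flags, with the sequence number after syn) is assumed from FortiGate verbosity-4 output, as is the capture command quoted in the comment.

```python
# Added example (not part of the Fortinet slides): parse verbosity-4 sniffer output
# and attribute outbound SYNs to SD-WAN members. SAMPLE_OUTPUT is constructed and
# its format is an assumption about FortiGate verbosity-4 output.
from __future__ import annotations

import re
from collections import Counter

# Assumed capture command:  diagnose sniffer packet any 'tcp[13]&2==2 and port 443' 4
# Ingress lines show the pre-NAT source; egress lines show the post-NAT source.
SAMPLE_OUTPUT = """\
interfaces=[any]
filters=[tcp[13]&2==2 and port 443]
0.512345 port1 in 10.0.1.10.51234 -> 93.184.216.34.443: syn 2367459622
0.512401 wan1 out 198.51.100.2.51234 -> 93.184.216.34.443: syn 2367459622
0.560000 wan1 in 93.184.216.34.443 -> 198.51.100.2.51234: syn 2796963599 ack 2367459623
1.020111 port1 in 10.0.1.11.40001 -> 151.101.1.69.443: syn 1122334455
1.020180 wan2 out 203.0.113.7.40001 -> 151.101.1.69.443: syn 1122334455
2.300500 port1 in 10.0.1.10.51240 -> 151.101.1.69.443: syn 99887766
2.300577 wan1 out 198.51.100.2.51240 -> 151.101.1.69.443: syn 99887766
"""

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.+)$"
)


def parse_sniffer(text: str) -> list[dict]:
    """Turn packet lines into dicts; the interfaces=/filters= header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = float(d["ts"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        packets.append(d)
    return packets


def _is_pure_syn(flags: str) -> bool:
    # The SYN-flag filter also matches SYN-ACK replies; count only client SYNs.
    return flags.startswith("syn") and "ack" not in flags


def egress_syn_count(text: str, members: tuple[str, ...]) -> dict[str, int]:
    """Count outbound client SYNs per SD-WAN member; members with no traffic show 0."""
    c = Counter(p["iface"] for p in parse_sniffer(text)
                if p["dir"] == "out" and _is_pure_syn(p["flags"]))
    return {m: c.get(m, 0) for m in members}


def egress_member_for(text: str, dst: str, dport: int, seq: str) -> str | None:
    """Find the member a specific SYN left on, keyed by destination and the TCP
    sequence number, which survives source NAT while the source address does not."""
    for p in parse_sniffer(text):
        if (p["dir"] == "out" and p["dst"] == dst and p["dport"] == dport
                and p["flags"].split()[:2] == ["syn", seq]):
            return p["iface"]
    return None


if __name__ == "__main__":
    print(egress_syn_count(SAMPLE_OUTPUT, ("wan1", "wan2")))
    print(egress_member_for(SAMPLE_OUTPUT, "151.101.1.69", 443, "1122334455"))
```

Verbosity 4 is what makes this possible: it is the level that prints the interface name on each line, so the ingress and egress legs of one SYN can be paired and the member interface read off the out line.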
Knowledge Check
1. Which of the following should be used to monitor the session distribution across
the SD-WAN member interfaces?
A. SD-WAN Link Status monitor
B. SD-WAN Usage monitor
2. When verifying SD-WAN traffic routing with the CLI packet capture tool,
which verbosity level should you use?
A. 1
B. 4
Review