4. Migrating to an SD-WAN Solution on the FortiGate 6.0

Captions
Hey everyone, welcome back to another video here. My name is Devin Adams, I'm a Fortinet certified trainer in Tempe, Arizona for Dynamic Worldwide Training Consultants, and I record these videos for my students. So in our last few videos we were talking about load balancing our WAN traffic, and we did the traditional primary/backup link, we also looked at some equal-cost multi-path load balancing algorithms, we even went out of our way and created an SD-WAN lab. What that means is that we use these netem boxes here that we can adjust and tweak our traffic on for our simulated WAN links. Which brings us to our next one, which is migrating what we already have in the FortiGate to an SD-WAN solution.

Now here's the thing, guys: if you have a FortiGate out of the box and you're about to implement it into your production network, there's really no excuse not to use the SD-WAN features, even if you only have one interface that's a WAN-facing link, because essentially once you create that logical SD-WAN interface you can throw as many circuits as you want at it. The real tricky part is when you already have something in place and you want to migrate to an SD-WAN solution. Now the lab environment that I have here is actually the one that I was using in my NSE 4 studying impromptu lab, and we already have our WAN configured in a zone, with the static routes, with our link monitors, and everything's already in place. For us to just go to an SD-WAN solution is going to take some time; in other words, it's going to take some planning, some maintenance windows, some rollback windows, right? But of course we're in a lab environment, hahaha, so I'm going to wing it. So that's my goal for this video here: simply just to get the SD-WAN in our FortiGates and to switch over from our old WAN solution. The last video that I'll do, probably not tonight because it's already getting close to midnight here, is to explore the different SD-WAN rules. Now the whole point of this set of videos was not SD-WAN rules, so that's going to have to be something later on, there's way too much to it, but at least we can get a look at it, and because I did get a request for this from one of my past participants. So anyways, let me take a deep breath, whoo, and let's go ahead and do this.

So let's log in to our FortiGate right now and see what we have already going for us. Here's our Windows machine, let me just load up a web browser here and get to the FortiGate, 10.10.1.254, there we go, and I can use my LDAP credentials. Whoo, OK, getting a little loopy, guys, it's a little bit late, it's been a long day, but I need to get these videos wrapped up. So here we go, we've got our FortiGate, it's up, it's running, everything looks good. If we go to our Network you'll see here underneath our Interfaces that we have our port1 and port2 labeled primary and backup WAN, and they are zoned together. The whole idea of using a zone is to simply combine these two interfaces into a like security profile; in other words, they have identical security goals, so when we're writing our, wait for it, our IPv4 policies, instead of having all these redundant policies we can simply just say, hey, LAN going out to the WAN zone, let it happen, and we don't need to write twice as many firewall policies for the exact same goal. That's really the beauty of zones: it's going to simplify management and also the complexity of our firewall rules, because believe it or not, guys, in my personal opinion that's where we start screwing up as security professionals, when things get too complex, and that's when things get sloppy. So try to keep things simple, meaning use as few moving parts or as little configuration as you can to accomplish the same kind of security goals. Not saying simple as in lack of security.

So here's the thing. If we go to our Network now and we see SD-WAN here, we'll see that it's turned off. Now if you don't see this here, what you can do is go over to System, go over to Feature Visibility and just make sure that the SD-WAN feature is selected, which is turned on. That's all you need to do to see it, and all FortiGates support it as long as you're running the newer versions of FortiOS; in the older versions like 5.4 it's called the WAN link load balancer, and in fact you can find a couple of examples on my playlist there. So as long as we see that there, we can go over to Network, go to SD-WAN, and let's go ahead and enable it. Now as you can see we have our SD-WAN interface members, and that's the whole point here, guys: we're going to throw interfaces at this and it's going to abstract the difficulty of redundancy and failover, and you're going to see here in the next video we can do some really cool rules.

But let's go ahead and add our interfaces, and as you can see here we have a problem: port1 and port2, are they there? No, they are not. So here's your first catch, here's the first caveat: if the interfaces you want to drop in the SD-WAN are in use, you cannot add them to the SD-WAN. So if the interfaces on the FortiGate are already being referenced, either by routes or by firewall rules or by NAT rules, you can't do it. So where do we start with the migration process here? I'm going to challenge myself, just because, you know, I don't have a life and this is what I guess admins do by themselves in the middle of the night: I'm going to put a loop, I'm going to just ping out to Google here, and I'm going to try not to drop a single packet while I'm doing this. But obviously in the real world you'll have a plan, you'll test things, you'll roll it out in a maintenance window, whatever.

The first place that we want to start, though, is that we want to come to Interfaces, and down here you'll see that port1 and port2 are being referenced three times. We need to have that as 0 in order to drop it into our SD-WAN solution. Now we have a primary and we have a backup, and that's fortunate, and right now it is participating in the equal-cost multi-path from our last example. So the very first thing I'm going to do, after I check the 3 here, is remove our link monitor that we had on these two connections. Why? We don't need it anymore, and you're going to see that here, because our performance SLAs are the link monitor, just a GUI, more advanced version of it. So I'm going to pop out my terminal here and I'm going to do a config system link-monitor, and if I do a show you'll see that we have two of them. I'm simply going to delete wan1 and then also delete wan2, and then do an end to commit it, because the last thing I want is for, you know, links to start dropping and stuff like that. So that is done, and oops, let me go ahead and hit refresh here. Now that I've taken off the link monitors, look what happened: our 3 went down to 2. Now you can select this number and it will pop over here and say, hey, you have a static route and you also have a system zone that's referencing this, and if we hit the 1 over here you'll see that it's a firewall policy. Now we don't want to lose Internet connectivity, and let me check my ping status here, things are still good, so I'm going to remove port2 from the zone and it's going to be the first one that I drop into the SD-WAN. That way our primary stays up and we don't lose connectivity. So let's go ahead and do this. The first thing I'm going to do is come to Static Routes, I'm going to find my backup WAN and I'm going to delete that static route. Now that that's deleted I should be able to go up to Interfaces now and remove it from the zone.

Here we go, I'm going to come here, I'm going to hit Edit, see the members, I'm going to remove wan2, and it was able to do it. I'm actually going to take the opportunity right now, just for kicks, just for giggles: I don't really need that as "backup WAN", I'm just going to simply say wan2 for my alias. And there you guys go, we've now removed it from our port1 and also from our WAN zone, and if you notice it did not affect our connectivity at all. Now we can actually do the SD-WAN. So let's go over to the SD-WAN, let's enable it, and we're going to drop, what, oh look at that, wan2. So the first thing we have to do is tell it where the next hop is; this is what's going to kind of be, like, you know, on the other side of whatever's terminating our connection. In our lab environment that was, come on num lock, that was .254, and we hit Apply and it says it saved it successfully. What's nice here too is that you get a usage monitor, and nothing is passing through there right now, and that's OK. I'm going to go ahead and hit Apply one more time just for good luck. The next step we have to do now is write the static route, and that is true even if you're using the SD-WAN rules: you still need that quad zero in there. So I'm going to say, if you're trying to go out to the Internet, I need you to use what interface? Now we're going to use our SD-WAN, and we're going to hit OK. "You cannot have duplicate SD-WAN and non-SD-WAN interfaces." Ooh, interesting, I did not know that, OK. So it's not letting me do that: you cannot have duplicated routes on SD-WAN and non-SD-WAN interfaces. So let me try and change the administrative distance. Nope, it won't. You know what, guys, I did not know if that was going to work or not, and I guess it won't, so that's OK. I just don't know if I can still keep up, we might have some downtime here. I can at least write the firewall rule, though, so let's do that.

Let me hit Cancel. Now nothing's going to happen, unfortunately, until I write the route, but I should still be able to write a firewall policy for this, and what's nice is that you can come here and you can actually just copy and paste this bad boy right below it. As you can see, it made an identical firewall policy, it's just disabled. So I'm going to double-click to edit it, but now I'm going to say, hey, you know what, instead of going out the WAN zone I want you to go down the SD-WAN, and keep everything identical, and also enable this policy. I'm going to call this "SD-WAN internet access". So now we at least have the firewall policies that are able to push out both of them. Now I don't know if I'm going to... it's going to drop, guys, I know for a fact it's going to drop. It shouldn't have been dropping that fast, though; that's probably my lab environment. Anyways, I'm going to have to do some kind of cutover, it looks like. I was hoping I could have two default routes there, and I guess I can't. So here we go, we're going to have to have some downtime, because we're going to have to delete that quad zero before we can do it. So at least everything's set up, right, at least everything's ready for that cutover, so let's try it. Sorry, guys. Ready? Let's go down to our Static Routes, and I guess it doesn't want me to have this quad zero here, so here we go, are you guys ready? Oh, makes me so nervous. There we go, and now I can just simply say OK. Whew, how many packets did I drop? Too many, oh that's horrible, guys: 1, 2, 3, 4, 5, 6, 7, people are calling up saying they can't get to their interwebs. Now here's the thing about these timeouts right here, guys: this is probably just my lab environment, to be honest with you. What I really wanted was to see how many packets I dropped, 5 I think it was. But here's the beauty, are you ready? To add that primary one in there, to add it into our SD-WAN, all we do is come in here now and just add that additional interface, and we just say, hey, where is it? Oh that's right, I've got to take it out of the zone. Here we go, no big deal. So we plug this up, we hit Edit, I think I edited the interface, dang it, that's OK because I wanted to call this wan1 anyways. There we go, then I also want to edit, remove it, there we go, and we should now be able to delete this zone. Oh, I have to delete the firewall policy before I can delete the zone itself, but at least I can now stick that primary one into the SD-WAN, give it the next hop, which will be the other side of our Internet connection, there we go, hit Apply, boom baby, there you go, and now we have both of those connections up.

Now how is it actually load balancing traffic? Well, we'll get there in just a moment. As you can see, though, did I really take out my command prompt here? Sorry about that, guys. If you can see here, I mean we haven't lost any kind of connection after the fact, because it's always been up and running, which is nice. Now I'm going to take out that firewall policy that we don't need anymore, which is going to be this guy right here, so we'll go ahead and delete the policy, and now that we've deleted the policy it's no longer being referenced, therefore we can delete the zone itself and clean up shop. So as you guys can see, it's going to be a little bit more work than just starting out with it from the get-go, but after that, I mean we can literally throw as many circuits as we want at this thing, and like I said, these timeouts here, guys, are probably my lab environment. And there you guys go: now the SD-WAN is almost treated like an interface, so you just have to make sure that you have the static route for it, boom, and you also have the firewall policy for it, and you saw that we just did a little copy there to make it really easy. There you guys go, it is now using an SD-WAN solution. So I'm going to stop it right there with my video, but just to kind of keep things a little bit more clean here, if we go to our Network now and we go to our SD-WAN Rules, there is our load balancing algorithm that you saw me use in the ECMP example. So remember how we had Source, we also had Source-Destination, we had Spillover, and we had Weighted, which is now called Sessions, but we also have this new one called Volume, which I'll talk about. Here, because we have so few machines, I'm going to load balance between the source and destination IP address instead of just source, so that way each connection going out will get a different interface, load balanced between the two. Let's just test that out before we end this video. So let's go to "make Internet noise" and we'll make some noise, there we go, and let's just make sure that it's using both of the interfaces. We're going to come up here to our FortiView once again, and what I like about using the session table in the GUI, guys, is that you don't have to bombard your logging just to take a look at whether it's distributing the traffic, or use any kind of weird sniffer commands. Here we go, and if we look over here, all the way, see how we have peppered throughout it wan2, wan1, wan2, wan1? So it is load balancing between the two. What's also nice, which we didn't have in the ECMP example, is if we go to our Monitor now and we go to SD-WAN Monitor you can see that it is up. Now you're not seeing anything here because we haven't built any link monitors for it, but if that's the case you can always go to Network, go to SD-WAN itself, and scroll down to look at the utilization by bandwidth, by volume, by session distribution. I mean, how cool is that, guys? So I'm going to end it right there. As you saw, we migrated from our zone solution to an SD-WAN solution and dropped about five packets while doing so. See, you can do a single interface just to kind of future-proof it down the road, and then that way you can throw circuits at it, more circuits at it.

You know what, in fact, why don't we do that real quick? Or should I wait till the next video? You know what, forget it, I'm going all out on this, are you guys ready? We're going to do port3, because remember we had our extra connections here. Oops, come on, there we go, see our port3 and our port4? Why don't we add those, just for giggles, here's an Internet connection. So we plug it in and give it the next hop, we hit Apply, we go to port4, we give it a next hop of .254, we hit Apply. I mean, look at that: as this refreshes itself it should start utilizing those other connections as it goes out to different sources. There it goes, see that, guys? Oh come on, that's cool, everyone just calm down, that is just awesome. I mean, look how easy it is, and that's the whole beauty about the SD-WAN here: also failover is now automatic, and you're going to see in the next video, I'll probably not do it tonight, it's too late, maybe I will, I'm not too sure, haha, we're going to see here how we can write rules to point traffic specifically down certain pipes, and even do some kind of SLAs there to guarantee that we pick the best connection no matter what. So hopefully someone found that helpful, especially the person who I made this for, and yeah, I'll see you guys in the next video. Take care.
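The migration the video performs click by click in the GUI, written out as FortiOS 6.0 CLI so the ordering constraints (reference count must reach zero, one default route only) are explicit. This is an added example, not configuration from the video or from Fortinet. It assumes the WAN ports are port1 through port4 and the LAN interface is named "lan"; the gateway addresses are constructed placeholders (the video only shows a .254 next hop). It goes one step past the video by adding the SD-WAN health check that stands in for the deleted link monitors.

```fortios
# Starting point, as in the video (names are the ones used below): zone "WAN" holds
# port1 and port2, link monitors "wan1"/"wan2" watch them, static routes 1 and 2 are
# the ECMP default routes out of port1/port2, and firewall policy 1 allows "lan" to
# the "WAN" zone. Gateway addresses and the "lan" name are constructed placeholders.

# Step 1: drop the link monitors; an SD-WAN health check replaces them in step 7.
config system link-monitor
    delete "wan1"
    delete "wan2"
end
# Step 2: free the backup port. Its reference count must reach 0 before SD-WAN
# accepts it, so its route goes first, then its zone membership.
config router static
    delete 2
end
config system zone
    edit "WAN"
        set interface "port1"
    next
end
# Step 3: enable SD-WAN and add port2 with its next hop. port1 still carries traffic.
config system virtual-wan-link
    set status enable
    config members
        edit 2
            set interface "port2"
            set gateway 198.51.100.254
        next
    end
end
# Step 4: the copied policy, identical to policy 1 except that it exits via the
# SD-WAN interface, which the CLI names "virtual-wan-link".
config firewall policy
    edit 2
        set name "SD-WAN internet access"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# Step 5 (the only step with an outage): a default route on a plain interface and
# one on the SD-WAN interface cannot coexist, so route 1 is deleted and recreated.
config router static
    delete 1
    edit 1
        set device "virtual-wan-link"
    next
end
# Step 6: free port1 (old policy, then the now-unreferenced zone), add it and the
# two spare ports, then pick source/destination IP hashing as done in the video.
config firewall policy
    delete 1
end
config system zone
    delete "WAN"
end
config system virtual-wan-link
    config members
        edit 1
            set interface "port1"
            set gateway 203.0.113.254
        next
        edit 3
            set interface "port3"
            set gateway 192.0.2.254
        next
        edit 4
            set interface "port4"
            set gateway 100.64.0.254
        next
    end
    set load-balance-mode source-dest-ip-based
    # Step 7: the performance SLA that takes over from the deleted link monitors;
    # the video leaves this for a later episode, it is included here so the
    # SD-WAN monitor has link status to show.
    config health-check
        edit "ping-8.8.8.8"
            set server "8.8.8.8"
            set members 1 2 3 4
        next
    end
end
# Verification: every member listed with its gateway, and a single default route
# whose device is virtual-wan-link.
diagnose sys virtual-wan-link member
get router info routing-table all
```

Each `end` commits its block, so the steps can be pasted one block at a time with a ping running, exactly as the video does it. The reference count shown under Network > Interfaces is what steps 2 and 6 drive to zero, and the GUI error "cannot have duplicate SD-WAN and non-SD-WAN interfaces" is why step 5 must delete the existing default route before the SD-WAN one can exist; that is the step to schedule inside the maintenance window.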
Info
Channel: Devin Adams
Views: 13,753
Keywords: SD-WAN, Migration, Load Balancing, WAN, FortiGate
Id: EBIFbagYIB4
Length: 21min 32sec (1292 seconds)
Published: Mon Sep 09 2019