FortiGate 7.0 - How to Configure SD-WAN

Video Statistics and Information

Captions
Hey everybody, welcome to today's video. Today we're going to be talking about how to configure an SD-WAN on a FortiGate firewall in the 7.0 firmware.

All right, so the first thing that we're going to do when we get in here is we're going to go to the menu and we're going to go to Network, Interfaces. One of the cool things that Fortinet is doing is they automatically change the SD-WAN zone. If you remember, back in older versions of FortiOS this interface was actually named SD-WAN, and they opted in the 7.0 firmware to go with SASE. For those of you who aren't familiar with that, that is what Fortinet is branding as a Secure Access Service Edge. So that's going to be the interface that we're going to be working with today, and we're going to be putting WAN1 and WAN2 into that SD-WAN interface.

All right, so we're going to go over here to the SD-WAN menu and we are going to create a new member. It's important to note that you cannot add an interface here if it is already being referenced. If you look at WAN1 over here, it has one reference, so because it's being referenced we are not going to be able to add it into the SD-WAN. So we're going to add a new member, and we're going to do WAN2, and we're going to put it in the SASE interface. The interface is going to be DHCP, so I'm going to see how this looks after I plug it into the WAN, or into the actual ISP. Right now this is sitting up in my studio and I'm configuring it from port 1, so we're going to just leave it at 0.0 for right now.

Then we're going to go to our Policy & Objects and we're going to change our WAN policy from going to WAN1 to going to the SD-WAN interface. Then we're going to go back to Network, SD-WAN, and I should be able to create a member with WAN1 on the SASE, which is also going to have a DHCP when something, uh, it should pull the gateway, hopefully, after we get this configured.

All right, so now we have two interfaces, WAN1 and WAN2, and we're going to use this, then we can create our SD-WAN rules. These aren't separate menu items in the 7.0 firmware, it appears. Keep in mind as you're going through this, this is me kind of going flying into 7.0. I haven't really messed with 7.0 yet, so we're going to learn this stuff together. In some previous iterations the SD-WAN menus were over here, so now they opted to put them at the top. So this is where you're creating the WAN zones, and then we're going to create the WAN rules and performance SLAs. That's the fun part.

All right, so let's enable WAN access to manage the firewall, and I'll take it downstairs to my ISP connection and I will get it plugged into the internet.

All right, so I went downstairs and I hooked up port three of my ONT into WAN1 of the firewall. I put my network equipment on my middle shelf because I have kids, and the Xboxes and video game controllers are all going to get thrown on the top shelf. So I'm going to put my network equipment on the middle shelf and I'm going to put my servers and stuff on the bottom shelf.

Then over here, when we got the WAN interfaces connected, I actually hooked up my Comcast ISP2. So we're going to go into LAN1 and we're going to set the alias to the internet provider, and we're going to set our estimated bandwidth. This is a gigabit connection. I don't know why this is measured in kilobits, but whatever. The cool thing was that because they were set to DHCP, they automatically picked up their IP, their gateway, et cetera. So we have this enabled, so we're going to hit OK. Yes, I know I'm currently connected to this interface. Then on WAN2, this is going to be Comcast, and let's see, they're 200, and these are going to be measurements that are used in the Security Fabric. The modem for this is not bridged, so it's picking up a private IP. So this is going to be our secondary route out. It's going to double that, and we're going to hit OK.

So now that we've got that configured, both of those are in our SASE interface. I did have to set the static route before I was able to actually connect to this thing from outside, and that is what this setting is. The actual option for the gateway in the GUI is a little bit buggy, but when you turn it onto the SD-WAN it actually doesn't require the gateway, and then inside the SD-WAN both of these interfaces picked up their gateway via DHCP. If you notice, you're seeing a lot of stats here, so we can turn on bytes sent/received status.

All right, so all these are enabled right now. We can go into our SD-WAN rules. If you notice here, the GUI is a little bit glitchy, but if we give this a maximum weight of 255 it should get 100% of the traffic unless that fails. So this is our implicit rule.

Then we can go in here and we can create our performance SLAs. A good one that a lot of people use is to ping Google. Let's see if that's in here. Default DNS, okay, that's a good one. Gmail, google.com. All right, so this is going to be an HTTP check. You can also do DNS checks. All SD-WAN members are participants. SLA targets: you don't want more than 250 millisecond latency or 50 millisecond jitter or 5% packet loss. It's going to check every one second, five failures before it inactivates that link. So now we can see these health checks over here and we can see both of them side by side. There's a little bit more latency and jitter, nothing too major, no packet loss.

Now let's set up a ping check to Google DNS, 8.8.8.8 and 8.8.4.4. SLA targets, we'll do 500, 50, 5% packet loss. We're going to check it every one second and we will update the static routes.

All right, so now we have three triggers that will fail over. If DNS fails, it will fail the link over. If HTTP to google.com fails, it will fail over. If pings to the DNS servers fail, it will fail over. And it's set to automatically update the static route, so based on the routes in here it will switch over as needed. We've got very low traffic here. I don't really have anything behind this firewall to generate traffic right now, so we can come back to this later on after we build the LAN out a little bit, but for now this is a basic SD-WAN configuration.

If you want to set one as the primary, and then if you want to set specific applications or whatever, so anything that's sanctioned, let's say that you're going to your Microsoft shop, so you're going to use Office 365. So we could say all traffic to Microsoft Office 365, Microsoft Azure, or the other miscellaneous Microsoft services, Microsoft updates. We want the strategy for that to be the best quality. And if we have costs, you can calculate in your WAN costs. Let's say that you're paying, you know, 300 a month for your gigabit link and you have to pay for overages, or if Comcast has you pay for overages, you can put costs on these interfaces and you can optimize how your traffic flows through the LAN to minimize your monthly bill. These links are free for me, so I'm just going to say that the preference is our fiber network, and we're going to measure the SLA of Google DNS before it fails over the link. All right, so this is, say, "optimize microsoft services", and apparently I can't create spaces in here anymore. There we go, optimize microsoft services. And there is our SD-WAN rule, and these are our performance SLAs that we can use to create rules off of, and it will switch between the interfaces in these zones.

Now another side note that I probably should mention is we enabled management on the WAN interfaces, which means they're accessible via the public internet. So what we need to do is go into our administrators. We're going to go into System, Administrators and we're going to set up trusted hosts, and that's what we're going to do for now. Eventually we're going to turn management off of the WAN, but until we build our LAN interfaces and set up some networks internally, management tunnels, VPN, we want to set up trusted hosts to keep our firewall from getting broken into while we have management enabled on the WAN ports.

And that is your basic SD-WAN configuration with two internet links, and how you can set up rules to optimize your business flow based on performance SLAs that you set. If you made it to the end of the video, I appreciate you. Go ahead and hit that thumbs up, click subscribe, and turn on notifications, because I'm going to be building out an entire enterprise network and you don't want to miss it. Catch you on the next video.
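Added example (not from the video or from Fortinet): a small audit of a FortiOS configuration backup for the condition described in the closing side note, management protocols allowed on WAN interfaces while an administrator account has no trusted host. The sample configuration is constructed, the interface names `wan1`/`wan2` are assumed, and only IPv4 `trusthostN` entries are checked.

```python
MGMT = {"http", "https", "ssh", "telnet"}
# Constructed sample in FortiOS backup syntax (not taken from the video).
SAMPLE = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "wan2"
        set allowaccess ping
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 203.0.113.10 255.255.255.255
    next
end
"""

def parse(text, wanted):
    """Return {section: {entry: {key: [values]}}} for the top-level sections in `wanted`."""
    out, stack, entry = {}, [], None
    for raw in text.splitlines():
        tok = [t.strip('"') for t in raw.split()]
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))       # nested blocks push depth to 2+
        elif tok[0] == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and stack[0] in wanted:
            if tok[0] == "edit" and len(tok) > 1:
                entry = out.setdefault(stack[0], {}).setdefault(tok[1], {})
            elif tok[0] == "set" and entry is not None and len(tok) > 1:
                entry[tok[1]] = tok[2:]
    return out

def audit(text, wan_ifaces):
    """Return (WAN interfaces exposing management, admins with no IPv4 trusted host)."""
    cfg = parse(text, {"system interface", "system admin"})
    exposed = {}
    for name, e in cfg.get("system interface", {}).items():
        protos = sorted(MGMT & set(e.get("allowaccess", [])))
        if name in wan_ifaces and protos:
            exposed[name] = protos
    unrestricted = sorted(
        name for name, e in cfg.get("system admin", {}).items()
        if not any(k.startswith("trusthost") and v[:1] != ["0.0.0.0"] for k, v in e.items()))
    return exposed, unrestricted
```

Any account in the second result can be logged into from any source address that reaches an interface in the first result.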
Info
Channel: Connelly Ventures
Views: 771
Keywords: fortigate, fortigate7.0, firewall, dns, dynamicdns, cybersecurity, fortiswitch, fortios, fortios7.0, fortiswitch7.0, fortinet
Id: s-Gn_1HxhrU
Length: 12min 6sec (726 seconds)
Published: Fri Oct 01 2021