How to configure SD-WAN in FortiGate Firewall

Captions
Hi guys, this is Dorch. Today I will show you step by step how to configure SD-WAN on a FortiGate firewall. SD-WAN allows networks to connect more easily to the internet, other networks, data centers and/or multiple clouds with lower latency, better performance and more reliable connectivity. The key idea behind SD-WAN is to use software to dynamically direct traffic across a wide area network based on the most efficient path available, which can include multiple connection types such as broadband, fiber, MPLS (Multiprotocol Label Switching) and others.

Let's begin. For this demo we will use this FortiGate 60F device, which is running firmware version 7.4.1. Let's first check the network interfaces. I currently have two WAN connections: WAN1 is DHCP and WAN2 has a fixed IP address. After we successfully configure the SD-WAN, we will configure PPPoE on the port4 interface as my third WAN link and then add it to the SD-WAN virtual interface. Let's check WAN1: as you can see, the addressing mode is DHCP, so I automatically received this IP address. For WAN2 I set the IP address manually. If we check the Ref. column, notice that WAN1 has one reference and WAN2 has two. For the WAN interfaces that you want to be members of the SD-WAN, make sure they are not in use in any firewall policies; if in use, you cannot configure them as SD-WAN members. You can click on the reference number for more details, or hover your cursor over it to view them; you can see the policy name, policy ID, etc. Let's check WAN2: we have one firewall policy and one static route. If we check the firewall policies, we can see that we have one policy for WAN1 and one policy for WAN2. We have two options: we can either delete the policy or change the interface. I usually change it to a different interface, especially if it's a special or complex policy, so there is no need to recreate the policy after we configure the SD-WAN. We use any of the unused interfaces, since this is only temporary. Again, it's based on your preference; you can delete the policy and then recreate it again later.

Now let's check the interfaces again. Notice that WAN1 now has zero references, so we can use this interface to configure the SD-WAN. For WAN2, let's leave it for now so you can see the difference.

Now let's configure the SD-WAN. Go to SD-WAN. You can see the default virtual SD-WAN interface, which is the virtual-wan-link. Notice it's grayed out, and if you hover your cursor over it, it shows disabled; this will automatically be activated once we add an interface. If we click Create New, we have two options: SD-WAN Member, to add an interface to the default SD-WAN virtual interface, or SD-WAN Zone, to create a new SD-WAN zone. We will use the default for now; later on I will show you how to create a new zone. For the interface, we will choose the interface which is going to be a member of the SD-WAN, which in our case is WAN1. For the SD-WAN zone, again we will use the default for now; you can choose a different zone if you have one. The gateway will be added automatically since this interface is DHCP, unless you want to change the gateway IP address, in which case you need to specify it. For cost and priority we will leave the defaults. Make sure the status is enabled, then click OK to apply. Notice that the virtual-wan-link is now active after we added a member. You can click the plus sign to expand it and see the members of this zone. You can also see the details here: the gateway, cost, download and upload.

Next we will add another member, which is WAN2. Again, click Create New and choose SD-WAN Member. Notice that WAN2 is not on the list; this is because it is still in use in a firewall policy. Let's check the firewall policy: you can see that WAN2 is still bound to a policy. We can either change it to a different interface or delete the policy. Let's go back to the SD-WAN tab and refresh the window. We will try to add it again: Create New, SD-WAN Member. WAN2 is now available, since it's no longer tied to any policy. Since I manually configured this interface's IP address, I also need to manually specify the gateway; the gateway is the ISP router's IP address. We will leave cost and priority at their defaults, make sure the status is enabled, then click OK to apply the changes. From here you can already see the members of the SD-WAN, which are WAN1 and WAN2. You can also click the plus sign on the virtual interface to view the members. If you want to modify the gateway IP address, you can also do it from here.

Next we will configure the default route. Go to Static Routes. This was my default static route for WAN2; since WAN2 is already a member of the SD-WAN, we can delete this entry. Select it, choose Delete, and click OK to proceed. Let's now create a static route for the SD-WAN zone. Click Create New; for the interface, choose the SD-WAN zone. You can hover your cursor over it to view the details and see the members of this SD-WAN zone. The destination would be Subnet; leave it at the eight zeros (0.0.0.0/0.0.0.0), which means all, or the internet. You can leave a comment if you want. Make sure the status is enabled, then click OK to apply the changes. We can see the new default route: the destination is all zeros, or the internet; the gateway IP is blank because there are multiple interfaces in this zone; the interface is the SD-WAN zone; the status is enabled by default; and the distance is 1. If you want to change the distance, double-click on the entry and choose Edit in CLI, where you can modify the distance based on your preference.

Now let's go back to SD-WAN and go to the Performance SLAs tab. Here are the default SLA entries. We can delete these entries and then create a new one; we need to delete them one by one. Let's now create a new SLA: click Create New. Since this entry is to ping Google DNS, we will give it the name "Ping Google DNS" for our reference. Probe mode is Active. For the protocol we will choose Ping; you can choose different protocols if you prefer. The server IP would be Google DNS, which is 8.8.8.8. We can add more servers; we can add the Cloudflare DNS. Best practice is to add more servers for failover purposes: if it fails to ping the primary server, then it will fail over to the secondary server. For the participants we can leave it at All SD-WAN Members, or you can tick Specify and manually add the SD-WAN members, which in my case are WAN1 and WAN2. Tick SLA Target to enable it. For the latency threshold we will set it to 50, so if the link latency goes over 50 ms, it's considered degraded. The same goes for the jitter threshold: if it goes over 10 milliseconds, it's considered degraded. And of course zero packet loss. Next is the link status: the check interval is 500 milliseconds, which is two times per second, and if there are five consecutive probe failures in a row, it will consider that link inactive. You can hover your cursor over the information icon to view the details. It will bring that link back up as active after it receives five consecutive probe responses in a row. Also, when the probes are lost on an interface, any static routes associated with that WAN interface will be removed. Click OK to apply the changes. For a few seconds the entry will be grayed out and you will see question marks; wait for the entry to initialize, then refresh the page. Now you can see that the interfaces are up, and the packet loss percentage. You can also see the latency threshold, which is around 5 milliseconds, the jitter threshold, which is around 0.20 milliseconds, and the failure and recovery thresholds, which are five checks. From the graph you can see that my connection is very stable; this is because I'm using fiber for both lines.

Now let's configure the firewall policy. This was the firewall policy for which we earlier changed the outgoing interface; we will modify this policy again. If we check the outgoing interface, WAN1 and WAN2 are no longer in the list. Once we configure the SD-WAN, we can no longer use those WAN member interfaces to configure a firewall policy; instead we use the SD-WAN zone interface. Click OK to apply the changes.

Let's create a new policy. This will be a very basic policy just to allow the LAN network to access the internet. Let's give it the name "LAN to Internet". The incoming interface would be internal; for the outgoing interface we will choose the SD-WAN interface (you can hover your cursor over it to view the members). The source would be the internal or LAN network, the destination all, the schedule always, and the service ALL. NAT should be enabled. Now choose the security profiles based on your preference; I just use the default profiles for this demo. For Log Allowed Traffic I personally choose All Sessions for troubleshooting purposes. Click OK to apply the changes. I will also just create a new policy for the guest network. We have now configured the firewall policy using the SD-WAN zone interface.

Now let's go back to SD-WAN and go to the SD-WAN Rules tab. This is where you specify the outgoing interface based on your preference; it's like a hybrid version of policy-based routing, or PBR. Let's create a new rule: click Create New. For this policy I want this computer to access the internet through WAN1, so we will give it the name "Jack to WAN1". Make sure the status is enabled. First would be the source: for the address I will choose this computer's address, which is Jack. You can also use an address group if you want. Next is the destination; you can choose either Address or Internet Service based on your preference. I want this computer to access anything, so I will choose Address and choose all. You can also specify the protocol number if you prefer; I will leave it at Any so that I can access anything. Next is the outgoing interface. Choose the interface selection strategy: choose Manual if you want to manually assign the outgoing interface; choose Best Quality if you want to select the interface with the best measured performance; lastly there is Lowest Cost. For this demo we will choose Best Quality. For the interface preference, again I prefer this user to pass through WAN1, so I will choose WAN1; you can choose Zone Preference if you want to use the SD-WAN zone. Next is the measured SLA; we will choose the performance SLA we created earlier, which is Ping Google DNS. For the quality criteria we will choose Latency; you can choose different options based on your preference. Click OK to apply the changes. We received an error, "input value is invalid"; we will remove the spaces, or we will simply give it the name "Jack" to make it simple. We have now configured a new SD-WAN rule for a specific user. This user, Jack, can access anything through the WAN1 interface; if the WAN1 interface is down or doesn't meet the criteria, then it will automatically fail over to WAN2. No worries, we will do a test later on.

Next we will create an SD-WAN rule for the rest of the internal users. We can give it the name "LAN". The source address would be internal; the destination address would be all, since I want to allow everything. We will also choose Best Quality. For the interface preference we can choose our preferred interface for this rule; I want WAN2 to be the primary, so I will put it on top. If WAN2 is down or doesn't meet the criteria, then it will automatically fail over to WAN1. We can also use the performance SLA that we created earlier; the quality criteria will be Latency. Click OK to apply the changes. I also created another rule for the guest network. Let's refresh the page and go back to SD-WAN Rules. If you notice, there are check marks on some of the interfaces in each rule; this means traffic is running through those interfaces. You can see that rule number one is going through WAN1, rule number two is going through WAN2, and rule number three is going through WAN2 as well. You can also see the hit count and last update time.

Let's do a test. We will first check my laptop's IP address: you can see that I have the IP address 10.255.255.254. It's the Jack address that is running on rule number one, and the outgoing interface is WAN1. We will do a continuous ping to google.com. Now let's go to Network > Interfaces to disable the WAN1 interface. Let's check the command prompt: notice that we don't have any packet loss. If we go back to SD-WAN Rules, we can see that the WAN1 interface is physically down and all the traffic failed over to WAN2. Let's go back to Network > Interfaces to enable WAN1, assuming that the connection has been restored. Let's wait for it to receive an IP address, since this interface is DHCP. Now WAN1 is back online; notice that we also don't have any packet loss. Let's go back to SD-WAN Rules: notice that the traffic automatically failed back over to WAN1. Let's check the firewall policy; you can see that it's running on those firewall policies. Again, we only configure the SD-WAN rule to define our preferred outgoing interface, apply load balancing, etc.

I hope by now you know how to configure SD-WAN. Well, that's all for today's demonstration, and I really hope you like this video. If you are new to my channel, please don't forget to like, share, subscribe and click on the notification bell for more amazing tutorials. Thank you and see you in the next video.
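The same build, expressed as a FortiOS CLI script so it can be reviewed, diffed and reapplied. This is an added example, not part of the video and not Fortinet's documentation. It assumes the interface names wan1, wan2 and internal, the address objects Jack and LAN-subnet (the video uses the internal subnet here), and 203.0.113.1 as the WAN2 ISP gateway (a documentation address standing in for the real one); the WAN1 gateway is omitted because DHCP supplies it. Syntax follows FortiOS 7.4 `config system sdwan`; check it against your firmware before pasting.

```text
# --- 1. Free the WAN interfaces first (as in the video): any firewall policy
#        or static route that references wan1/wan2 must be changed or deleted,
#        or the 'set interface' lines below are rejected.

# --- 2. SD-WAN members and health check
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            # no 'set gateway': learned from DHCP
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1      # assumed ISP router address
        next
    end
    config health-check
        edit "Ping Google DNS"
            set detect-mode active
            set protocol ping
            set server "8.8.8.8" "1.1.1.1"   # primary Google, secondary Cloudflare
            set interval 500                 # ms, two probes per second
            set failtime 5                   # 5 lost probes -> link dead
            set recoverytime 5               # 5 answered probes -> link alive
            set update-static-route enable   # withdraw routes on a dead member
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 50
                    set jitter-threshold 10
                    set packetloss-threshold 0
                next
            end
        next
    end
    # --- 4. SD-WAN rules: 'Best Quality' in the GUI is mode 'priority';
    #        priority-members lists the preferred member first.
    config service
        edit 1
            set name "Jack"                  # no spaces (the GUI rejected "Jack to WAN1")
            set mode priority
            set src "Jack"
            set dst "all"
            set health-check "Ping Google DNS"
            set link-cost-factor latency
            set priority-members 1 2         # wan1 preferred, wan2 on failover
        next
        edit 2
            set name "LAN"
            set mode priority
            set src "LAN-subnet"
            set dst "all"
            set health-check "Ping Google DNS"
            set link-cost-factor latency
            set priority-members 2 1         # wan2 preferred, wan1 on failover
        next
    end
end

# --- 3. Default route via the zone (no gateway: the members carry their own)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
        set distance 1
    next
end

# --- 5. Firewall policy egresses via the zone, not the member interfaces
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Two points worth keeping in mind when you apply this. The SD-WAN rule only steers traffic that a firewall policy has already allowed, so keep the policy's source scoped to the LAN subnet rather than `all`; the rule is not an access control. And the thresholds above mark a link as "not meeting SLA" without taking it down: only the five lost probes from the health check make a member dead, which is why the video's failover test showed no loss even though the switch happened on physical link state. After applying, `diagnose sys sdwan health-check` shows the measured latency, jitter and loss per member, and `diagnose sys sdwan service` shows which member each rule is currently using.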
Info
Channel: IgoroTech Official
Views: 4,716
Keywords: how to configure sd wan in fortigate firewall - google.com, how to configure sd wan in fortigate firewall - youtube.com, sd wan configuration, configure sd wan, sdwan, sd wan, how to configure sd wan, fortigate sd wan, tutorial, tutorials, beginners, step by step, fortinet firewall, fortigate, setup, set up sd wan, how to configure sd wan on fortigate - youtube.com, how to configure sd wan on fortigate - google.com, guide, step by step tutorial, sd wan configuration on fortigate firewall
Id: K9IUwPXTt3U
Length: 15min 48sec (948 seconds)
Published: Wed Dec 13 2023