My FortiGate SDWAN Configuration and Some Use Cases

Captions
Let's do an overview of SD-WAN and see what benefits you get from Software Defined WAN. Stay tuned. [Music]

Hey guys, Mike here from Fortinet GURU. You guys all know me, you know I love outside zone, inside zone. I throw my WAN interfaces in the outside zone and let it ride. I usually use some manual type of health check that I configure myself that has no real SLA tied to it, and I also usually use policy routes if I want traffic to go over a link that I consider more desirable for that traffic type. Now obviously that's an incredibly manual way of doing it. Well, Mikey has gotten another internet provider installed at his home office, so I'm gonna dive in and do a high level overview of how I have SD-WAN configured at my house, use cases that make sense to everybody else, and what we can do to help make life better with that. People have made comments that they wish to see more on-screen tutorials, which is absolutely understandable, and that's what we're gonna do in this video.

I have here my FortiGate, my home FortiGate, my 80E-POE (we almost forgot my own model). Anyways, I have it running 6.4.1. Don't run it in production, but I'm running it at my house because it's a house unit and it only has three people. It has the support, though; it does have about sixty devices on that network. But anyways, like I said, I have dual internet at the house now. I have a one gig symmetrical fiber line, and then I have a one gig down, fifty meg up cable (come on, cable, fiber can't be beating you that bad, right?). Anyways, I have that set up for a backup link. Reason why I did this: fiber is incredibly reliable, at least it has been for me, but I do live in a new-construction neighborhood and the fiber has gone out at times. So due to the fact that I work from home a great deal, my wife does as well, and my kids have to do their schooling from home, I decided I need some high availability configuration from an internet perspective. That way if one dies, the other one picks up the load.

So a couple of things about my particular setup. One, I have those two gigabit lines; they're not equal though. The fiber has lower jitter, the fiber has faster latency, and it's just a better circuit, not to mention it's one gig symmetrical. The cable modem, though, has a gig down, 50 meg up, and it certainly does whatever I need it to. So what I'm going to do now is I want to dive into my FortiGate 80E-POE, which is my home unit. I'm gonna make sure to block my IP addresses so you guys don't start harassing me, but it is what it is. So I'm gonna log in to my unit here, and as you can see, Pruett HQ, that is my house. I have dual internet links, I'm running SD-WAN, it's running 6.4.1 in all of its glory and all of its limitations, but that is what it is, right? So we're sitting here, and as you can see I have my AT&T fiber through U-verse, and it's just got its links and it's pushing anywhere between 0 and 50 megabits depending on what we're streaming, and then of course I have my cable modem that is serving a very specific function for this video. If you actually look at the SD-WAN monitor, you can see both links are up, the number of sessions that are going across each link, the amount of upload and download that each one is using.

So if we jump into Network, and instead of going to Interfaces we're gonna look at SD-WAN Zones. Both of these connections are DHCP, which means I do not have static IPs. The benefit of the fiber line is that the IP is actually tied to the physical port I'm plugged into at the tap, so as long as my fiber doesn't get cut and I stay in that port, I'm good. So if you look here, you guys know I love zones. I love them. It's amazing, great organization. I hated SD-WAN in 6.2 because you have a single SD-WAN interface, you throw all your interfaces in there, which means if you had WAN interfaces and IPsec interfaces they were all in the same group. It was ugly, it was gnarly, I didn't like it. 6.4 brings on the ability to have SD-WAN zones, which means you could actually group SD-WAN members into specific zones and use those for policies and routes. And what that means is you can have multiple IPsec interfaces that give you the ability to have their own SD-WAN zone for the IPsec tunnels, so traffic that's meant for IPsec can go over those links; you can have SD-WAN interfaces or zones specifically for your internet connectivity, etc., etc.

Now why do we want SD-WAN? Well, SD-WAN gives you the ability to do things with less expensive direct internet access circuits, IPsec tunnels and things like that, where you would normally have to buy higher quality private lines like MPLS circuits, T1s, direct point-to-point, et cetera. Internet's getting faster, internet's getting cheaper, the quality of internet is also getting better, latency and jitter is improving, especially as we have more fiber providers, so it just makes sense to use less expensive links to provide the SD-WAN functionality that you need.

So we're sitting here, right? As you can see I have an outside zone. I created an outside zone and I threw each one of my connections in it, so it's simple: my outside zone, the internet, the outside. So we threw it in there: AT&T fiber, cable modem. Now if we double-click this you can see they're just members too. Or if you wanted to add an SD-WAN member, you just go to Create New SD-WAN Member and you choose the link. For instance, mine used to have, you know, wan1 and cable modem listed here, but of course they're zone members already so they're not there anymore. If I were to add another link and hung it off wan2, we just click this, say what its gateway is, assign it to the appropriate zone, and be on my way. But anyways, so step one: create your SD-WAN zone. Cool. Step two: create your SD-WAN members with the links that you wish to be a member of that zone. If you have a whole bunch of IPsec tunnels that are gonna load internal private networks, add each one of those as an SD-WAN interface separately, assign them to an SD-WAN zone, boom, you're good to go. You can set your SLAs and things of that nature.

So I have an SD-WAN zone; mine is incredibly simple. I have my outside zone that has my two internet connections in it. Next I decided to define SD-WAN rules. SD-WAN rules are what you use to define what traffic goes over which link. Very, very simple. They are basically policy routes, really, that's pretty much what they are: highly configurable policy routes, but policy routes nonetheless. As you can see here, my top rule is Pruett primary (my last name is Pruett, I called my network the Pruett LAN, I'm not very creative, oh well). Pruett LAN, 10.100.100.0/24: if you are on the Pruett LAN I want your primary member to be the fiber. Now if the fiber link were to fail, this route, this policy, would not be used; it would use the link that's still existing. My Internet of Things Out policy, which is my IoT network (I know, shocking, very simple, very, very creative, right?), anyways, my IoT network going to any destination, use the cable modem as the preferred interface, and that's the number of hits for that. And then of course Guest Out. I have a third SSID that hangs off my Ubiquiti UniFi APs (Ubiquiti, I think I said that right, I always butcher that name, Southern drawl messes it up). Anyways, as you can see I have guest Wi-Fi and it's told to go out the cable modem as well.

Now your policies can be fairly granular. You can come in here, name your policy whatever you want. If you have Fortinet single sign-on or LDAP integration, you can actually define user groups, so maybe you have a whole bunch of people you don't like: send them out the crappy link, man, it is what it is, it's your network, right? So you can define your source address, your source user group, and more importantly you can actually assign destination addresses, internet services or applications, which gives you the ability to say if you're going to this destination, go over this link; if you're going to this internet service, go over this link; if you're using this application, you should use this specific link. And then of course you can choose your outgoing interfaces via a plethora of strategies. The four main ones are manual, which means you just assign the outgoing interface; best quality; lowest cost; or maximum bandwidth. All of these have a short little, you know, description explaining exactly what they are. All of mine are currently using interface preferences because that's the way I like to do it. And then of course you can set SLAs, and then you click OK and your policy's built. Mine are fairly simple; I do not do anything by application right now.

Next you have your performance SLAs. This is how you rate your link quality, this is how you assign quality to your link, this is how you assign preference, this is how you say this link is better than the other one. It's very simple, and there's three major criteria. If you go in here, I have one called Google. It's quad 8; it's as simple as it comes. Is this 100% reliable? No. I recommend having multiple DNS servers in there, specifically so if one goes down you at least have a higher quality list, right? But for my purposes this works, and you know, it's my house, I only care about what works for me. So what we have here is I'm using the DNS protocol for my SLA, I'm specifying the server as quad 8 because that's what I care about. I want to use Google; they use multicast, anycast, all kinds of cast, whatever it is, it's broadcast everywhere, it's relatively reliable, right? If this was a production environment for an enterprise I would probably say bump this puppy up and use a couple more just to be safe. But you can use ping, HTTP and DNS. DNS has been fairly reliable for me. My SLA target: these are the three things that I'm able to set my SLA on. Latency threshold: if a link gathers above 25 milliseconds for its communication to quad 8, it's considered degraded. If my jitter threshold goes over 5 milliseconds, you got it, it's considered degraded. My packet loss threshold goes above zero, hell, I think it's definitely degraded. Both of these links are actually really good from a packet loss perspective; I haven't had any issues. If you have lower cost links, or maybe you have cable modem service that's not as quality, you might want to bump this up, adjust this to meet your needs.

And then of course you can check the interval. I have mine check every 500 milliseconds, and if it fails five times in a row it will pull the route, just like a standard health monitor that we used to do back on the manual way of doing things, right guys? Link monitors work; this is a more granular level of link monitor. And then of course you can restore the link as well after X number of successes. I use five for failure, five for successes. If it jumps up in packet loss or jitter or latency for one out of five times, it's not going to be a big deal for me. And then of course I have it told to update the static route: link is good, have the static route installed; link is bad, pull the static route. So both of my links go through that SLA, and as you can see both of them are 0 percent packet loss, both of them have really, really close latency. I'm actually impressed with the cable modem in this regard; it's only about a millisecond higher. Jitter is about a millisecond and a half higher; that usually is actually a bigger spread, it's usually around 2 to 3. But as you can see, that fiber line, steady man, it stays the course, it's old reliable. Cable modem: more flexibility, more fluctuation. It's a cable modem, what you expect, but it works, right?

So a major benefit of 6.4.1 as far as SD-WAN is concerned is the fact that they have added SD-WAN specific events to the log monitor. So if you jump into Log & Report, you go to Events, one of the drop-downs over here in the top right is SD-WAN Events. Now what this will do is it makes it infinitely easier for you to know what's going on with your links: why did my interface remove itself from the WAN load, why did the interface show down, why is my packet loss seeming high, et cetera. You know, you have all this stuff: oh look, the link is outside of the SLA, well, which link is that? So you're diving in here, you're actually able to look at SD-WAN events that are related to your device; it makes troubleshooting a lot easier. As you can see, you can look and see number of passed members changed, you know, it's passing SLA, a member's SLA is failing for some reason. You can actually scroll down, and it's just giving you, in this case, little, because the links are fairly quality, so you don't actually see a whole lot. When one jumps out of SLA it tells you, and then from there you can actually do deeper digging and see what's going on with it, right? I do all my logging local to the device. It does have some FortiCloud logging built in, but I don't use it. This is a home unit; it doesn't even have FortiGuard or UTM on, but it does what I need.

So there you have it guys, SD-WAN in the most simplest of deployments, right? We want to start simple. I wanted to start simple; I didn't want my internet connection acting wonky while I'm trying to upload videos or play video games, cuz lord knows, playing Call of Duty Warzone, the last thing I need is high pings or IPs jumping. But that's how I have my SD-WAN configured. I am brand-new to 6.4.1; I literally installed 6.4.1 when I knew I was getting my secondary line, because I liked some of the things that they were bringing from an SD-WAN feature set. I avoid 6.2, I hate 6.2, I'm never ever gonna deploy a client to that. I guess that's a lie; I already have, I've had clients deploy themselves to that. But 6.4 so far has been fairly stable. I do not recommend it for a production environment, but if you have a home unit or a lab unit and you're wanting to try out SD-WAN, and you actually want the flexibility to do SD-WAN the way it's actually intended to be done, please follow me and jump on. And remember, SD-WAN's sole purpose is to let you use software to define how your packets flow across your network, what links they use, so that you can use less expensive, more direct links or consumer level links. You no longer have to use private lines, MPLS, point-to-points, all those expensive things that cost like $1,000 for a 10 meg line, because you're pretty much set up right. Dive in with your, you know... I have a hundred and sixty dollars a month worth of internet, because both of the lines cost roughly eighty bucks a pop. It's a shame DOCSIS 3.1 isn't pushing higher uploads as far as a symmetrical thing, but it is what it is.

Hey guys, if you liked this video and you found it helpful, do me a favor: hit the like button, share it around, tell your friends, post it, whatever. If you didn't like it, hit the thumbs down, screw it man, I just want people to interact so they can actually help me pick the content that you guys find useful. If this is your first video that you've ever seen by me, do me a favor, hit the subscribe button and the notify bell; that way you can stay up to date if you liked the video. Of course if you didn't like it, just go away, do your thing. But um, hopefully this video was helpful. Like it, subscribe, notify it, stay tuned for more videos as we jump in and do what's necessary to help educate the masses on Fortinet gear, and also maybe, if you watch some of my rants, educate Fortinet on where they're messing up. But anyways, until next time guys, stay safe, and you know, don't catch the Rona, and if you do, beat it, I don't know. I think I'm getting a little cabin feverish from not leaving the house, but oh well. So you guys stay tuned, see you next time. [Music]
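The performance SLA the speaker walks through (DNS probe to quad 8, 25 ms / 5 ms / 0 % targets, a probe every 500 ms, five failures to pull the static route and five successes to restore it), as an added Python model that is not FortiGate code or the speaker's own. It assumes the two states FortiOS keeps separately: a member is dead after failtime unanswered probes (that is what removes the static route), while the SLA targets only mark the member in or out of SLA for rule selection; the probe trace is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Sample = Tuple[Optional[float], float, float]  # (latency ms or None = no reply, jitter ms, loss %)


@dataclass
class LinkMonitor:
    """Per-member performance-SLA state; defaults are the settings shown in the video."""
    name: str
    latency_ms: float = 25.0   # SLA target thresholds
    jitter_ms: float = 5.0
    loss_pct: float = 0.0
    failtime: int = 5          # unanswered probes in a row before the link is dead
    recoverytime: int = 5      # answered probes in a row before it is alive again
    alive: bool = True         # static route stays installed while True
    in_sla: bool = True        # usable by rules that require the SLA while True
    misses: int = 0
    hits: int = 0
    events: List[str] = field(default_factory=list)

    def probe(self, sample: Sample) -> None:
        """Apply one probe result (the real device sends one every 500 ms)."""
        latency, jitter, loss = sample
        if latency is None:                      # no reply: counts toward failtime
            self.misses, self.hits = self.misses + 1, 0
            if self.alive and self.misses >= self.failtime:
                self.alive = False
                self.events.append(f"{self.name}: link dead, static route removed")
            meets = False
        else:                                    # reply: counts toward recoverytime
            self.hits, self.misses = self.hits + 1, 0
            if not self.alive and self.hits >= self.recoverytime:
                self.alive = True
                self.events.append(f"{self.name}: link alive, static route restored")
            meets = (latency <= self.latency_ms and jitter <= self.jitter_ms
                     and loss <= self.loss_pct)
        if meets != self.in_sla:                 # toy model: SLA state follows each probe
            self.in_sla = meets
            self.events.append(f"{self.name}: {'back in SLA' if meets else 'out of SLA'}")


def replay(name: str, samples: List[Sample]) -> LinkMonitor:
    mon = LinkMonitor(name)
    for s in samples:
        mon.probe(s)
    return mon


# Constructed trace: one jitter spike, five unanswered probes, then five clean replies.
CABLE_TRACE: List[Sample] = ([(12.0, 1.5, 0.0)] * 3 + [(14.0, 6.2, 0.0)]
                             + [(None, 0.0, 100.0)] * 5 + [(13.0, 1.4, 0.0)] * 5)
```

Calling `replay("cable", CABLE_TRACE).events` yields the out-of-SLA, link-dead, back-in-SLA, link-alive sequence the SD-WAN event log would show for that trace; four misses followed by a reply never reaches failtime, so the route stays in place.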
Info
Channel: Fortinet Guru
Views: 20,838
Rating: 4.9422574 out of 5
Keywords: SDWAN, Fortinet SDWAN, FortiGate SDWAN, SDWAN Configuration
Id: mOw3VAjQLsE
Length: 16min 24sec (984 seconds)
Published: Wed Jul 08 2020