SD-WAN configuration on Fortigate Firewall 6.4.0

Captions
Hi friends, welcome to my channel. Today I'm going to do a brief session on how to configure SD-WAN in FortiGate firewall and how to test it, and I'm going to cover all the features that you have in SD-WAN. By the way, I am having the firmware 6.4.0, which is the latest firmware version that we have from Fortinet. So let's get started. This is my main firewall. You can see port 1 is the ISP1, port 2 is the ISP2; these two ports are connected to the ISP1 and ISP2, and the clients' traffic is coming to port 3, so this is my LAN port which is connected to 192.168.1.108, and my ISP IP is 192.168.0.108, so the upstream device is doing the NAT, and in ISP2 we have the interface IP 14 140 4108, so we have an upstream open source firewall which is doing the NAT-ing, which is our pfSense firewall. So okay, so we have three interfaces on the FortiGate firewall and I'll show you how to configure the SD-WAN.

I guess you will have to enable this, or by default this will be enabled; if not, you will have to enable this and then apply. And I'm looking for some other features as well related to SD-WAN, if there is any. Okay, there's no other SD-WAN feature here, so we are good. Network, and then you will have to click on SD-WAN zone. Since I have already created the zone... so if you want to create, you will have to click on create and add the member, so the port that you want to add as an SD-WAN member interface, you will have to do it here by clicking on create new, or if you want to create a new zone you will have to click here and then, you know, try to put the interfaces in the group. So it is going to create "test" with two interfaces, ISP1 and ISP2; after that you can click OK. But then I already have the default virtual WAN link, and in that I have selected ISP1 and ISP2. Let me show you how to do that. So once you create your SD-WAN zone it will look like this, then you click OK, then you have to choose the interface. Okay, so once you do that it is going to remove the configuration from the existing virtual WAN link; this is the default, I guess. So we have created SD-WAN "test" and in that we have ISP2 and ISP1 defined. Okay, and whenever you do that you will have to define the gateway: 192.168.0.1 is the ISP1 gateway, and for ISP2 you will have to put the gateway. So you might not see this configuration if you are doing it for the first time; since I have already added this, that is the reason why you are able to see that. Let me try to delete everything. I will stop the video for some time so that I can remove all the configuration and I can show you from scratch.

All right friends, so I have removed all the configuration. So now if you go to SD-WAN zone you will just see the one... okay, I have removed that as well, so no problem, you can see there's nothing here, absolutely nothing here. So I'm going to do it from scratch. Let's go to SD-WAN zone, create the SD-WAN zone first, and then once you create one member it is going to show like this; it is not going to show you the interfaces, well, you will have to create the interfaces. Click on ISP1 and then put the gateway 192.168.0.1, the cost as 2 because I want to put the traffic on ISP2. Okay, click here and then create one more, put the gateway as... put the cost as one, so you have two interfaces in the SD-WAN zone. Okay, I guess I added it to the wrong zone. I'm gonna give it as two, I'm going to keep it as one. So we have two... okay, so we have two interfaces here. Okay, so I believe it is going to be inside this and then you can assign zones for the SD-WAN interfaces, well, that is what I believe, so we will see it later. Let's see if we can add another interface just for testing. Okay, so whatever interface you have, it goes inside the virtual WAN link and then that goes inside the SD-WAN zone, so we will check that after some time.

Okay, so now we have a virtual WAN link which is having ISP1, ISP2, and we are going to create the IP SLA to, you know, regulate the traffic flow from ISP1 and ISP2. So one is going to be ping, and I'm going to ping the server, okay, and all the interfaces that are there in the SD-WAN virtual link, all of them are going to ping the IP address 8.8.8.8. So click here. I don't want latency threshold, I don't want jitter threshold, I want the packet loss ratio; let's keep it as 10, let's keep it as five, keep it as one, yep. And the link status: I want the interval to be 500 milliseconds, and this is the number of retries and the interval between the retries. So update static route, well, by default it is enabled, so we'll keep that, we'll keep it as it is. Okay, so now you can see here, so it will start pinging the IP address and it is going to update the status. Well, right now you see ISP2 having big loss; let's wait for some time. We're going to create a default route pointing to SD-WAN. So these are the probes sent from port 1; let's see what we have from port 2. Okay, the gateway is incorrect here, it is going to be 109, so that was the issue. Okay, once I do that let's see the status now. Okay, that's cool. Okay, so both the ISP1 and ISP2 are up with almost similar latency; there's no loss on the link, by the way, and my SLA is okay, so whoever meets this criteria will be chosen.

Okay, so now we are done with the virtual link and the member definition here, ISP1, ISP2 under virtual WAN link, and then we are done with the SLA creation. Okay, SLA is done. Now we will go to SD-WAN rule. We will create an SD-WAN rule: source, I'm going to keep it as all; destination, keep it blank, address all, any; and then here are the options. So first of all I will go with best quality. Okay, so I'm going to put the interface preference as ISP2, then ISP1, so by default it is going to use ISP2; if the ISP2 is not meeting the SLA which I have defined in SLA, then it is going to fail over to ISP1 automatically. So let's try with best quality: interface with the best measured performance is selected. So let's try this: measured SLA, I'm going to select the one that I've created, and the quality criteria I'm going to put it as packet loss, since the latency is almost similar for both the ISP1 and ISP2. So let's click OK. So now our SD-WAN rule is configured; hit count is zero since we don't have any traffic. SD-WAN interface and zones both are configured, you have performance SLA also defined, so you can see here the performance SLA and the loss, and we have a static default route pointing to the SD-WAN interface, and in SD-WAN we have already defined the gateway under this. And once you are done with these three configurations then you can create a normal firewall policy to allow the traffic; you can see here.

So now we are done. Now we will try to initiate some traffic. So this is the client that is going to initiate the traffic, and the client is connected to the port, like I said earlier, it is going to connect to port 3, so port 3 is having the IP address 192.168.1.108 and the client is having the IP address 192.168.1.107. So let's check if we have the connectivity to our port 3 of the firewall. Okay, so we have the 108 access, you can see here. All the traffic is supposed to go or exit out via port 3 and it comes to this firewall and then the SD-WAN magic happens. Okay, so what we can do here is we are going to ping the OpenDNS IP, and let me show you the SLA info. So right now the SLA is: ISP1 zero percent loss, ISP2 zero percent loss, latency is almost the same, and then if you click on SD-WAN rule it is going to show you that ISP2 is preferred since the ISP2 cost is 1. In the configuration here you can see that the cost is one for ISP2 because I want to put the traffic on ISP2, and the cost of ISP1 is one, or sorry, two, since I don't want to put the traffic on ISP1; only if ISP2 fails I want to put the traffic on ISP1. So you can see the stats here. Okay, so our rule says ISP2 is the one which is actively processing the traffic, so let's test that. So I'm going to ping the OpenDNS IP, so you can see here I'm able to ping that, and matter of fact I can show you that it is not exiting out via port 1, rather it is going out via port 2. So you can see here the request initiated from the client is getting out, exiting out via port 2.

So now let's say that the ISP2 is going to get faulty, just to demonstrate how seamless the traffic flow or the failover is. So now, as you can see here on the SD-WAN tab, ISP2 is active. So what I'm going to do here is I'm going to go and I'm going to black hole the traffic. I'm going to black hole this traffic and I'm going to show you the effect as well. So you can see here, immediately it took over to ISP1, and in the zone, IP SLA, if you go see, you can see here ISP2 is down, so ISP1 is processing traffic. You can check the status here in SD-WAN rule, which says ISP1 is active, which is an automated behavior shown by the FortiGate firewall. You can see here it is still pinging, so it might take some time to, you know, clear the session. You can see here the session is resumed on port 1; earlier it was from port 2, you can see here. So now again I'm going to do a failover; this time I'm going to bring up the ISP2 SLA IP so that the traffic fails over back to port 2. So what I'm going to do here is I'm going to go to pfSense, I'm going to disable this route and then I'm going to apply this. Let's check the status here. So you can see the ISP1 is still active; the performance SLA is 80 percent, that's the reason why it's not failing over back to ISP2. Let's wait for some time, it might subside in some time. Okay, it is going down. You can see here it is still preferring ISP1 and my ping is still going on; there is no ping on ISP2. So now both are okay, it brought down to eleven percent, just one percent. Okay, so now there is no loss on ISP2, so if you go to the WAN rule it says ISP2. So now you will not see the traffic because of the existing session, and since the ISP1 is already active, so what I'm going to do is I'm going to stop the traffic, I'm going to reinitiate the traffic, and then I should be seeing the traffic here. As you can see here, the traffic resumed over to port 2; the traffic is going out via port 2. So this was about the redundancy with ISP1 and ISP2 using the SD-WAN feature with the ping SLA. Well, you can create multiple types and kinds of SLA here; this was the ping-based SLA, you can have HTTP, DNS, whatever you want, and you can have multiple members as well. So one is enough for me.

So now I'm done with this. I'm going to create a new SLA for load balancing so that we can test the feature of load balance. I'm going to put the IPs, okay, and I'm going to put all SD-WAN members, because I want both the interfaces to ping 1.1.1.1 so that I can, you know, measure the criteria. So I don't want this, I don't want this, um, let's say 10 percent, and if both the interfaces meet this criteria we are going to use both the interfaces for load balancing. Okay, you can increase this and you can decrease this, I mean you can adjust the configuration here. Click okay and then check the status; it says up, zero percent loss, so you can use ISP1 and ISP2 as well, since if by any chance this is not reachable then it will, you know, remove the interface from the load balancing criteria. So you can see here it has removed the interface from the load balance criteria. I mean, this is just an SLA; if you use this SLA in the SD-WAN rule it is not going to consider the ISP2. So since I'm going to use it, so what I'm going to do here is I'm going to disable this, save, yes, apply the change. Okay, so now you can see both the ports are active, but since the criteria is 10 percent, it has to come below 10 percent so that the SD-WAN rule can, you know, use both. Okay, I'm going to put the option of maximum bandwidth SLA. I'm going to select the SLA that I created. So you can see here: maximum bandwidth, total; the traffic is load balanced among interfaces that meet the SLA target. So right now I have two interfaces, ISP1, ISP2, and I believe ISP2 is facing the loss and it might subside in some time; so it is ten percent right now. So let's try to do this, and by the way, if you want to, you know, have further granularity in the SD-WAN rule then you can do that via CLI. So you can see here it is choosing both the interfaces, interface 1 and interface 2. When you have the SD-WAN feature, the SLA is here: both the interfaces are way below the 10 percent loss threshold, and then the traffic will, you know, I think it is based on the session, so if you initiate the traffic it should go out via port 1, and then if you have multiple users or multiple sessions it might load balance the session among the interfaces that met the SLA under the load balancing criteria. Since I'm initiating the ping from a single client, you will not be able to see that on port 2, because, you know, it is having the existing session on the ISP1 link, so yeah, so you don't have any traffic on port 2. Let's try to do something. So you can see here ISP1, ISP2; the rule says prefer ISP2 or ISP1, okay. This is the maximum bandwidth SLA which says load balance the traffic, and these two interfaces will be used if it falls under the SLA that we have created, the load balancing SLA. So let's try to block the IP 1.1.1.1 so that we can bring down the ISP1, since the traffic was going out via ISP1. So I'll try to bring down the ISP1 by bringing down the SLA. So you can see here, now I have brought down... okay, I have brought down the ISP2, so okay, that's not our issue. So let's try to see, since I don't have any control over ISP1, so I cannot do things with ISP1, so I can only test it with ISP2. So ISP2 is down and then in the WAN rule you can see here it is choosing ISP1; it is not choosing ISP2 for any kind of traffic. Once that is up, it is going to bring up the SLA, and even then... okay, ISP2 is up, ISP1 is up. Once it is under SLA it is going to consider both the interfaces for load balancing, since in the load balancing criteria we have given the packet loss threshold as 10, so once this comes under the 10 percent threshold it is going to consider ISP1 as well as ISP2 for the processing of traffic. So you can see here it is putting the traffic on port 2. I believe you should not see the traffic on port 1 since it is doing load balancing based on the session and the client, so the session load balancing is happening on port 1 and port 2. Earlier you were able to see that on port 1, now it is on port 2, since I guess it is session-based load balancing, or maybe the client-based load balancing, I am not sure. So this was about the load balancing feature where both the links will be used, and you will have to define that under the SD-WAN feature here.

And one more thing that I was trying to tell you is the granularity that you can bring into the SD-WAN rule here. If you see, by default you don't see that information, like, you know, the in-interface selection or the negate option, but you can do that via CLI. If you go to config system sdwan, config service, so if you set the input device you can select the input interface here. So my input interface is going to be port 3, which will receive the traffic from the clients, and then I can do multiple things with CLI, like I can negate the source; you can see here destination negate, source negate. So there are multiple options available here that you don't see in the GUI, so the GUI is not showing all that granularity, but then you can do it from the CLI, like I showed you here. There was no option of incoming interface selection in the GUI, but then in CLI, well, you can do that and I have done that. Let me show you one more time: you can see here in the service option you have the input device as port 3, so you have one more level of granularity in terms of the SD-WAN rule which decides what to do. So you can see here this is the criteria: you can have multiple interfaces in this particular interface selection tab, and if the interface meets the SLA it is going to do the load balancing among all the individuals that met the SLA, and I don't know whether there is any flexibility of choosing how you want to do the load balancing, but then, yes, this is what you get out of the box.

And let's try the manual one. So the manual one says manually assign outgoing interfaces. Okay, so since I have selected ISP2, okay, let's try to do it as ISP1 and then ISP2, okay, so I'm going to prefer ISP1 over ISP2. So this is the manual setting that you can do. You can see here ISP1 is preferred. Let's try to initiate some traffic. You can see here it is going out port 1, which is our manual selection here. You can see this is the SLA; it is still having the load balancer, if you want you can change it. So the SLA says 10 percent packet loss, okay. In this particular criteria, which is having a manual failover, you don't have any SLA, so you don't have to worry about that; so the only criteria is that, you know, the preference: port 1 is preferred and then if not port 1 then port 2 is preferred. So let's try to reverse the... okay, that's better. So now you can see here ISP2 is preferred over ISP1. Well, this is manual, what you call, settings. And let's try to do something, let's try to disable the interface. Okay, it's going to bring down that, not a good idea. So I'm going to bring down the interface just to see if it fails over to ISP1 or not. So you can see here, but then since it is a manual setting, so you don't have to worry about the SLA, because you don't have to define SLA while doing a manual thing. So you can see here it automatically adjusted to the correct ISP: port 2 was down, so it automatically adjusted to port 1. So let's bring up the port 1 to see whether it fails over to port 1 or not, port 2 or not. Okay, so let's go back to the WAN rule. Okay, so now it fails over back to ISP2. Let's try to test it with the help of traffic; disable this, now we will... okay, so now we are initiating the traffic, let's see where I'll be receiving it. So we are receiving it on port 1; port 2 is down, so you cannot basically see the traffic on port 2, but then let us do some changes here, let us bring up port 2. So you can see here it failed over to ISP2; let's try to check that, maybe because of the existing session, well, we'll try it one more time. Okay, so now we are able to see the traffic on port 2. Automated, well, that is also working.

So the other option that we have here is best quality. Well, under best quality, if "interface with best measured performance" is selected, so you will have to basically define the SLA. I'm going to go back to the ping SLA and I'm going to use the same preference, ISP2 first, ISP1 second. So the criteria here is the ping SLA, packet threshold one percent, so if the criteria is met then it is going to select that interface, and by default my preference is port 2, so as long as port 2 is having packet loss less than one percent or one percent, it is going to select port 2; if ISP2 is having loss more than one percent, like how I have defined here in the SLA, it is going to fail over to port 1, which is ISP1. So let's test that by blocking 8.8.8.8 here. So let's try to see: ping SLA, you can see here, WAN rule, okay, so it is now selecting ISP1. So we don't have to test that, if you want you can test; let's try to do testing. Since the session is active, you can see here the traffic resumed on port 1, so that is also working, and before that I would show you that the traffic is not there on port 2. Okay, so as soon as I do this, disable, okay, so now our preferred is ISP2, the best of... okay, okay, I guess I selected the wrong option here, you can see here best effort, okay. So now let's see, so ISP2 is not preferred, maybe because of the loss; yeah, once the loss subsides it is going to prefer ISP2, like I said. So this is the third option that you have under performance, under the policy, and the other one is the lowest cost interface that meets the SLA target is selected; okay, so basically the same, the interface with the lowest assigned cost is selected. In our case it is going to select port 2, since ISP2 is having the cost of one, that's why you see ISP2 being preferred. That completes the options that we have in rules, basically. So this was the one that I was talking about: you can select the zone as well; instead of outgoing interface you can select the outgoing zone. Anyways, I think we are done with all the attributes, all the options available with us on the FortiGate firewall for the SD-WAN feature on 6.4.0, and we have tested the failover scenarios as well, we have created a lot of SLAs as well. So that brings us to the end of this video. I hope you enjoyed it, and please do subscribe to my channel, hit the like button, and stay safe, stay tuned, have a good day, bye.
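As an added example (not from the video or from Fortinet), the GUI walkthrough above expressed as FortiOS 6.4 CLI, using the values the speaker gives: port1/port2 as ISP1/ISP2 with costs 2 and 1, a ping health check to 8.8.8.8 with a 1% packet-loss SLA, an SLA-mode rule with port3 as input device preferring ISP2 then ISP1, a default route via the SD-WAN zone, and the firewall policy that allows LAN traffic out. The ISP2 gateway is a placeholder because it is not intelligible in the captions; member sequence numbers and the rule name are assumptions.

```text
# Added example in FortiOS 6.4 CLI syntax; values from the video, IDs and names assumed.
config system sdwan
    set status enable
    config members
        # ISP1 on port1: higher cost, so it is the backup path
        edit 1
            set interface "port1"
            set gateway 192.168.0.1
            set cost 2
        next
        # ISP2 on port2: cost 1, so it is the preferred path
        edit 2
            set interface "port2"
            # placeholder: the ISP2 gateway is not intelligible in the captions
            set gateway <isp2-gateway>
            set cost 1
        next
    end
    config health-check
        edit "ping"
            set server "8.8.8.8"
            set protocol ping
            set interval 500
            set members 1 2
            config sla
                # a member with more than 1% loss fails the SLA and is skipped
                edit 1
                    set link-cost-factor packet-loss
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 1
            # SLA mode: ISP2 first, fail over to ISP1 when ISP2 breaks the SLA
            set mode sla
            set input-device "port3"
            set src "all"
            set dst "all"
            set priority-members 2 1
            config sla
                edit "ping"
                    set id 1
                next
            end
        next
    end
end
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Switching the rule to `set mode load-balance` with the 10% SLA from the load-balancing section reproduces the maximum-bandwidth test, and `set mode manual` reproduces the manual preference test.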
Info
Channel: TechTalkSecurity
Views: 10,363
Keywords: fortigate, firewall, Fortigate, Fortinet, fortinet, security, sd, wan, SD-WAN, SD, WAN, feature, configuration, load, balancing, loadbalancing, rules, policy, test, configure, config, failover, redundancy, isp, links, link, ISP, scenario, ping, loss, packet, session, vmware, virtual, machine, explained, redundant, software, defined, interfaces, zones, secure, traffic, best, SD-WAN-Rule, sd-wan, performance, Performance SLA, routes, routing, tutorial, all, how, to, demo, demonstrate, multiple, latency, threshold, jitter, graphs, percentage, new, latest
Id: BAHzz0x9Szk
Length: 47min 56sec (2876 seconds)
Published: Sat Jul 18 2020