Redundant Internet with SD-WAN


The following example demonstrates how to configure redundant Internet using the new SD-WAN feature in FortiOS 5.6. 

The goal of SD-WAN is to present several physical WAN links as a single virtual WAN interface and to distribute and fail over sessions between them at the routing and firewall-policy level (Layer 3), without needing to manage hardware-based switches or dedicated WAN controllers.

1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

2. Modifying existing policies

You will not be able to add an interface to the SD-WAN interface while it is still referenced elsewhere in the FortiGate's configuration. So, in this scenario, you must delete any security policies that use either WAN1 or WAN2, such as the default Internet access policy. Be aware that traffic will not be able to reach WAN1 or WAN2 through the FortiGate after you delete the existing policies, until the new policy in Step 5 is in place.

It is also advisable to check for any other references to WAN1 or WAN2 and make the necessary modifications.

If you have many policies that reference WAN1 and/or WAN2, a simpler method is to redirect those policies to unused ports, rather than delete them, so that you do not have to recreate each policy from scratch. Remember to point those same policies back to the SD-WAN interface once it is created (Step 5).

Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.

3. Creating the SD-WAN interface

Go to Network > SD-WAN.

Set the Interface State to Enable.

Under SD-WAN, add the two WAN interfaces.

Under Load Balancing Algorithm, select Volume and prioritize the WAN1 interface to serve more traffic.

In the example, the ISP connected to WAN1 is a 40 Mb/s link and the ISP connected to WAN2 is a 10 Mb/s link, so we weighted the balance 75% to 25% in favor of WAN1.

To help visualize the effectiveness of the algorithm selected, the WAN Links Usage graph shows you the Bandwidth and Volume usage.

4. Configuring SD-WAN Status Check

You can optionally configure SD-WAN Status Check to verify the health and status of the links that make up the virtual WAN link.

This configuration uses ICMP ping to verify the status of each SD-WAN member link.

Go to Network > SD-WAN Status Check and (if you wish to use Google's public DNS server, 8.8.8.8) enter the values shown here.*

5. Allowing traffic from the internal network to the SD-WAN interface

Go to Policy & Objects > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the SD-WAN interface.

Enable NAT and apply Security Profiles as required.

Enable Log Allowed Traffic for All Sessions to allow you to verify the results later.

At this point, you should recover any policies that may have been redirected or deleted in Step 2 and point them to the SD-WAN interface.

6. Results

Browse the Internet using a computer on the internal network and then go to Network > SD-WAN > SD-WAN Usage.

You can see the bandwidth and volume of traffic traversing the SD-WAN interfaces.

Verify that Status Check is working by viewing the table at Network > SD-WAN > SD-WAN Status Check.

Go to Monitor > SD-WAN Monitor to view the number of sessions for each interface, bit rate, and more.

7. Testing failover

To test failover of the redundant Internet configuration, you must simulate a failed Internet connection to one of the ports. Do so by physically disconnecting the Ethernet cable connected to WAN1.

Verify that users still have Internet access by navigating to Monitor > SD-WAN Monitor. Note the Upload/Download of each WAN interface.

Furthermore, go to Network > SD-WAN > SD-WAN Usage to see that bandwidth and volume have diverted entirely through WAN2.

Users on the internal network should have no knowledge of the WAN1 failure. Likewise, if you are using the WAN1 gateway IP to connect to the admin dashboard, nothing should change from your perspective. It will appear as though you are still connecting through WAN1.

Reconnect the WAN1 Ethernet cable when you have verified successful failover.


Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!

* Note to Step 4: You can use any stable server that responds to ICMP requests, such as the ISP's gateway. We recommend something with the fewest hops.
  • V-P

    I tried to get SD-WAN working with my FGT30E 3G4G, but it seems that traffic cannot be routed over wwan (DHCP). Isn't that scenario supported? I wanted to try this because with normal link monitoring and static routes with different priorities (same distances) there is still an SNAT problem: existing sessions will stay alive as long as there is an active route in the routing table. So if WAN1 (primary) is down, traffic will flow over WWAN (secondary), but when WAN1 comes back there is still an active route over WWAN (secondary) and existing sessions will use that and not WAN1 (primary).
    Also, is there any recipe on how to get route-based IPsec site-to-site tunnels working in a dual-WAN scenario?

  • Unai Falagan

    Hello. With SD-WAN, is it possible to use two IP NAT pools? We need to do an ISP load balance of two ISP links with one IP NAT pool for each one.

    Regards

  • Keith Leroux

    Hi Peter,

    This configuration includes failover. Health Link is now located under SD-WAN Status Check.

  • Victoria Martin

    Hello Peter,

    I have added this topic to our to-do list.

  • Victoria Martin

    Hi Alexander,

    The WWLB feature has been re-named to SD-WAN, so you are correct that it is essentially the same feature. However, new functionality has also been added to it in FortiOS 5.6, which will be featured in future Cookbook recipes.

  • nirmal roshan

    Hi Keith,

    In this kind of set up how will I be able to set up port forwarding to an internal web server, or how can i do a VPN configuration.

    • Keith Leroux

      Hello nirmal roshan,

      We are currently working on an IPsec VPN over SD-WAN recipe, so stay tuned. I’ll see if I can add port forwarding to the docket!

      • Yoann

        Hi,
        I just set up my FGT with SD-WAN, but we can't use port forwarding to an internal server.
        Virtual IP allows us to select WAN1 or WAN2, but not SD-WAN.
        Rules won't allow us to select a WAN1 or WAN2 virtual IP.
        We simply lose our messaging server and all connections from outside.
        Will the next firmware allow us to put this in place?

  • Ian

    In Step 4 you cite using Google’s public DNS server, 8.8.8.8. However, they have recently been more stringent about allowing this and in some cases have started filtering ICMP traffic to those DNS servers making them unreliable for these kinds of tests. One possible source for this is: https://groups.google.com/forum/#!msg/public-dns-discuss/p1o62SJElck/w0flYsmqBQAJ

    • Keith Leroux

      Hi Ian,

      Thank you for the excellent information! As the asterisk in Step 4 indicates, you can use any stable server that responds to ICMP requests. We recommend one with the fewest hops.