
FortiGate Infrastructure

Software-Defined WAN (SD-WAN)

FortiOS 6.2
© Copyright Fortinet Inc. All rights reserved. Last Modified: 2 November 2022
Lesson Overview

Introduction to SD-WAN

SD-WAN Performance SLA

SD-WAN Rules

SD-WAN Diagnostics
Introduction to SD-WAN
Objectives
• Identify use cases for SD-WAN
• Identify the implementation requirements for SD-WAN
• Configure the SD-WAN virtual link and load balancing
• Configure static routes and firewall policies for SD-WAN
What is SD-WAN?
• Virtual interface consisting of a group of member interfaces that can be connected to different link types
• Allows effective WAN usage with various load balancing algorithms
• Supports link quality measurement
• Dynamic link selection based on link quality
• Ensures high availability of business-critical applications

[Figure: a branch office connected through SD-WAN to the HQ/datacenter, a public cloud, and SaaS]
Enterprise SD-WAN Use Cases: MPLS Migration
• MPLS dependency: inflexible and expensive, but with good QoS
• All branch traffic is routed through MPLS circuits to the private cloud; traffic is secured inside the MPLS network
• QoS is applied for business apps
• Breakout to the public cloud and the Internet for all traffic happens in the provider cloud, not at the branch

[Figure: branch connected over MPLS to the private cloud; public cloud and Internet are reached by breakout in the provider cloud]
Enterprise SD-WAN Use Cases: MPLS Backup with Local Breakout
• Critical apps (voice and video): the best path is chosen depending on latency, jitter, and packet loss; traffic is redirected to a new tunnel when the WAN conditions are worse than the threshold
• Business apps: load balanced across different lines so that bandwidth is optimized
• Direct secure access from the branch to Internet, SaaS, and IaaS content, load balanced if needed

[Figure: branch connected to the private cloud over MPLS and over an IPsec VPN across the Internet, with local breakout to the public cloud and the Internet]
Enterprise SD-WAN Use Cases: MPLS Replacement
• Same link selection as the previous case, but both paths to the private cloud are IPsec VPN tunnels over Internet links; there is no MPLS circuit
• Critical apps (voice and video): the best path is chosen depending on latency, jitter, and packet loss; traffic is redirected to a new tunnel when the WAN conditions are worse than the threshold
• Business apps: load balanced across different lines so that bandwidth is optimized
• Direct secure access from the branch to Internet, SaaS, and IaaS content, load balanced if needed

[Figure: branch connected to the private cloud over two IPsec VPN tunnels, with local breakout to the public cloud and the Internet]
SD-WAN Configuration
• Specify at least two member interfaces and their associated gateways
• A member interface must not be referenced by any other configuration element (for example, static routes or firewall policies); remove those references before adding the interface to SD-WAN
• Supports physical, aggregate, VLAN, and IPsec interfaces
• An implicit rule is automatically generated for balancing the traffic across the members

[Figure: Network > SD-WAN showing the member interfaces, and Network > SD-WAN Rules showing the implicit rule]
SD-WAN Load Balancing Methods
• Source IP (default)
  • Sessions from the same source IP address use the same interface
• Source-destination IP
  • Sessions with the same source and destination IP pair use the same interface
• Usage (spillover)
  • Use one interface until its bandwidth threshold is reached; then, use the next interface
• Weight (shown as Sessions in the GUI)
  • Sessions are distributed across the interfaces in proportion to the weights assigned to them
• Volume
  • Sessions are distributed so that the traffic volume carried by each interface follows the interface weights

SD-WAN load balancing uses traffic distribution methods that are similar to those used by equal cost multipath (ECMP). Volume-based distribution is specific to SD-WAN and is not available with plain ECMP routing.
SD-WAN Virtual Interface
• The sd-wan virtual interface is automatically created when SD-WAN is enabled (in the CLI it appears as virtual-wan-link)
• All static routes and firewall policies must be configured using this virtual interface, not the individual members; one policy therefore covers every member, and the same security profiles apply whichever link a session takes

[Figure: Network > Interfaces, Policy & Objects > IPv4 Policy, and Network > Static Routes, all referencing the sd-wan interface]
SD-WAN Routes in the Routing Table
Network > Static Routes

Even though you must configure routes using the sd-wan virtual interface, FortiGate installs individual routes for the member interfaces in the routing table:

# get router info routing-table all
...omitted output...
S* 0.0.0.0/0 [1/0] via 10.200.2.254, port2
             [1/0] via 10.200.1.254, port1
C 10.200.2.0/24 is directly connected, port2
C 10.200.1.0/24 is directly connected, port1

Both default route entries share the same distance and priority ([1/0]), so they are equal-cost routes; which member a given session actually uses is decided by the SD-WAN rules and the load balancing algorithm, not by the routing table alone.
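As an added worked example (not part of the Fortinet deck), this is the FortiOS 6.2 CLI equivalent of the slides above: two members whose gateways match the routing table just shown, the default source-IP load balancing mode, a default route over the SD-WAN interface, and a single firewall policy for LAN-to-WAN traffic. The LAN interface (port3) and the address object LAN_subnet are assumptions; the lines starting with "#" are annotations, not CLI input.

```fortios
# Assumed topology: port1 and port2 are the WAN links, port3 is the LAN.
# The gateways are the ones visible in the routing table above.
config system virtual-wan-link
    set status enable
    # Default algorithm: sessions from one source IP stick to one member
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "port1"
            set gateway 10.200.1.254
        next
        edit 2
            set interface "port2"
            set gateway 10.200.2.254
        next
    end
end

# Default route via the SD-WAN virtual interface, not via port1 or port2.
# FortiGate expands this into one equal-cost route per member.
config router static
    edit 1
        set dst 0.0.0.0/0
        set virtual-wan-link enable
    next
end

# One policy for every member: "virtual-wan-link" is the CLI name of the
# sd-wan interface. LAN_subnet is an assumed firewall address object.
config firewall policy
    edit 1
        set name "LAN_to_SDWAN"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because the policy is written against virtual-wan-link, the same service, inspection and NAT settings apply no matter which member a session is steered to. If port1 or port2 is still referenced by an existing route or policy, FortiOS refuses to add it as a member until that reference is removed.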
Knowledge Check
1. Which method of load balancing is supported by SD-WAN but not supported by ECMP routing?
A. Sessions
B. Volume

2. Which of the following configuration tasks is correct when implementing SD-WAN?
A. Configure a default route using the sd-wan virtual interface.
B. Configure firewall policies for each individual member interface.
SD-WAN Performance SLA
Objectives
• Configure the SD-WAN performance SLA
• Identify how FortiGate measures link quality
Performance SLA
Network > Performance SLA

[Figure: the Performance SLA page has three parts: the link health monitor (probe servers and protocol), the SLA targets, and the resulting link status per member]
Performance SLA: Link Health Monitor
• You can use up to two servers to test the quality of a link
• You can specify which SD-WAN members this SLA applies to
• Use the IP address or FQDN of a server located beyond the ISP gateway; probing the gateway itself only proves that the first hop is up, not that the path through the ISP works

Network > Performance SLA

Available protocols through the CLI:
  ping       PING link monitor
  http       HTTP-GET link monitor
  tcp-echo   TCP echo link monitor
  udp-echo   UDP echo link monitor
  twamp      Two-Way Active Measurement Protocol
Link Quality Measurements
• The status check also measures the link quality of each member interface based on latency, jitter, and packet loss percentage

[Figure: Network > Performance SLA shows a graphical representation of packet loss, jitter, and latency per member]
Performance SLA: SLA Targets
• You can specify multiple SLA targets in one performance SLA
• SLA targets are only used when referenced by an SD-WAN rule
• The check interval, failure threshold (consecutive failed checks before the link is marked down), and recovery threshold (consecutive successful checks before it is marked up again) are used to prevent flapping
• You can select any of the recommended values to set SLA targets

Network > Performance SLA

[Figure: the Update static route option automatically disables static routes for inactive interfaces, and restores the routes on interface recovery]
SD-WAN Performance SLA CLI Configuration
• The CLI exposes status check protocols that are not available on the GUI
• Warning and alert thresholds for the different link quality measurement metrics can be configured on the CLI
• Multiple SLA targets with different values can be configured on the GUI and the CLI

# config system virtual-wan-link
# set status enable
# config health-check
# edit <name>
# set server <ip or fqdn> [<ip or fqdn>]
# set protocol [ ping | tcp-echo | udp-echo | http | twamp ]
# set threshold-warning-packetloss <percentage>
# set threshold-alert-packetloss <percentage>
# set threshold-warning-latency <ms>
# set threshold-alert-latency <ms>
# set threshold-warning-jitter <ms>
# set threshold-alert-jitter <ms>
# config sla
# edit <id>
# set link-cost-factor [latency | jitter | packet-loss]
# set latency-threshold <integer> (0 - 10000000)
# set jitter-threshold <integer> (0 - 10000000)
# set packetloss-threshold <integer> (0 - 100)
# next
# end
# next
# end
# end
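A concrete instance of the template above, added here as an example and not taken from the deck. The health check name, the two probe addresses (TEST-NET ranges standing in for real servers beyond the ISP gateway), the member IDs 1 and 2, and every numeric value are assumptions chosen to show how the flap-dampening settings, the warning/alert thresholds, and the SLA target relate to each other. Lines starting with "#" are annotations, not CLI input.

```fortios
config system virtual-wan-link
    set status enable
    config health-check
        edit "Internet_Ping"
            # Two probe targets beyond the ISP gateway (assumed addresses),
            # so the check measures the path, not just the first hop
            set server "198.51.100.10" "203.0.113.10"
            set protocol ping
            # Probe interval; in FortiOS 6.2 this is in milliseconds
            # (assumption for your build: confirm with "set interval ?")
            set interval 500
            # Flap dampening: 5 consecutive failures mark the link down,
            # 10 consecutive successes are needed before it is used again
            set failtime 5
            set recoverytime 10
            # Withdraw this member's static routes while it is down
            set update-static-route enable
            # Apply the check to both SD-WAN members
            set members 1 2
            # Warning/alert thresholds generate events; by themselves
            # they do not move traffic. Alert is set above warning.
            set threshold-warning-latency 100
            set threshold-alert-latency 200
            set threshold-warning-jitter 20
            set threshold-alert-jitter 40
            set threshold-warning-packetloss 2
            set threshold-alert-packetloss 5
            # SLA target 1: the pass/fail condition that a
            # "lowest cost (SLA)" rule can reference
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
end
```

With these values a link is not declared down until 2.5 seconds of consecutive probe failures, and a link that recovers has to pass for 5 seconds before rules are allowed to move traffic back onto it; that asymmetry is what keeps a marginal link from bouncing sessions back and forth.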
Knowledge Check
1. Which one of the following link attributes is used in SD-WAN link quality
measurements?
A. Cost
B. Latency

2. Which of the following status check protocols is only available from the CLI?
A. TCP-Echo
B. HTTP

SD-WAN Rules
Objectives
• Identify SD-WAN rule matching criteria
• Configure dynamic link selection based on link quality
SD-WAN Rules
Network > SD-WAN Rules
• Route traffic through the member interface with the best link quality
• Link quality is measured based on latency, jitter, or packet loss percentage
• Rules can match traffic based on:
  • Source IP address, destination IP address, or port number
  • Internet services database (ISDB) address object
  • Application
  • Users or user groups
  • Type of service (ToS)

[Figure: an SD-WAN rule in which Skype traffic is dynamically routed to the member interface with the least amount of latency]
SD-WAN Rules: Internet Services and Applications
• The destination of a rule can be an Internet Service (ISDB entry) or a firewall application
• Using an Internet Service object is the easiest way to match a well-known application, because the ISDB entry already carries that service's IP ranges and ports

Network > SD-WAN Rules
SD-WAN Rules: Manual
Network > SD-WAN Rules
• Select the interface to send matching traffic out from; no link quality measurement is involved
SD-WAN Rules: Best Quality
Network > SD-WAN Rules
• The rule selects the member with the best measured quality for the chosen criterion

Link Quality = (a*latency) + (b*jitter) + (c*packet loss) + (d/bandwidth)

The member with the lowest value is preferred: lower latency, jitter, and packet loss, and higher bandwidth, all reduce it. The weights a, b, c, and d depend on the quality criterion selected in the rule.
SD-WAN Rules: Lowest Cost (SLA)
Network > Performance SLA, Network > SD-WAN Rules
• The rule references one or more SLA targets from a performance SLA; traffic uses a member that meets the target, and moves to another member when the target is no longer met
SD-WAN Rules
• SD-WAN rules are evaluated in the same way as firewall policies: from top to bottom, using the first match
• Application-specific rules sit above the implicit rule, which catches everything that no explicit rule matched

Network > SD-WAN Rules
SD-WAN Rules
• SD-WAN rules are treated as policy-based routes and appear as such in Monitor > Routing Monitor
• Policy routes are consulted before the regular routing table, so a matching SD-WAN rule decides the egress member before the equal-cost default routes are ever considered
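The three rule strategies from the slides above, written out in FortiOS 6.2 CLI as an added example (not from the deck). It assumes a health check named "Internet_Ping" with SLA target 1 applied to members 1 and 2, and the address objects LAN_subnet, Mgmt_host, and Business_app; all of these names are assumptions. Rules are evaluated top to bottom, first match, so the narrow manual rule comes first. Lines starting with "#" are annotations, not CLI input.

```fortios
config system virtual-wan-link
    config service
        # Rule 1, manual: SSH to the management host always leaves via member 1
        edit 1
            set name "Mgmt_SSH_port1"
            set mode manual
            set src "LAN_subnet"
            set dst "Mgmt_host"
            set protocol 6
            set start-port 22
            set end-port 22
            set priority-members 1
        next
        # Rule 2, best quality: voice/video marked DSCP EF (ToS byte 0xb8,
        # mask 0xfc keeps only the DSCP bits) follows the member with the
        # lowest latency measured by the Internet_Ping check
        edit 2
            set name "Voice_Lowest_Latency"
            set mode priority
            set src "LAN_subnet"
            set dst "all"
            set tos 0xb8
            set tos-mask 0xfc
            set health-check "Internet_Ping"
            set link-cost-factor latency
            set priority-members 1 2
        next
        # Rule 3, lowest cost (SLA): the business app uses a member that
        # meets SLA target 1 of Internet_Ping; member 2 is preferred and
        # traffic moves to member 1 when member 2 stops meeting the target
        edit 3
            set name "Business_App_SLA"
            set mode sla
            set src "LAN_subnet"
            set dst "Business_app"
            config sla
                edit "Internet_Ping"
                    set id 1
                next
            end
            set priority-members 2 1
        next
    end
end
```

Anything not matched by these three rules falls through to the implicit rule and is load balanced by the algorithm configured on the SD-WAN interface. Because rules are policy routes, a mistake in rule order (for example, a broad manual rule above the SLA rule) silently pins traffic to one link regardless of its measured quality, so check the order in the rule list and confirm the selected member with the diagnostics in the next section.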
Knowledge Check
1. Which of the following is an SD-WAN rule matching parameter for traffic sources?
A. User groups
B. IPS signatures

2. You can configure SD-WAN rules to choose the egress interface based on which
one of the following parameters?
A. Weight
B. Latency

SD-WAN Diagnostics
Objectives
• Monitor SD-WAN link usage
• Monitor SD-WAN link quality status
• Verify SD-WAN traffic routing
SD-WAN Usage Monitor
• Real-time SD-WAN usage monitor
• View SD-WAN traffic distribution by bandwidth, volume, or session

Network > SD-WAN

[Figure: the usage monitor shows, per member interface, the bandwidth utilization, the volume of traffic sent and received, and the number of sessions passing through]
SD-WAN Link Status Monitoring
• Network > Performance SLA shows the current status and measured quality of each member
• Log & Report > System Events records link status changes
Verify SD-WAN Traffic Routing
• Use the Forward Traffic logs or the packet capture tool to verify traffic routing

Log & Report > Forward Traffic

The filter matches any packet with the SYN flag set on port 443 (HTTPS), so the sniffer output shows both the initial SYN packets and the SYN-ACK replies. Verbosity level 4 adds the interface name to each line, which is what tells you which SD-WAN member carried each session.

# diagnose sniffer packet any 'tcp[13]&2==2 and port 443' 4

5.455914 port1 out 192.168.1.254.59785 -> 192.168.1.11.443: syn 457459
5.455930 port2 out 192.168.1.11.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port2 out 192.168.1.32.49573 -> 192.168.1.25.443: syn 927943
5.456043 port1 out 192.168.1.21.54711 -> 192.168.1.114.443: syn 930863
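The CLI commands a practitioner would run, in order, to confirm that a rule is steering traffic the way the configuration intends. This is an added example and not part of the deck; the commands are standard FortiOS 6.2 diagnostics, and the tightened sniffer filter (SYN set, ACK clear, destination port only) is an assumption that the FortiOS sniffer accepts this tcpdump-style mask, which the page's own "tcp[13]&2==2" filter suggests. Lines starting with "#" are annotations, not CLI input.

```fortios
# 1. Per-member health-check results: latency, jitter, packet loss,
#    and whether each SLA target currently passes
diagnose sys virtual-wan-link health-check

# 2. Per-rule state: which member each SD-WAN rule has selected right now.
#    If a rule shows the "wrong" member, compare with step 1 before touching
#    the rule; the link may simply be failing its SLA target.
diagnose sys virtual-wan-link service

# 3. Member list with gateway and status (alive/dead)
diagnose sys virtual-wan-link member

# 4. SD-WAN rules as policy routes: these are matched before the routing table
diagnose firewall proute list

# 5. The per-member equal-cost routes behind the sd-wan default route;
#    a member marked down with "update static route" enabled disappears here
get router info routing-table all

# 6. Capture only the initial SYN (SYN set, ACK clear) to 443, verbosity 4
#    so each line carries the egress interface name; a session pinned by a
#    manual rule must always appear on the same member
diagnose sniffer packet any 'tcp[13]&18==2 and dst port 443' 4
```

Steps 1 and 2 answer "why did SD-WAN choose that link"; steps 4 to 6 answer "did the packets really go there". Checking both sides matters because a firewall policy written against an individual member instead of virtual-wan-link, or a leftover static route on a member, will quietly override what the SD-WAN rule output shows.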
Knowledge Check
1. Which of the following should be used to monitor the session distribution across
the SD-WAN member interfaces?
A. SD-WAN Link Status monitor
B. SD-WAN Usage monitor

2. When verifying SD-WAN traffic routing with the CLI packet capture tool,
which verbosity level should you use?
A. 1
B. 4

Review
✓ Identify use cases for SD-WAN
✓ Identify the implementation requirements for SD-WAN
✓ Configure the SD-WAN virtual link and load balancing
✓ Configure static routes and firewall policies for SD-WAN
✓ Configure the SD-WAN status check
✓ Identify how FortiGate measures link quality
✓ Identify SD-WAN rule matching criteria
✓ Configure dynamic link selection based on link quality
✓ Monitor SD-WAN link usage
✓ Monitor SD-WAN link quality status
✓ Verify SD-WAN traffic routing
