104-SDWAN Lab

Uploaded by

eshensanjula2002
SD-WAN Lab:

WAN-1 Gateway: 192.168.1.254
WAN-2 Gateway: 192.168.2.254
WAN-1 Port: Port1
WAN-2 Port: Port2
Server to Check: 8.8.8.8 and 1.1.1.1
Protocols to Use: Ping
SD-WAN Zone: SDWAN-ZONE
SD-WAN Members: Port1 and Port2
SD-WAN Load Balance Method: source-dest-ip-based

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


SD-WAN Zones:
Go to Network > SD-WAN Zones. Click Create New > SD-WAN Zone.

Name the new SD-WAN zone, in this case SDWAN-ZONE, and click OK to create it.

The new SD-WAN zone is ready; however, it shows as down because it has no interface yet.



SD-WAN Members:
Go to Network > SD-WAN Zones. Click Create New > SD-WAN Member.

Set the Interface to WAN-1. Change the SD-WAN Zone to the SDWAN-ZONE created earlier.
Set the Gateway to 192.168.1.254. Leave the Cost as 0. Leave the Priority as 1. Set Status to
Enable, and click OK.

Repeat the above steps for WAN-2, setting Gateway to the ISP's gateway: 192.168.2.254.



Finally, both ISP interfaces are added to SDWAN-ZONE, and the zone now shows as up and green.

Adding Static Route:


Go to Network > Static Routes. Click Create New. The New Static Route page opens. Set
Destination to Subnet, and leave the IP address and subnet mask as 0.0.0.0/0.0.0.0. From the
Interface drop-down list, select SD-WAN. Ensure that Status is Enabled. Click OK.



SD-WAN Algorithm:
FW1 # config system sdwan
FW1 (sdwan) # set load-balance-mode source-dest-ip-based
FW1 (sdwan) # end

Firewall Policies for SD-WAN:


Go to Policy & Objects > Firewall Policy. Click Create New. The New Policy page opens. Set the
name, incoming interface, outgoing interface, source, destination, schedule, service, and action
details as below, enable the policy, then click OK.



Testing and Verification:
Let’s ping two different outside IPs, in this case 8.8.8.8 and 1.1.1.1, from the internal LAN PC.

Let’s run this command: diagnose sniffer packet any icmp 4. The output shows that traffic is using both interfaces.

This can also be verified under Log & Report > Forward Traffic.



SD-WAN Rules:
Go to Network > SD-WAN > SD-WAN Rules. When creating a new SD-WAN rule, or editing an
existing SD-WAN rule, use the Source and Destination sections to identify traffic, and use the
Outgoing interfaces section to configure WAN intelligence for routing traffic.

If the traffic is destined for DNS: 1.1.1.1, it will use the WAN-1 link.



Let’s go again to Network > SD-WAN > SD-WAN Rules. Create a new rule for the rest of the traffic.

If the traffic is from any source going to any destination other than DNS: 1.1.1.1, it will go to WAN-2.

The order of the rules matters: first it checks whether the traffic is destined for 1.1.1.1, in which case it uses WAN-1.



Testing and Verification:
Let’s ping two different outside IPs, in this case 8.8.8.8 and 1.1.1.1, from the internal LAN PC.

Navigate to Log & Report > Forward Traffic. Here you can see that traffic destined for
DNS: 1.1.1.1 used the WAN-1 link, while the rest of the traffic used the WAN-2 link.

Let’s run this command: diagnose sniffer packet any icmp 4. The output shows that traffic is using both interfaces.
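The two sniffer checks above (load balancing across both links, then rule-based steering of 1.1.1.1 to WAN-1 and everything else to WAN-2) can be verified mechanically instead of by eye. The following is an added example, not part of the original lab: it tallies which WAN port each echo request left on and flags anything that contradicts the rule order. The sample capture, the LAN interface port3 and all host addresses in it are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `diagnose sniffer packet any icmp 4` output.
# port3 (LAN), 10.0.1.10 and the 192.168.x.1 WAN addresses are assumptions.
SAMPLE = """\
interfaces=[any]
filters=[icmp]
1.204511 port3 in 10.0.1.10 -> 1.1.1.1: icmp: echo request
1.204630 port1 out 192.168.1.1 -> 1.1.1.1: icmp: echo request
1.219874 port1 in 1.1.1.1 -> 192.168.1.1: icmp: echo reply
1.219950 port3 out 1.1.1.1 -> 10.0.1.10: icmp: echo reply
2.310022 port3 in 10.0.1.10 -> 8.8.8.8: icmp: echo request
2.310140 port2 out 192.168.2.1 -> 8.8.8.8: icmp: echo request
2.331907 port2 in 8.8.8.8 -> 192.168.2.1: icmp: echo reply
2.332001 port3 out 8.8.8.8 -> 10.0.1.10: icmp: echo reply
"""

LINE = re.compile(
    r"^\d+\.\d+\s+(?P<ifc>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo request"
)

def egress_by_destination(text, wan_ports=("port1", "port2")):
    """Count echo requests leaving each WAN port, keyed by destination IP."""
    seen = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m["dir"] == "out" and m["ifc"] in wan_ports:
            seen[m["dst"]][m["ifc"]] += 1
    return {dst: dict(ports) for dst, ports in seen.items()}

def steering_violations(observed, rules, default_port):
    """Return (dst, port) pairs that left on a port the rule order does not allow.
    rules: ordered (destination, port) pairs; first match wins, else default_port."""
    bad = []
    for dst, ports in observed.items():
        want = next((p for d, p in rules if d == dst), default_port)
        bad += [(dst, p) for p in ports if p != want]
    return sorted(bad)

if __name__ == "__main__":
    obs = egress_by_destination(SAMPLE)
    print(obs)
    print(steering_violations(obs, [("1.1.1.1", "port1")], "port2"))
```

For the plain load-balancing test, seeing both port1 and port2 appear across the destinations in the first result is the pass condition; the violation check applies only once the SD-WAN rules are in place.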



Performance SLAs:
Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.

Enter a name for the SLA and select a protocol. In the Server field, enter the detection server IP
address, 8.8.8.8 in this case. In the Participants field, select both wan1 and wan2 or All SD-WAN
Members. Enable SLA Targets and configure the settings as per your requirements. Configure
the remaining settings as needed, then click OK.



Let’s delete the previously created SD-WAN rules and create a new rule that uses the Performance SLA.

Go to Network > SD-WAN > SD-WAN Rules. Create a new SD-WAN rule. Name the rule, in this
case SDWAN-Rule, set the source address to all, set the destination to all, set the protocol
number to ANY, and leave Internet Service and Application as they are.



Set the Outgoing Interfaces to Maximize Bandwidth (SLA), set the Interface preference to WAN-1 and WAN-2
in order, choose the previously configured SLA under Required SLA target, and click OK.

Testing and Verification:


Let’s ping an outside IP, in this case 8.8.8.8, from the internal LAN PC and run a traceroute.
This PC is using the WAN-2 link, as shown in the traceroute output.



Let’s suspend the WAN-2 link and see the result back on the internal LAN PC.

Verifying again, this time the traffic is diverted to the WAN-1 link.

Let’s enable WAN-2 again, this time changing the Delay, Jitter and Packet Loss.



This can be verified under Network > SD-WAN > Performance SLAs tab.

Verifying again, the traffic is once more diverted to the WAN-1 link because of the packet loss, latency and jitter.
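To make the failover above concrete, here is an added example (not from the original lab, and not FortiOS's own algorithm) that models how a window of ping probes toward 8.8.8.8 turns into latency, jitter and packet-loss figures, and how a degraded member drops out of the set that meets the SLA. The SLA targets, the probe values and the jitter formula are constructed assumptions.

```python
from statistics import mean

# Constructed SLA targets; the lab leaves these "as per your requirements".
SLA = {"latency_ms": 100.0, "jitter_ms": 30.0, "loss_pct": 5.0}

# Constructed ping probe results toward 8.8.8.8 per member
# (RTT in ms, None = no reply). port2 imitates the impaired WAN-2 link.
PROBES = {
    "port1": [22.1, 23.4, 21.9, 22.8, 23.0, 22.5, 21.7, 22.9, 23.3, 22.2],
    "port2": [180.5, None, 240.2, 150.9, None, 310.4, 175.0, None, 290.8, 160.3],
}

def link_metrics(rtts):
    """Latency, jitter and loss for one member from a window of probe RTTs."""
    replies = [r for r in rtts if r is not None]
    loss = 100.0 * (len(rtts) - len(replies)) / len(rtts)
    if not replies:
        return {"latency_ms": None, "jitter_ms": None, "loss_pct": loss}
    # Assumption: jitter = mean absolute difference between consecutive replies.
    deltas = [abs(b - a) for a, b in zip(replies, replies[1:])]
    return {"latency_ms": mean(replies),
            "jitter_ms": mean(deltas) if deltas else 0.0,
            "loss_pct": loss}

def meets_sla(metrics, sla=SLA):
    """A member with no replies never meets the SLA; otherwise every target must hold."""
    if metrics["latency_ms"] is None:
        return False
    return all(metrics[k] <= sla[k] for k in sla)

def usable_members(probes, preference=("port1", "port2"), sla=SLA):
    """Members that currently meet the SLA, kept in interface-preference order."""
    return [m for m in preference
            if m in probes and meets_sla(link_metrics(probes[m]), sla)]

if __name__ == "__main__":
    for member, rtts in PROBES.items():
        print(member, link_metrics(rtts))
    print("meeting SLA:", usable_members(PROBES))
```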
