I am building a Fortinet Fortigate SD-WAN lab using a few VM64-KVM FortiOS 6.4.4 which you can download from the Fortinet website. This will be a series of blogs starting from the most basic to advanced concepts. I am starting off with a basic SD-WAN setup per site using all the available WAN links to connect to the internet.
When building a Fortinet SD-WAN network, in this lab prior to setting up group policies and default route it’s important to add the member WAN interfaces to the SD-WAN interface. Having the NAT rules and default route applied on the interface will prevent you from adding these interfaces as a member.
Select Network > SD-WAN Zones > Create New > SD-WAN Member
Interfaces with firewall policies applied won’t show up under the interface section, hence its critical that this will be the first step. Click Interface > Select the WAN port to add > leave Cost as 0 > click Ok.
Repeat the process to add the additional WAN port as part of the SD-WAN interface. Once you’re done, click the virtual-wan-link to see all the interfaces added.
Add the default route, go to Network > Static Routes > Create New > under Interface select SD-WAN
This allows the Fortigate to use SD-WAN rules to determine outgoing interface between the members of the SD-WAN interface based on set criteria. Go to SD-WAN Rules > Named it as “LAB” > Source address: all > Destination > Address: all > Outgoing Interfaces: Best Quality > Interface preference: port1, WAN2(port2) > Measured SLA: Default_Gmail > Quality criteria: Latency.
For simplicity sake of setting up the most basic lab, I’ve selected Best Quality as the rule, and pre-set SLA and Quality criteria. Do not mind WAN2(port2) as down, I have not set up the second network as off yet at the time of writing. The rule just enables the fortigate to measure the link based on jitter using the gmail server to test the performance which has a threshold of 250ms.
Lastly, create the Firewall policy to allow users to access the internet and anything beyond the LAN. Policy and Objects > Firewall Policy > enter a name (I’ve named mine Internet > Incoming interface: LAN interface > Outgoing interface: virtual-wan-link (SD-WAN) > Source: all > Destination: all > Service: ALL. Keep everything as default then click OK.
This is pretty much the very foundation of building SD-WAN on a Fortigate firewall. Perform the same steps on the other fortigate in your lab. In the next blog, I will take you through building a simple Hub and Spoke network using the IPSec VPN wizard.