FortiGate SD-WAN Configuration: A Complete Guide for Network Professionals
In today's hybrid work environment, reliable and intelligent network connectivity is not just an advantage—it's a necessity. Fortinet's Software-Defined Wide Area Networking (SD-WAN) solution, integrated into FortiGate next-generation firewalls, provides a powerful framework for aggregating multiple network connections, steering traffic intelligently, and maintaining business continuity. This comprehensive guide distills essential configuration knowledge from Fortinet's official documentation across multiple FortiOS versions, providing network administrators with both foundational understanding and practical implementation steps.
The Core Architecture: Understanding SD-WAN Components
Before diving into configuration, it's crucial to understand the three fundamental building blocks of FortiGate SD-WAN, which form the intelligent traffic steering system.
1. SD-WAN Interface Members and Zones
SD-WAN Interface Members define your SD-WAN bundle—the interfaces where outgoing traffic can be potentially steered. Almost any interface supported by a FortiGate device can become an SD-WAN member, including:
- Physical ports and VLAN interfaces
- Link aggregation groups (LAGs)
- IPsec, GRE, or IPIP tunnels
- FortiExtender interfaces
For organizational convenience, SD-WAN Members are grouped into SD-WAN Zones. In a complete SD-WAN solution, all your WAN-facing underlays and overlays are typically configured as SD-WAN members. The selected FortiGate interfaces must be removed from any other configurations on the FortiGate before being added to the SD-WAN.
2. Performance SLA (Service Level Agreement)
Performance SLA constitutes the health-check probes that actively measure the health of each available path. You can define which server to probe and what protocol to use, including:
- Ping (ICMP)
- HTTP
- TCP/UDP Echo
- TWAMP (Two-Way Active Measurement Protocol)
- DNS
Each probe measures latency, jitter, and packet loss percentage over a configured subset of SD-WAN members. Multiple SLA Targets can be configured for each probe, allowing SD-WAN to determine which paths are acceptable for particular applications and which are "out of SLA."
3. SD-WAN Rules
SD-WAN Rules combine all elements together—these are the business rules that steer particular applications to specific SD-WAN members based on current health and SLA status. Each rule contains:
Matching Criteria: Defines what applications or traffic will match the rule using various inputs including:
- Signature-based L7 Application detection (Application Control Database)
- Dynamic feeds (Internet Service Database or ISDB)
- User Identity providers
- Information from dynamic routing (using Route-Tags)
- DSCP/ToS fields
- Traditional L3/L4 criteria
SD-WAN Strategy: Defines the logic for selecting an SD-WAN member:
- Best Quality: Selects the member with the best measured quality
- Lowest Cost (SLA): Selects the cheapest member that meets given SLA targets
- Manual: Manually specifies a member to select
- Load-Balance: Distributes traffic across multiple members or only those meeting SLA targets
SD-WAN rules are evaluated in order of configuration, similar to firewall rules, but serve complementary purposes: firewall rules define security, while SD-WAN rules define path selection. Every outgoing session must be permitted by a firewall rule after matching an SD-WAN rule.
Step-by-Step Configuration Guide
Phase 1: Initial Interface Configuration
The foundational step involves preparing interfaces before adding them to the SD-WAN bundle. Consider this example using a mix of static and dynamic IP addresses:
- Configure the WAN interfaces (e.g., wan1 and wan2)
- Set wan1 Addressing mode to DHCP and Distance to 10
- Important Note: By default, a DHCP interface has a distance of 5, while a static route has a distance of 10. For proper 50/50 load balancing, you must equalize these by setting the DHCP interface's distance to 10.
- Set wan2 IP/Netmask to 10.100.20.1/255.255.255.0 (or your specific static IP)
Phase 2: Enabling SD-WAN and Adding Members
- Navigate to Network > SD-WAN and set Status to Enable
- In the SD-WAN Interface Members table, click Create New
- Select wan1 as the interface
- For DHCP interfaces like wan1, leave Gateway as 0.0.0.0 (default)
- IPv6 Note: If IPv6 visibility is enabled, an IPv6 gateway can also be added for each member
- Leave Cost as 0 (the lowest possible value, used by Lowest Cost strategy)
- Set Status to Enable and click OK
- Repeat for wan2, setting Gateway to the ISP's gateway (e.g., 10.100.20.2)
- Click Apply to save changes
After configuration, SD-WAN Usage displays pie charts of usage per interface member, providing visual feedback on traffic distribution.
Phase 3: Configuring Performance SLA
- Navigate to Network > SD-WAN > Performance SLAs
- Click Create New to define a new health check
- Configure probe parameters:
  - Target server (manually specified or from FortiGuard database)
  - Protocol (Ping, HTTP, etc.)
  - SLA targets for latency, jitter, and packet loss
  - Member interfaces to monitor
- Set appropriate frequency and thresholds for your network requirements
Phase 4: Creating SD-WAN Rules
- Navigate to Network > SD-WAN > SD-WAN Rules
- Click Create New to define a new rule
- Configure matching criteria based on applications, users, or traffic characteristics
- Select the appropriate SD-WAN strategy for the traffic type
- Specify priority (lower numbers evaluated first)
- Configure fallback behavior for when preferred paths are unavailable
Advanced Configuration: SD-WAN Setup Wizard
For simplified deployment, FortiGate offers an SD-WAN Setup Wizard (available in FortiOS 7.6.5 with appropriate licensing) that guides you through configuring:
- Interface selection and zoning
- Networking parameters (gateway, cost, priority)
- Performance SLA configuration
- SD-WAN rule creation
The wizard supports a maximum of two interfaces and is ideal for straightforward deployments. After wizard completion, you must still configure a default static route for the newly created SD-WAN interface.
Wizard Workflow Overview:
- Interface Step: Create or select an SD-WAN zone, then add one or two interfaces
- Networking Step: Set gateway (dynamic or specified), cost, and fallback priority for each interface
- Performance SLA Step: Configure health checks using FortiGuard or manual servers
- Rule Step: Create service rules or opt to use the implicit rule
- Review Step: Verify all settings before applying
Key Considerations and Best Practices
Administrative Distance Management
Proper configuration of administrative distance is critical for predictable load balancing. The default distances are:
- DHCP interfaces: Distance 5 (with default gateway from server enabled)
- Static routes: Distance 10
For equal-cost load balancing between DHCP and static interfaces, adjust the DHCP interface distance to 10 to match static routes.
Implicit Rule Understanding
FortiGate SD-WAN includes an implicit rule that acts as a catch-all for traffic not matching any configured SD-WAN rules. This rule uses a "lowest cost" strategy by default. Understanding this implicit rule is essential for troubleshooting unexpected traffic paths.
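An added verification sequence for tracing which rule and member a flow actually used; these are not commands from the guide. It assumes the FortiOS 7.x `diagnose sys sdwan` tree (older releases use `diagnose sys virtual-wan-link`) and a zone and rule set up as in the phases above.

```fortios
# load-balance-mode governs how the implicit rule spreads sessions across the
# members it selects; source-ip-based keeps a given client on one member so
# that sessions do not bounce between paths between checks.
config system sdwan
    set load-balance-mode source-ip-based
end

# Current latency, jitter and packet loss per member for every health check,
# plus whether each member is inside or outside each SLA target.
diagnose sys sdwan health-check

# Each member with its gateway, cost and link status as SD-WAN sees it.
diagnose sys sdwan member

# Every configured rule, the members currently meeting its SLA and the order
# in which they would be chosen; a flow that matches no rule here falls to
# the implicit rule.
diagnose sys sdwan service

# Confirm the SD-WAN zone holds the default route and that no leftover static
# route with a lower distance is stealing traffic from it.
get router info routing-table all
```

Read the three diagnose outputs in that order when a path looks wrong: health-check tells you whether a member is out of SLA, member tells you whether it is up at all, and service tells you which rule (or the implicit one) is making the choice.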
Zone-Based Policies
Once SD-WAN members are created and added to a zone, the zone can be referenced in firewall policies, and the entire SD-WAN can be used in static routes. This abstraction simplifies policy management when dealing with multiple potential egress paths.
Session Continuity
A significant advantage of FortiGate SD-WAN is seamless failover—existing sessions can switch to different paths when network conditions change without disrupting user connectivity. This is particularly valuable for real-time applications like VoIP and video conferencing.
Frequently Asked Questions
What types of interfaces can be SD-WAN members?
Virtually any FortiGate interface type can be an SD-WAN member: physical ports, VLAN interfaces, link aggregation groups (LAGs), IPsec/GRE/IPIP tunnels, and even FortiExtender interfaces. The key requirement is that interfaces must be removed from other configurations before being added to SD-WAN.
How do Performance SLA probes work?
Performance SLA probes actively measure path health by sending test traffic to configured targets (servers). They measure latency (round-trip time), jitter (variation in latency), and packet loss percentage. Multiple SLA targets can be set per probe to define acceptable thresholds for different applications.
What's the difference between SD-WAN rules and firewall rules?
SD-WAN rules determine which path traffic takes, while firewall rules determine whether traffic is permitted and how it's secured. Both rule sets use similar matching criteria and evaluation order, but serve complementary functions in the traffic flow.
When should I use the SD-WAN Setup Wizard vs. manual configuration?
The SD-WAN Setup Wizard is ideal for simple deployments with up to two interfaces or for administrators new to FortiGate SD-WAN. Manual configuration provides greater flexibility for complex scenarios, multiple interfaces, advanced SLA targets, and granular rule creation.
How does the "Lowest Cost (SLA)" strategy work?
This strategy selects the cheapest SD-WAN member (lowest configured "Cost" value) that meets all defined SLA targets. If multiple members meet SLA requirements with equal cost, selection may be based on additional criteria or randomization for load distribution.
What happens if all Performance SLA probes fail?
When all monitored paths fail SLA targets, SD-WAN employs fallback behavior as configured in SD-WAN rules. Typically, this means using the implicit rule or lowest priority paths, ensuring connectivity persists even if at reduced performance levels.
This guide synthesizes configuration information from Fortinet documentation across FortiOS versions 6.2.0 to 7.6.5. Always reference the specific documentation for your FortiOS version when implementing configurations, as features and interfaces may vary between releases.