Lab 12

Prerequisites

Before you begin this lab, you must restore a configuration file on Local-FortiGate.

To restore the Local-FortiGate configuration file


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. In the upper-right corner, click admin, and then click Configuration > Revisions.

3. Click + to expand the list.

4. Select the configuration with the comment Local-SD-WAN, and then click Revert.
5. Click OK to reboot.

Configuring SD-WAN
In this exercise, you will configure a basic DIA setup using the FortiGate GUI. You will
create a zone for port1 and port2 on Local-FortiGate, and then configure SD-WAN rules to
steer traffic for critical and non-critical internet applications.

Remove Interface References


Before you can add port1 and port2 as SD-WAN member interfaces, you must remove all
firewall policies that reference the two interfaces.

Take the Expert Challenge!

On the Local-FortiGate GUI (admin/password), remove all firewall policies that reference port1 and port2.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Configure a Zone and Members for DIA on page 1.

To remove interface references

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Select the Full_Access policy, and then click Delete.
4. Click OK to confirm the deletion.

Configure a Zone and Members for DIA


You will configure the underlay zone, and then add port1 and port2 as members.

Take the Expert Challenge!

On the Local-FortiGate GUI (admin/password), complete the following:

- Configure an SD-WAN Zone named underlay.
- Configure SD-WAN members with the following configuration, and add them to the underlay zone:
  - port1 with Gateway 10.200.1.254
  - port2 with Gateway 10.200.2.254

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Configure a Performance SLA on page 1.

To create an SD-WAN zone

1. Continuing on the Local-FortiGate GUI, click Network > SD-WAN > SD-WAN Zones.
2. Click Create New > SD-WAN Zone.
3. In the Name field, type underlay.
4. Click OK.
5. Click Create New > SD-WAN Member.
6. Configure the following settings:

   Field        Value
   Interface    port1
   SD-WAN Zone  underlay
   Gateway      10.200.1.254
   Status       Enabled

7. Click OK.
8. Click Create New > SD-WAN Member.
9. Configure the following settings:

   Field        Value
   Interface    port2
   SD-WAN Zone  underlay
   Gateway      10.200.2.254
   Status       Enabled

10. Click OK.
11. On the SD-WAN Zones tab, expand the underlay zone.

Your page should look similar to the following example:

port1 and port2 are members of the underlay zone. The default SD-WAN zone virtual-wan-link has no members, and therefore is represented with a red icon.

Configure a Performance SLA


You will configure a performance SLA for monitoring the health of port1 and port2.

To configure a performance SLA

1. Continuing on the Local-FortiGate GUI, click Network > SD-WAN, and then click the Performance SLAs tab.
2. Click Create New to add a performance SLA.
3. Configure the following settings:

   Field         Value
   Name          Level3_DNS
   Server        4.2.2.1. Click +, and then type 4.2.2.2.
   Participants  Click Specify, and then select port1 and port2.

4. Click OK to save the settings.
5. Click Network > SD-WAN, and then click the Performance SLAs tab to refresh the page.

The page should show that port1 and port2 are up (green up arrow).

FortiGate can reach the detect server through port1 and port2, and displays a green arrow for Packet Loss, Latency, and Jitter.

6. To check the routing table, click Dashboard > Network, and then click the Static & Dynamic Routing widget.

Your page should look similar to the following example:

Stop and think!

There are no routes to 4.2.2.1 and 4.2.2.2, yet the performance SLA shows that port1 and port2 are up. Why?

To route the health check probes, FortiOS installs special routes in the forwarding information base (FIB) using the gateway information of members. These routes are not displayed in the routing table, but you can enter the get router info kernel CLI command to see them.

Configure Rules
You will configure two SD-WAN rules. One rule will be used to steer the traffic of critical
applications. The other rule will be used to steer the traffic of non-critical applications. Both
rules will use manual mode.

By default, application detection for SD-WAN rules is not visible on the GUI. This feature has been enabled for you on the Local-FortiGate GUI.

The commands to enable the visibility of application detection for SD-WAN rules are:

config system global
    set gui-app-detection-sdwan enable
end

To configure rules

1. Continuing on the Local-FortiGate GUI, click Network > SD-WAN, and then click the SD-WAN Rules tab.
2. Click Create New to add a rule.
3. Configure the following settings:

   Field                 Value
   Name                  Critical-DIA
   Source address        LOCAL_SUBNET
   Internet service      Select Slack-Slack and Dropbox-Web.
   Application           Select Bloomberg.
   Outgoing Interfaces   Select Manual.
   Interface preference  Select port1, and then select port2.

You can combine the traffic detection for Internet service and Application in the same rule.

When you select Internet service, FortiGate uses the Internet Service Database (ISDB) list of IP addresses and protocols for each application. The FortiGuard server regularly updates and loads this list on FortiGate.

When you select Application, FortiGate detects the application according to the first packets exchanged with the initial session.

Your page should look similar to the following example. Note that you might not be able to
view the application icons at this stage.
4. Click OK to save the settings.
5. Repeat the previous steps to configure a rule for non-critical traffic using the following settings:

   Field                 Value
   Name                  Non-Critical-DIA
   Source address        LOCAL_SUBNET
   Application           Select Apps, and then select Addicting.Games. Select Category, and then select Social.Media.
   Outgoing Interfaces   Select Manual.
   Interface preference  Select port2.

6. Click OK to save the settings.
7. Continuing on the SD-WAN Rules tab, double-click the implicit sd-wan rule.
8. Select the Source-Destination IP load balancing algorithm.
9. Click OK to save the settings.

Your page should look similar to the following example:

Stop and think!

port1 is the preferred member for rule 1, and port2 is the preferred member for rule 2. Why?

port1 is the preferred member for rule 1 because it is configured first in the list and it is alive. port2 is the preferred member for rule 2 because it is the only member for this rule and it is alive.
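The zone, members, performance SLA and both rules configured above through the GUI, expressed as FortiOS CLI. This is an added example, not text from the lab guide; it assumes FortiOS 7.x CLI syntax and member IDs 1 (port1) and 2 (port2), and omits the application-based matches because they require numeric application IDs that the lab does not list.

```fortios
# Added example (not from the lab guide): FortiOS 7.x CLI equivalent of the GUI steps.
# Assumes member IDs 1 and 2 are free; application IDs are not given in the lab and are omitted.
config system sdwan
    set status enable
    # Implicit rule: load balance unmatched sessions by source and destination IP
    set load-balance-mode source-dest-ip-based
    config zone
        edit "underlay"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "underlay"
            set gateway 10.200.1.254
        next
        edit 2
            set interface "port2"
            set zone "underlay"
            set gateway 10.200.2.254
        next
    end
    config health-check
        edit "Level3_DNS"
            set server "4.2.2.1" "4.2.2.2"
            # Participants: port1 and port2
            set members 1 2
        next
    end
    config service
        edit 1
            set name "Critical-DIA"
            set mode manual
            set src "LOCAL_SUBNET"
            set internet-service enable
            set internet-service-name "Slack-Slack" "Dropbox-Web"
            # Interface preference: port1 first, then port2
            set priority-members 1 2
        next
        edit 2
            set name "Non-Critical-DIA"
            set mode manual
            set src "LOCAL_SUBNET"
            # Add the Addicting.Games and Social.Media matches here with
            # set internet-service-app-ctrl / set internet-service-app-ctrl-category
            # and the numeric application IDs (not listed in the lab)
            set priority-members 2
        next
    end
end
```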

Configure a Static Route and Firewall Policy


You will configure a static route and firewall policy for routing and allowing SD-WAN traffic.
Both objects will reference the underlay zone.

To create a static route for SD-WAN

1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Click Create New to add a static route.
3. Configure the following settings:

   Field        Value
   Destination  Subnet 0.0.0.0/0.0.0.0
   Interface    underlay

4. Click OK.

Your page should look similar to the following example:

You don't need to configure a gateway when you use an SD-WAN zone as the outgoing interface for a static route. FortiGate automatically uses the gateway configured for each interface of the SD-WAN zone.

Stop and think!

The static route table shows two routes: the default route through the SD-WAN zone underlay that you have configured, and a static route through port1 that was already configured. Is this a valid configuration?

Yes, this configuration is valid. You can configure static routes for each SD-WAN zone and routes for each SD-WAN member for additional granularity.

To create a firewall policy to allow DIA traffic

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Click Create New.
3. Configure the following settings:

   Field               Value
   Name                DIA
   Incoming Interface  port3
   Outgoing Interface  underlay
   Source              LOCAL_SUBNET
   Destination         all
   Schedule            always
   Service             ALL
   Action              Accept
   NAT                 Enable
   Security Profiles   Enable Application Control, and then select default. For SSL Inspection, select certificate-inspection.
   Logging Options     Enable Log Allowed Traffic, and then select All Sessions.

4. Click OK to save the settings.
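The static route and the DIA policy above, expressed as FortiOS CLI. This is an added example rather than the lab guide's own text; it assumes FortiOS 7.x CLI syntax and that the LOCAL_SUBNET address object and the certificate-inspection and default profiles already exist on Local-FortiGate, as the GUI steps imply.

```fortios
# Added example (not from the lab guide): FortiOS 7.x CLI equivalent of the
# static route and DIA policy. "edit 0" lets FortiOS assign the next free ID.
config router static
    edit 0
        set dst 0.0.0.0/0
        # No gateway: FortiGate uses each member's gateway and installs one
        # same-distance route per member (port1 and port2)
        set sdwan-zone "underlay"
    next
end
config firewall policy
    edit 0
        set name "DIA"
        set srcintf "port3"
        set dstintf "underlay"
        set srcaddr "LOCAL_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Security profiles: Application Control "default" with certificate inspection
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        # Log allowed traffic, all sessions
        set logtraffic all
        set nat enable
    next
end
```

With certificate-inspection, Application Control identifies TLS applications from the server certificate and SNI without decrypting payloads, which is what lets the SD-WAN logs later in this lab attribute Dropbox and Social-Media sessions to their rules.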

To review the routing table

1. Open an SSH session to Local-FortiGate.
2. Log in with the username admin and password password.
3. Enter the following command to verify the list of active routes in the routing table:

get router info routing-table all

4. Verify that both default routes, through port1 and port2, have the same distance value and are active in the routing table.

After you create a static route for an SD-WAN zone, FortiGate automatically adds individual routes, with the same distance value, for all member interfaces. This ensures that all routes are active in the routing table, which makes them eligible for traffic steering.

Exercise 2: Monitoring the SD-WAN Setup


In this exercise, you will generate internet traffic from the Local-Client VM. Next, you will
monitor DIA traffic distribution and logs using the SD-WAN tools available on the FortiGate
GUI.

Generate Internet Traffic From the Local-Client VM

You will generate internet traffic from the Local-Client VM using a script.

To generate internet traffic from the Local-Client VM

1. On the Local-Client VM, log in with the username Administrator and password password.
2. Open a terminal window, and then enter the following commands:

cd Desktop
sh traffic-generation.sh

Your output should look similar to the following example:

The Local-Client VM is generating various types of internet traffic.

The script takes about 2 minutes to complete, and then the terminal window displays Script was successfully completed. You can move to the next task while the script is running.

Monitor DIA Traffic Distribution


You will use the SD-WAN page on the FortiGate GUI to monitor the DIA traffic distribution.
Next, you will view the traffic logs to obtain additional details.

To monitor DIA traffic distribution

1. On the Local-FortiGate GUI, log in with the username admin and password password.

2. Click Network > SD-WAN, and then click the SD-WAN Zones tab.

3. Click Bandwidth to display SD-WAN distribution graphs based on bandwidth.

Your page should look similar to the following example:


The traffic distribution in this example may be different from yours.

4. Hover over each graph to display the bandwidth that each member (port1 and
port2) uses.

5. Click the Volume and Sessions graphs to explore them.

To monitor the performance SLAs

1. Click the Performance SLAs tab.

2. Click Latency to display a graph that shows the latency for the performance
SLA Level3_DNS monitored over the past 10 minutes.

Your page should look similar to the following example:

3. Notice the green arrows beside port1 and port2 in the Packet Loss, Latency,
and Jitter columns.

They indicate that the port is up and that the measured performances are within acceptable
values.

4. Click Packet Loss and Jitter to explore them.


To view SD-WAN traffic logs

1. On the Local-Client VM, confirm that the script completed successfully.

The terminal window should display The traffic was successfully generated .

2. On the Local-FortiGate GUI, click Log & Report > Forward Traffic.

3. Hover over the upper-left corner of the log table to display the table column settings
icon.

A gear icon is displayed.

4. Click the gear icon, select Destination Interface, select SD-WAN Quality, and
then select SD-WAN Rule Name.

5. Click Apply.

6. For the display time period, select 1 hour.

7. To simplify the view, beside a DNS log message, right-click DNS, and then select
the Not exact match filter.

Your page should look similar to the following example:


8. Browse the log table, and then confirm the following:

- Dropbox traffic matches the Critical-DIA rule, and uses port1.
- Social-Media (Facebook and Pinterest) traffic matches the Non-Critical-DIA rule, and uses port2.

Stop and think!

Logs for all other traffic (DNS, HTTP_BROWSER, and so on) show no information in the SD-WAN Quality and SD-WAN Rule Name columns. Why?

The traffic doesn't match any of the configured SD-WAN rules. As a result, it matches the implicit SD-WAN rule. The SD-WAN implicit rule load balances sessions based on the source and destination IP addresses and the FIB contents.

Check SD-WAN System Events


You will use the System Events log page on the FortiGate GUI to review some messages
related to SD-WAN activity.

To monitor SD-WAN system events


1. Continuing on the Local-FortiGate GUI, click Network > Interfaces.

2. Right-click port1, and then select Set Status > Disable.

3. Wait about 20 seconds, and then enable port1.

4. Click Log & Report > System Events.

5. In the upper-right corner, click the time selection list, and then select 1 hour to
display a summary of events in the past hour.

6. On the Summary page, scroll down, and then click the SD-WAN Events summary
widget to expand it.

7. Double-click a few messages to view the details.

8. Double-click the first Service will be redirected in sequence order message received, and then review the details.

You can see that FortiGate directs the traffic only to member 2 after you switched off port1.
9. Double-click the second Service will be redirected in sequence order message
received, and then review the details.

When both interfaces are back up, the member sequence order corresponds to the
configured order—member 1, and then member 2.

10. Close the Local-FortiGate GUI session and the terminal window on the Local-Client
VM.
