Rules
Two configuration sections:
    Matching traffic criteria: define the pattern, ISDB entry, and application to match
    Forward Policy:
        Select preferred egress members and zones
        Strategy
        Required member performance metrics
Rules are evaluated in descending order
Rules are used to steer traffic: a firewall policy is still required
Implicit rule:
    Used if no user-defined rule is matched
    Traffic is usually load balanced

Default and Gateway Rule Settings
By default, SDWAN rules are skipped if the best route to the destination isn't via an SDWAN member. Enable default to skip the best-route check for SDWAN rules.
SDWAN rules are also skipped if none of the members configured in the rule have a valid route to the destination. Enable gateway to skip the FIB lookup for the SD-WAN rule: the gateway detected for the member is used instead.
# Default = disable
config system sdwan
    config service
        edit <id>
            set gateway enable
            set default enable
        next
    end
end
Consider Best Route for Preferred Member
By default, during the SDWAN rule lookup, the Fortigate checks the member routes twice:
    When looking for a matching rule: SDWAN rules are skipped if the best route to the destination isn't via an SDWAN member
    After the rule is matched: SDWAN rules are skipped if none of the members configured in the rule have a valid route to the destination => the preferred member doesn't have to hold the best route to the destination, it just needs a valid route to it.
The Fortigate can also be configured to consider as preferred members only those with the best route to the destination.
Implicit Rule and Load Balancing
If none of the user-defined SDWAN rules are matched, the implicit rule is used, which means standard FIB routing
SDWAN sites usually have ECMP routes -> sessions are load balanced
Load Balancing Algorithms:
Source IP (default): Traffic from a source is sent to the same member
Sessions: The higher the member weight, the more sessions are sent to it
Spillover: Send sessions to first member until spillover limit is reached, then send to next member
Source-Destination IP: Traffic from a source IP to a destination IP is sent to the same member
Volume: The higher the member weight, the more traffic is sent to it
System Settings Algorithm vs Implicit Rule Algorithm
Both v4-ecmp-mode and load-balance-mode control the VDOM ECMP algorithm
load-balance-mode replaces v4-ecmp-mode once SDWAN is enabled
Differences:
load-balance-mode supports the volume algorithm, v4-ecmp-mode does not
load-balance-mode uses the weight defined under the SDWAN member configuration, v4-ecmp-mode uses the weight defined in the static route
load-balance-mode uses the spillover thresholds defined under the SDWAN member configuration, v4-ecmp-mode uses the spillover thresholds defined in the interface settings
Use SDWAN for Local-Out Traffic
By default, local-out traffic doesn't use SDWAN
Enable SDWAN for system DNS
The interface select method is available on multiple features:
config system dns | ntp | sflow | netflow
config system central-management
config system fortiguard
config user radius | ldap | fsso
config log fortianalyzer setting
config log syslogd setting
Enable SDWAN for ping and traceroute
execute ping-options sdwan
execute traceroute-options sdwan
Strategies
Define:
    Requirements for preferred members
    Single- or multiple-member traffic distribution
Preferred members:
    Best candidates to steer traffic
    Are used only if they have a valid route to the destination
Member selection:
    Manual: configuration order-based preference
    Best Quality: best performing member based on the quality criteria
    Lowest Cost (SLA): member that meets the SLA target (tiebreakers: cost and priority)
    Maximum Bandwidth (SLA): members that meet the SLA target; traffic is load balanced across them
Troubleshooting
Check status of SDWAN rule: diagnose sys sdwan service
Check rule settings from policy route standpoint: diagnose firewall proute list