As organizations grow increasingly reliant on cloud-based services and distributed networks, traditional WAN architectures can no longer keep up with the demand for speed, flexibility, and resilience. That’s where FortiGate SD-WAN comes in—a software-defined solution that transforms your WAN infrastructure into a dynamic, intelligent network capable of delivering application-aware routing, better performance, and significant cost savings.
In this guide, we’ll walk through everything you need to know to successfully configure SD-WAN on your FortiGate firewall, from core concepts to advanced settings that can fine-tune performance across multiple WAN links.
Table of Contents
What is FortiGate SD-WAN?
FortiGate SD-WAN is an integrated feature in Fortinet’s next-generation firewalls that replaces traditional WAN routing with a more agile, policy-based system. It allows you to:
- Combine multiple internet or MPLS links into a single virtual interface
- Route traffic dynamically based on application, performance metrics, or business intent
- Monitor real-time link health (latency, jitter, packet loss)
- Optimize bandwidth usage and failover with minimal downtime
Why Use FortiGate SD-WAN?
Here are some of the top reasons organizations switch to FortiGate SD-WAN:
- Improved performance for cloud and SaaS applications (like Microsoft 365, Zoom, and Salesforce)
- Lower WAN costs by replacing expensive MPLS with broadband or LTE
- Centralized management with FortiManager and FortiAnalyzer
- Built-in security with unified threat protection
Before You Begin: Requirements
To follow this configuration guide, ensure you have:
- A FortiGate appliance with FortiOS 6.2 or higher (FortiOS 7.x recommended)
- At least two WAN interfaces (e.g., ISP1 and ISP2)
- Administrative access to the FortiGate GUI or CLI
- A clear understanding of your ISP gateways, bandwidth speeds, and routing needs
Step-by-Step FortiGate SD-WAN Configuration
Let’s get into the practical setup.
Step 1: Enable SD-WAN Feature
- Go to Network > SD-WAN
- Click Enable if it’s not already active
- Add your WAN interfaces (e.g.,
wan1,wan2) to the SD-WAN interface group
Once added, FortiGate creates a virtual interface called sd-wan that abstracts the physical interfaces.
Step 2: Configure Interface Members
For each WAN interface:
- Set Interface to
wan1,wan2, etc. - Define the gateway IP for each link
- Enter the bandwidth (up/down) to reflect actual ISP speeds
- Optionally set cost or priority to influence routing behavior
Step 3: Set Up Performance SLA
Performance SLAs (Service-Level Agreements) let FortiGate test link quality in real time.
- Navigate to Network > SD-WAN > Performance SLA
- Click Create New
- Name it (e.g.,
Google-DNS) - Target IP: Use something like
8.8.8.8or1.1.1.1 - Protocol: Choose Ping or HTTP
- Add all SD-WAN members to the SLA test
This helps FortiGate detect link degradation and reroute traffic accordingly.
Step 4: Define SD-WAN Rules (Policy-Based Routing)
SD-WAN rules determine how traffic is routed across WAN links.
- Go to Network > SD-WAN Rules
- Create a new rule (e.g.,
Microsoft365_Routing) - Source: Define internal network or user group
- Destination: Select Application, Internet Services, or specific IP/URL
- Preferred Member: Choose
wan1orwan2 - Use Performance SLA to enable dynamic path selection
You can create rules based on:
- Application category (e.g., VoIP, Video)
- User group (for custom routing policies)
- Measured metrics (jitter, latency, loss)
Step 5: Configure SD-WAN Zones (Optional)
Zones allow you to group multiple SD-WAN members for better control.
- Navigate to Network > Interfaces > SD-WAN Zones
- Create a new zone (e.g., “Internet-Zone”)
- Assign both
wan1andwan2to this zone - Apply the zone in SD-WAN rules and firewall policies
This is particularly useful for multi-region or segmented SD-WAN deployments.
Step 6: Adjust Health Checks and Failover Logic
Each SLA target can trigger automatic failover if thresholds are breached.
- Go to the SLA config you created
- Set thresholds:
- Max Latency: e.g., 100ms
- Max Jitter: e.g., 20ms
- Max Packet Loss: e.g., 3%
- When a link exceeds any threshold, FortiGate shifts traffic to the backup link based on your SD-WAN rule settings
You can enable logging for these events under Log & Report > Events.
Step 7: Update Firewall Policies
Ensure your firewall rules use the sd-wan interface instead of the physical wan1 or wan2.
- Go to Policy & Objects > Firewall Policy
- Edit your outgoing internet policies
- Change Outgoing Interface to
sd-wan
This is required for SD-WAN rules to apply properly.
Step 8: Monitor and Optimize
Once configured, monitor your SD-WAN in real-time:
- Network > SD-WAN Monitor shows current link usage, health, and active routes
- FortiView > Traffic > Application helps identify top applications
- Use CLI commands like
diagnose sys virtual-wan-link health-checkto troubleshoot
Advanced Tips and Best Practices
1. Use Application Control with SD-WAN
Enable application control profiles to classify and route traffic more intelligently, especially for critical business apps.
2. Integrate with FortiManager
For multi-site SD-WAN deployments, FortiManager enables centralized SD-WAN orchestration and template-based configuration.
3. Enable BGP with Overlay Networks
If you’re integrating SD-WAN with MPLS or VPNs, use BGP to advertise dynamic routes between branches and data centers.
4. Use the CLI for Precision Tuning
Commands like:
bashCopyEditconfig system virtual-wan-link
config members
edit 1
set gateway x.x.x.x
set priority 1
next
end
end
…allow you to fine-tune failover behavior, interface weights, and more.
Troubleshooting SD-WAN Issues
Common Issues:
- Traffic not routing as expected: Ensure correct SD-WAN rules are in place and firewall policies reference the
sd-waninterface - Failover not triggering: Check SLA target, thresholds, and logs
- Latency spikes on one link: Adjust link cost or remove it from critical application rules
Use CLI commands like:
bashCopyEditdiagnose sys virtual-wan-link service
diagnose sys virtual-wan-link member
…to inspect current states and decision logic.
Final Thoughts
FortiGate SD-WAN is more than just a WAN optimizer—it’s a next-gen solution that fuses performance, resilience, and security into one unified system. Whether you’re trying to lower costs, improve cloud app performance, or ensure seamless failover between links, SD-WAN gives you the control and flexibility you need.
When configured properly, it becomes an intelligent traffic director that reacts to real-time conditions, all while being deeply integrated into FortiGate’s broader security ecosystem.
0 Comments