How to Create SD-WAN on FortiGate 60F with 4 ISPs

Complete step-by-step guide (GUI + CLI) — setup, rules, monitoring & troubleshooting.


Introduction

SD-WAN on a FortiGate allows you to use multiple Internet links intelligently for load balancing, high availability, and application-aware steering. In this guide you will learn how to configure SD-WAN on a FortiGate 60F using four ISPs (WAN1, WAN2, WAN3, WAN4). The instructions include both GUI steps and CLI snippets so you can follow whichever you prefer.

Prerequisites & Topology

  • FortiGate 60F with a recent FortiOS version (recommend ≥ 7.x).
  • 4 ISP links connected to interfaces (example names: wan1, wan2, wan3, wan4).
  • Static IPs or DHCP on each WAN as provided by ISPs.
  • Basic knowledge of FortiGate GUI and administrator credentials.

Step 1 — Prepare WAN Interfaces

Goal: Ensure each ISP interface is configured and has internet access.

  1. Log in to the FortiGate GUI at https://<firewall-ip> with administrator credentials.
  2. Go to Network → Interfaces.
  3. Edit each WAN interface:
    • Name: wan1, wan2, wan3, wan4
    • Addressing mode: DHCP or Static (use the values from ISP).
    • Role: WAN
    • Administrative Access: allow only the services that are required (ping/https), and only if needed.
  4. Test internet connectivity for each link (Diagnostics → Ping from Firewall to 8.8.8.8 using each interface).
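
The administrative-access guidance in step 3 can be checked against a configuration backup. The following is an added example, not part of the original guide: it parses a `config system interface` block and reports WAN-role interfaces whose `allowaccess` list goes beyond ping/https. The sample configuration is constructed, and the function names are hypothetical.

```python
import shlex

# Constructed sample of a FortiOS interface table (not taken from a real device).
SAMPLE = """
config system interface
    edit "wan1"
        set allowaccess ping https
        set role wan
    next
    edit "wan2"
        set allowaccess ping https ssh telnet
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
"""

def parse_interfaces(text):
    """Return {interface: {setting: [values]}} from 'config system interface'."""
    ifaces, path, current = {}, [], None
    for raw in text.splitlines():
        verb, *args = shlex.split(raw) or [""]
        if verb == "config":
            path.append(" ".join(args))
        elif verb == "end" and path:
            path.pop()
        elif path != ["system interface"]:
            continue  # other tables and nested sub-tables such as "config ipv6"
        elif verb == "edit" and args:
            current = ifaces.setdefault(args[0], {})
        elif verb == "set" and current is not None and args:
            current[args[0]] = args[1:]
    return ifaces

def audit_wan_access(text, allowed=("ping", "https")):
    """Map each role-wan interface to allowaccess services outside `allowed`."""
    findings = {}
    for name, cfg in parse_interfaces(text).items():
        extra = sorted(set(cfg.get("allowaccess", [])) - set(allowed))
        if cfg.get("role") == ["wan"] and extra:
            findings[name] = extra
    return findings
```

On the sample, only wan2 is reported (ssh and telnet); the LAN interface is ignored because its role is not wan.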

Step 2 — Create Link Health Monitors / SLAs

SD-WAN needs to check link health. Create performance SLAs (latency/packet loss) or use ping targets.

GUI Steps

  1. Go to Network → SD-WAN.
  2. Open the Performance SLA tab → Create New.
  3. Example SLA:
    • Name: sla-google
    • Server: 8.8.8.8 (or pick reliable public IPs)
    • Packet Loss Threshold: 20%
    • Latency Threshold: 300 ms
    • Jitter Threshold: 50 ms (optional)
  4. Create a few SLAs if you want different targets (e.g., sla-isp1, sla-isp2) or reuse one common SLA.

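CLI Example (link monitor)

The block below creates a standalone link monitor that probes 8.8.8.8 through wan1. On FortiOS 7.x, a Performance SLA created on the SD-WAN page is stored separately, under config system sdwan → config health-check.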

config system link-monitor
  edit "lm_google_1"
    set srcintf "wan1"
    set server "8.8.8.8"
    set threshold 20
    set interval 5000
    set failtime 3
    set recoverytime 3
  next
end

Step 3 — Configure SD-WAN Members (Add the 4 ISPs)

Add each WAN interface as an SD-WAN member and attach SLA(s). Set weight and health-check options.

GUI Steps

  1. Go to Network → SD-WAN → SD-WAN Members → Create New.
  2. Add each interface:
    • Interface: wan1
    • Weight: 50 (higher = more traffic)
    • Priority: (optional) you can set priority-based failover
    • Health Check: attach the SLA created earlier
  3. Repeat for wan2, wan3, wan4. Adjust weights based on link capacity (e.g., wan1:100, wan2:100, wan3:50, wan4:50).

CLI Example (add member)

config system sdwan
  config members
    edit 1
      set interface "wan1"
      set weight 100
      set priority 1
    next
    edit 2
      set interface "wan2"
      set weight 100
      set priority 1
    next
    edit 3
      set interface "wan3"
      set weight 50
      set priority 2
    next
    edit 4
      set interface "wan4"
      set weight 50
      set priority 2
    next
  end
end

Step 4 — Create SD-WAN Rules & Strategies

SD-WAN rules determine how to steer traffic: by application, source, destination, or performance SLA.

Common Strategies

  • Load Balance (Volume): Spread traffic using weights.
  • Source-based: Route groups of IPs via specific ISPs.
  • Performance SLA Based: Prefer links that meet latency/loss targets.
  • Priority/Fallback: Use WAN1 primary, others as fallback.

GUI: Add SD-WAN Rules

  1. Network → SD-WAN → SD-WAN Rules → Create New.
  2. Example: Critical App routing
    • Name: VoIP-priority
    • Source: Internal subnet (e.g., 192.168.10.0/24)
    • Destination: Any or specific SIP provider IPs
    • Service/Application: SIP/VoIP ports or use Application Control
    • Member Selection: Select SD-WAN members and choose "Use lowest jitter/latency" or "Priority based"
    • Set Cost or preference order if needed.
  3. Example: Default internet traffic — use load balancing (volume-based) across all members.

Step 5 — Configure Static Routes / SD-WAN as Gateway

Replace single default routes with SD-WAN virtual gateway:

  1. Go to Network → Static Routes.
  2. Create a new route with:
    • Destination: 0.0.0.0/0
    • Device/Interface: sd-wan (choose SD-WAN virtual interface)
    • Distance: 10 (example)
  3. Remove or lower priority of old single-WAN default routes so SD-WAN takes effect.

Step 6 — Firewall Policies & NAT

Ensure your outgoing policies use the SD-WAN interface.

  1. Go to Policy & Objects → IPv4 Policy.
  2. Create/Edit the outbound policy from internal → sd-wan:
    • Incoming Interface: LAN (e.g., internal)
    • Outgoing Interface: sd-wan
    • Source: internal subnets
    • Destination: all
    • NAT: Enable (use appropriate IP)

Step 7 — Monitoring & Verification

Keep an eye on SD-WAN operation and verify traffic distribution & health.

  • Real-time: Network → SD-WAN → Monitor (shows member status, latency, loss)
  • Logs: View system event logs for link failover events.
  • Diagnostics (CLI): diagnose sys sdwan health-check and diagnose sys sdwan status

Useful CLI commands

diagnose sys sdwan status
diagnose sys sdwan health-check 1
get system performance top
execute ping-options interface wan1
execute ping 8.8.8.8

Best Practices & Tips

  • Use reliable public IPs (Google DNS, Cloudflare) for SLA checks — but avoid overloading them.
  • Set weights proportional to actual link bandwidth (e.g., 100 for 100 Mbps, 50 for 50 Mbps).
  • Prefer multiple SLA targets (two public IPs) to avoid false link-downs if one target is unreachable.
  • For VoIP, create a low-latency SLA and a rule that prefers low jitter paths.
  • Test failover by simulating link failure (disconnect WAN cable) and observe route change & session behavior.
  • Monitor for asymmetric routing if you have inbound services — SD-WAN is typically for outbound traffic; inbound needs NAT/DNS considerations.

Troubleshooting

  1. Link shows down but internet working: Check SLA server reachability (try alternate targets).
  2. Traffic not using SD-WAN: Ensure default route points to sd-wan and outbound policy uses sd-wan as outgoing interface.
  3. Sessions drop on failover: Enable session-persistence features where needed or tune session timeouts; consider session-based routing for critical apps.
  4. Performance wrong: Re-check weights, SLA thresholds and ensure the interval/failtime are reasonable (not too aggressive).
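
The interaction of failtime, recoverytime, multiple SLA targets and member weights (the Best Practices tip on two targets and Troubleshooting item 4) can be traced with a small model. This is an added example, not FortiOS code and not from the original guide: it assumes a probe interval counts as failed only when every target is unreachable, and it uses the failtime/recoverytime of 3 and the weights 100/100/50/50 shown earlier. The probe log is constructed.

```python
from dataclasses import dataclass

@dataclass
class Member:
    name: str
    weight: int
    alive: bool = True
    streak: int = 0  # consecutive probe intervals contradicting the current state

def feed(m, replies, failtime=3, recoverytime=3):
    """Apply one probe interval (simplified model, an assumption of this example).
    replies holds one bool per SLA target; the interval fails only if all fail."""
    ok = any(replies)
    if ok == m.alive:
        m.streak = 0  # result agrees with the current state, so reset the count
    else:
        m.streak += 1
        if m.streak >= (recoverytime if ok else failtime):
            m.alive, m.streak = ok, 0
    return m.alive

def shares(members):
    """Percent of traffic per alive member, proportional to weight."""
    alive = [m for m in members if m.alive]
    total = sum(m.weight for m in alive)
    return {m.name: 100 * m.weight / total for m in alive}

def demo():
    # Weights from the member example earlier in this guide.
    links = [Member("wan1", 100), Member("wan2", 100),
             Member("wan3", 50), Member("wan4", 50)]
    wan1 = links[0]
    # Constructed probe log for wan1: (target A reply, target B reply) per interval.
    log = [(True, True), (False, True), (False, True),      # only target A is down
           (False, False), (False, False),                  # 2 misses: below failtime
           (True, True),                                    # one reply resets the count
           (False, False), (False, False), (False, False)]  # 3 misses: declared dead
    states = [feed(wan1, r) for r in log]
    after_fail = shares(links)
    recovery = [feed(wan1, (True, True)) for _ in range(3)]
    return states, after_fail, recovery, shares(links)
```

In the trace, wan1 stays up while only one target is unreachable and goes down only after three consecutive all-target misses, at which point the remaining members carry 50/25/25 percent.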

Example Small Checklist (Quick)

  1. Configure each WAN interface and test connectivity.
  2. Create Link Monitors / SLAs.
  3. Add SD-WAN members and attach SLA(s).
  4. Create SD-WAN rules (VoIP priority, Web default).
  5. Create default route via sd-wan.
  6. Update outbound firewall policy to use sd-wan.
  7. Monitor & test failover behavior.

Meesum Tech Lab — Fortinet & Network Solutions

Contact: 0303 2267706 • Email: meesumtechlab@gmail.com
