Posts

Showing posts from 2019

SD-WAN on FortiGate (5.6)

SD-WAN has become a very popular topic in recent months. Many vendors have developed their own solution, including Fortinet. You can configure SD-WAN starting from version 5.6. The solution is totally free; it doesn't require any additional license. It is also available on 6.0 and 6.2, but there are some differences in functionality and configuration steps. I will cover them in a separate post. Before we jump to the configuration steps, I'd like to be sure you understand the concept of SD-WAN. The main goal is to have the ability to load-balance, or simply to send a specific type of traffic over a specific path. It sounds similar to what you can achieve by using Equal Cost Multipath (ECMP) and policy-based routing (PBR). SD-WAN gives you something more: the ability to perform load balancing based on the following three parameters: packet loss, jitter and delay. Let's get started with version 5.6; in this post I'll describe configuration steps for SD-WAN with two IPsec

Inspection of asymmetric sessions on FortiGate

There is one feature available on FortiGate that I think you should know about, as it modifies a bit what we know about stateful firewalls. In the past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections and, by checking a couple of attributes, treat packets as part of the same session. For example, when you initiate a connection from host1 to host2, the returning traffic from host2 to host1 will be treated as part of the same connection (session). The packets have to have the same source/destination and destination/source IPs, port numbers and interfaces. There is an exception to this rule: in some specific cases FortiGate can accept connections on a port that was not used in the initial connection. Let me explain how it works using the example below. Host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to the host2 subnet. When we analyze the packet flo