Q1
What is the difference between Fortinet SD-WAN and traditional WAN?
Traditional WAN relies on static routing, expensive MPLS circuits, and manual configuration with no application-awareness. Fortinet SD-WAN adds dynamic path selection based on real-time application performance, can use any combination of link types (MPLS, broadband, LTE), provides centralized visibility and management, and integrates security natively. SD-WAN reduces WAN costs by up to 60% while improving application performance through intelligent, policy-driven routing.
Q2
Does Fortinet SD-WAN require a separate license or is it included in FortiGate?
Fortinet SD-WAN is built natively into FortiOS and is included at no additional cost in every FortiGate firewall — you do not need a separate SD-WAN license. However, advanced features like FortiManager for Zero-Touch Provisioning, FortiAnalyzer for SD-WAN reporting, and cloud-based orchestration via FortiSASE require separate licensing. Basic SD-WAN with all path selection, health monitoring, and failover features is fully available with a standard FortiGate.
Q3
What is the maximum number of WAN members in a Fortinet SD-WAN zone?
Fortinet SD-WAN supports up to 255 member interfaces per SD-WAN configuration (across all zones). In practice, most deployments use 2–4 WAN links (e.g., broadband + MPLS + LTE backup). Each member can be a physical interface, VLAN sub-interface, IPsec VPN tunnel interface (for overlay SD-WAN), or even an SD-WAN zone itself in hierarchical configurations. You can have multiple SD-WAN zones to logically group links by type (internet zone, MPLS zone, overlay zone).
Q4
What happens to existing traffic when an SD-WAN failover occurs?
When an SD-WAN Performance SLA detects link degradation (based on your failtime threshold), the FortiGate immediately moves new sessions to the best available link. Existing TCP sessions that were on the failed link will be reset and clients will reconnect through the new path. UDP sessions (like VoIP RTP streams) are more sensitive — this is why using Best Quality mode with strict SLA thresholds is recommended for real-time traffic, so failover happens before the link fully fails rather than after. Session-aware failover with seamless handoff is available in newer FortiOS versions using session synchronization.
Q5
How does Fortinet SD-WAN identify applications for traffic steering?
Fortinet SD-WAN uses multiple methods for application identification:
1. ISDB (Internet Service Database) — Fortinet's constantly updated database of cloud service IP ranges (Microsoft 365, Salesforce, AWS, etc.) with 350,000+ entries.
2. Deep Packet Inspection (DPI) — identifies 5,000+ application signatures at Layer 7.
3. Application Control profile — recognizes encrypted apps using SSL/TLS SNI, JA3 fingerprinting, and behavioral analysis.
4. Manual IP/Port — traditional 5-tuple matching for legacy applications. ISDB-based rules are highly recommended for cloud apps as IP ranges change constantly.
Q6
What is the difference between SD-WAN overlay and underlay in Fortinet?
Underlay: The physical WAN connections (MPLS circuit, broadband internet, LTE). These are the actual transport links provided by ISPs. In underlay SD-WAN, FortiGate directly uses these physical interfaces as SD-WAN members and routes traffic based on physical link performance.
Overlay: IPsec VPN tunnels built on top of the underlay links. Each physical WAN link carries IPsec tunnels to the hub/data center. SD-WAN then manages traffic across these logical tunnel interfaces. Overlay provides encryption, consistent IP addressing across sites, and enables ADVPN for spoke-to-spoke connectivity. Most enterprise SD-WAN deployments use overlay architecture for multi-site connectivity.
Q7
How do I configure BGP over SD-WAN for dynamic routing?
BGP is configured over the SD-WAN VPN tunnel interfaces, not the physical WAN interfaces. Each tunnel interface connects to a BGP peer (hub router). The hub advertises branch LAN routes, and branches advertise their local subnets. Key steps: configure iBGP or eBGP neighbors on each tunnel interface, redistribute connected routes, apply route-maps for filtering. Use BGP route-reflector at the hub to propagate branch routes to all spokes. Example: config router bgp → set as 65001 → config neighbor → edit [hub-tunnel-IP] → set remote-as 65001 → set soft-reconfiguration enable → end. Always use loopback interfaces as BGP router-IDs for stability.
Q8
How do I configure load balancing across multiple WAN links in Fortinet SD-WAN?
Configure SD-WAN rules with set mode load-balance (shown in the GUI as Maximize Bandwidth (SLA)) and set load-balance-mode source-dest-ip-based (or source-ip-based, weight-based, usage-based, etc.). Load balancing options: Source IP Hash (same client always uses same link), Destination IP Hash, Source-Dest Hash (most common — spreads sessions across links), Weight-based (assign custom weights per member proportional to link capacity). For weighted load balancing: set weight 6 on 100Mbps link and set weight 4 on 40Mbps link for proportional distribution.
Q9
What FortiGate models are best for SD-WAN at branch offices?
Fortinet offers purpose-built SD-WAN branch appliances: FortiGate 40F/60F — Small branches (up to 25 users), 5 Gbps firewall throughput. FortiGate 80F/100F — Medium branches (25–100 users). FortiGate 200F/300E — Large branches or regional hubs. FortiGate 600F/1000F — Data center hub concentrators. FortiGate Rugged 70G — Industrial/OT environments. FortiGate VM — Cloud branch (AWS, Azure, GCP). All models support identical SD-WAN features — the difference is hardware capacity (throughput, sessions, VPN tunnels). For zero-touch provisioning, pair with FortiManager on-premise or FortiCloud.
Q10
How does ADVPN (Auto Discovery VPN) work with Fortinet SD-WAN?
ADVPN allows dynamic spoke-to-spoke IPsec tunnels to be created on-demand, eliminating the need for traffic to traverse the hub for inter-branch communication. Process:
1. Spoke-A wants to reach Spoke-B's subnet.
2. Traffic initially goes through the hub.
3. Hub detects this and sends ADVPN shortcut notifications to both spokes with each other's endpoint addresses.
4. Spokes establish a direct IKEv2 tunnel between themselves.
5. Subsequent traffic uses the direct spoke-to-spoke tunnel.
ADVPN 2.0 (FortiOS 7.4+) improves this with SD-WAN-aware shortcut creation, allowing the system to select the best underlay path for the spoke-to-spoke shortcut tunnel.
Q11
What is the role of FortiManager in Fortinet SD-WAN deployments?
FortiManager is the centralized management platform for large-scale Fortinet SD-WAN deployments. It provides: SD-WAN Orchestrator — template-based provisioning of SD-WAN zones, performance SLAs, and rules pushed to all branches simultaneously. Zero-Touch Provisioning (ZTP) — new FortiGate devices automatically register to FortiManager and receive their full configuration on first boot. Policy packages — manage firewall policies, security profiles, and SD-WAN rules as reusable templates. Compliance and audit — track configuration changes. FortiManager is essential for any SD-WAN deployment with 5+ sites. Deployable on-premise or in cloud (FortiManager Cloud).
Q12
How do I configure SD-WAN with a 4G/LTE interface as a failover link?
Add the LTE/USB modem interface as an SD-WAN member with a higher cost value (e.g., cost=100) compared to primary links. FortiGate supports FortiExtender LTE devices and native USB modems. Configure: config system sdwan → config members → edit 3 → set interface "usb" → set gateway [auto] → set cost 100 → set priority 100. Create a Performance SLA that monitors all three interfaces. In SD-WAN rules, list LTE as the last priority member. LTE will only be used when all primary links breach SLA thresholds. Set a bandwidth threshold to avoid unnecessary mobile data usage: use policy-based routing to limit which traffic types can use LTE as fallback.
Q13
What is AppQoE in Fortinet SD-WAN and how does it improve application performance?
AppQoE (Application Quality of Experience) is a Fortinet SD-WAN feature that monitors actual end-user application performance rather than just link-level metrics. While Performance SLA measures link health (latency, jitter, loss), AppQoE measures the user experience at the application level — specifically tracking Mean Opinion Score (MOS) for VoIP and response time for business applications. AppQoE enables SD-WAN to make remediation decisions (path switching, QoS adjustment) based on whether the user is actually experiencing good service quality, not just whether the link appears healthy at the network layer. Configured under Network → SD-WAN → AppQoE Profiles.
Q14
How do I enable SD-WAN reporting and analytics with FortiAnalyzer?
FortiAnalyzer provides dedicated SD-WAN reports and dashboards. Steps: 1. Register FortiGate to FortiAnalyzer (config log fortianalyzer setting → set status enable → set server [FAZ-IP]). 2. Enable SD-WAN logging: set sdwan-monitor enable. 3. In FortiAnalyzer GUI → Log View → FortiGate → SD-WAN Reports. Available reports include: Link Usage by Volume, Link Performance Over Time, Application Routing Distribution, SLA Compliance per application, Failover Event History, and Bandwidth Utilization per WAN member. Set up automated email reports for weekly WAN performance summaries delivered to management.
Q15
What is the Internet Service Database (ISDB) and how is it used in SD-WAN rules?
The ISDB (Internet Service Database) is a Fortinet-maintained intelligence feed containing IP address ranges, URLs, and geographic data for 350,000+ cloud services, CDNs, SaaS applications, and internet services worldwide. It is updated automatically via FortiGuard. In SD-WAN rules, use ISDB entries like Microsoft-Office365, Salesforce, Zoom, AWS-Amazon to automatically capture all IP ranges for that service without manual IP management. As Microsoft or Zoom changes their IP ranges, FortiGuard updates the ISDB automatically — keeping your SD-WAN rules accurate without manual updates. This is far more reliable than hardcoding IP addresses.
Q16
How do I configure QoS (traffic shaping) alongside Fortinet SD-WAN?
Fortinet SD-WAN integrates with FortiOS traffic shaping for complete QoS control. Configure: 1. Shaping Policy (Policy & Objects → Traffic Shaping Policy) to classify and mark traffic. 2. Traffic Shaper to define bandwidth limits and guarantees. 3. SD-WAN Rule with QoS settings. Example — guarantee 2Mbps for VoIP while limiting YouTube to 20% of WAN bandwidth: Configure per-IP or per-VLAN shapers, apply DSCP marking (EF for VoIP), and use egress shaping on WAN interfaces to enforce outbound queuing. config firewall shaper traffic-shaper → edit "VoIP_Guarantee" → set per-policy enable → set guaranteed-bandwidth 2048 → set maximum-bandwidth 5120
Q17
How does Fortinet SD-WAN handle asymmetric routing?
Asymmetric routing occurs when outbound traffic uses WAN1 but inbound traffic returns via WAN2. FortiGate handles this using asymmetric routing detection and reverse path forwarding (RPF) checks. By default, FortiGate's stateful firewall can drop asymmetric traffic. Solutions: 1. Enable set asymroute enable in config system settings. 2. Use SD-WAN sticky session to pin return traffic to the same interface. 3. For active-active load balancing, ensure both ISPs use proper NAT so return traffic comes back through the same interface. In overlay SD-WAN, tunnel encapsulation inherently prevents asymmetric routing as tunnels are bidirectional.
Q18
What is the difference between FortiGate SD-WAN and Cisco Viptela (SD-WAN)?
Fortinet SD-WAN: Security-first approach — SD-WAN is natively integrated into the FortiGate NGFW. No additional appliances needed. FortiOS manages routing, SD-WAN, firewall, IPS, web filtering in one OS. Lower total cost of ownership. Better choice for organizations prioritizing security. Cisco Viptela (Catalyst SD-WAN): Requires separate vManage controller, vSmart routing controller, vBond orchestrator, and vEdge/cEdge routers. More complex architecture but highly scalable. More routing protocol options. Better suited to large service providers or organizations with existing Cisco WAN infrastructure. Key difference: Fortinet is security-led, Cisco is networking-led. For SMB to enterprise deployments prioritizing integrated security and TCO, Fortinet wins. For carrier-grade or massive scale-out, Cisco Viptela may be preferred.
Q19
How do I migrate from virtual-wan-link (FortiOS 6.4) to the new SD-WAN zone model (FortiOS 7.x)?
FortiOS 7.0+ introduced the multi-zone SD-WAN model replacing the single virtual-wan-link interface. Migration steps:
1. Upgrade FortiGate to FortiOS 7.0+ (FortiOS automatically migrates virtual-wan-link config to a default zone called virtual-wan-link).
2. Review all firewall policies that referenced virtual-wan-link as interface — update to new zone name.
3. Create separate zones if needed (e.g., separate INTERNET and MPLS zones).
4. Move members to appropriate zones.
5. Update SD-WAN rules and static routes to reference new zone names.
Always test in a maintenance window and keep a backup configuration before migrating.
Q20
How do I configure Fortinet SD-WAN in a high availability (HA) cluster?
SD-WAN is fully supported in FortiGate HA (Active-Passive and Active-Active clusters). In Active-Passive HA: Both units share the SD-WAN configuration. The primary handles all traffic and SD-WAN health-check probes. If the primary fails, the secondary takes over with the same SD-WAN config — Performance SLA probes restart from the new primary within seconds. In Active-Active HA: All members participate in traffic forwarding. SD-WAN session sync ensures both units have consistent session tables. HA heartbeat interface must NOT be in the SD-WAN zone. Configure HA: config system ha → set mode a-p → set group-id 1 → set password [HA-password] → set hbdev "port6" 50
Q21
How do I configure Fortinet SD-WAN for Microsoft 365 (Office 365) optimization?
Microsoft recommends three categories of M365 traffic: Optimize (critical real-time — Teams audio/video), Allow (important — Exchange, SharePoint), Default (standard). Create three SD-WAN rules: Rule 1 (Optimize category): Use ISDB Microsoft-Office365.Optimize, mode=best-quality, prefer broadband WAN (direct internet breakout). Rule 2 (Allow): Use ISDB Microsoft-Office365.Allow, mode=sla, use either WAN meeting SLA. Rule 3 (Default): Route through hub/MPLS for security inspection. Enable local internet breakout at branches so Teams traffic takes the shortest path to Microsoft's network rather than hairpinning through HQ. Use HTTP performance SLA probing against www.office.com.
Q22
What is the FortiGate SD-WAN Orchestrator in FortiManager and how does it simplify deployment?
The SD-WAN Orchestrator in FortiManager provides a topology-aware GUI for designing and deploying SD-WAN overlays across all sites simultaneously. Features: Visual topology map — drag-and-drop to design hub-and-spoke or full-mesh topologies. Template-based provisioning — define SD-WAN zones, members, SLAs, and rules once and push to hundreds of branches. Pre-built templates for common scenarios (single hub, dual hub, internet breakout). ADVPN auto-configuration — automatically generates all IPsec phase1/phase2 configs for each overlay. Day-2 operations — push configuration changes to all sites instantly. This reduces branch deployment time from hours to minutes and eliminates manual per-device configuration errors.
Q23
How do I configure SLA-based failover with specific thresholds in Fortinet SD-WAN?
SLA-based failover uses the Performance SLA health check results to determine link status. In SD-WAN rules with mode sla, FortiGate uses the first member that meets the SLA criteria. If WAN1 exceeds latency threshold (e.g., >150ms), it is marked as SLA-failed and traffic automatically moves to WAN2. When WAN1 recovers (passes recoverytime consecutive probes), traffic moves back. Configure SLA criteria in the health-check SLA section: latency-threshold, jitter-threshold, packetloss-threshold. In the SD-WAN rule, reference the health-check and set tie-break fib or tie-break cfg-order for tiebreaking when multiple members meet SLA simultaneously.
Q24
Can I use Fortinet SD-WAN with MPLS-only environments (no internet links)?
Yes. Fortinet SD-WAN works equally well with MPLS-only, internet-only, or hybrid environments. In an MPLS-only setup: Add multiple MPLS circuits from different carriers as SD-WAN members. Configure performance SLAs to monitor each MPLS link health. Create SD-WAN rules to load balance or failover between MPLS providers based on latency and packet loss metrics. This gives you application-aware routing, link health monitoring, and automatic failover across MPLS circuits — benefits previously unavailable with traditional static or BGP-only routing. You get SD-WAN intelligence without internet access, improving reliability on MPLS-dependent networks for branch-to-datacenter traffic.
Q25
What is FortiSASE and how does it extend Fortinet SD-WAN to remote users?
FortiSASE (Secure Access Service Edge) extends the Fortinet SD-WAN fabric to remote workers and micro-branches by delivering cloud-based security (ZTNA, CASB, SWG, NGFW) from Fortinet's global PoP (Points of Presence) network. Architecture: Remote users connect to the nearest FortiSASE PoP → FortiSASE applies security policies → traffic is forwarded to the destination or back to the HQ via SD-WAN overlay. FortiSASE integrates with on-premise FortiGate SD-WAN to form a unified SASE fabric managed from FortiManager. Use cases: Work-from-home users, micro-branches with only internet access, and direct cloud app access with inline security inspection without backhauling traffic through HQ.
Q26
Why is SD-WAN traffic not failing over even though the WAN link appears down?
Common causes for failover not working:
1. No Performance SLA configured — without health-checks, FortiGate only detects physical link failures, not performance degradation.
2. Failtime threshold too high — if failtime 10, FortiGate waits for 10 consecutive failed probes. Reduce to 5 or 3.
3. SD-WAN rule not referencing the health-check — rules must explicitly reference the SLA: set health-check "SLA_Name".
4. Probe server unreachable from both links — if health-check probes to 8.8.8.8 fail on both links, no failover occurs. Use multiple probe servers.
5. Mode is "manual" — manual mode always uses the specified member regardless of SLA status. Change to sla or best-quality.
Q27
How do I configure passive health check (link quality monitoring) vs active probing?
Active health-check (default) — FortiGate sends probe packets (ICMP, HTTP, DNS) every [interval] seconds to measure link quality. Adds a small overhead but provides continuous monitoring regardless of user traffic. Passive health-check — FortiGate measures link quality from actual user traffic flows (packet loss and jitter extracted from real sessions) without sending additional probe traffic. Useful when ISPs block ICMP probes or when you want zero probe overhead. Configure passive: config system sdwan → config health-check → edit "SLA_Name" → set detect-mode passive → end. Hybrid mode (FortiOS 7.2+) combines both for accuracy — active probes plus passive traffic monitoring.
Q28
How do I implement Zero-Touch Provisioning (ZTP) for branch FortiGate SD-WAN devices?
ZTP allows new FortiGate appliances to self-configure without on-site engineering. Process:
1. Pre-register the FortiGate serial number in FortiManager or FortiCloud.
2. Create a device blueprint/template in FortiManager with full SD-WAN config.
3. Ship the FortiGate to the branch.
4. Connect WAN and LAN cables and power on.
5. FortiGate gets DHCP IP, connects to Fortinet cloud DDNS (FortiCloud), registers with FortiManager.
6. FortiManager pushes the pre-configured template including SD-WAN zones, members, SLAs, rules, firewall policies, and VPN configuration.
7. Branch is fully operational in 15–30 minutes with no engineer on-site.
Requires: FortiManager with valid license, FortiGate with FortiCare, internet access on WAN link.
Q29
What are the best SLA threshold values to configure for VoIP, video conferencing, and general browsing?
| Application | Max Latency | Max Jitter | Max Packet Loss |
|---|---|---|---|
| VoIP / SIP | ≤ 50ms | ≤ 10ms | ≤ 1% |
| Video Conference | ≤ 80ms | ≤ 20ms | ≤ 1% |
| Microsoft Teams | ≤ 100ms | ≤ 30ms | ≤ 5% |
| Web / SaaS | ≤ 150ms | ≤ 30ms | ≤ 5% |
| Bulk / Backup | ≤ 300ms | ≤ 50ms | ≤ 10% |
Q30
What are the most common Fortinet SD-WAN configuration mistakes and how to avoid them?
❌ Mistake 1: Using individual WAN interfaces in firewall policies instead of the SD-WAN zone. Always use the zone name as outgoing interface.
❌ Mistake 2: Not configuring Performance SLA health-checks. Without them, failover only happens on physical link failure — not performance degradation.
✅ Fix 2: Always create at least one Performance SLA with multiple probe servers and reference it in every SD-WAN rule.
❌ Mistake 3: Placing SD-WAN rules in the wrong order, with less specific rules before specific ones. SD-WAN rules match top-to-bottom — always put specific app rules first.
❌ Mistake 4: Using only IP-based matching when ISDB is available. Microsoft constantly changes M365 IP ranges — ISDB auto-updates these for you.
❌ Mistake 5: Not setting correct WAN link cost values. All members at cost=0 means equal cost routing. Use cost to reflect link priority and price.
❌ Mistake 6: Not testing failover in a maintenance window before going live. Always manually disconnect WAN1 and verify WAN2 takes over correctly before deployment.