
Create SD-WAN Rules

SD-WAN rules decide WHICH SD-WAN member each flow uses. Traffic that matches no rule falls through to the implicit rule at the bottom of the list, which load-balances across all members according to the configured load-balance mode (source-IP based by default). Rules let you steer specific apps (VoIP, Salesforce, backups) over specific links based on app detection, source, destination, or SLA status.

Steps

  1. Network → SD-WAN → SD-WAN Rules → + Create New.
  2. Fill in:
    • Name — e.g. VoIP-via-Fiber.
    • Source:
      • Source Address — internal IPs that should match.
      • Source User Groups — by FSSO/RADIUS user.
    • Destination:
      • Address — destination IPs.
      • Internet Service — pick from FortiGuard's Internet Service Database (ISDB) of app/SaaS entries (e.g. Microsoft-365, Salesforce, Zoom). Matching is by the IP/port/protocol lists in the ISDB, so it only stays accurate while the FortiGuard database is being updated.
      • Application — by FortiGuard application signature. The application has to be identified from traffic first, so the first session to a new destination may not be steered until the FortiGate has learned the app.
    • Outgoing Interfaces — which SD-WAN members the rule may use, listed in order of preference.
    • Strategy:
      • Best Quality — pick the member with the best measured metric from the chosen health check (latency, jitter, packet loss, bandwidth, or a custom profile). This strategy does not use an SLA target.
      • Lowest Cost (SLA) — the first member in the list that currently meets the SLA.
      • Maximize Bandwidth (SLA) — balance load across all members currently meeting the SLA.
      • Manual — the first member in the list that is up; SLA status is ignored.
    • Required SLA — pick the SLA target from a health check. Applies to Lowest Cost (SLA) and Maximize Bandwidth (SLA): a member that fails the SLA is skipped in favour of the next member in the list (Lowest Cost), or dropped from the balancing set (Maximize Bandwidth).
  3. OK.

Drag rules into priority order. Rules are evaluated top-down and the first match wins; anything that matches no rule hits the implicit rule. Rules only see traffic that a firewall policy allows towards the SD-WAN zone, so a rule with no matching policy never fires.

📸 Screenshot needed

SD-WAN Rules form showing a rule with Internet Service = Microsoft-365 + Strategy = Best Quality.

Example Rules

  • VoIP → fiber: Internet Service = Voice, Strategy = Best Quality, prefer wan1.
  • Backups → cable: Destination = backup server IP, prefer wan2 (cheaper / unmetered).
  • SaaS → best quality: Internet Service = Microsoft-365 / Google-Workspace, Strategy = Best Quality.

CLI Equivalent

config system sdwan
    config service
        edit 1
            set name "VoIP-via-Fiber"
            set mode sla
            set internet-service enable
            set internet-service-id 12345
            config sla
                edit "Google-DNS-Health"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

Notes on this block: 12345 is a placeholder, not the real ID of any FortiGuard entry; use the ID of the Internet Service you selected (newer releases reference the entry by name with set internet-service-name instead). mode sla is the Lowest Cost (SLA) strategy; the others are mode priority (Best Quality, which takes set health-check and set link-cost-factor instead of a config sla block), mode load-balance (Maximize Bandwidth) and mode manual. The config sla block is what ties the rule to health check Google-DNS-Health and its SLA target id 1; a separate set health-check line is not used in sla mode, and the FortiOS CLI does not accept # comments. priority-members lists member seq-nums in order of preference, so at least two members are needed for the SLA failover described above to have anywhere to go.

Verify

diagnose sys sdwan service

Shows each rule with its mode, the members it was given, the live metric per member and which member is currently selected.

diagnose sys sdwan health-check

Shows per-member latency, jitter and packet loss for each health check and whether the member is inside its SLA targets, which is what drives SLA-based failover.

diagnose firewall proute list

Lists the SD-WAN rules as installed in the policy-routing table, one entry per rule with its match criteria and output interfaces in order. A rule that does not appear here was never installed, as opposed to merely not matched.

Common Issues

  • Rule not matching. Source/destination/service criteria too narrow, or no firewall policy allows the traffic towards the SD-WAN zone. Test with a broader rule first, then tighten it.
  • Wrong member used despite rule. A higher-priority rule is catching the traffic first. Check diagnose sys sdwan service for which rule the flow hits and reorder.
  • SLA failover not happening. "Required SLA" not set (set it), or the health check is not actually failing (check diagnose sys sdwan health-check). Best Quality never uses the SLA target; it follows the measured metric, so a member can stay selected while out of SLA.