Internet Egress Scenario

Network Topology and Requirements

  1. The FortiGate connects to the Internet through three ISPs (China Unicom, China Telecom and China Mobile). The Unicom and Telecom lines have static IPs; the Mobile line is a PPPoE line.
  2. The Unicom and Telecom lines use ISP-assigned IP pools for SNAT to the Internet; the Mobile line borrows the PPPoE interface IP as the SNAT source address.
  3. SD-WAN is configured to steer traffic by application, user, ISDB and so on, giving smarter Internet egress selection and backup; this is where the value of SD-WAN lies.
  4. SD-WAN is normally configured on a freshly deployed device. Converting a device that already carries configuration to SD-WAN is cumbersome: the related policies, routes, link-monitors and other references have to be deleted before SD-WAN can be configured and deployed, so there is no smooth in-place switch. This must not be done on a device carrying live traffic, because it causes a service interruption; SD-WAN is therefore best planned and deployed from the start.

Configuration Steps

SD-WAN Basic Configuration

  1. Configure the IP addresses or PPPoE accounts of the three ISP lines (configure PPPoE through the CLI; see the PPPoE Interface Configuration section under Pre-deployment Notes) and the internal interface IP.

    PPPoE interface configuration:
    config system pppoe-interface
        edit "CMCC"
            set device "port4"
            set username "user1"
            set password xxxxxxxx
        next
    end
    
    Static IP interface configuration:
    config system interface
        edit "port2"
            set vdom "root"
            set ip 101.103.1.2 255.255.255.0
            set allowaccess ssh
            set alias "WAN_Unicom"
        next
        edit "port3"
            set vdom "root"
            set ip 202.103.1.2 255.255.255.0
            set allowaccess ssh
            set alias "WAN_Telecom"
        next 
        edit "port5"
            set vdom "root"
            set ip 192.168.10.1 255.255.255.0
            set allowaccess ping https ssh http
            set alias "LAN"
        next
    end
    
  2. Go to Network → SD-WAN → SD-WAN Zones on the FortiGate and create a zone named "to_Internet" for Internet access (the preset SD-WAN zone can also be used directly).

    config system sdwan
        set status enable
        config zone
            edit "to_Internet"
            next
        end
    end
    
  3. On the same page, create the SD-WAN members used for Internet access (the three Unicom, Telecom and Mobile interfaces) and add them to the SD-WAN zone created in the previous step. Note that no gateway is entered when the PPPoE interface is added to the SD-WAN zone.

    A WAN interface that is still referenced by other configuration cannot be added as an SD-WAN member; all references to it must first be removed, including firewall policies, link-monitors and zone membership.

    config system sdwan
        config members
            edit 1
                set interface "port2"
                set zone "to_Internet"
                set gateway 101.103.1.1
            next
            edit 2
                set interface "port3"
                set zone "to_Internet"
                set gateway 202.103.1.1
            next
            edit 3
                set interface "CMCC"
                set zone "to_Internet"
            next
        end
    end
    
  4. Configure a default route pointing to the SD-WAN zone "to_Internet".

    config router static
        edit 1
            set distance 1
            set sdwan-zone "to_Internet"
        next
    end
    
  5. Check the FortiGate routing table; the default route is load-balanced across the three ISP lines.

    FortiGate # get router info routing-table all
    
    Routing table for VRF=0
    S*      0.0.0.0/0 [1/0] via 202.103.1.1, port3, [1/0]
                      [1/0] via 58.103.1.1, CMCC, [1/0]
                      [1/0] via 101.103.1.1, port2, [1/0]
    C       58.103.1.1/32 is directly connected, CMCC
    C       58.103.1.2/32 is directly connected, CMCC
    C       101.103.1.0/24 is directly connected, port2
    C       192.168.10.0/24 is directly connected, port5
    C       202.103.1.0/24 is directly connected, port3
    
  6. Configure the IP pools for the Unicom and Telecom lines and bind each to its WAN interface.

    Important: in an SD-WAN scenario the Internet-access firewall policy can only use the SD-WAN zone interface "to_Internet" as its outgoing interface (Central NAT mode is the exception), not an individual WAN interface. The IP pools must therefore be bound to their WAN interfaces with associated-interface; otherwise the FortiGate only ever uses the first IP pool configured in the firewall policy for SNAT.

    config firewall ippool
        edit "IPPool_Unicom"
            set startip 101.203.1.3
            set endip 101.203.1.5
            set associated-interface "port2"
        next
        edit "IPPool_Telecom"
            set startip 202.103.1.3
            set endip 202.103.1.5
            set associated-interface "port3"
        next
    end
    
  7. Configure a firewall policy that allows the internal port5 (LAN) to reach the Internet over the three ISP lines, with SNAT enabled and referencing the Unicom and Telecom IP pools. Enable application control so that the SD-WAN rules can match on identified applications.

    With the IP pool interface association from step 6, when the firewall policy's SNAT references the IP pools, the address taken from the pool associated with the actual outgoing WAN interface is used for SNAT, while the Mobile line (PPPoE) still uses the outgoing interface address as its SNAT source.

    config firewall policy
        edit 1
            set name "to_Internet"
            set srcintf "port5"
            set dstintf "to_Internet"
            set action accept
            set srcaddr "LAN_192.168.10.0/24"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "default"
            set nat enable
            set ippool enable
            set poolname "IPPool_Telecom" "IPPool_Unicom"
        next
    end
    
  8. The basic SD-WAN configuration is now complete. If no SD-WAN rules are configured, all Internet traffic is load-balanced by source IP across the three default routes we configured manually, as shown in the implicit default SD-WAN rule below; editing that rule changes the load-balancing mode.

    config system sdwan
        set load-balance-mode source-ip-based
    end
    


SD-WAN Rule Configuration

Requirement example 1: important traffic to AWS must leave over the Unicom or Telecom line (static IP), choosing whichever egress has the lower latency.

  1. Configure an HTTP health check towards AWS.

    config system sdwan
        config health-check
            edit "HC_AWS"
                set server "www.amazonaws.cn"
                set protocol http
                set members 0
            next
        end
    end
    
  2. Check the health check status: the Unicom line currently has the lowest latency, the Telecom line is next, and the Mobile line has the highest latency.

    FortiGate # diagnose sys sdwan health-check status 
    Health Check(HC_AWS): 
    Seq(1 port2): state(alive), packet-loss(0.000%) latency(3.216), jitter(0.347), mos(4.402), bandwidth-up(65534995), bandwidth-dw(65534993), bandwidth-bi(131069988) sla_map=0x0
    Seq(2 port3): state(alive), packet-loss(0.000%) latency(53.634), jitter(0.451), mos(4.376), bandwidth-up(65534995), bandwidth-dw(65534993), bandwidth-bi(131069988) sla_map=0x0
    Seq(3 CMCC): state(alive), packet-loss(0.000%) latency(153.830), jitter(0.392), mos(4.307), bandwidth-up(65534995), bandwidth-dw(65534993), bandwidth-bi(131069988) sla_map=0x0
    
  3. Create SD-WAN rule 1:

    • Source address: the internal subnet. Destination address: use ISDB, selecting the AWS-related ISDB entries together with the AWS-related application control signature entries.
    • Interface selection strategy and quality criterion: Best Quality with latency, i.e. the member interface with the lowest latency is selected; if the latency difference between the member interfaces is less than 10% (the default), the interface listed first in the interface preference is used.
    • SLA measurement: the health check created in the previous step.
    • Interface preference: the Unicom and Telecom interfaces, with the Unicom interface listed first.

    config system sdwan
        config service
            edit 1
                set name "to_AWS"
                set mode priority
                set src "LAN_192.168.10.0/24"
                set internet-service enable
                set internet-service-name "Amazon-AWS" "Amazon-AWS.API.Gateway" "Amazon-AWS.AppFlow" "Amazon-AWS.Chime.Meetings" "Amazon-AWS.Chime.Voice.Connector" "Amazon-AWS.Cloud9" "Amazon-AWS.CloudFront" "Amazon-AWS.CodeBuild" "Amazon-AWS.Connect" "Amazon-AWS.DynamoDB" "Amazon-AWS.EBS" "Amazon-AWS.EC2" "Amazon-AWS.Global.Accelerator" "Amazon-AWS.GovCloud.US" "Amazon-AWS.Kinesis.Video.Streams" "Amazon-AWS.Route53" "Amazon-AWS.S3" "Amazon-AWS.WorkSpaces.Gateway"
                set internet-service-app-ctrl 27210 37172 36740 10000051 35944 47432 47433 10000199 51269
                set health-check "HC_AWS"
                set priority-members 1 2
            next
        end
    end
    
  4. Check the current path selection of the rule created above. Because the Unicom line (port2) has the lower latency and the Telecom line (port3) the higher, AWS traffic prefers the Unicom line (port2).

    FortiGate # diagnose sys sdwan service 1
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(HC_AWS)
      Members(2): 
        1: Seq_num(1 port2), alive, latency: 3.135, selected    //Unicom line preferred
        2: Seq_num(2 port3), alive, latency: 53.637, selected   //Telecom line second
      Internet Service(27): Amazon-AWS(393320,0,0,0,0) Amazon-AWS.API.Gateway(393478,0,0,0,0) Amazon-AWS.AppFlow(393484,0,0,0,0) Amazon-AWS.Chime.Meetings(393483,0,0,0,0) Amazon-AWS.Chime.Voice.Connector(393479,0,0,0,0) Amazon-AWS.Cloud9(393471,0,0,0,0) Amazon-AWS.CloudFront(393481,0,0,0,0) Amazon-AWS.CodeBuild(393482,0,0,0,0) Amazon-AWS.Connect(393480,0,0,0,0) Amazon-AWS.DynamoDB(393472,0,0,0,0) Amazon-AWS.EBS(393470,0,0,0,0) Amazon-AWS.EC2(393477,0,0,0,0) Amazon-AWS.Global.Accelerator(393476,0,0,0,0) Amazon-AWS.GovCloud.US(393452,0,0,0,0) Amazon-AWS.Kinesis.Video.Streams(393475,0,0,0,0) Amazon-AWS.Route53(393473,0,0,0,0) Amazon-AWS.S3(393474,0,0,0,0) Amazon-AWS.WorkSpaces.Gateway(393403,0,0,0,0) Amazon.AWS(4294836343,0,0,0,0 27210) Amazon.AWS.Console(4294836344,0,0,0,0 37172) Amazon.AWS_EC2(4294836345,0,0,0,0 36740) Amazon.AWS_IoT(4294838823,0,0,0,0 10000051) Amazon.AWS_S3(4294836346,0,0,0,0 35944) Amazon.AWS_S3.Download(4294838824,0,0,0,0 47432) Amazon.AWS_S3.Upload(4294838825,0,0,0,0 47433) Amazon.AWS_Smart.Plug(4294838826,0,0,0,0 10000199) Amazon.AWS_Workspaces.Health.Status(4294838827,0,0,0,0 51269) 
      Src address(1): 
            192.168.10.0-192.168.10.255
    
  5. Check the policy route generated from the SD-WAN rule; the outgoing interface prefers the lower-latency Unicom line (port2).

    
    FortiGate # diagnose firewall proute list 
    list route policy info(vf=root):
    
    id=2132869121(0x7f210001) vwl_service=1(to_AWS) vwl_mbr_seq=1 2 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(2) oif=4(port2) oif=5(port3)     //the lower-latency Unicom line (port2) is listed first
    source(1): 192.168.10.0-192.168.10.255 
    destination wildcard(1): 0.0.0.0/0.0.0.0 
    internet service(27): Amazon-AWS(393320,0,0,0,0) Amazon-AWS.API.Gateway(393478,0,0,0,0) Amazon-AWS.AppFlow(393484,0,0,0,0) Amazon-AWS.Chime.Meetings(393483,0,0,0,0) Amazon-AWS.Chime.Voice.Connector(393479,0,0,0,0) Amazon-AWS.Cloud9(393471,0,0,0,0) Amazon-AWS.CloudFront(393481,0,0,0,0) Amazon-AWS.CodeBuild(393482,0,0,0,0) Amazon-AWS.Connect(393480,0,0,0,0) Amazon-AWS.DynamoDB(393472,0,0,0,0) Amazon-AWS.EBS(393470,0,0,0,0) Amazon-AWS.EC2(393477,0,0,0,0) Amazon-AWS.Global.Accelerator(393476,0,0,0,0) Amazon-AWS.GovCloud.US(393452,0,0,0,0) Amazon-AWS.Kinesis.Video.Streams(393475,0,0,0,0) Amazon-AWS.Route53(393473,0,0,0,0) Amazon-AWS.S3(393474,0,0,0,0) Amazon-AWS.WorkSpaces.Gateway(393403,0,0,0,0) Amazon.AWS(4294836343,0,0,0,0, 27210) Amazon.AWS.Console(4294836344,0,0,0,0, 37172) Amazon.AWS_EC2(4294836345,0,0,0,0, 36740) Amazon.AWS_IoT(4294838823,0,0,0,0, 10000051) Amazon.AWS_S3(4294836346,0,0,0,0, 35944) Amazon.AWS_S3.Download(4294838824,0,0,0,0, 47432) Amazon.AWS_S3.Upload(4294838825,0,0,0,0, 47433) Amazon.AWS_Smart.Plug(4294838826,0,0,0,0, 10000199) Amazon.AWS_Workspaces.Health.Status(4294838827,0,0,0,0, 51269) 
    hit_count=0 last_used=2023-12-15 15:59:10
    

Requirement example 2: other, unimportant traffic is forwarded over the Mobile line (PPPoE) interface.

  1. Create SD-WAN rule 2:

    • Source address: the internal subnet. Destination address: use application categories, selecting categories that are unimportant to the customer such as Video/Audio, Game and Social Media (application categories as the destination of an SD-WAN rule are supported from 7.2.0; earlier versions only support selecting specific application signature entries).
    • Interface selection strategy: Manual mode.
    • Interface preference: the Mobile PPPoE line among the SD-WAN rule's member interfaces.

    config system sdwan
        config service
            edit 2
                set name "to_Unimportant"
                set src "LAN_192.168.10.0/24"
                set internet-service enable
                set internet-service-app-ctrl-category 5 8 23
                set priority-members 3
            next
        end
    end
    
  2. Check the status of this SD-WAN rule.

    FortiGate # diagnose sys sdwan service 2
    
    Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Members(1): 
        1: Seq_num(3 CMCC), alive, selected
      Internet Service(3): Video/Audio(0,5,0,0,0) Game(0,8,0,0,0) Social.Media(0,23,0,0,0) 
      Src address(1): 
            192.168.10.0-192.168.10.255
    

Requirement example 3: all other traffic is forwarded over whichever of the Telecom line (port3) and the Mobile line (PPPoE) has the lower latency.

  1. Create a new SD-WAN health check using HTTP with www.baidu.com as the target, and select the Telecom line (port3) and the Mobile line (PPPoE) as participating interfaces.

    config system sdwan
        config health-check
            edit "HC_Baidu"
                set server "www.baidu.com"
                set protocol http
                set members 3 2
            next
        end
    end
    
  2. Once created, the Telecom line (port3) shows a lower latency than the Mobile line (PPPoE), by more than the 10% threshold.

    FortiGate # diagnose sys sdwan health-check status HC_Baidu
    Health Check(HC_Baidu): 
    Seq(3 CMCC): state(alive), packet-loss(1.000%) latency(165.551), jitter(1.748), mos(4.267), bandwidth-up(65534991), bandwidth-dw(65534974), bandwidth-bi(131069965) sla_map=0x0
    Seq(2 port3): state(alive), packet-loss(0.000%) latency(64.622), jitter(1.523), mos(4.369), bandwidth-up(65534989), bandwidth-dw(65534969), bandwidth-bi(131069958) sla_map=0x0
    
  3. Create SD-WAN rule 3:

    • Source address: the internal subnet. Destination address: all.
    • Interface selection strategy and quality criterion: Best Quality with latency, i.e. the member interface with the lowest latency is selected; if the latency difference between the member interfaces is less than 10% (the default), the interface listed first in the interface preference is used.
    • SLA measurement: the health check created in the previous step.
    • Interface preference: the Telecom interface (port3) and the Mobile interface (PPPoE), with the Telecom interface (port3) listed first.

    config system sdwan
        config service
            edit 3
                set name "to_Others"
                set mode priority
                set dst "all"
                set src "LAN_192.168.10.0/24"
                set health-check "HC_Baidu"
                set priority-members 2 3
            next
        end
    end
    
  4. Check the current path selection of the rule created above. Because the Telecom line (port3) has the lower latency and the Mobile line (PPPoE) the higher, other traffic prefers the Telecom line (port3).

    FortiGate # diagnose sys sdwan service 3
    
    Service(3): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(HC_Baidu)
      Members(2): 
        1: Seq_num(2 port3), alive, latency: 66.413, selected    //Telecom line preferred
        2: Seq_num(3 CMCC), alive, latency: 167.769, selected
      Src address(1): 
            192.168.10.0-192.168.10.255
    
      Dst address(1): 
            0.0.0.0-255.255.255.255
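As an added example (not from this page or from Fortinet), the following Python models the Best Quality / latency selection that rules 1 and 3 above rely on: it parses the `diagnose sys sdwan health-check status` lines quoted on this page and applies the 10% link-cost-threshold and the priority-members order as the page describes them. The regex, the `Member` type and the reading of the 10% rule are assumptions made for this illustration, not FortiOS code.

```python
# Added example, not from the page or Fortinet: a model of the
# "Best Quality / latency" selection used by SD-WAN rules 1 and 3.
from __future__ import annotations
import re
from dataclasses import dataclass

# One "Seq(...)" line of `diagnose sys sdwan health-check status`.
LINE_RE = re.compile(
    r"Seq\((?P<seq>\d+) (?P<intf>\S+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\) latency\((?P<lat>[\d.]+)\)")

@dataclass
class Member:
    seq: int
    intf: str
    alive: bool
    loss_pct: float
    latency_ms: float

def parse_health_check(output: str) -> dict[int, Member]:
    """Map SD-WAN member sequence number -> parsed health-check state."""
    members: dict[int, Member] = {}
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            members[int(m["seq"])] = Member(int(m["seq"]), m["intf"],
                m["state"] == "alive", float(m["loss"]), float(m["lat"]))
    return members

def rank_members(priority_members: list[int], members: dict[int, Member],
                 threshold_pct: float = 10.0) -> list[str]:
    """Interfaces in selection order for a priority-mode (Best Quality) rule.

    As the page describes it: the lowest-latency alive member wins unless an
    interface listed earlier in priority-members is within link-cost-threshold
    (default 10%) of it, in which case the earlier one is kept.
    """
    alive = [members[s] for s in priority_members
             if s in members and members[s].alive]
    if not alive:
        return []                       # no usable member: rule falls through
    limit = min(m.latency_ms for m in alive) * (1 + threshold_pct / 100)
    chosen = next(m for m in alive if m.latency_ms <= limit)
    rest = sorted((m for m in alive if m is not chosen), key=lambda m: m.latency_ms)
    return [m.intf for m in [chosen, *rest]]

# Abridged from the page's HC_AWS output before/after the 300 ms impairment.
HC_AWS_BEFORE = """\
Seq(1 port2): state(alive), packet-loss(0.000%) latency(3.216), jitter(0.347), mos(4.402), sla_map=0x0
Seq(2 port3): state(alive), packet-loss(0.000%) latency(53.634), jitter(0.451), mos(4.376), sla_map=0x0
Seq(3 CMCC): state(alive), packet-loss(0.000%) latency(153.830), jitter(0.392), mos(4.307), sla_map=0x0
"""
HC_AWS_AFTER = """\
Seq(1 port2): state(alive), packet-loss(0.000%) latency(303.826), jitter(0.410), mos(3.767), sla_map=0x0
Seq(2 port3): state(alive), packet-loss(0.000%) latency(53.633), jitter(0.326), mos(4.376), sla_map=0x0
Seq(3 CMCC): state(alive), packet-loss(0.000%) latency(153.905), jitter(0.378), mos(4.307), sla_map=0x0
"""

if __name__ == "__main__":
    for label, out in (("before", HC_AWS_BEFORE), ("after", HC_AWS_AFTER)):
        print(label, rank_members([1, 2], parse_health_check(out)))   # rule 1
```

Running it reproduces the two `diagnose sys sdwan service 1` member orders on this page (port2 first, then port3 first after the impairment).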
    

Result Verification

  1. Access AWS from an internal PC and check the forwarding traffic log; the outgoing interface is the Unicom line (port2).

  2. View the list of application control signatures learned by the SD-WAN rules.

    FortiGate # diagnose sys sdwan internet-service-app-ctrl-list 
    
    Amazon.AWS(27210 4294836343): 54.222.23.0 6 443 Fri Dec 15 17:12:37 2023
    Amazon.AWS(27210 4294836343): 58.254.138.131 6 443 Fri Dec 15 17:12:28 2023
    Amazon.AWS_S3(35944 4294836346): 52.82.189.181 6 443 Fri Dec 15 17:14:35 2023
    Amazon.AWS_S3(35944 4294836346): 54.222.48.19 6 443 Fri Dec 15 17:12:33 2023
    Amazon.AWS_S3(35944 4294836346): 54.222.52.141 6 443 Fri Dec 15 17:10:13 2023
    Amazon.AWS_S3(35944 4294836346): 54.222.97.19 6 443 Fri Dec 15 17:11:45 2023
    
    The list can be cleared with the following command:
    diagnose sys sdwan internet-service-app-ctrl-flush
    

    💡 For an SD-WAN rule to steer on application signatures, roughly the following conditions must be met:

    Step 1: an application signature can only be learned after an internal user actually accesses AWS and the FortiGate identifies the application, so App Control must be enabled in the firewall policy.
    Step 2: once identified, the IP addresses belonging to the application signature are learned and form a dynamic application IP address database (as shown above); only then is this learned IP database added to the SD-WAN rule (policy route).
    This is therefore a learning process: before learning succeeds, AWS traffic leaves over the other lines (matching SD-WAN rule 3). This is not a fault but simply how application-based SD-WAN steering works; only after learning completes will newly initiated AWS traffic match SD-WAN rule 1.
    If the traffic matches an ISDB entry directly, it matches the SD-WAN rule immediately, without the learning process above.
  3. Simulate the latency of the Unicom line (port2) towards AWS rising to 300 ms.

    FortiGate # diagnose sys sdwan health-check status HC_AWS
    Health Check(HC_AWS): 
    Seq(1 port2): state(alive), packet-loss(0.000%) latency(303.826), jitter(0.410), mos(3.767), bandwidth-up(65534995), bandwidth-dw(65534993), bandwidth-bi(131069988) sla_map=0x0
    Seq(2 port3): state(alive), packet-loss(0.000%) latency(53.633), jitter(0.326), mos(4.376), bandwidth-up(65534991), bandwidth-dw(65534973), bandwidth-bi(131069964) sla_map=0x0
    Seq(3 CMCC): state(alive), packet-loss(0.000%) latency(153.905), jitter(0.378), mos(4.307), bandwidth-up(65534992), bandwidth-dw(65534975), bandwidth-bi(131069967) sla_map=0x0
    
  4. SD-WAN rule 1 now prefers the Telecom line (port3) for AWS traffic.

    FortiGate # diagnose sys sdwan service 1
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(HC_AWS)
      Members(2): 
        1: Seq_num(2 port3), alive, latency: 53.560, selected    //the lower-latency Telecom line is now preferred
        2: Seq_num(1 port2), alive, latency: 304.084, selected
      Internet Service(27): Amazon-AWS(393320,0,0,0,0) Amazon-AWS.API.Gateway(393478,0,0,0,0) Amazon-AWS.AppFlow(393484,0,0,0,0) Amazon-AWS.Chime.Meetings(393483,0,0,0,0) Amazon-AWS.Chime.Voice.Connector(393479,0,0,0,0) Amazon-AWS.Cloud9(393471,0,0,0,0) Amazon-AWS.CloudFront(393481,0,0,0,0) Amazon-AWS.CodeBuild(393482,0,0,0,0) Amazon-AWS.Connect(393480,0,0,0,0) Amazon-AWS.DynamoDB(393472,0,0,0,0) Amazon-AWS.EBS(393470,0,0,0,0) Amazon-AWS.EC2(393477,0,0,0,0) Amazon-AWS.Global.Accelerator(393476,0,0,0,0) Amazon-AWS.GovCloud.US(393452,0,0,0,0) Amazon-AWS.Kinesis.Video.Streams(393475,0,0,0,0) Amazon-AWS.Route53(393473,0,0,0,0) Amazon-AWS.S3(393474,0,0,0,0) Amazon-AWS.WorkSpaces.Gateway(393403,0,0,0,0) Amazon.AWS(4294836343,0,0,0,0 27210) Amazon.AWS.Console(4294836344,0,0,0,0 37172) Amazon.AWS_EC2(4294836345,0,0,0,0 36740) Amazon.AWS_IoT(4294838823,0,0,0,0 10000051) Amazon.AWS_S3(4294836346,0,0,0,0 35944) Amazon.AWS_S3.Download(4294838824,0,0,0,0 47432) Amazon.AWS_S3.Upload(4294838825,0,0,0,0 47433) Amazon.AWS_Smart.Plug(4294838826,0,0,0,0 10000199) Amazon.AWS_Workspaces.Health.Status(4294838827,0,0,0,0 51269) 
      Src address(1): 
            192.168.10.0-192.168.10.255
    
  5. Access AWS again from the internal PC and check the forwarding traffic log; the outgoing interface is now the Telecom line (port3).

  6. Access a video website from the internal PC and check the forwarding traffic log; the outgoing interface is the Mobile line (PPPoE).

  7. View the list of application control categories learned by the SD-WAN rule (note that this is a different command from the one used for rule 1: it lists application categories rather than applications).

    FortiGate # diagnose sys sdwan internet-service-app-ctrl-category-list 
    
    Bilibili(53243 4294839067): 27.222.0.173 6 7826 Fri Dec 15 17:41:47 2023
    Bilibili(53243 4294839067): 112.65.211.215 6 443 Fri Dec 15 17:41:48 2023
    Bilibili(53243 4294839067): 112.83.140.17 6 443 Fri Dec 15 17:39:16 2023
    Bilibili(53243 4294839067): 114.250.52.78 6 443 Fri Dec 15 17:41:48 2023
    Bilibili(53243 4294839067): 116.130.196.134 6 443 Fri Dec 15 17:41:43 2023
    Bilibili(53243 4294839067): 121.22.227.2 6 443 Fri Dec 15 17:39:14 2023
    Bilibili(53243 4294839067): 121.22.227.5 6 443 Fri Dec 15 17:41:47 2023
    Bilibili(53243 4294839067): 123.234.3.166 6 443 Fri Dec 15 17:41:43 2023
    Bilibili(53243 4294839067): 123.234.3.169 6 443 Fri Dec 15 17:42:28 2023
    Bilibili(53243 4294839067): 125.39.177.219 6 443 Fri Dec 15 17:39:13 2023
    ......
    
    The list can be cleared with the following command:
    diagnose sys sdwan internet-service-app-ctrl-flush
    

    💡 For an SD-WAN rule to steer on application signatures, roughly the following conditions must be met:

    Step 1: an application signature can only be learned after an internal user actually accesses the video website and the FortiGate identifies the application, so App Control must be enabled in the firewall policy.
    Step 2: once identified, the IP addresses belonging to the application signature are learned and form a dynamic application IP address database (as shown above); only then is this learned IP database added to the SD-WAN rule (policy route).
    This is therefore a learning process: before learning succeeds, the video-site traffic leaves over the other lines (matching SD-WAN rule 3). This is not a fault but simply how application-based SD-WAN steering works; only after learning completes will newly initiated video-site traffic match SD-WAN rule 2.
  8. Access other websites, such as a search engine, from the internal PC and check the forwarding traffic log; the outgoing interface is the Telecom line (port3).

  9. Simulate the latency of the Telecom line (port3) towards Baidu rising to 300 ms.

    FortiGate # diagnose sys sdwan health-check status HC_Baidu
    Health Check(HC_Baidu): 
    Seq(3 CMCC): state(alive), packet-loss(0.000%) latency(165.041), jitter(0.734), mos(4.274), bandwidth-up(65534990), bandwidth-dw(65534969), bandwidth-bi(131069959) sla_map=0x0
    Seq(2 port3): state(alive), packet-loss(2.000%) latency(304.182), jitter(21.180), mos(3.573), bandwidth-up(65534991), bandwidth-dw(65534973), bandwidth-bi(131069964) sla_map=0x0
    
  10. SD-WAN rule 3 now prefers the Mobile line (PPPoE) for other traffic.

    FortiGate # diagnose sys sdwan service 3
    
    Service(3): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(HC_Baidu)
      Members(2): 
        1: Seq_num(3 CMCC), alive, latency: 160.563, selected    //Mobile line now preferred
        2: Seq_num(2 port3), alive, latency: 310.831, selected
      Src address(1): 
            192.168.10.0-192.168.10.255
    
      Dst address(1): 
            0.0.0.0-255.255.255.255
    
  11. Access other websites from the internal PC and check the forwarding traffic log; the outgoing interface is the Mobile line (PPPoE).
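As an added example (not from this page or from Fortinet), the following Python is a simplified model of the learning process described in verification steps 2 and 7 above: a rule that steers on application signatures or categories only matches a destination after that IP/protocol/port has been learned, an ISDB prefix matches immediately, and rule 3 (destination all) catches everything else until then. The rule table, the `203.0.113.0/24` placeholder standing in for an ISDB prefix, and the keying of learned entries on (IP, protocol, port) are assumptions made for this illustration.

```python
# Added example, not from the page or Fortinet: a simplified model of how an
# SD-WAN rule that steers on application signatures only starts matching
# once the application's IPs have been learned (verification steps 2 and 7).
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    rule_id: int                   # rules are evaluated in ascending id order
    name: str
    members: list[str]             # interface names in priority order
    isdb: list[IPv4Network] = field(default_factory=list)  # static ISDB prefixes
    apps: set[str] = field(default_factory=set)   # app-ctrl signatures / categories
    match_all: bool = False        # rule 3: destination "all"

class SdwanRuleTable:
    def __init__(self, rules: list[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        # (dst_ip, proto, port) -> app name: the learned app-ctrl IP list
        self.learned: dict[tuple[str, int, int], str] = {}

    def learn(self, app: str, dst_ip: str, proto: int, port: int) -> None:
        """Record one entry as `internet-service-app-ctrl-list` shows it."""
        self.learned[(dst_ip, proto, port)] = app

    def flush(self) -> None:
        """What `diagnose sys sdwan internet-service-app-ctrl-flush` does."""
        self.learned.clear()

    def match(self, dst_ip: str, proto: int, port: int) -> Optional[Rule]:
        """First rule whose destination covers this new flow, or None."""
        app = self.learned.get((dst_ip, proto, port))
        addr = ip_address(dst_ip)
        for r in self.rules:
            if (r.match_all or any(addr in p for p in r.isdb)
                    or (app is not None and app in r.apps)):
                return r
        return None

def build_table() -> SdwanRuleTable:
    """The three rules of this page; the ISDB prefix is a constructed placeholder."""
    return SdwanRuleTable([
        Rule(1, "to_AWS", ["port2", "port3"],
             isdb=[ip_network("203.0.113.0/24")],      # placeholder, not a real AWS prefix
             apps={"Amazon.AWS", "Amazon.AWS_S3"}),
        Rule(2, "to_Unimportant", ["CMCC"], apps={"Bilibili"}),
        Rule(3, "to_Others", ["port3", "CMCC"], match_all=True),
    ])

def rule_for(table: SdwanRuleTable, dst_ip: str, proto: int, port: int) -> str:
    """Name of the rule a new session to dst_ip:port would hit."""
    r = table.match(dst_ip, proto, port)
    return r.name if r else "implicit-default"

if __name__ == "__main__":
    t = build_table()
    print(rule_for(t, "54.222.23.0", 6, 443))        # to_Others: not learned yet
    t.learn("Amazon.AWS", "54.222.23.0", 6, 443)      # entry from the app-ctrl list
    print(rule_for(t, "54.222.23.0", 6, 443))        # to_AWS
```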


Notes

  1. If a newly learned application database must take full effect at once: existing sessions keep their original egress, so to make them follow the new rule immediately the old sessions and the route cache have to be cleared; newly created sessions do not need this. The commands are as follows.

    diagnose sys session filter src 192.168.10.100
    diagnose sys session clear    //clear the test host's sessions so they re-match the new SD-WAN rule (the Skype IP database has been updated)
    
  2. By default, when the SD-WAN path selection changes, existing sessions do not move to the new link immediately; only sessions created after the switch are established on the new line. To invalidate existing sessions immediately after an SD-WAN link switch, use the following command (it may increase CPU load, so enable it with care).

    config system global
        set snat-route-change enable    //default is disable
    end
    

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2023-12-25 10:04:57
