31 Equal+Cost+Multi

Uploaded by Willy Dinata

Equal Cost Multi-Path (ECMP):

ECMP stands for Equal Cost Multi-Path. ECMP is a mechanism that allows multiple routes to
the same destination with different next hops and load-balances routed traffic over those
next hops. On a FortiGate, ECMP load-balances routed traffic over multiple gateways. Just
like other routes in the routing table, ECMP is considered after policy routing, so any
matching policy route takes precedence over ECMP. The routes must have the same destination
and the same cost; for static routes, cost consists of distance and priority. The routes must
also be sourced from the same routing protocol. Supported protocols include Static Routing,
OSPF, and BGP. By default, a FortiGate allows a maximum of 255 ECMP paths; the lowest value,
1, is equivalent to disabling ECMP. ECMP with static routes works only if the routes are
configured with the same distance and the same priority.

Equal Cost Multi-Path (ECMP) load balancing and failover are methods that extend static
routing. They are used to distribute traffic to the same destination across multiple routes.
By default, FortiGate calculates a hash from the source IP address and assigns a path based
on that hash, so traffic to the Internet from different clients is routed over different
paths, while the same source IP address always uses the same path. If we also want failover
to work, a path that becomes unavailable must stop being used, i.e. it must be removed from
the routing table. For that we have to use a Link Health Monitor.

ECMP algorithm: Description

source-ip-based: Traffic is divided equally between the interfaces. Sessions that start at
the same source IP address use the same path. This is the default selection.

weight-based: The workload is distributed based on the number of sessions that are
connected through each interface. The weight that you assign to each interface is used to
calculate the percentage of the total sessions allowed to connect through that interface,
and the sessions are distributed to the interfaces accordingly.

usage-based: An interface is used until the traffic bandwidth exceeds the ingress and
egress thresholds that you set for that interface. Additional traffic is then sent through
the next interface member.

source-dest-ip-based: Traffic is divided equally between the interfaces. Sessions that
start at the same source IP address and go to the same destination IP address use the same
path.

Page 1 | Created by Ahmad Ali, E-Mail: ahmadalimsc@gmail.com, WhatsApp: 00966564303717


Typically, we create multiple static routes for multiple Internet connections, so we have
multiple paths to the same destination, each using a different interface and a different
gateway. FortiGate must decide which next hop to use when routing.

When FortiGate builds the routing table and there are multiple records for the same
destination, it compares their Administrative Distance (AD) values and installs the record
with the lowest distance. If they have the same AD, both records are installed. When making
a routing decision, FortiGate then looks at the priority value and uses the path with the
lower value. Only records whose interface is up are installed in the routing table.

If there are multiple routes for the same destination and they have the same distance and
priority, then we are talking about Equal Cost Multi-Path (ECMP) routes. In this case,
FortiGate automatically uses ECMP load balancing.

If we want to use two paths to the Internet, we must also create the firewall policy twice
(once per outgoing interface) or use a multiple-interface policy and assign both interfaces,
because the outgoing interface is defined in the policy. In any setup where two-line load
balancing or failover is used, a matching policy must exist to allow the communication.
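As an added example (not part of the original document), the configuration described above in FortiOS CLI: two equal-cost default routes, the ECMP algorithm from the table, and one multiple-interface policy covering both outgoing interfaces. Gateway addresses and interface names (wan1, wan2, internal) are assumed.

```fortios
# Two default routes with the same distance and the same priority: both are
# installed in the routing table and FortiGate load-balances with ECMP.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 1
    next
end
# ECMP algorithm, set per VDOM. source-ip-based is the default; the other
# values are weight-based (uses "set weight" under config system interface),
# usage-based (uses the interface spillover thresholds) and
# source-dest-ip-based.
config system settings
    set v4-ecmp-mode source-ip-based
end
# One multiple-interface policy allows traffic out of either path. Without
# a policy for the second interface, sessions hashed to that path are dropped.
config firewall policy
    edit 1
        set name "LAN-to-Internet-ECMP"
        set srcintf "internal"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Check the result with "get router info routing-table all": both default routes must appear under the same prefix; if only one shows, the distance or priority values differ.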

Primary and Backup Path:

If we have two Internet connections, we can actively use one and keep the other as a backup.
We can do this simply by configuring default routes with different Administrative Distances
or Priorities. The path with the lower value is preferred, and only if it is unavailable is
the second one used. You can use the Link Health Monitor to let FortiGate know that the route
is unavailable.


Link Health Monitor (Interface Status Detection):
If an interface through which a static route is configured goes down, that entry is removed
from the routing table. Likewise, if any of the Internet connections becomes unavailable, we
want its path to be removed from the routing table so that the next available path is used
automatically. In practice, the problem is usually not the link to the FortiGate interface
itself but further along the way, where the gateway at the ISP is not reachable. The Link
Health Monitor can check the availability of the gateway, or of any server on the Internet,
using ping at regular intervals. If the destination does not respond for a defined number of
probes, FortiGate considers the line unavailable and removes the path from the routing table.
When the path becomes available again, the record is restored.
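As an added example (not from the original document), the primary/backup setup plus the link health monitor that withdraws the primary route when the ISP gateway stops answering. Gateways, interface names and the probe target (8.8.8.8) are assumed.

```fortios
# wan1 is primary (distance 10); wan2 is backup (distance 20) and is only
# installed in the routing table while the wan1 route is absent.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
end
# Alternative: keep the distance equal (both routes stay installed) and give
# the backup route a higher priority value; the lower value is used first.

# Link health monitor: ping a host beyond the ISP gateway through wan1.
# After 5 consecutive failed probes the static routes on wan1 are withdrawn,
# so the distance-20 route on wan2 takes over; after 5 successful probes
# the wan1 route is put back. Probe interval is left at its default.
config system link-monitor
    edit "wan1-health"
        set srcintf "wan1"
        set server "8.8.8.8"
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

Monitoring only the interface link state would not catch an ISP-side outage; probing a host beyond the gateway (not the gateway itself) detects failures further along the path.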

Policy Routing:
If we have two lines to the Internet and want to determine which traffic uses which line,
Policy Routing can help. Classic routing selects a path only by destination address. With
Policy Routing, we can make decisions based on the source interface, source address,
destination address, protocol, or service. To do this, we specify the gateway address (next
hop) and optionally the outgoing interface. We can create rules so that one internal network
uses one line to the Internet and the rest use the other, or so that a certain type of
traffic (for example Office 365 or SMTP communication) uses a dedicated line.
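As an added example (not from the original document), policy routes implementing the two cases just described: SMTP from the LAN pinned to the wan2 line, and one internal network pinned to wan1 while everything else follows the routing table. Subnets, gateways and interface names are assumed.

```fortios
# Policy routes are evaluated in order, before the routing table.
config router policy
    # Rule 1: traffic to other internal networks must not be forced out to
    # the Internet. "action deny" means: stop policy routing for this
    # traffic and use the normal routing table instead.
    edit 1
        set input-device "internal"
        set dst "192.168.0.0/255.255.0.0"
        set action deny
    next
    # Rule 2: outbound SMTP (TCP/25) from the LAN always uses the wan2 line.
    edit 2
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set protocol 6
        set start-port 25
        set end-port 25
        set gateway 198.51.100.1
        set output-device "wan2"
    next
    # Rule 3: the 192.168.2.0/24 network uses wan1 for everything else.
    # Traffic matching no rule is routed by destination as usual.
    edit 3
        set input-device "internal"
        set src "192.168.2.0/255.255.255.0"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
end
```

Without the deny rule at the top, a source-only policy route also catches traffic to internal subnets and sends it to the ISP gateway, which is a common cause of "policy routing broke my LAN" tickets.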

SD-WAN:
The comprehensive multi-connection WAN solution is called SD-WAN; it can be said to replace
all of the above. SD-WAN is a virtual interface that consists of a group of member interfaces
(minimum one, maximum 255), which can be connected to different types of lines.
Configuration is simplified because we define one set of routes and firewall policies for
the SD-WAN interface, and these automatically apply to all member interfaces. We can use
various load-balancing algorithms to route traffic to the individual lines, for example
according to bandwidth usage or the number of sessions. Only one SD-WAN interface can be
created per VDOM. We can create a maximum of 4000 SD-WAN rules and link health monitors.
Interfaces that we want to add to the SD-WAN must not be referenced elsewhere in the
configuration; otherwise they cannot be added.
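As an added example (not from the original document), a minimal SD-WAN replacement for the ECMP and link-monitor setups above, using FortiOS 7.0+ CLI syntax (older releases use "config system virtual-wan-link" instead). Member gateways, interface names and the health-check target are assumed; the members must not be referenced by any existing route or policy before they are added.

```fortios
config system sdwan
    set status enable
    # Same algorithm choices as v4-ecmp-mode, applied to the SD-WAN members.
    set load-balance-mode source-ip-based
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
    end
    # One health check replaces the per-interface link monitors; a member
    # whose probes fail is taken out of the load-balancing set automatically.
    config health-check
        edit "isp-ping"
            set server "8.8.8.8"
            set members 1 2
        next
    end
end
# A single default route over the SD-WAN zone covers all member interfaces,
# so no per-ISP static routes are needed.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
end
# Firewall policies then use "virtual-wan-link" as the destination interface
# instead of listing wan1 and wan2 separately.
```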
