Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Adding IPSec VPN as a Software SD-WAN Member on FortiGate (Pre-7.0) with Performance SLA for Health Checks

Introduction

Welcome! In this tutorial, we’ll walk through how to add an IPSec VPN tunnel as a Software SD-WAN member on a FortiGate firewall (pre-7.0 firmware), and how to configure a Performance SLA for tunnel health checks.

About the Author

I’m Paula Wong, CEO and Founder of Accend Networks, a full-service IT solutions provider specializing in cybersecurity, networking, and cloud services – from power to protection.

Certifications:

C|EH Master, CCIE #13062, PCNSE, C-10/C-7 #1086962, Oracle OCI, AWS Certified Cloud Practitioner

With over 30 years of industry experience, including hands-on roles in Fortune 500 environments, I help clients streamline secure and scalable network infrastructure.

Step 1: Remove Active References to the IPSec Tunnel

Before you can use an existing VPN tunnel as an SD-WAN member, you must remove every configuration object that references the tunnel interface (firewall policies, static routes, and similar). FortiOS only allows an interface with zero references to join SD-WAN, and the move itself is required because policies and routes must afterwards point at the SD-WAN zone rather than at the tunnel directly.

  • In this example, we're using a VPN tunnel named Iperf
  • If the References column shows a non-zero count for the tunnel (4 in this example), click that number to see where it is in use.
  • Remove or re-point those references so the tunnel can be added to an SD-WAN zone.

Step 2: Create an SD-WAN Zone and Add the VPN Tunnel

Once the tunnel is cleared of active bindings:

  • Go to Network > SD-WAN Zones
  • Create a new SD-WAN zone (e.g., IPSec_Zone)
  • Add the Iperf tunnel (or your tunnel name) as a member

Step 3: Configure Performance SLA for Health Checks

Now we configure a Performance SLA to monitor the health of the IPSec tunnel. The probe is sent through the tunnel, so the tunnel interface needs a local IP and the remote end must answer the chosen protocol (for a Ping probe, the peer's tunnel interface must allow ping).

  • Go to Network > Performance SLA

  • Add a new SLA and point the server IP to an address that is only reachable through the tunnel, typically the remote peer's tunnel interface IP

  • Protocol options include Ping, HTTP, DNS, TCP echo, UDP echo, and TWAMP

  • Set the SLA targets (latency, jitter, packet loss) and the link-status timers (probe interval, failures before inactive, restores before active) to match what the application tolerates

Note: The member selection (which SD-WAN members run the probe) can be left at all members, but restricting it to the tunnel avoids sending probes out members where the server IP is not reachable and makes the SLA results unambiguous.

Step 4: Create an SD-WAN Rule

Finally, create a rule to define how traffic uses the tunnel based on SLA:

  • Set source and destination

  • Select the Performance SLA created above and the SLA target (latency, jitter, packet loss thresholds) that a member must meet

  • Choose the steering strategy and member order (e.g., the IPSec tunnel as the preferred member, with another member such as WAN2 as backup)

When the tunnel stops meeting its SLA targets, FortiGate marks it out of SLA and steers matching sessions to the next member in the rule's order; when the tunnel recovers for the configured number of probes, traffic moves back according to the rule.
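The same four steps expressed in the FortiOS CLI, as an added example that is not part of the original tutorial. It uses FortiOS 6.4 object names (`config system sdwan`; 6.2 and earlier use `config system virtual-wan-link` instead). The tunnel IPs 10.10.10.1/10.10.10.2, the backup member "wan2", the LAN interface "internal", the SLA thresholds and the timer values are assumptions chosen for illustration; substitute your own.

```fortios
# Step 1: find what still references the tunnel (policies, routes, ...)
# and remove or re-point it before continuing. (6.4 syntax; verify on your firmware.)
diagnose sys checkused system.interface.name Iperf

# The probe needs a source and a target inside the tunnel: give the
# tunnel interface a local IP and the peer's tunnel IP (assumed values).
config system interface
    edit "Iperf"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
    next
end

config system sdwan
    set status enable
    # Step 2: zone plus members. Member 1 is the tunnel, member 2 is an
    # assumed backup WAN link used only to show failover ordering.
    config zone
        edit "IPSec_Zone"
        next
    end
    config members
        edit 1
            set interface "Iperf"
            set zone "IPSec_Zone"
        next
        edit 2
            set interface "wan2"
        next
    end
    # Step 3: Performance SLA. Ping the peer's tunnel IP every 500 ms;
    # 5 lost probes mark the member down, 5 answered probes restore it.
    # 'members 1' restricts the probe to the tunnel (the "participants" note above).
    config health-check
        edit "IPSec_SLA"
            set server "10.10.10.2"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set update-static-route enable
            set members 1
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    # Step 4: SD-WAN rule. 'mode sla' keeps sessions on the first listed
    # member that meets SLA target 1; the tunnel is preferred, wan2 is backup.
    config service
        edit 1
            set name "Iperf_over_VPN"
            set mode sla
            set src "all"
            set dst "all"
            config sla
                edit "IPSec_SLA"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

# Policies now reference the zone, not the tunnel interface, so the
# tunnel stays unreferenced and the rule decides the egress member.
config firewall policy
    edit 0
        set name "LAN_to_IPSec_Zone"
        set srcintf "internal"
        set dstintf "IPSec_Zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After committing, `diagnose sys sdwan health-check` (6.4; `diagnose sys virtual-wan-link health-check` on 6.2) shows per-member latency, jitter, packet loss and the SLA pass/fail state, and `diagnose sys sdwan service` shows which member the rule is currently selecting. If the tunnel never shows as alive, check that the peer's tunnel interface has an IP and permits ping before tuning thresholds; a probe that cannot be answered looks identical to a dead tunnel.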

Summary

That’s it! You’ve now:

  1. Cleared references from an existing IPSec tunnel
  2. Added it as a member to your SD-WAN zone
  3. Configured a Performance SLA for health monitoring
  4. Created traffic rules for dynamic failover and load balancing

Contact

Need help with FortiGate SD-WAN, IPSec, or Performance SLA design?

Reach out:

Written By :

Paula Wong, Senior Network Security Engineer, CCIE Security and Routing & Switching, Certified Ethical Hacker - Master
