Networking Sdwan Fortinet Sdwan 7 6

The headline SD-WAN feature in 7.6. ADVPN 2.0 now supports multiple shortcuts per spoke-pair:

Before 7.6 (ADVPN 2.0 in 7.4):

• Single optimal shortcut per spoke-pair
• SD-WAN selected the best single path between spokes
• If shortcut degraded, traffic fell back to hub path or alternative single shortcut

In 7.6:

• Multiple simultaneous shortcuts between the same spoke-pair
• One shortcut per underlay transport combination (e.g., MPLS-to-MPLS, INET-to-INET, MPLS-to-INET)
• SD-WAN maximize-bandwidth strategy distributes traffic across all healthy shortcuts
• Aggregate throughput between spokes uses all available WAN bandwidth

Configuration:

# Hub: enable multi-shortcut support
config vpn ipsec phase1-interface
  edit "HUB_OVERLAY_MPLS"
    set type dynamic
    set auto-discovery-sender enable
    set auto-discovery-forwarder enable
    set advpn-sla-failure-node "VOICE-SLA"
  next
end

# Spoke: SD-WAN rule for overlay using maximize-bandwidth
config system sdwan
  config service
    edit 5
      set name "SPOKE-TO-SPOKE-BULK"
      set mode maximize-bandwidth
      set health-check "OVERLAY-SLA"
      set dst "REMOTE-SPOKE-SUBNETS"
      set priority-zone "OVERLAY"
    next
  end
end

Dynamic Shortcut Lifecycle

Shortcuts in 7.6 are tightly coupled with SD-WAN health check state:

• Shortcuts are established when traffic demand is detected AND underlay health is acceptable
• Shortcuts are proactively torn down when health check metrics indicate the underlay transport is degraded beyond recovery
• Reduces stale shortcuts that consume IKE SA resources

SD-WAN Maximize-Bandwidth Across Shortcuts

The maximize-bandwidth strategy in 7.6 is enhanced for shortcut scenarios:

• Distributes sessions proportionally across multiple shortcuts based on weight/volume-ratio
• Works with ADVPN 2.0 shortcuts the same way it works with hub-spoke overlays
• Provides true aggregate bandwidth between spoke sites

Additional 7.6 Improvements

• Improved health check accuracy at sub-100ms probe intervals
• FortiManager 7.6 template enhancements for ADVPN 2.0 configuration
• Enhanced SD-WAN Monitor GUI with shortcut visualization
• Performance improvements for high-tunnel-count deployments

ADVPN 2.0 Upgrade Path from 7.4 to 7.6

Pre-Upgrade Considerations

1. Hub and spoke alignment: All FortiGates in the ADVPN topology should be upgraded to 7.6 for multi-shortcut support. Mixed 7.4/7.6 deployments will work but 7.4 spokes cannot use multi-shortcut.
2. Hub first: Upgrade hub FortiGates before spokes to ensure backward compatibility
3. FortiManager alignment: Upgrade FortiManager to 7.6 before managed FortiGates
4. Existing shortcuts: During upgrade, existing ADVPN 2.0 shortcuts will be re-established. Brief disruption during FortiGate reboot.

Post-Upgrade Configuration

After upgrading to 7.6, enable multi-shortcut features:

1. Verify all hub phase1 interfaces have auto-discovery-sender enable and auto-discovery-forwarder enable
2. Verify all spoke phase1 interfaces have auto-discovery-receiver enable
3. Add SD-WAN rules with maximize-bandwidth strategy for spoke-to-spoke traffic that should leverage multi-shortcut
4. Monitor shortcut establishment: diagnose vpn ike gateway list -- expect multiple shortcuts per spoke-pair

Validation

# Verify multiple shortcuts between spokes
diagnose vpn ike gateway list
# Look for multiple entries per remote spoke (one per underlay combination)

# Verify SD-WAN is distributing across shortcuts
diagnose sys sdwan service
# Check session distribution for maximize-bandwidth rules

# Health check status across shortcuts
diagnose sys sdwan health-check
# All shortcut members should show health status

Key Differences: 7.6 vs 7.4

Key Differences: 7.6 vs 7.2 (Classic ADVPN)

Version Boundaries

Features NOT in 7.6 (future roadmap):

• This is the latest stable release; all current features are included

Features available in 7.6 from earlier releases:

• All 7.4 features (ADVPN 2.0 single-shortcut, passive health checks, five steering strategies)
• All 7.2 features (classic ADVPN, SD-WAN zones, ISDB steering, basic health checks)

Common Pitfalls

1. Mixed version ADVPN 2.0 topology -- Multi-shortcut only works when both spokes are on 7.6. A 7.6 spoke connecting to a 7.4 spoke falls back to single-shortcut behavior. Plan coordinated upgrades.

2. Maximize-bandwidth for voice over shortcuts -- Do not use maximize-bandwidth for voice traffic between spokes. Voice needs consistent single-path delivery. Use best-quality with latency metric for voice shortcuts.

3. Excessive shortcut count -- With multi-shortcut, a spoke with 3 WAN links connecting to another spoke with 3 WAN links creates up to 9 shortcuts. Monitor IKE SA table size on devices with many spoke-to-spoke relationships.

4. FortiManager template mismatch -- Ensure FortiManager is on 7.6 before pushing ADVPN 2.0 multi-shortcut templates. Older FortiManager versions do not support 7.6-specific ADVPN parameters.

5. Health check probe load -- Multi-shortcut means more active shortcuts to monitor. Each shortcut running health checks at 100ms intervals adds up. Size probe intervals appropriately for the number of shortcuts expected.

Reference Files

• ../references/architecture.md -- ADVPN internals, overlay creation, health check mechanics
• ../references/best-practices.md -- Rule design, ADVPN 2.0 deployment guide, operational monitoring