Matt_B
Staff & Editor
March 6, 2026

Technical Tip: SD-WAN Rule failover for internet traffic without updating static route using Manual Strategy

Description
This article describes an enhancement to a basic primary/backup SD-WAN failover configuration that maintains the existing routing table when the primary interface health check is dead.

Scope
FortiOS v7.4 and later.

Solution

This article assumes that redundant internet links are already configured for SD-WAN, similar to the article Technical Tip: Configuring basic SD-WAN for Internet-facing links starting from default configuration.

 

One limitation of enabling 'Update static route' on the Performance SLA (SD-WAN health check) is that the resulting failover behavior is 'all or nothing': if the health check for wan1 fails, all traffic other than the health check probes can no longer use wan1 to reach remote destinations until the health check recovers.

 

In the example topology below, the firewall 'BR-FGT' has a single primary IPsec tunnel 'HQ1-BR1' configured on wan1. If any wan1 health check keeps the default 'set update-static-route enable' configuration, the firewall removes the wan1 static route when the health check fails, which brings the tunnel down.


[Image: topology_2.png]
[Image: 02_mod.png]


Forcing the HQ1-BR1 tunnel down based on the result of the health check can be undesirable if the failure is a false positive. To mitigate this, it is preferable to enhance the existing Performance SLA and implement a more granular failover based on both the Performance SLA and an SD-WAN rule.


Configuring granular SD-WAN failover for data traffic:

  1. Go to Network -> SD-WAN -> SD-WAN Rule -> Select 'Create New'.

    [Image: 03_mod.png]

  2. Name the SD-WAN rule. Select Destination address 'all'.

    [Image: 04.png]

    Note: In more complex routing environments, it can be desirable to configure the destination on general Internet Access SD-WAN rules to match all non-private IPv4 networks rather than all IPv4 addresses. This is often done by configuring a destination address group containing all private address ranges and setting 'set dst-negate enable'; see the article Technical Tip: How to avoid specific traffic is matched by the wrong SD-WAN rule.

    • Go to Outgoing Interfaces -> Interface selection strategy -> Select Manual.
    • Go to Interface preference -> 'Select Entries' -> Select wan1.
    • Select wan2, then finish the SD-WAN rule configuration.

    The first selected interface is the preferred one. See Manual Strategy.

    [Image: 06_mod.png]

  3. Select 'OK' to create and enable the SD-WAN rule.

  4. Go to Network -> SD-WAN -> Performance SLAs.

    Create or edit a health check for wan1 as shown in Technical Tip: Configuring basic SD-WAN for Internet-facing links starting from default configuration. Disable 'Update static route'.

    [Image: 08_mod.png]

    Note that when multiple health checks are configured for an interface, each health check generates its own probes and can succeed or fail individually, which complicates the failover logic. See the article Technical Tip: SD-WAN Rule in Manual mode and Performance SLA for more details.

  5. Configure interface-select-method or local-out routing to use SD-WAN for any FortiGate services that should fail over to wan2 when the wan1 health check fails.

CLI:

config system fortiguard
    set interface-select-method sdwan
end

config system dns
    set interface-select-method sdwan
end

config log fortiguard setting
    set interface-select-method sdwan
end

Starting in FortiOS v7.6, it is possible to configure local-out routing for some services in the GUI; see Local out traffic.
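For reference, steps 1 to 4 above expressed as FortiOS CLI (the step 5 commands are already shown above). This is an added example and not configuration from the original article; it assumes wan1 is SD-WAN member 1 and wan2 is member 2, and the health check name, rule name and probe server address are placeholders. Lines starting with '#' are explanatory comments, not CLI input.

```text
# Added example, not from the article. Assumed: wan1 = member 1, wan2 = member 2;
# the health check name, rule name and probe server are placeholders.
config system sdwan
    config health-check
        edit "wan1_hc"
            set server "<probe-server-ip>"
            # Probe only over wan1 (member 1).
            set members 1
            # Keep the wan1 static route in the routing table when the check
            # is dead, so the HQ1-BR1 tunnel is not forced down (the default
            # is 'enable', which gives the 'all or nothing' behavior).
            set update-static-route disable
        next
    end
    config service
        edit 1
            set name "Internet-Manual"
            # Manual strategy: members are used in the listed order.
            set mode manual
            set src "all"
            set dst "all"
            # wan1 is preferred; wan2 carries matching traffic only while
            # wan1 is flagged dead by its health check.
            set priority-members 1 2
        next
    end
end
```

Only 'set update-static-route disable' differs from the default health check; everything else mirrors the GUI steps.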

 

Behavior when the wan1 health check fails:

Although no SLA Target is configured on the SD-WAN rule or Performance SLA, the health check still runs. If all servers on the health check fail to respond within the probe-timeout, wan1 is flagged as dead and wan2 is selected in the SD-WAN rule. Traffic matching the SD-WAN rule is forwarded using wan2.

[Image: 09_mod.png]

  • Other local-out traffic is sent using wan2 if 'set interface-select-method sdwan' is configured for the service.
  • The HQ1-BR1 VPN tunnel stays up and available to send traffic unless the Dead Peer Detection (DPD) mechanism brings the tunnel down independently. Note that even if the tunnel remains up, traffic may or may not pass depending on the condition of ISP1.
  • If DPD brings down the tunnel, this is another indication of an internet outage over ISP1 in addition to the health check failure. See the article Technical Tip: Explanation of the DPD effect on a dialup IPsec tunnel SA lifetime.


Related article:
Technical Tip: Understanding SLA Target Map