pacionet
New Member
December 5, 2025
Solved

Fortigate 1100E - SDWAN and policy route issue

  • December 5, 2025
  • 1 reply
  • 674 views

Hi,

on Fortigate 1100e (7.4.9) we set up an SDWAN like this

 

[Image: SDWAN.jpg - SD-WAN topology diagram]

 

We would like OpenNMS to ping one public IP (8.8.8.8) through the line of ROUTER1 and another public IP (8.8.4.4) through the line of ROUTER2. So we set up these policy routes:

 

SOURCE    DESTINATION    GATEWAY
OPENNMS   8.8.8.8        ROUTER1
OPENNMS   8.8.4.4        ROUTER2

 

In static routes we have:

0.0.0.0/0      SDWAN

 

In the SDWAN policy we have the default (members selected by source IP).

 

When both interfaces WAN1 and WAN2 are up, everything works, but:

  • If we disable the WAN2 interface, both pings work
  • If we disable the WAN1 interface, neither ping works

When both interfaces are up, traceroute shows that the routes are correct (the ping towards 8.8.8.8 goes out WAN1, while the ping towards 8.8.4.4 goes out WAN2).

 

Any ideas?

 

Thanks

 

Best answer by pacionet

Sorry,

I found the problem.

I used a wrong NAT on the firewall policy.

We need 2 policies:

OpenNMS -> 8.8.8.8 -> NAT WAN1

OpenNMS -> 8.8.4.4 -> NAT WAN2

 

Thanks !
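The fix described in the accepted answer (one firewall policy per probe destination, each with NAT bound to the WAN that its policy route selects) rendered as FortiOS CLI. This is an added, constructed example, not configuration taken from the thread or from Fortinet: the address object names, the policy IDs, the port4 ingress interface and the two gateway addresses (RFC 5737 documentation addresses standing in for the masked ROUTER1/ROUTER2 IPs) are assumptions; the source and destination values are the ones shown in the thread.

```fortios
# Added example (not the poster's configuration). Assumptions: OpenNMS is
# 10.93.233.229 behind port4; 198.51.100.1 / 203.0.113.1 are placeholders
# for the ROUTER1 / ROUTER2 gateways; object names are invented.

config firewall address
    edit "OPENNMS"
        set subnet 10.93.233.229 255.255.255.255
    next
    edit "PROBE-8.8.8.8"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "PROBE-8.8.4.4"
        set subnet 8.8.4.4 255.255.255.255
    next
end

# Policy routes are evaluated top-down before the SD-WAN rules and the
# routing table (0.0.0.0/0 -> SDWAN), so each probe is pinned to its own WAN.
config router policy
    edit 1
        set input-device "port4"
        set src "10.93.233.229/255.255.255.255"
        set dst "8.8.8.8/255.255.255.255"
        set gateway 198.51.100.1
        set output-device "WAN1"
    next
    edit 2
        set input-device "port4"
        set src "10.93.233.229/255.255.255.255"
        set dst "8.8.4.4/255.255.255.255"
        set gateway 203.0.113.1
        set output-device "WAN2"
    next
end

# One firewall policy per destination. "set nat enable" without an IP pool
# translates to the address of the egress interface named in dstintf, so
# the translated source always belongs to the WAN the policy route chose.
config firewall policy
    edit 101
        set name "OpenNMS-probe-WAN1"
        set srcintf "port4"
        set dstintf "WAN1"
        set action accept
        set srcaddr "OPENNMS"
        set dstaddr "PROBE-8.8.8.8"
        set schedule "always"
        set service "PING"
        set nat enable
        set logtraffic all
    next
    edit 102
        set name "OpenNMS-probe-WAN2"
        set srcintf "port4"
        set dstintf "WAN2"
        set action accept
        set srcaddr "OPENNMS"
        set dstaddr "PROBE-8.8.4.4"
        set schedule "always"
        set service "PING"
        set nat enable
        set logtraffic all
    next
end
```

To check the result, run the command funkylicious suggests, diagnose firewall proute list, and confirm that hit_count on rule 1 increases only while 8.8.8.8 is being pinged and on rule 2 only for 8.8.4.4; with logtraffic enabled on both policies, the forward-traffic log shows which policy ID each session hit, so a probe landing on the wrong policy (the symptom in this thread) is visible in the logs rather than only as a failed ping.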

 

1 reply

funkylicious
SuperUser
December 5, 2025

hi,

do you do NAT on the FGT or on the routers?

diagnose firewall proute list - shows correctly what you have configured / can you post it?

"jack of all trades, master of none"
pacionet (Author)
New Member
December 5, 2025

NAT is on the FGT

Policy routes (gateways are masked):

 

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=16(port4)
path(1): oif=66(WAN1) gwy=X.Y.W.Z path_last_used=2025-12-05 09:22:33
source wildcard(1): 10.93.233.229/255.255.255.255
destination wildcard(1): 8.8.8.8/255.255.255.255
hit_count=14065 rule_last_used=2025-12-05 09:22:33

 

id=2(0x02) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=16(port4)
path(1): oif=87(WAN2) gwy=A.B.C.D path_last_used=2025-12-05 09:21:54
source wildcard(1): 10.93.233.229/255.255.255.255
destination wildcard(1): 8.8.4.4/255.255.255.255
hit_count=3925 rule_last_used=2025-12-05 09:21:54

 

Both policies work when both interfaces are up, but if we deactivate WAN1, neither ping works.

funkylicious
SuperUser
December 5, 2025

do you have auxiliary-session enabled? if not, try enabling it and see if it solves the issue.

 

config system settings
    set auxiliary-session enable
end
"jack of all trades, master of none"