stepco
New Member
March 7, 2022
Question

SD wan failover

  • March 7, 2022
  • 6 replies
  • 7695 views

Hi,

Is it possible to disable the SD-WAN failover for some specific traffic/policies?

Example

LANX -> WAN1 to google.be server

LANY -> WAN2 to google.be server

If WAN1 goes down, then LANX may NOT fail over to WAN2 for the traffic to google.be.

Other traffic from LANX may fail over to WAN2 (this is working).

Reason

Their ERP application only identifies the client based on IP address and not on DNS name...

Running v6.4.6 on a FortiGate 60F.

Kind Regards

Stephan

6 replies

naibaho
Visitor III
March 8, 2022

Hi stepco,

You can create a rule in the SD-WAN rules to force LANX to google.be and manually select WAN1 as the outgoing interface, and another rule for LANY to google.be that manually selects WAN2 as the outgoing interface.

Hope this helps you.

 

stepco
Author
New Member
March 8, 2022

Hi Naibaho,

This is common sense, but the FortiGate will disable the rule if WAN1 is down...

:)

akristof
Staff
March 8, 2022

Hi,

Thank you for your question. It is a bit more complex. Yes, you can create a manual SD-WAN rule that will send all traffic from LANX to WAN1. However, if you have a health-check for WAN1, and even if you disable update-static-route, when this health-check fails it will disable the SD-WAN rule. So you would need to make sure that at least one health-check over WAN1 is working, or have no health-check for WAN1.

FortiGab
Explorer
October 19, 2022

Hello akristof,

In case of a WAN1 interface failover to WAN2, is it possible to keep connectivity stuck on WAN2 without switching back to WAN1 when it comes back?

stepco
Author
New Member
March 8, 2022

Hi Akristof,

Thanks for your reply. But then there would be no failover for the other internet traffic.
We used Cyberoam in the past, and there you could force a firewall rule to only use WAN1 and not fail over for that firewall rule.

In the FortiGuard docs I have found that if you disable SD-WAN you can set deny rules.

But then you lose the use of SD-WAN...

Any other ideas?

Kind regards

Stephan

Debbie_FTNT
Staff & Editor
March 8, 2022

Hey stepco,

You could maybe try policy routing, and force all traffic to a specific destination via interface a/b? That should supersede SD-WAN routing to my knowledge, but I'm not sure how SD-WAN related health-checks would impact policy routing.

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/34912/policy-routing

stepco
Author
New Member
March 8, 2022

Hi Debbie,

I tried the policy route, but the SD-WAN logic is taking over :)

Policy route:

Policy 1: "Forward Traffic" to WAN1
Policy 2: "Stop Policy Routing"

Regards

Stephan


vponmuniraj
Staff
March 8, 2022

Hi Stephan,

This should be possible if you have separate zones for your WAN interfaces.

1. Add a manual SD-WAN rule from LANX to google.be, member -> WAN1
2. Place a policy to 'deny' traffic over WAN2 from LANX to google.be

So in case there is a failover (the manual rule would not be hit; traffic hits the implicit rule and is forwarded to WAN2), the traffic would be denied by the policy.

A similar rule and policy can be used for traffic from LANY to google.be through WAN2.

Regards,
Vignesh.

stepco
Author
New Member
March 8, 2022

Hi Vponmuniraj,

You can only select the SD-WAN interfaces in the policies. :(

Regards

Stephan

vponmuniraj
Staff
March 8, 2022

Hi Stephan,

Yes. If you have a separate zone for each interface, FOS 6.4+ allows you to use the zones in the policies.

Note this might add more admin tasks, as you would need to add the new zone to existing policies.

But I cannot think of another way for achieving this requirement.

Regards,
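The following is an added worked example, not posted by anyone in this thread and not taken from Fortinet documentation. It shows what vponmuniraj's two-step approach (one SD-WAN zone per WAN member, a manual rule pinning the ERP traffic to WAN1, and a deny policy on the WAN2 zone) looks like in FortiOS 6.4 CLI, and it keeps a WAN1 health-check with `update-static-route disable` so that akristof's caveat applies: when that check fails, the manual rule is bypassed and the ERP flow is steered towards WAN2, where the deny policy drops it instead of letting it fail over. The interface names (`lanx`, `wan1`, `wan2`), zone names, address objects (`LANX_net`, `erp-server`), gateway and probe addresses are all assumed for illustration; `#` lines are explanatory comments, drop them if pasting into a CLI that rejects them.

```fortios
# Added example (not from the thread). FortiOS 6.4 CLI; names and IPs are assumptions.

config firewall address
    edit "LANX_net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "erp-server"
        set subnet 203.0.113.50 255.255.255.255
    next
end

config system sdwan
    set status enable
    # One zone per WAN member so firewall policies can tell WAN1 from WAN2.
    config zone
        edit "zone-wan1"
        next
        edit "zone-wan2"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "zone-wan1"
            set gateway 198.51.100.1
        next
        edit 2
            set interface "wan2"
            set zone "zone-wan2"
            set gateway 192.0.2.1
        next
    end
    config health-check
        edit "wan1-check"
            set server "198.51.100.9"
            set members 1
            # Keeps WAN1's static route even when the probe fails; the manual
            # SD-WAN rule below is still disabled by a failed check (akristof's point).
            set update-static-route disable
        next
        edit "wan2-check"
            set server "192.0.2.9"
            set members 2
        next
    end
    config service
        # Manual rule: LANX -> erp-server pinned to member 1 (WAN1).
        edit 1
            set name "lanx-erp-wan1"
            set mode manual
            set src "LANX_net"
            set dst "erp-server"
            set priority-members 1
        next
    end
end

config firewall policy
    # Deny sits above the general allow. If WAN1's check fails, the manual rule
    # is skipped, the ERP flow is steered to WAN2 and is dropped here, so the
    # ERP server never sees LANX arriving from the WAN2 address.
    edit 10
        set name "deny-lanx-erp-via-wan2"
        set srcintf "lanx"
        set dstintf "zone-wan2"
        set srcaddr "LANX_net"
        set dstaddr "erp-server"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Everything else from LANX may use either WAN zone and therefore still fails over.
    edit 11
        set name "allow-lanx-internet"
        set srcintf "lanx"
        set dstintf "zone-wan1" "zone-wan2"
        set srcaddr "LANX_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Policy evaluation is top-down by position, not by ID, so if the allow policy already exists, move the deny above it (`config firewall policy` then `move 10 before 11`). The LANY side is the mirror image: a manual rule with `set priority-members 2` and a deny policy with `set dstintf "zone-wan1"`. With logging enabled on the deny policy, a WAN1 outage shows up as denied LANX-to-ERP sessions on `zone-wan2` rather than as ERP logins from an unexpected source address, and `diagnose sys sdwan service` shows whether the manual rule is currently active.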