Skip to main content
fortimaster
fortimaster
Explorer III
April 19, 2022
Solved

SDWAN and other default routes.

  • April 19, 2022
  • 4 replies
  • 8982 views
Hi. I have fortigate 600E with 6.2.10 firmware. I have 3 DR (3 ISP internet connections) which the traffic from my servers goes to the internet. To determine which of the 3 lines the source from my server traffic leaves, I use policy routes. Now I would like to configure a SDWAN with 2 different internet lines, for other pourpuses, in addition to the 3 that I already have. When trying to create the new default route I read this message "You cannot have duplicated routes on SD-WAN and non SD-WAN interfaces." 
I have read about it and it seemed to me that what is usually done is to put all the lines in the SDWAN (the new and the 3 that it had) creating the default route to the SDWAN. Finally, create a DR that goes to the SDWAN (eliminating the current 3) and with SDWAN rules control what goes out through each line. I would like to know if it is correct. On the other hand, I would like to know if this would generate any problem in the servers that go out through the 3 DR that I have, for example, when there is traffic coming from the internet to a VIP associated with one of the servers. Will they know how to route the return traffic correctly as there is only one default route? Any recommendation?
Thanks ¡¡¡
Best answer by aahmadzada

Hello,

That should work without any problems.
The SDWAN rules are acting very similar to the policy routes but in a bit different way.

So adding all of these 5 lines to the SDWAN, configuring a default router ver SDWAN interface, and setting up appropriate SDWAN rules will make things work.


When it comes to the VIP, it will work as well.
The default route for all 5 SDWAN members will be in the routing table, so the traffic coming from a specific wan interface, hitting a VIP, and then returning as a reply from the server will leave the Fortigate using the same ingress wan interface.

 

Ahmad

4 replies

aahmadzada
Staff
aahmadzadaAnswer
Staff
April 20, 2022

Hello,

That should work without any problems.
The SDWAN rules are acting very similar to the policy routes but in a bit different way.

So adding all of these 5 lines to the SDWAN, configuring a default router ver SDWAN interface, and setting up appropriate SDWAN rules will make things work.


When it comes to the VIP, it will work as well.
The default route for all 5 SDWAN members will be in the routing table, so the traffic coming from a specific wan interface, hitting a VIP, and then returning as a reply from the server will leave the Fortigate using the same ingress wan interface.

 

Ahmad

    fortimaster
    fortimasterAuthor
    Explorer III
    April 20, 2022
    Thank you very much for the reply¡¡ Therefore, I understand that even if it does not have several default routes defined in the routing table, and having only one to the SDWAN, it will be enough for the firewall to know how to route traffic coming from the internet to a VIP through the same interface through which it enters.  On the other hand, I seemed to read that there were problems with fortiguard in some cases and this scenario, when a line failed. I understand that this is already resolved in 6.2.10
    aahmadzada
    Staff
    aahmadzada
    Staff
    April 20, 2022

    Connection to fortiguard as any other self-originated traffic with the SDWAN can be handled by determining the way how FortiOS selects the default route for the self-originated traffic.
    Please check this one:
    https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/848980/self-originating-traffic

     

    Ahmad

    fortimaster
    fortimasterAuthor
    Explorer III
    April 20, 2022

    Perfect aahmadzada ¡¡¡ I go to configure it ¡

    fortimaster
    fortimasterAuthor
    Explorer III
    May 3, 2022
    Some last doubts before the changes:
    The rules that I have associated with an interface, of traffic that comes from the internet to my intranet, with a VIP, do I have to change them with a SDWAN destination or can I keep the current interface? I understand that the rules that I must change are the exit rules. I will have to redo all the exit rules of the different interfaces that connect to my ISPs for the SDWAN and put the IP pools and others in them.
    The summary is if I can continue to use those interfaces individually for some things like IPSEC tunnels, ingress rules and so on or will I have to adjust everything to and from the sdwan interface and I will have to do SDWAN rules for each matter. I think it would be enough to change the exit rules pointing to the sdwan.

     

    Terms & ConditionsAccessibility statement