Using SD-WAN for Central-Management traffic to Fortimanager Cloud

Question

Hi, FortiGate - 7.4.9Fortimanager Cloud - v7.4.8 I am configuring a FortiGate to use SD-WAN for connectivity to FortiManager Cloud and FortiGuard (plus more services once I have a confirmed config), and am hoping to get some feedback on the best way to configure this. I have set the configured central-management to use sdwan (following this page) config system central-management set interface-select-method sdwan All seems ok, however the Fortigate doesn't want to connect using the best connection. The firewall is connected to an FTTC and a 4G router. The FTTC connection has lower latency and jitter, but the firewall always seems to want to connect to FortiManager Cloud using the 4G. Note the 4G interface is DHCP and the FTTC is using a fixed IP.The default route on the Fortigate is pointing to the sdwan-zone as the interface.Other SDWAN rules seem to work fine. Whether I just leave the SDWAN rules blank and use the default 'sd-wan' rule or use a generic 'Best_Internet' rule with 'All' as the source and destination and the FTTC given the interface preference, or use the rule with (Source - All, Destination - Internet Services: FortiCloud, FortiGuard),  the firewall always wants to use the 4G to connect to Fortimanager Cloud. If I disconnect the 4G it will move over to the FTTC. The link above doesn't detail anything more regarding any specific SDWAN rules that should be in place or whether you should set a source interface (and if so should this be a loopback etc - This link would suggest not to do this?). The guide shows the command 'set interface <interface>' which is not even an option on the FortiGate. There is the option 'fmg-source-ip' I suppose my question is what is the recommended config for using sdwan for the central management traffic, other than the 'set interface-select-method sdwan' command. Thanks in advance!

_panda_ · Accepted Answer

Hi,

So, I've just been overthinking it, and have tripped myself up. I realised what the issue was the FortiGate automatically giving WAN interfaces set to DHCP a Distance of 5. The static route (pointing to the sdwan-zone) had a manually configured distance of 20.

I changed the 4G interface settings to manual. Both routes immediately appeared in the routing table and the connection to FortiManager Cloud jumped over to the FTTC straight away.

I have put the specific Fortinet Services SDWAN rule back. Source 'All'. Destination Services 'Fortinet-DNS, Fortinet-FortiCloud, Fortinet-FortiGuard' which should be everything (?).

I haven't set any source interface or IP. The only one that would make sense would be a loopback but unless I can find an official guide by Fortinet on what other firewall rules or NAT would need to be in place, I'll leave this.

Thanks for coming back to me so soon. Much appreciated.

funkylicious · Answer

hi,can you confirm from, get router info routing-table all , that both routes/interfaces are installed in RIB?also, if i recall correctly local-out/locally generated traffic isn't subject to sdwan rules/performance SLA, just traffic going through the firewall.if you need a specific interface to use a service, i would encourage you to manually specify it.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded