pat_wei
New Contributor III

Did you know that PBR or SD-WAN rules cannot be applied to logs from Fortigate to FAZ or Forticloud? Me neither.

Coming from many different platforms, I thought this was straightforward.

We have the need to steer some traffic that the Fortigate creates (logs, flows, god knows what) over different links.

As in our latest designs, we send logs to forticloud and FAZ.

PS: (I hope more people will support my enhancement request to send logs to Forticloud via HTTPS and not OFTP, which is blocked in some cases and drives us crazy.)

So FAZ must go over LAN7, forticloud over wan2, whereas we are forced to have all internet on wan1.

Easy, right? Apply some PBR to make sure LAN7 FAZ traffic stays on LAN7.

Wait, why would you do that?

Ah, we don‘t really know the IPs Fortigate is using to send the logs to Forticloud; there is no internet service for Forticloud logs, and I am not sure if the FortiGuard internet service would cover it. Fortinet is a bit light on describing what their solutions do. ;)

So rather than losing out, we do the LAN7 PBR and then we do TCP/514 to any to wan2.

Wrong. Does not work.

OK, so I thought I was clever: there is this new feature of SD-WAN. (Does anyone of you know what SD-WAN exactly means for Fortinet? I still don‘t understand what Citrix means with SD-WAN, nor the other vendors that use the term.) But it sounds like the future.

Rebuilding the dual WAN setup using SD-WAN. Getting a first surprise: there is no 100%/0% SD-WAN, what??? Simple failover does not exist; you have to choose (or it will) something like 99% to 1%.

Next: SD-WAN rules.

Here it is interesting to note that after configuring the SD-WAN rules I thought I had succeeded, and thought that SD-WAN really only affects traffic that is destined to the WAN interfaces. My FAZ traffic was happily going out LAN7. I really was relieved: SD-WAN is only about WAN, right? Oh boy, have I been wrong.

That was actually the 1% of the SD-WAN that for some reason kicked in at one point. ;))

OK, conclusion (10 hours into the config), support confirmed:

PBR and SD-WAN do not apply to traffic originating from Fortigate!!!

Am I the only one that thinks there is something wrong?

There is a workaround for this exact issue, i.e. FAZ and Forticloud logs over different interfaces, but I have not had the guts to test it.

There is a second workaround that I got forwarded, and it includes creating a worker VDOM. I definitely did not try that one out, as it would make things extremely complex and it would cost us double (FMG licenses), and we are thinking of around 100+ devices to do it like that.

Hey there, if you think it would be a good idea to have simple, proven solutions, then please go vote for „implement PBR and SD-WAN Rules for Fortigate originated traffic“.

Second, if you would also like to better understand some of their service definitions, ask for more detailed documentation, and maybe we also get an internet service definition for Forticloud Logging.

Regards,

patrick
