Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pkungatti_FTNT
Staff
Staff

Created on ‎10-29-2019 02:55 AM Edited on ‎06-06-2022 01:20 PM By Anonymous

Article Id 198076

Technical Note: Routing Change and Session Fail-over with SD-WAN

Description
This article explains the Routing Change and Session Fail-over with SD-WAN

Solution
Let us consider the three Interfaces port 1, 2 and 3 are configured over an SD-WAN interface and participating in a Performance SLA.


 
 
If the Failure Threshold was crossed for port3 (5 consecutive probes remained unanswered), the SLA state of port3 switched to dead for health-check SLA_ISPs.
# FGT-1 # diag sys virtual-wan-link health-check SLA_ISPs
Health Check(SLA_ISPs):
Seq(1): state( alive ), packet-loss(0.000%) latency(50. 871), jitter(1.862) sla_map=0x0           <----- Port 1
Seq(2): state( alive ), packet-loss(0.000%) latency(80. 789), jitter(0.534) sla_map=0x0           <----- Port 2
Seq(3): state( dead ), packet-loss(5.000%) sla_marOx0                                             <----- Port 3
If update-static-route is enabled, all static routes over port3 via next-hop 203.0.113.2 are removed from the routing table.
# FGT-1 # get router info routing-table database
(...)
5              *>. 0.0.0.0/0 [1/0] via 192.2.0.2, portl
               *>                   [1/0] via 198.51.100.2, port2
                                      [1/0] via 203.0.113.2, port3 inactive
- After a routing change, sessions are re-validated and may fail over to another SD-WAN member
 
Example of routing change:
1) The order of oif interfaces in the policy-route changes
2) An SD-WAN member switches to dead state
3) Dynamic route update

- After removal of the static routes, existing sessions over port3 must be re-validated against the firewall policies.
The following constraints apply for re-validation of NAT sessions:

- NAT sessions are only re-checked against firewall policies if this setting is explicitly enabled:
# config system global
set snat-route-change enable
end
- NAT sessions are only re-checked against firewall policies performing NAT with the same “NAT-IP”
 
- For e.g., session fail over between Internet accesses is possible only if the same “public IP-range” is used to NAT traffic via all ISPs (BGP/dynamic routing peering needed)


Note: Here, Configuring the IP-Pool over the policy and having route via Dynamic peer is very important.

Labels:
22062
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.