Description
This article explains why some websites and their services must be reached from the same WAN/public IP for the whole session, and how to enforce that with SD-WAN.
Some websites use authentication methods such as SAML that are sensitive to a change of public IP during the authentication or revalidation process. Popular services such as Google commonly serve different web pages and authentication steps from multiple servers with different IP addresses, so a single login may involve connections to several destination IPs.
Using SD-WAN with the 'Load Balancing Algorithm' set to Source IP avoids the problem, because all sessions from the same source IP are pinned to the same member. Other load balancing algorithms may spread those sessions across members with different public IPs and break authentication.
Scope
FortiGate, SD-WAN.
Solution
When the 'Source-Destination' load balancing algorithm is used, the member is chosen per source/destination IP pair. Because the IP address of the second website (for example the authentication server) is usually different from that of the first, its sessions may be routed to a different WAN interface with a different public IP (e.g., 'wan2'). The service then sees the authentication token presented from a public IP other than the one it was issued to, and the authentication is invalidated.
[Figure: SD-WAN load balancing algorithm set to Source-Destination]
If the 'Source IP' load balancing algorithm is not desired, an SD-WAN rule can be used instead to ensure that the service traffic always uses one specific link. The rule can match the destination by the service's IP addresses or FQDN (A record) address objects, or by one of the predefined Internet Services, and steer the matching sessions to a single preferred member.
[Figure: SD-WAN load balancing algorithm set to Source IP]
Here is an example rule that can be implemented to address this issue:
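The following CLI configuration is an added example, not the rule from the original article. It assumes FortiOS 7.x syntax, two SD-WAN members 'wan1' (seq 1) and 'wan2' (seq 2), and a hypothetical FQDN address object for the service's login host ("accounts.example.com"); replace that FQDN with the real hosts of the service, or use additional address objects for its other A records.

```fortios
# Added example (not from the original article). Assumes FortiOS 7.x CLI,
# members wan1 (seq 1) and wan2 (seq 2), and a hypothetical FQDN object.
config firewall address
    edit "Service-Login-FQDN"
        set type fqdn
        # Hypothetical host; replace with the service's real login/auth hosts.
        set fqdn "accounts.example.com"
    next
end

config system sdwan
    set status enable
    # The global algorithm can stay as it is (source-dest-ip-based shown);
    # the rule below overrides it only for the matched traffic.
    set load-balance-mode source-dest-ip-based
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
    end
    config service
        edit 1
            set name "Pin-service-to-wan1"
            set mode manual
            set src "all"
            set dst "Service-Login-FQDN"
            # Only member 1 (wan1) is listed, so every session to the service
            # leaves through the same public IP and is never sent to wan2.
            set priority-members 1
        next
    end
end
```

Instead of address objects, the same rule can match a predefined Internet Service by replacing the 'set dst' line with 'set internet-service enable' and 'set internet-service-name' pointing at the entry for the service. SD-WAN rules are evaluated top-down, so place this rule above any broader rule that would otherwise catch the traffic, and confirm the match with 'diagnose sys sdwan service', which lists each rule with its selected members. Note the trade-off: with a single priority member, traffic to the service is not rerouted if 'wan1' goes down; adding 'wan2' as a second priority member ('set priority-members 1 2') restores failover, but an IP change, and therefore a possible re-authentication, will then occur only at the moment of failover.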
Related documents: