Serxhio
Staff
Article Id 359879
Description: This article describes the cases in which traffic steered via SD-WAN should match a blackhole route, and why it sometimes does not.
Scope: FortiGate, SD-WAN.
Solution

Consider the scenario:

SD-WAN service rules are created for the overlay and underlay (with the overlay rule in higher order).

(image: 1.png)

(image: 2.png)

Interesting traffic flows from the local subnet to the remote subnet (10.248.17.0/24).

(image: 3.png)

 

The following SD-WAN rule lookup process occurs:

  1. With the 'default' and 'gateway' settings disabled, SD-WAN rules are skipped if the best route to the destination is not via an SD-WAN member.
  2. SD-WAN rules are skipped if none of the members configured in the rule both has a valid route to the destination and is marked as up in the SLA health check.

When the overlay is down, the FIB best match for the remote subnet is the blackhole route, and therefore traffic should be dropped.

 

In some cases the traffic does not match the blackhole route. Be careful with the following settings:

  1. If the health check for the overlays goes down first (before the tunnels themselves) and update-static-route is set to disable, the following occurs:
    The overlay's static routes are not removed from the FIB. The best FIB match is still via an overlay (one or more SD-WAN members), so the FortiGate enters the SD-WAN rule lookup process.
    Service rule 1 is skipped, as its members are marked as down, and the lookup continues with the next rule. Traffic matches SD-WAN rule 2, as the underlay members are marked as up and have a valid route to the destination.

  2. If the 'default' setting is enabled under SD-WAN for service rule 2 (underlay), the rule is not skipped even though the underlay members are not the best match for the traffic. As they also have a valid route to the destination, traffic to the remote subnet is routed via the underlay.

 

To force the traffic to match the blackhole route, create an address group that excludes the subnets of interest. The 'remote' address object stands for the remote subnet 10.248.17.0/24 and must exist before it can be referenced as an exclude-member:

config firewall address
    edit "remote"
        set subnet 10.248.17.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "ALL"
        set member "all"
        set exclude enable
        set exclude-member "remote"
    next
end

 

  • Use this address group as the destination in the SD-WAN underlay rule.
  • Traffic destined for the 'remote' subnet then matches the implicit SD-WAN rule and is forwarded per the FIB.
  • The desired result, a match on the blackhole route, is achieved.

Alternatively, create a 'stop policy route' for the remote subnet or IP address to force the traffic to match the static and blackhole routes.
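The following is an added illustration, not FortiOS code and not part of the original article: a small Python model of the rule lookup process described above (the two skip checks, the 'default' setting, the negated address group and the stop policy route). The FIB entries, member names ("overlay", "underlay"), administrative distances and the destination host 10.248.17.10 are constructed to mirror the article's scenario; only the remote subnet 10.248.17.0/24 comes from the page. It reproduces both leak cases and shows that either fix returns the traffic to the blackhole route.

```python
# Constructed model of the SD-WAN rule lookup described in the article.
# Illustration only: the FIB, members, rules and addresses are made up.
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
REMOTE = Net("10.248.17.0/24")      # remote subnet from the article
ANY = Net("0.0.0.0/0")


@dataclass
class Route:
    prefix: Net
    interface: str                  # "blackhole" marks a blackhole route
    distance: int


@dataclass
class Rule:
    name: str
    dst: Net
    dst_negate: bool                # True models the addrgrp with 'set exclude enable'
    members: list
    default: bool = False           # the rule's 'default' setting


def fib_best(fib, dst):
    """Longest prefix match, ties broken by lowest administrative distance."""
    cands = [r for r in fib if dst in r.prefix]
    return max(cands, key=lambda r: (r.prefix.prefixlen, -r.distance), default=None)


def steer(fib, member_up, rules, dst, stop_policy_route=None):
    """Return (rule_name, egress) following the two skip checks in the article.
    member_up maps SD-WAN member name -> SLA health-check status (True = up).
    stop_policy_route is an optional network whose traffic bypasses SD-WAN rules."""
    dst = ipaddress.IPv4Address(dst)
    best = fib_best(fib, dst)
    egress_fib = best.interface if best else "no-route"
    if stop_policy_route is not None and dst in stop_policy_route:
        return ("stop-policy-route", egress_fib)   # policy routing stops; FIB decides
    best_is_member = best is not None and best.interface in member_up
    for rule in rules:
        hit = dst in rule.dst
        if hit == rule.dst_negate:      # destination does not match this rule
            continue
        if not rule.default and not best_is_member:
            continue                    # check 1: best route is not via an SD-WAN member
        usable = [m for m in rule.members
                  if member_up[m] and any(dst in r.prefix and r.interface == m for r in fib)]
        if not usable:
            continue                    # check 2: no member both up and holding a route
        return (rule.name, usable[0])
    return ("implicit", egress_fib)     # implicit rule: forward per FIB


# Static pieces of the constructed scenario
BLACKHOLE = Route(REMOTE, "blackhole", 254)
OVERLAY_ROUTE = Route(REMOTE, "overlay", 10)   # static route over the tunnel
UNDERLAY_DEFAULT = Route(ANY, "underlay", 10)
DST = "10.248.17.10"                           # constructed host in the remote subnet


def rules(underlay_default=False, negate_remote=False):
    r1 = Rule("overlay-rule", REMOTE, False, ["overlay"])
    r2 = Rule("underlay-rule", REMOTE if negate_remote else ANY, negate_remote,
              ["underlay"], default=underlay_default)
    return [r1, r2]


def case_healthy():
    fib = [OVERLAY_ROUTE, BLACKHOLE, UNDERLAY_DEFAULT]
    return steer(fib, {"overlay": True, "underlay": True}, rules(), DST)


def case_tunnel_down():
    # tunnel down and static route withdrawn: blackhole is the FIB best match
    fib = [BLACKHOLE, UNDERLAY_DEFAULT]
    return steer(fib, {"overlay": False, "underlay": True}, rules(), DST)


def case_health_down_route_kept():
    # case 1: health check down first, update-static-route disabled
    fib = [OVERLAY_ROUTE, BLACKHOLE, UNDERLAY_DEFAULT]
    return steer(fib, {"overlay": False, "underlay": True}, rules(), DST)


def case_default_enabled():
    # case 2: tunnel down, 'default' enabled on the underlay rule
    fib = [BLACKHOLE, UNDERLAY_DEFAULT]
    return steer(fib, {"overlay": False, "underlay": True}, rules(underlay_default=True), DST)


def fix_negated_group():
    # fix 1: underlay rule uses the address group that excludes the remote subnet
    fib = [BLACKHOLE, UNDERLAY_DEFAULT]
    return steer(fib, {"overlay": False, "underlay": True},
                 rules(underlay_default=True, negate_remote=True), DST)


def fix_stop_policy_route():
    # fix 2: stop policy route for the remote subnet
    fib = [BLACKHOLE, UNDERLAY_DEFAULT]
    return steer(fib, {"overlay": False, "underlay": True},
                 rules(underlay_default=True), DST, stop_policy_route=REMOTE)
```

Each `case_*` function returns the rule that matched and the egress it chose; the two leak cases both end on the underlay, while both fixes end on the blackhole entry because the traffic never matches a service rule and falls through to the FIB.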

(image: policy route.png)