FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article explains that when DHCP relay is configured on an interface, FortiGate can use any interface to forward its traffic.
With DHCP relay configured on an interface, FortiGate will forward the traffic based on routing table even if there is a specific SD-WAN rule configured.
As an example, dhcp-relay is configured on the VLAN interface:
# config system interface edit "vlan-60" set vdom "root" set dhcp-relay-service enable set ip 10.10.60.254 255.255.255.0 set allowaccess ping set device-identification enable set dhcp-relay-interface-select-method auto set dhcp-relay-ip "172.16.10.1" "172.16.10.2 " set interface "port1" set vlanid 60 next
Since the traffic has to be relayed when it reaches FortiGate, it is considered as locally originated traffic. Locally originated traffic would not match any SD-WAN rule.
Solution By default 'set dhcp-relay-interface-select-method auto' is configured that means that traffic would be following the best interface available.
The following options are available to route the traffic for DHCP relay:
1) Auto - Set the outgoing interface automatically (default). 2) SD-WAN - Set the interface by SD-WAN or policy routing rules. 3) Specify - Set the interface manually.
In order to make sure that traffic matches the SD-WAN rule, following changes need to be made to the configuration on the interface where dhcp-relay is configured.
# config system interface edit "vlan-60" set dhcp-relay-interface-select-method sdwan end
