aionescu (Staff)
Article Id 231373
Description This article explains the change in behavior regarding dial-up tunnel interfaces configured as SD-WAN interface members.
Scope FortiGate FortiOS 7.0.8, 7.2.1.
Solution

The following configuration is assumed:

- The SD-WAN zone has as a member a dynamic IPsec tunnel configured with 'set net-device disable'.

- A health-check is configured to monitor the reachability of a server over the tunnel.

- A static route exists over the tunnel, and the health-check has 'set update-static-route enable'.

If the monitored server is no longer reachable over that particular tunnel, the static route is not removed.

This is expected behavior for dynamic tunnels configured with 'set net-device disable'.


The workaround would be to configure the tunnel with 'set net-device enable'.

This is not recommended, and as of FortiOS 7.0.8 and 7.2.1 a check has been introduced: it is no longer possible to add an IPsec tunnel configured with 'set net-device enable' as a member of an SD-WAN zone.
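The configuration described above, written out as an added FortiOS CLI example (not Fortinet's own configuration); the tunnel name "dyn-tun", zone "sdwan-z", interface "port1", health-check name and the 192.0.2.0/24 addresses are placeholders assumed for illustration.

```fortios
# Added example; all names and addresses are placeholders.
config vpn ipsec phase1-interface
    edit "dyn-tun"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        # The setting this article is about: with net-device disabled,
        # a failed health-check does not remove the static route below.
        set net-device disable
        set proposal aes256-sha256
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "dyn-tun"
        set phase1name "dyn-tun"
        set proposal aes256-sha256
    next
end
config system sdwan
    set status enable
    config zone
        edit "sdwan-z"
        next
    end
    config members
        edit 1
            set interface "dyn-tun"
            set zone "sdwan-z"
        next
    end
    config health-check
        edit "hc-server"
            # Monitored server reached over the tunnel (placeholder address).
            set server "192.0.2.10"
            set members 1
            set update-static-route enable
        next
    end
end
config router static
    edit 10
        set dst 192.0.2.0 255.255.255.0
        set device "dyn-tun"
    next
end
```

On FortiOS 7.0.8 and 7.2.1, changing the phase1 to 'set net-device enable' while "dyn-tun" is still an SD-WAN member is rejected by the check described above, so the route-removal behavior with 'set net-device disable' should be treated as expected rather than worked around.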