fwilliams (Staff)
Article Id 284325
Description This article explains the SD-WAN rule matching process.
Scope FortiOS SD-WAN.
Solution

SD-WAN rules steer traffic, but a packet must first match a rule. How a match is confirmed is the process outlined in this article.

The article sometimes simply refers to SD-WAN rules as 'rules'.

Note that SD-WAN rules are 'policy routes', but regular policy routes take precedence over SD-WAN rules.

This means the 'regular policy routes' are processed first, i.e. before any SD-WAN rule is processed.

The same command can be used to check both the 'regular policy route' and SD-WAN rule.

However, the ID of any 'regular policy route' is between 1 and 65535, while the ID of any SD-WAN rule is a ten-digit number like the one shown in the image below.

 

diagnose firewall proute list  <- Lists both regular policy routes and SD-WAN rules.

[Image sdwan1.JPG: output of 'diagnose firewall proute list' showing the policy route and SD-WAN rule IDs]

 

SD-WAN rule matching process analysis:

 

For demonstration, this article analyses a packet, PacketA, sent from the source address '10.10.10.10' to the destination address '200.200.200.200'.

The device is configured with the following SD-WAN rules and routing table (FIB):

[Image sdwan2.JPG: the configured SD-WAN rules]

[Image sdwan3.JPG: the routing table (FIB)]

 

The FortiGate receives PacketA and checks the destination IP address for routing (if DNAT is required on PacketA, it is applied before this stage: DNAT comes before the routing lookup).

 

  1. Assume PacketA's destination does not match any regular policy route.
     FortiOS' order of preference for the routing lookup is as follows:

     PBR -> SD-WAN rule -> FIB

  2. The configured SD-WAN rules are checked from top to bottom, one after the other, until a match is found. If no match is found, FortiOS uses the FIB (the implicit SD-WAN rule).
  3. If PacketA matches the 'source & destination' specified in one of the configured SD-WAN rules (in this case 10.10.10.10 & 200.200.200.200), the validation process follows to confirm the match.

 

The validation process is why traffic that is expected to match a rule sometimes does not, even though its source and destination are exactly what is configured in the SD-WAN rule: additional conditions must also be met.

Even if PacketA matches the 'source & destination' specified in the SD-WAN rule, a failed validation check makes the rule treat PacketA as 'no match', and FortiOS proceeds to the next rule. If that rule was the last one, FortiOS forwards using the implicit rule, which is the same as the FIB.

 

The following are the criteria in the validation process:

  1. Consider whether the best route to the destination 200.200.200.200 is through an SD-WAN member.
     If the answer is no, the rule is skipped.
     Here, the best route to '200.200.200.200' is via port9, and port9 is not an SD-WAN member, so no SD-WAN rule with the destination '200.200.200.200' will match (check the SD-WAN rule screenshot: no match).

     In this case, a default route is available and capable of routing 200.200.200.200, but it is not the best route; 200.200.200.200/30 via 10.x.x.x on port9 is the best route.

     To instruct FortiOS to skip this best-route check (this is not recommended), use the following command:

     config system sdwan
         config service    <- SD-WAN rule.
             edit <xx>
                 set default enable    <- 'disable' is the default value.
             next
         end
     end

 

  2. If the SD-WAN member ports configured in the rule do not have a valid route to '200.200.200.200', the rule is considered a 'no match' and skipped. This is because SD-WAN rules are policy routes, and policy routes require FIB validation of the gateway and outgoing interface.

     Note that in this case, the first validation check has already judged PacketA as no match.

     To change this second validation check (valid route in the FIB), use the following command:

     config system sdwan
         config service
             edit <xx>
                 set gateway enable    <- 'disable' is the default value.
             next
         end
     end
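To make the lookup order (PBR -> SD-WAN rule -> FIB) and the two validation checks above concrete, here is an added Python simulation of the matching logic. It is not code from this article or from FortiOS. The SD-WAN members, FIB and rule are constructed to mirror the PacketA scenario; the `default` and `gateway` flags stand in for the 'set default enable' and 'set gateway enable' settings, and the function names (`best_route`, `match_rule`, `lookup`) are the example's own.

```python
# Added example (not from the Fortinet article): simulate the routing lookup
# order the article describes, with both validation checks an SD-WAN rule
# must pass. All member, FIB and rule data is constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str        # destination prefix, e.g. "200.200.200.200/30"
    interface: str     # outgoing interface recorded in the FIB


@dataclass
class PolicyRoute:
    rule_id: int       # regular policy routes use IDs 1-65535
    src: str
    dst: str


@dataclass
class SdwanRule:
    rule_id: int
    src: str
    dst: str
    members: List[str]       # SD-WAN member interfaces configured in the rule
    default: bool = False    # 'set default enable': skip the best-route check
    gateway: bool = False    # 'set gateway enable': skip the member-route check


def _in(ip: str, prefix: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def best_route(fib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the FIB: what the article calls the best route."""
    candidates = [r for r in fib if _in(dst, r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: ipaddress.ip_network(r.prefix, strict=False).prefixlen)


def match_rule(rule: SdwanRule, src: str, dst: str,
               fib: List[Route], members: set) -> Tuple[bool, str]:
    """Apply one SD-WAN rule to a packet: source/destination match, then validation."""
    if not (_in(src, rule.src) and _in(dst, rule.dst)):
        return False, "source/destination not matched"
    # Validation 1: the best route to dst must go through an SD-WAN member,
    # unless the rule has 'set default enable'.
    if not rule.default:
        best = best_route(fib, dst)
        if best is None or best.interface not in members:
            return False, "best route is not via an SD-WAN member"
    # Validation 2: at least one member named in the rule must have a valid
    # FIB route to dst (any route, the default route included), unless the
    # rule has 'set gateway enable'.
    if not rule.gateway:
        if not any(_in(dst, r.prefix) and r.interface in rule.members for r in fib):
            return False, "no FIB route to destination via the rule's members"
    return True, "matched"


def lookup(src: str, dst: str, pbr: List[PolicyRoute], rules: List[SdwanRule],
           fib: List[Route], members: set) -> Tuple[str, object]:
    """PBR -> SD-WAN rule -> FIB; returns which stage forwards the packet."""
    for p in pbr:                     # regular policy routes are checked first
        if _in(src, p.src) and _in(dst, p.dst):
            return ("pbr", p.rule_id)
    for rule in rules:                # SD-WAN rules, top to bottom
        matched, _ = match_rule(rule, src, dst, fib, members)
        if matched:
            return ("sdwan", rule.rule_id)
    best = best_route(fib, dst)       # implicit rule: plain FIB lookup
    return ("fib", best.interface if best else None)


# Constructed topology: port1 and port2 are SD-WAN members, port9 is not.
SDWAN_MEMBERS = {"port1", "port2"}
FIB = [
    Route("0.0.0.0/0", "port1"),               # default route via an SD-WAN member
    Route("200.200.200.200/30", "port9"),      # more specific route via a non-member
]
RULES = [
    SdwanRule(1, "10.10.10.0/24", "200.200.200.200/32", ["port1", "port2"]),
]

if __name__ == "__main__":
    print(match_rule(RULES[0], "10.10.10.10", "200.200.200.200", FIB, SDWAN_MEMBERS))
    print(lookup("10.10.10.10", "200.200.200.200", [], RULES, FIB, SDWAN_MEMBERS))
```

Run as written, the rule fails the first check because the best route to 200.200.200.200 is via port9, which is not a member, so PacketA falls through to the FIB and leaves on port9. Setting `default=True` on the rule skips that check, and the second check then passes because port1 holds the default route; a rule whose only member has no route at all still fails the second check unless `gateway=True`.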

 

See the following flowchart for an overview:

 

[Image sdwan9.JPG: flowchart of the SD-WAN rule matching process]

 
