Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fwilliams
Staff & Editor
Staff & Editor

Created on ‎11-14-2023 04:12 PM Edited on ‎06-02-2025 01:41 PM By Moderator

Article Id 284325

Technical Tip: Explaining the SD-WAN rule matching process

Description This article explains the SD-WAN rule matching process.
Scope FortiGate, SD-WAN.
Solution

SD-WAN rules steer traffic, but traffic must match the rule first. Matching traffic is confirmed through the process outlined in this article.

 

The article sometimes simply refers to SD-WAN rules as 'rules'. Note that SDWAN rules are 'policy routes', but regular policy routes have precedence over SD-WAN rules. This means the 'regular policy routes' are processed first, i.e., before any SD-WAN rule is processed.

 

The same command can be used to check both the 'regular policy route' and the SD-WAN rule. However, the ID of any 'regular policy route' is between 1-65535, while the ID of any SD-WAN rule is a ten-digit number like the one shown in the image below.

 

diagnose firewall proute list  <- Checks both regular and SD-WAN rules.

 sdwan1.JPG

 

SD-WAN rule matching process analysis:

For demonstration, this article will use a PacketA sent from the source address '10.10.10.10' to the destination address '192.168.1.10' for analysis.

The device is configured with the following SD-WAN rules and routing table (FIB):

 

The FortiGate received PacketA and checked the destination IP address for routing (if DNAT was required on PacketA, it would have been done before this stage. DNAT comes before routing lookup).

 

  1. Assume PacketA’s destination does not match the regular policy route.
    FortiOS' order of preference regarding routing lookup is as follows: PBR -> SD-WAN rule -> FIB.
  2. Configured SD-WAN rule(s) are checked from top to bottom (one after the other) until a match is found. If no match is found, FortiOS will use FIB (the implicit SD-WAN rule).
  3. If PacketA fulfils the 'source & destination' specified in one of the configured SD-WAN rules (in this case 10.10.10.10 & 192.168.1.10), the validation process follows to confirm the match.

 

The validation process is what means routes (which are expected to match a rule) do not match rules, despite how the source and destination are the same as configured in the SD-WAN rule. This is because of the additional condition(s) that have to be fulfilled or met.

 

Even if PacketA fulfilled the 'source & destination' specified in the SD-WAN rule, if the validation check failed, PacketA will be considered as 'no match' by the rule, and FortiOS will proceed to the next rule. If that rule is the last, it will use an implicit rule for the forwarding, which is the same as FIB.

 

The following are the criteria in the validation process:

  1. In this case, consider whether the best route to destination 192.168.1.10 is through an SD-WAN member.

If the answer is no, then the rule will be skipped.
Here, the best route to '192.168.1.10' is via port9, and port9 is not an SD-WAN member, so all SD-WAN rules with the destination '192.168.1.10' will not match (check the sdwan rule screenshot: no match).

In this case, the default route is available and capable of routing 192.168.1.10, but it is not the best route. 192.168.1.10/30 via 10.x.x.x, port9 is the best route.

To instruct FortiOS to skip this best route checking/validation (this is not recommended), use the following command:

 

config system sdwan

    config service  <----- SD-WAN rule.

        edit <xx>

            set default enable <----- Disable is the default setting.

end

 

  1. In this case, if ports that are SD-WAN members (and configured in the rule) did not have a valid route to '192.168.1.10', the rule will be considered as a 'no match' and skipped. The reason for this is that SD-WAN rules are policy routes, and policy routes require FIB validation for the gateway and the outgoing interface.

In this case, the first validation process has judged PacketA as no match. To change this second validation process or rule (valid route in FIB), use the following command:

 

config system sdwan

    config service

        edit xx

            set gateway enable <----- Disable is the default setting.

        end

 

See the following flowchart for an overview:

 

sdwan9.JPG

 

This flowchart shows the SD-WAN rule lookup process. SD-WAN rules are essentially policy routes. Like regular policy routes, SD-WAN rules are checked from top to bottom (first match). For each rule, FortiGate maintains an outgoing interface (oif) list.

 

The oif list sorts the configured members by preference based on the strategy in use.
The members who are placed first in the list have a higher preference for steering traffic. FortiGate starts the lookup process by comparing the packet against the rule matching criteria. If the packet does not match the criteria, FortiGate moves on to the next rule, and so on, until it finds a match. When there is a match, FortiGate proceeds as follows:

 

  1. If both default and gateway settings are disabled (default values*), FortiGate performs a FIM lookup
    for the packet destination IP (dstip). If the resolved interface for the FIB best-match is not an SD-WAN member.
    Then FortiGate moves on to the next rule. This behavior follows the key routing principle:
    By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

  2. If the resolved interface is an SD-WAN member, then FortiGate looks for one or more acceptable members in the oif list, starting from the first member in the list. An acceptable member is an alive member that has a route to the destination. This behavior follows the key routing principle: by default, SD-WAN rules are skipped if none of the configured members in the rule have a valid route to the destination.

 

If FortiGate finds an acceptable member, it forwards the packet to that member, then the firewall policy check occurs, 
and the rule lookup process ends. Otherwise, FortiGate moves on to the next rule.
If all rules are skipped, then FortiGate routes the packet using standard routing, hence the key routing principle:
The implicit SD-WAN rule equals standard FIB lookup

 

Note that when both default and gateway settings are enabled, FortiGate does not perform steps 1 and 2.
Instead, it selects the best member or members, depending on the rule mode in use in the OIF list.

 

If 'default' is enabled, the best route check for SD-WAN rules is skipped. If 'gateway' is enabled, the FIB lookup for SD-WAN rules is skipped.

 

Whenever possible, the default behavior should be preferred, with a configuration of a route to the destination (default or more specific).

 

Note

FIB stands for Forwarding Information Base. It can be listed by the following CLI commands:

 

get router info kernel
diagnose ip route list

 

PBR stands for Policy-Based Routing. It can be listed by below CLI:

 

diagnose firewall proute list

 

DNAT refers to Virtual IP. It can be configured by the following CLI:

 

config firewall vip 

 

Related article:

Technical Tip: Configuring SD-WAN
21922
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.