nalexiou
Staff
Description
This article explains how to resolve connectivity issues between the Fabric connector and FortiClient EMS Cloud when SD-WAN is used.
This solution applies to FortiOS v6.4.4-v6.4.8.
Scope
FortiOS v6.4.4-6.4.8
Solution

Self-originating traffic to FortiClient EMS Cloud relies on routing table lookups to determine the egress interface used to initiate the connection.


Policy routes generated by SD-WAN rules do not apply to this traffic.


When SD-WAN is used, a default route is configured pointing to the SD-WAN interface.

The routing table then contains default routes to the SD-WAN members.

If this traffic needs to use a specific interface, an SD-WAN rule cannot be configured to select it.


The solution is to configure static routes pointing to the interface where this traffic needs to be sent.

 

The cloud server is resolved to the following IPs: 3.67.24.12, 3.65.237.68, 3.66.180.106

 

- Configure a firewall address object for each IP:

# config firewall address
# edit "3.67.24.12/32"
# set allow-routing enable
# set subnet 3.67.24.12 255.255.255.255
# next
# edit "3.65.237.68/32"
# set allow-routing enable
# set subnet 3.65.237.68 255.255.255.255
# next
# edit "3.66.180.106/32"
# set allow-routing enable
# set subnet 3.66.180.106 255.255.255.255
# next
# end

 

- Configure an address group that includes all the address objects:

# config firewall addrgrp
# edit "Forticloud-EMS"
# set uuid f8b04a4c-8da3-51ec-f889-c6e3480e4432
# set member "3.65.237.68/32" "3.66.180.106/32" "3.67.24.12/32"
# set allow-routing enable
# next
# end

 

- Configure a static route pointing to the desired interface:

# config router static
# edit 0
# set device <interface>
# set dstaddr "Forticloud-EMS"
# next
# end
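
The routing decision described above, as an added example that is not part of the original article: a simplified Python model of the lookup (longest-prefix match only, ignoring route distance and priority) that shows the egress candidates for the EMS Cloud IPs before and after the static routes. The interface names wan1, wan2 and port3 and both routing tables are constructed for illustration.

```python
import ipaddress

# EMS Cloud addresses listed in the article.
EMS_IPS = ["3.67.24.12", "3.65.237.68", "3.66.180.106"]


def egress_candidates(routes, dst):
    """Return the interfaces of the most specific route(s) matching dst.

    routes: iterable of (prefix, device) pairs, e.g. ("0.0.0.0/0", "wan1").
    More than one interface means several routes share the best prefix length.
    """
    addr = ipaddress.ip_address(dst)
    parsed = [(ipaddress.ip_network(prefix), dev) for prefix, dev in routes]
    matches = [(net, dev) for net, dev in parsed if addr in net]
    if not matches:
        return set()
    best = max(net.prefixlen for net, _ in matches)
    return {dev for net, dev in matches if net.prefixlen == best}


def host_routes(ips, device):
    """Model the static route to the address group: one /32 per member."""
    # IPv4Address() rejects anything that is not a valid IPv4 host address.
    return [(f"{ipaddress.IPv4Address(ip)}/32", device) for ip in ips]


def misrouted(routes, ips, device):
    """List the destinations that would not egress only via `device`."""
    return [ip for ip in ips if egress_candidates(routes, ip) != {device}]


# Constructed tables: the SD-WAN default route expanded to its members,
# then the same table with the /32 static routes added (port3 is assumed).
SDWAN_ONLY = [("0.0.0.0/0", "wan1"), ("0.0.0.0/0", "wan2")]
WITH_STATIC = SDWAN_ONLY + host_routes(EMS_IPS, "port3")

if __name__ == "__main__":
    tables = (("SD-WAN only", SDWAN_ONLY), ("with static routes", WITH_STATIC))
    for name, table in tables:
        for ip in EMS_IPS:
            devs = sorted(egress_candidates(table, ip))
            print(f"{name:20} {ip:15} -> {devs}")
        print(f"{name:20} misrouted: {misrouted(table, EMS_IPS, 'port3')}")
```

With only the SD-WAN default routes, every EMS Cloud IP can leave through either member; once the /32 routes exist they are the most specific match, while all other destinations still follow the SD-WAN default.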

 

Documentation:
https://docs.fortinet.com/document/fortigate/6.4.6/administration-guide/848980/self-originating-traf...
