|
The Self-originating traffic to Forticlient EMS Cloud relies on routing table lookups to determine the egress interface that is used to initiate the connection.
Policy routes generated by SD-WAN rules do not apply to this traffic.
When using SDWAN there will be a default route configured pointing to the SDWAN interface.
Then on the routing table, there will be default routes to the members of the SDWAN
In case there is a specific interface for this traffic an SDWAN rule cannot be configured.
The solution is to configure static routes pointing to the interface where this traffic needs to be sent.
The cloud server is resolved to the following IPs: 3.67.24.12, 3.65.237.68, 3.66.180.106
-configure firewall address objects for each IP
# config firewall address
# edit "3.67.24.12/32"
# set allow-routing enable
# set subnet 3.67.24.12 255.255.255.255
# next
# edit "3.65.237.68/32"
# set allow-routing enable
# set subnet 3.65.237.68 255.255.255.255
# next
# edit "3.66.180.106/32"
# set allow-routing enable
# set subnet 3.66.180.106 255.255.255.255
# next
# end
-configure an address group that includes all the addresses objects
# config firewall addrgrp
# edit "Forticloud-EMS"
# set uuid f8b04a4c-8da3-51ec-f889-c6e3480e4432
# set member "3.65.237.68/32" "3.66.180.106/32" "3.67.24.12/32"
# set allow-routing enable
# next
# end
- configure a static route pointing to the desired interface
# config router static
# edit 0
# set device <interface>
# set dstaddr "Forticloud-EMS"
# next
#end
Documentation:
https://docs.fortinet.com/document/fortigate/6.4.6/administration-guide/848980/self-originating-traf...
|
