gmanea
Staff

Description

This article explains the functionality of 'set interface-select-method', which was introduced to fix an issue with locally originating traffic (DNS, FortiGuard, RADIUS, LDAP) on FortiGate: on version 6.2.3 and earlier, this traffic did not match SD-WAN rules.

With FortiOS 6.2.3 and earlier, self-originating traffic did not use the SD-WAN rules to push the traffic out of the interface defined in those rules.
 
Related document.


Scope
For version 6.2.4 and later.

Solution
Taking FortiGuard as an example here.

# config system fortiguard
    set interface-select-method {auto|sdwan|specify}

The outgoing interface can be selected according to one of the following three options.

1) Auto: the default. When used, the traffic matches the implicit rule in the SD-WAN rules.

# config system fortiguard
    set interface-select-method auto
end

With the above configuration, the selection method is auto.
Check the settings of the implicit SD-WAN rule: the traffic is forwarded according to that rule.

If the configuration is as follows:

# config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based           <----- Spillover method.
end

The traffic is forwarded to the first SD-WAN member and continues to use that member until its bandwidth reaches the configured limit.

Other methods are also listed here: 

https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/216765/implicit-rule

2) SD-WAN: used to match specific SD-WAN rules.

Use this option to match the traffic against the SD-WAN rules defined for that traffic.

If FortiGuard traffic goes via the WAN1 interface and an SD-WAN rule is present for it, the traffic is matched against that rule:
# config system fortiguard
    set interface-select-method sdwan
end
3) Specify: a specific interface must be specified.

This is straightforward: to use a specific interface for specific traffic, define the following.

# config system fortiguard
    set interface-select-method specify
    set interface wan1
end

Note.
This command cannot be enabled globally on the FortiGate for all locally originating traffic.
Specify it individually for each type of locally originating traffic.

Example.

DNS.
# config system dns
    set interface-select-method [auto|sdwan|...]
    set interface {string}
end

FortiGuard.
# config system fortiguard
    set interface-select-method [auto|sdwan|...]
    set interface {string}
end

RADIUS.
# config user radius
    set interface-select-method [auto|sdwan|...]
    set interface {string}
end

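As an added example (not from this article or from Fortinet), the following Python audit parses a FortiOS configuration backup and reports, for each of the local-out services above, which interface-select-method is in effect and which interface is set. The sample backup text is constructed; the parser treats an absent setting as the default auto, since a backup normally omits values left at their default.

```python
# Local-out services named in the article; an absent interface-select-method
# is reported as the default 'auto' (backups omit values left at default).
LOCAL_OUT_SECTIONS = ("system dns", "system fortiguard", "user radius", "user ldap")

def audit_local_out(config_text):
    results, section, entry, settings, depth, had_entries = [], None, None, {}, 0, False

    def flush():  # one record per service, or per 'edit' entry inside it
        if section in LOCAL_OUT_SECTIONS:
            results.append({"service": section, "entry": entry or "-",
                            "method": settings.get("interface-select-method", "auto"),
                            "interface": settings.get("interface", "-")})

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):            # enter a (possibly nested) block
            depth += 1
            if depth == 1:
                section, entry, settings, had_entries = line[7:], None, {}, False
        elif line == "end":
            if depth == 1 and not had_entries:    # single-instance table, e.g. system dns
                flush()
            depth -= 1
        elif depth != 1:
            continue                              # ignore settings of nested sub-tables
        elif line.startswith("edit "):
            entry, settings, had_entries = line[5:].strip('"'), {}, True
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip('"')
        elif line == "next":
            flush()
    return results

def find_issues(records):
    """Services still on the default 'auto', or 'specify' entries with no interface set."""
    return [f'{r["service"]} [{r["entry"]}]: method={r["method"]} interface={r["interface"]}'
            for r in records
            if r["method"] == "auto" or (r["method"] == "specify" and r["interface"] == "-")]

# Constructed sample backup (not from a real device): DNS left at the default, one RADIUS
# entry carrying a nested sub-table, one LDAP entry set to specify without an interface.
SAMPLE_CONFIG = "\n".join([
    "config system dns", "    set primary 192.0.2.53", "end",
    "config system fortiguard", "    set interface-select-method sdwan", "end",
    "config user radius", '    edit "rad-hq"', '        set server "10.0.0.5"',
    "        set interface-select-method specify", '        set interface "wan1"',
    "        config accounting-server", "            edit 1", "            next", "        end",
    "    next", '    edit "rad-branch"', '        set server "10.0.1.5"', "    next", "end",
    "config user ldap", '    edit "ldap-hq"', "        set interface-select-method specify",
    "    next", "end"])
```

Running `find_issues(audit_local_out(SAMPLE_CONFIG))` lists the DNS service and the rad-branch RADIUS entry as still following the implicit SD-WAN rule, and the LDAP entry as specify with no interface.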
From version 7.0, it is possible to select in the GUI how specific local traffic is routed out.

First, enable this option in Feature Visibility:
System -> Feature Visibility -> Local Out Routing.

Then, depending on the service, the setting can be changed in a specific VDOM or in Global:
Network -> Local Out Routing.

The outgoing interface method is the one described at the beginning of this article.

Some services might not be visible in the GUI.
For example, if no LDAP server is configured, no LDAP service is visible in the tab; it appears only once an LDAP server is configured.

If there are multiple servers, an option to change the behavior per server appears.

Related articles.
https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/216765/implicit-rule
https://docs.fortinet.com/document/fortigate/6.2.4/cli-reference/110620/system-fortiguard