Article Id 196731


This article explains the 'set interface-select-method' option, introduced in FortiOS 6.2.4 to address a limitation in 6.2.3 and earlier: locally originated (self-originating) traffic such as DNS, FortiGuard, RADIUS and LDAP did not match SD-WAN rules, so it was not steered out of the interface those rules selected.
In FortiOS 6.2.3 and earlier, self-originating traffic followed the routing table rather than the SD-WAN rules, even when a rule was configured for it.

Behaviour in FortiOS 6.2.4 and later.

FortiGuard is used as the example here; the same option exists for the other self-originating services.

# config system fortiguard
    set interface-select-method {auto|sdwan|specify}

The outgoing interface for the service can be chosen in one of the following three ways.

1) Auto: the default. The traffic matches the implicit SD-WAN rule (the catch-all rule at the bottom of the SD-WAN rule list), so the egress interface depends on how that implicit rule is configured.

# config system fortiguard
    set interface-select-method auto

With the above configuration the selection method is auto.
Check the settings of the implicit SD-WAN rule; the traffic is forwarded according to that rule.

For example, if the SD-WAN configuration is as follows:

# config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based           <----- Spillover method.

Traffic is sent to the first SD-WAN member and stays there until that member's bandwidth reaches its configured spillover threshold; only then does new traffic spill over to the next member.

The other two methods are:

2) SD-WAN: the traffic is matched against the explicit SD-WAN rules.

Use this when an SD-WAN rule has been written for the service's traffic and that rule should decide the egress interface.

For example, if FortiGuard traffic should leave through wan1 and an SD-WAN rule exists that selects wan1 for it, the FortiGuard traffic is matched against that rule:
# config system fortiguard
    set interface-select-method sdwan
3) Specify: a specific interface is named explicitly.

This is the most straightforward option when a service must always use one interface. For FortiGuard on wan1, configure:

  # config system fortiguard
    set interface-select-method specify
    set interface wan1

The interface-select-method setting cannot be enabled globally for all locally originated traffic.
It has to be set individually for each service that generates such traffic, for example:


  # config system dns
    set interface-select-method {auto|sdwan|specify}
    set interface {string}
  # config system fortiguard
    set interface-select-method {auto|sdwan|specify}
    set interface {string}
  # config user radius
    edit <name>
        set interface-select-method {auto|sdwan|specify}
        set interface {string}
    next
    end
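Because the setting is per service (and, for tables such as RADIUS and LDAP, per server entry), it is easy to miss one and leave it on the implicit auto behaviour. The following Python script is an added example, not part of this article or of FortiOS: it parses a FortiOS configuration backup, collects the interface-select-method and interface for each local-out service, and flags entries that still rely on auto or that use specify without naming an interface. The configuration text embedded in the script is constructed for the example; the section names it inspects (system dns, system fortiguard, user radius, user ldap) are the ones discussed in this article.

```python
"""Audit a FortiOS configuration dump for local-out interface selection.

Added example for this article; the sample configuration below is constructed
and the section list is an assumption based on the services named in the text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Services whose egress is controlled by 'set interface-select-method'.
LOCAL_OUT_SECTIONS = {"system dns", "system fortiguard", "user radius", "user ldap"}

# Constructed sample of a FortiOS 6.2.4+ configuration backup (not a real device).
SAMPLE_CONFIG = """\
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set interface-select-method specify
    set interface "wan1"
end
config system fortiguard
    set interface-select-method sdwan
end
config user radius
    edit "corp-radius"
        set server "10.0.0.5"
        set interface-select-method specify
        set interface "port3"
    next
    edit "legacy-radius"
        set server "10.0.0.6"
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.7"
        set interface-select-method sdwan
    next
    edit "broken-ldap"
        set server "10.0.0.8"
        set interface-select-method specify
    next
end
"""

_CONFIG_RE = re.compile(r'^config\s+(.+)$')
_EDIT_RE = re.compile(r'^edit\s+"?([^"]*)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


@dataclass
class LocalOutSetting:
    section: str                      # e.g. "system dns" or "user radius"
    name: Optional[str]               # edit name for tables, None for singleton sections
    method: str                       # auto | sdwan | specify ("auto" when not configured)
    interface: Optional[str]          # only meaningful when method == "specify"


@dataclass
class _Frame:
    section: str
    name: Optional[str] = None
    is_table: bool = False            # set once an 'edit' appears inside this section
    sets: dict = field(default_factory=dict)

    def to_setting(self) -> LocalOutSetting:
        # FortiOS omits 'set interface-select-method' from the dump when it is the default.
        return LocalOutSetting(self.section, self.name,
                               self.sets.get("interface-select-method", "auto"),
                               self.sets.get("interface"))


def parse_local_out(config_text: str, sections=LOCAL_OUT_SECTIONS) -> list[LocalOutSetting]:
    """Walk config/edit/next/end nesting and return one setting per local-out object."""
    results: list[LocalOutSetting] = []
    stack: list[_Frame] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _CONFIG_RE.match(line)):
            stack.append(_Frame(section=m.group(1)))
        elif (m := _EDIT_RE.match(line)) and stack:
            stack[-1].is_table = True
            stack.append(_Frame(section=stack[-1].section, name=m.group(1)))
        elif line in ("next", "end") and stack:
            frame = stack.pop()
            # Emit singleton sections on 'end' and table entries on 'next';
            # the enclosing table frame itself carries no settings.
            if frame.section in sections and not frame.is_table:
                results.append(frame.to_setting())
        elif (m := _SET_RE.match(line)) and stack:
            stack[-1].sets[m.group(1)] = m.group(2).strip('"')
    return results


def lookup(settings, section: str, name: Optional[str] = None) -> Optional[LocalOutSetting]:
    """Return the setting for a section (and edit name, for tables), or None."""
    return next((s for s in settings if s.section == section and s.name == name), None)


def audit(settings) -> list[str]:
    """Flag services left on the implicit rule (auto) and 'specify' entries with no interface."""
    findings = []
    for s in settings:
        label = s.section + (f' "{s.name}"' if s.name else "")
        if s.method == "auto":
            findings.append(f"{label}: interface-select-method not set (auto); "
                            "egress follows the implicit SD-WAN rule")
        elif s.method == "specify" and not s.interface:
            findings.append(f"{label}: interface-select-method specify but no 'set interface'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_local_out(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real backup by replacing SAMPLE_CONFIG with the file contents; any RADIUS or LDAP server that was added after the SD-WAN design was done shows up as an auto entry, which is exactly the case the per-service setting is meant to catch.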
From FortiOS 7.0 the same selection can also be made in the GUI for each type of local-out traffic.

First, enable the option in Feature Visibility:
System -> Feature Visibility -> Local Out Routing.

Then go to Network -> Local Out Routing. Depending on the service, the setting is changed in a specific VDOM or in the Global context.
The outgoing interface methods offered there are the three described above (auto, sdwan, specify).

Some services are not visible in the GUI until they are configured.
For example, no LDAP entry appears on the Local Out Routing page until at least one LDAP server has been configured.

If a service has multiple servers, an option to change the behaviour per server appears.