kgeorge
Staff
Article Id 354881
Description: This article describes how to troubleshoot when some websites categorized in the Government or Banking categories do not load when Load Balancing is configured in SD-WAN.
Scope: FortiGate, SD-WAN.
Solution

Websites in the Government and Banking categories generally require the source IP address as a security measure. To ensure an existing session is not hijacked, these websites require the source IP address to remain unchanged.

 

When a Load Balancer such as SD-WAN is in the path, a single session may leave through several WAN members and therefore be seen by the website from several source IPs. These websites would then refuse to honor the connection, or even terminate the session.

 

To mitigate this, use the Load Balance strategy with the Load Balance Hash Mode/Algorithm set to either 'source-ip-based' or 'source-dest-ip-based', so that all sessions from a given source IP (or source/destination IP pair) are consistently sent through the same member.
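As an added illustration (not from the article and not FortiOS code), the following Python model shows why the hash mode matters: a site that pins a login session to the first public IP it sees survives source-ip-based hashing but breaks under per-session alternation. Member names, egress IPs, the client/destination addresses and the stand-in hash function are all constructed assumptions.

```python
import hashlib

# Constructed sample values: two SD-WAN members and the public IP each NATs to.
WAN_MEMBER_EGRESS_IP = {"port1": "203.0.113.10", "port2": "198.51.100.10"}
MEMBERS = sorted(WAN_MEMBER_EGRESS_IP)


def _bucket(key: str) -> str:
    """Stand-in hash (sha256 mod member count); not FortiOS's real algorithm."""
    digest = hashlib.sha256(key.encode()).digest()
    return MEMBERS[int.from_bytes(digest[:4], "big") % len(MEMBERS)]


def choose_member(hash_mode: str, src_ip: str, dst_ip: str, session_no: int) -> str:
    """Pick the egress member for one new session, as an SD-WAN rule's hash-mode would."""
    if hash_mode == "source-ip-based":
        return _bucket(src_ip)
    if hash_mode == "source-dest-ip-based":
        return _bucket(f"{src_ip}->{dst_ip}")
    if hash_mode == "round-robin":  # per-session alternation, no source stickiness
        return MEMBERS[session_no % len(MEMBERS)]
    raise ValueError(f"unknown hash-mode: {hash_mode}")


class SourceIpPinnedSite:
    """Models a banking/government site that binds a session to the first public IP seen."""

    def __init__(self) -> None:
        self._bound_ip = {}      # session token -> public IP at login
        self._terminated = set()  # tokens killed after an IP change

    def request(self, token: str, public_ip: str) -> bool:
        if token in self._terminated:
            return False
        bound = self._bound_ip.setdefault(token, public_ip)
        if bound != public_ip:  # source IP changed mid-session: reject and terminate it
            self._terminated.add(token)
            return False
        return True


def accepted_requests(hash_mode: str, requests: int = 6,
                      src_ip: str = "10.0.0.5", dst_ip: str = "192.0.2.80") -> int:
    """Count how many of `requests` TCP sessions from one client the site accepts."""
    site = SourceIpPinnedSite()
    accepted = 0
    for n in range(requests):
        member = choose_member(hash_mode, src_ip, dst_ip, n)
        accepted += site.request("login-token-1", WAN_MEMBER_EGRESS_IP[member])
    return accepted


if __name__ == "__main__":
    for mode in ("round-robin", "source-ip-based", "source-dest-ip-based"):
        print(f"{mode:22s} accepted {accepted_requests(mode)}/6")
```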

 

Refer to this screenshot below for more information on Load Balance Algorithms:

 

LB_Algorithms.png

To confirm whether Load Balancing is the cause, create a Policy Route for one test user so that user's traffic bypasses the SD-WAN rule.

If the website then loads without issues, the load-balancing algorithm caused the problem.

 

PolicyRoute.png

 

Steps to configure SD-WAN Rule using Load Balancing with appropriate Algorithm/Hash-mode:

 

For firmware versions before v7.4.1:

 

  1. Refer to the linked documentation to configure the SD-WAN Rule with the Maximize bandwidth (SLA) strategy: Maximize bandwidth (SLA) strategy.
  2. After configuring the SD-WAN Rule, go to the CLI and make the changes below:

 

config system sdwan
    config service
        edit 1    <----- The SD-WAN Rule ID that was created above.
            set hash-mode source-ip-based    <----- or: set hash-mode source-dest-ip-based
        next
    end
end

 

For firmware version 7.4.1 and later:

  1. Refer to this documentation to configure the SD-WAN Rule for Load Balancing with or without SLA Targets: Load balancing strategy.
  2. After configuring the SD-WAN Rule, go to the CLI and make the changes below:

 

config system sdwan
    config service
        edit 1    <----- The SD-WAN Rule ID that was created with the Load Balance strategy.
            set hash-mode source-ip-based    <----- or: set hash-mode source-dest-ip-based
        next
    end
end

 

After these steps, Government and Banking websites that are sensitive to source IP changes will load without errors, because every session from a given source keeps the same egress member.

 

Note

If the default Implicit SD-WAN rule is used for all Internet traffic, choose 'Source IP' or 'Source-Destination IP' as its load-balancing algorithm, as shown in the image below:

 

Change from GUI