In the Fortinet SD-WAN implementation, the same type of traffic could be matched by different SD-WAN rules at different times, without configuration changes in the middle.

2 possible reasons for this behavior:

• Members down.
• Members UP with Performance SLAs checks down.

Some types of traffic must be checked only against a specific set of rules, this article is explains how to achieve this goal.

For example, consider assume a Fortinet SD-WAN deployed with:

• Spokes with DIA (Directly Internet Access). 
• VPN IPSec tunnels between Spokes and Hubs with BGP over them, used for Private (Corporate) traffic.
• HTTP/HTTPS Internet Web traffic sent to an inspection/proxy infrastructure.
• The rest of internet traffic sent with default routes to the ISPs routers.

With a set of SD-WAN rules like this:

config system sdwan

  config service

    edit 1

        set name "Traffic_to_Hubs"

        set mode sla

        set dst "RFC1918"

        config sla

            edit "To_Hub_1"

                set id 1

            next

        end

        set priority-zone "Overlay"

    next

    edit 4

        set name "Web_traffic_to_SSE_POPs"

        set mode sla

        set src "all"

        set internet-service enable

        set internet-service-app-ctrl 15893 40568

        config sla

            edit "TO_SSE_POP_1"

                set id 1

            next

            edit "TO_SSE_POP_2"

                set id 1

            next

        end

        set priority-zone "GRE_Zone"

    next

    edit 3

        set name "Traffic_to_Internet_DIA"

        set mode sla

        set dst "all"

        set priority-zone "Underlay"

    next

end

If the Performance SLA checks failure over all SD-WAN members of the SD-WAN zone called 'Overlay' (VPN IPsec tunnels) due to Underlays degradation or Hubs unavailability, Private Web traffic could be matched by rule ID 4 and sent to the SSE (Security Service Edge) provider infrastructure.

To avoid this, it is necessary for private traffic to:

• Interrupt the SD-WAN rule matching process. See 

  Technical Tip: Explaining the SD-WAN rule matching process

  .
• Eventually also prevent it from being matched by a default route.

To obtain it, add 2 configurations:

• Add  'stop SD-WAN matching process' like this:

config system sdwan

  config service

    edit 2

        set name "No_Corp_traffic_to_Internet"

        set dst "RFC1918"

        set dst-negate enable

        set priority-zone "Overlay"

    next

end

• Move it via the GUI (dragging it) or via the CLI (see Technical Tip: How to Change the Order of SD-WAN Service Rules Using CLI) until it is above number 4.
• Additionally, add black hole routes (see

  Technical Tip: Use of Black hole route in site to site IPsec VPN scenarios

  ) or 'backup' static routes pointing to the VPN interfaces, both with distance 255 for the 3 RFC1918 subnets: 10.0.0.0/8, 172.16.0.0./12 and 192.168.16.0/24, depending on which behavior FortiGate should have in the described scenario. In either case, this will avoid the default route matching for private traffic.

Important notes:

Black hole or 'backup' static routes are not visible in the routing table until BGP is UP. It is necessary to view the routing database with the following command to see them:

get router info routing-table database

After any SD-WAN configuration changes like the one described above, it is still possible to observe traffic matched by the wrong SD-WAN rules, for different reasons such as:

• Existing sessions never expire: to resolve this scenario, perform a session clean. See 

  Technical Tip: Using filters to clear sessions on a FortiGate in the CLI.

• Configure a Preserve Route or Source NAT. See Technical Tip: Interface Stickiness for SD-WAN.