anoushiravan
Staff
Article Id 240816
Description

This article describes how to avoid dropping user traffic that matches an SD-WAN rule.

 

By default, traffic matching an SD-WAN rule is blocked if the routing table has no route to the destination via the selected SD-WAN member.

To overcome this, two default settings in the SD-WAN rule need to be changed so that FortiGate does not consult the routing table when forwarding user traffic that matches the SD-WAN rule.

Scope
FortiGate.
Solution
  • Configure interfaces that are going to be used as SD-WAN members:

 

FGT # show sys interface wan1
config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.109.16.34 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set role wan
        set snmp-index 3
    next
end

 

FGT # show sys interface wan2
config system interface
    edit "wan2"
        set vdom "root"
        set mode pppoe
        set distance 11
        set allowaccess ping https ssh fgfm
        set type physical
        set role wan
        set snmp-index 4
        set username "pppoeinterface"
        set password ENC kF5jHCWMV355yP0Nj9v2djDXhAD7YlAsDs9LxRICPTy6Z0FIyqgBJptc0vSPNpvmPYWBUq3U76bZlC+70VGZ1rn02V+njqGDqU7o/viMsYC9N8rq5UUi5Ea7awWIbk1XO1tPNtlqEkdxKNDMOg92n0px3iZ9JVAtcdI5W53WEvoouh2zc4yfmjFlqvjm9sEIm25kTA==
    next
end

 

  • Configure the SD-WAN members and the SD-WAN rule:

 

In the SD-WAN rule, specify the SD-WAN member that should be used to forward the user traffic.
Then set 'set gateway enable' and 'set default enable' in the SD-WAN rule so that FortiGate does not check the routing table when traffic matches the SD-WAN rule:

 

FGT # show system sdwan
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan2"
        next
        edit 2
            set interface "wan1"
            set gateway 10.109.31.254
        next
    end
    config service
        edit 1
            set name "sdwan.rule"
            set dst "all"
            set src "all"
            set priority-members 2
            set gateway enable <-----
            set default enable <-----
        next
    end
end

 

  • Configure the firewall policy:

 

FGT # show firewall policy
config firewall policy
    edit 1
        set name "INTERNET"
        set srcintf "internal1"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end


Result:

 

As per the SD-WAN rule, all user traffic is supposed to be forwarded via SD-WAN member 'wan1':

 

FGT # di sys sdwan service

Service(1): Address Mode(IPV4) flags=0x260
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(1):
1: Seq_num(2 wan1), alive, selected <-----
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255


  • There is no route to destination IP 4.2.2.2 via SD-WAN member 'wan1':

 

FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [11/0] via 10.109.251.254, ppp1 <----- the only default route is via SD-WAN member wan2 (ppp1)
C 10.108.0.0/20 is directly connected, internal1
C 10.109.16.0/20 is directly connected, wan1
C 10.109.251.57/32 is directly connected, ppp1
C 10.109.251.254/32 is directly connected, ppp1
S 172.0.0.0/8 [1/0] via 10.109.31.254, wan1


Now the user traffic matches SD-WAN rule ID 1 (sdwan_service_id=1) and is forwarded via SD-WAN member 'wan1', which has interface index 7:

 

FGT # di sys session list

session info: proto=1 proto_state=00 duration=7 expire=55 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2
tx speed(Bps/kbps): 33/0 rx speed(Bps/kbps): 33/0
orgin->sink: org pre->post, reply pre->post dev=11->7/7->11 gwy=10.109.31.254/10.108.3.113 <----- wan1 gateway IP
hook=post dir=org act=snat 10.108.3.113:1->4.2.2.2:8(10.109.16.34:60417)
hook=pre dir=reply act=dnat 4.2.2.2:60417->10.109.16.34:0(10.108.3.113:1)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0001b174 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=2 sdwan_service_id=1 <-----
rpdb_link_id=fd000001 rpdb_svc_id=0 ngfwid=n/a
total session 1

 

FGT # di ip address list
IP=10.109.16.34->10.109.16.34/255.255.240.0 index=7 devname=wan1 <-----
IP=10.108.0.34->10.108.0.34/255.255.240.0 index=11 devname=internal1
IP=10.109.251.57->10.109.251.254/255.255.255.255 index=31 devname=ppp1
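To make the forwarding decision concrete, the following Python script (an added example, not Fortinet code) parses the routing table shown above, performs a longest-prefix lookup for the destination, and models the two behaviours this article describes: the default routing-table check that drops traffic to 4.2.2.2 via 'wan1', and the bypass once 'set gateway enable' and 'set default enable' are configured. The member/flag semantics in sdwan_forward are a simplified assumption based on this article's description, not FortiOS internals.

```python
import ipaddress
import re
# Constructed sample input: the routing table output shown in this article.
ROUTING_TABLE = """\
S* 0.0.0.0/0 [11/0] via 10.109.251.254, ppp1
C 10.108.0.0/20 is directly connected, internal1
C 10.109.16.0/20 is directly connected, wan1
C 10.109.251.57/32 is directly connected, ppp1
C 10.109.251.254/32 is directly connected, ppp1
S 172.0.0.0/8 [1/0] via 10.109.31.254, wan1
"""

# Matches both 'via <gateway>, <interface>' and 'is directly connected, <interface>' lines.
ROUTE_RE = re.compile(r"^\S+\s+(\S+/\d+)\s.*?(?:via\s+(\S+),|connected,)\s+(\S+)$")

def parse_routes(text):
    """Parse 'get router info routing-table all' lines into (network, gateway, interface)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net, gw, dev = m.groups()
            routes.append((ipaddress.ip_network(net), gw, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns (gateway or None, interface), or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def sdwan_forward(routes, dst, member_intf, member_gw, gateway_enable, default_enable):
    """Simplified model (assumption, not FortiOS code) of the behaviour in this article:
    - default: the selected member must have a route to dst, otherwise the traffic is dropped;
    - with 'set gateway enable' + 'set default enable': skip the routing-table check and
      send the traffic out the member towards its configured gateway."""
    route = lookup(routes, dst)
    if route is not None and route[1] == member_intf:
        return ("forward", member_intf, route[0] or member_gw)
    if gateway_enable and default_enable and member_gw:
        return ("forward", member_intf, member_gw)
    return ("drop", f"no route to {dst} via SD-WAN member {member_intf}")

if __name__ == "__main__":
    rt = parse_routes(ROUTING_TABLE)
    print(sdwan_forward(rt, "4.2.2.2", "wan1", "10.109.31.254", False, False))
```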