kltam
Staff
Article Id 198515

Description

This article describes how to configure a source IP address for the Secure SDWAN Performance SLA feature.
For regular SD-WAN members that have an IP address configured, such as WAN interfaces, FortiOS performs the Performance SLA check using the interface's own IP address.


However, in Secure SD-WAN some VPN interfaces have no IP address configured, or they have one that is not allowed by the IPsec Phase 2 selector. In either case FortiOS has a problem performing the SD-WAN Performance SLA check for these VPN interfaces.

Scope

FortiGate.

Solution

By default, the VPN interface created in FortiOS does not have any IP address.
If such a VPN interface is added as a Secure SD-WAN member and a Performance SLA is configured to check the tunnel status, the Performance SLA entry shows 'down' for the VPN interface, as below:

Another example is the case where the FortiGate is connected to a PPPoE provider that leases a private IP for the interconnection on the PPPoE interface and then routes the contracted public IP through that assigned private IP.
In this situation, an IP pool is created so that user traffic is NATed to the contracted public IP, and connectivity works. However, self-generated traffic such as the Performance SLA probes is not checked against firewall policies or central NAT, so its source IP is the private interconnect IP, and the ISP simply drops it.

Therefore, set a source IP address for the VPN interface so that FortiOS can perform the Performance SLA check and validate the result, using the CLI commands below:

Option 1:

config system sdwan
    config members
        edit <ID>                    <- VPN interface member ID.
            set source <IP address>  <- Interface IP that is allowed in the IPsec Phase 2 selector and in the policy.
        next
    end
end

Option 2:

config system sdwan
    config health-check
        edit <name>                  <- Health check name.
            set source <IP address>  <- Source IP to be used for the health check probes.
        next
    end
end

Option 2 is available starting with FortiOS version 7.2.0, as included here.

Result:

For the PPPoE scenario described above, first configure a loopback interface with the contracted public IP, because FortiOS does not allow setting a source IP that does not match the address of any interface in the configuration.

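Both CLI options and the PPPoE note above rest on the same two constraints: the address given to 'set source' must be one that FortiOS actually holds on an interface (a loopback if nothing else carries it), and for a VPN member it must also fall inside the IPsec Phase 2 selector, otherwise the probes never match the tunnel and the SLA stays down. The following Python script is an added example, not part of this article and not FortiOS code; it models that pre-flight check over a constructed interface table and constructed Phase 2 selectors (the names wan1, ppp1, lo-public, vpn-hub and all addresses are made up) so a candidate source IP can be validated before it is committed to the firewall.

```python
import ipaddress

# Constructed interface table: name -> configured address, or None for an
# interface with no IP (a freshly created IPsec interface). All values are made up.
INTERFACES = {
    "wan1": "203.0.113.10/30",        # WAN uplink with a public IP: default probe source works
    "ppp1": "10.20.30.2/32",          # PPPoE interconnect: ISP-leased private IP
    "lo-public": "198.51.100.5/32",   # loopback carrying the contracted public IP
    "vpn-hub": None,                  # IPsec interface without an address
}

# Constructed Phase 2 source selectors per VPN member (what the remote peer accepts).
# A member absent from this table is treated as a direct (non-VPN) uplink.
PHASE2_SRC_SUBNETS = {
    "vpn-hub": ["192.168.100.0/24", "198.51.100.5/32"],
}

# RFC 1918 ranges: the ISP in the PPPoE scenario drops probes sourced from these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True when ip lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def default_probe_source(member, interfaces=INTERFACES):
    """Address the probe uses when no 'set source' is configured: the member
    interface's own IP, or None when the interface has no IP at all."""
    cidr = interfaces.get(member)
    return str(ipaddress.ip_interface(cidr).ip) if cidr else None


def interface_for_ip(ip, interfaces=INTERFACES):
    """Name of the interface whose configured address is exactly ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in interfaces.items():
        if cidr and ipaddress.ip_interface(cidr).ip == addr:
            return name
    return None


def needs_explicit_source(member, interfaces=INTERFACES, phase2=PHASE2_SRC_SUBNETS):
    """True when the default probe source cannot work: the member has no IP
    (the VPN case in the article), or it is a direct uplink whose own IP is
    RFC 1918 private (the PPPoE case, where the ISP drops the probes)."""
    default = default_probe_source(member, interfaces)
    if default is None:
        return True
    is_vpn = member in phase2
    return (not is_vpn) and is_rfc1918(default)


def check_sla_source(member, source_ip, interfaces=INTERFACES, phase2=PHASE2_SRC_SUBNETS):
    """Validate a candidate 'set source' value for an SD-WAN member.

    Returns (ok, reason). The two checks mirror the article's constraints:
    1. the address must be configured on some interface (FortiOS rejects it
       otherwise, hence the loopback in the PPPoE scenario);
    2. for a VPN member it must sit inside one of the Phase 2 source selectors,
       or the probe is not carried by the tunnel and the SLA stays down.
    """
    addr = ipaddress.ip_address(source_ip)
    owner = interface_for_ip(source_ip, interfaces)
    if owner is None:
        return False, f"{source_ip} is not configured on any interface (add a loopback first)"
    selectors = phase2.get(member)
    if selectors is not None and not any(addr in ipaddress.ip_network(s) for s in selectors):
        return False, f"{source_ip} is outside the Phase 2 selectors of {member}: {selectors}"
    return True, f"{source_ip} (on {owner}) is a valid probe source for {member}"


if __name__ == "__main__":
    for member in INTERFACES:
        print(f"{member}: default source {default_probe_source(member)}, "
              f"needs explicit source: {needs_explicit_source(member)}")
    for member, candidate in [("vpn-hub", "203.0.113.10"), ("vpn-hub", "198.51.100.5"),
                              ("ppp1", "192.0.2.99"), ("ppp1", "198.51.100.5")]:
        print(member, candidate, check_sla_source(member, candidate))
```

In the constructed data, ppp1 and vpn-hub are the two members that need 'set source': ppp1 because its own address is private and would be dropped upstream, vpn-hub because it has no address. The loopback address 198.51.100.5 passes for both, since it is configured on lo-public and is listed in vpn-hub's Phase 2 selector, while wan1's public address is rejected for vpn-hub because the selector does not cover it.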

Note:

Before FortiOS 6.4.1, 'config system virtual-wan-link' was used instead of 'config system sdwan':

config system virtual-wan-link
    config members
        edit <ID>                    <- VPN interface member ID.
            set source <IP address>  <- Interface IP that is allowed in the IPsec Phase 2 selector and in the policy.
        next
    end
end