Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vbandha
Staff
Staff

Created on ‎09-27-2023 01:53 AM Edited on ‎12-28-2023 07:04 AM By Moderator

Article Id 276147

Technical Tip: How to find the SD-WAN rule and SD-WAN member used for a particular session

Description This article describes how to find the SD-WAN rule and member used in a particular session on FortiGate.
Scope FortiGate.
Solution

To find the SD-WAN rule that is used in a particular session, it is recommended to apply a filter to match the session in the session list.
See Troubleshooting Tip: FortiGate session table information for more information about different ways to apply a session filter.

 

In this example, the filter used is by Source IP 192.168.7.2. Enter the following commands to find the matching session:


diag sys session filter src 192.168.7.2
diag sys session list

 

The output will display all of the sessions with source IP 192.168.7.2. In the current example, the following output appears:

 

session info: proto=6 proto_state=01 duration=61 expire=3538 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=314/4/1 reply=1586/3/1 tuples=2
tx speed(Bps/kbps): 5/0 rx speed(Bps/kbps): 25/0
orgin->sink: org pre->post, reply pre->post dev=4->9/9->4 gwy=10.9.15.254/192.168.7.2
hook=post dir=org act=snat 192.168.7.2:49790->192.229.211.108:80(10.9.11.249:49790)
hook=pre dir=reply act=dnat 192.229.211.108:80->10.9.11.249:49790(192.168.7.2:49790)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=7 pol_uuid_idx=14769 auth_info=0 chk_client_info=0 vd=0
serial=0014581f tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=4 sdwan_service_id=3
rpdb_link_id=ff000003 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

 

The useful information in the output for the SD-WAN rule and the member is sdwan_mbr_seq=4 sdwan_service_id=3.

 

This means that SD-WAN member #4 and SD-WAN service ID #3 were used for traffic.


The SD-WAN Service ID is the SD-WAN rule number. In this example, it is possible to find the Service ID in the 'ID' section of SD-WAN Rules as shown below:

 

1.png

 

config system sdwan

    config service
        edit 3
            set name Internet
            set dst "all"
            set src "all"
            set priority-members 1
        next
    end
end

 

To find the member, run the following command:

 

config sys sdwan
config members
show


The following output will be seen:

 

2.JPG


In the above output, port 7 has a member sequence of 4.

 

Another useful command to check which SD-WAN rule will be matched for specific traffic is as follows:

 

diagnose ip proute match <destination ip> <source ip> <incoming interface> <proto> <destination port number>

 

For example:

 

diagnose ip proute match 8.8.8.8 192.168.1.111 internal1 6 443
dst=8.8.8.8 src=192.168.1.111 smac=00:00:00:00:00:00 iif=8 protocol=6 dport=443
id=7f000002 type=SDWAN
seq-num=2 oif=5(wan1)

 

Checking the SD-WAN Rules hierarchy in the GUI will reveal which rule was matched [ID number 2]:

 

Photo_SDWAN.JPG
1688
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.