FortiGate
athirat
Staff
Description
This article describes how to verify that SD-WAN rules have been pushed correctly to the kernel, and what to change when a rule is present there without its gateway.

Scope
FG-92D & FWF-92D

Solution
At times, even though the SD-WAN rules are configured correctly, traffic bypasses them and is forwarded by a normal route lookup against the routing table instead.
In such cases, check what the kernel actually holds for the SD-WAN rules with the following command (the policy-route entries it lists are the kernel view of the SD-WAN services; an entry that is missing its gwy= field cannot steer traffic to the intended member):
#diagnose firewall proute list
Example 1:
FG500D_A # config system virtual-wan-link

FG500D_A (virtual-wan-link) # sh
config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based
    config members
        edit 2
            set interface "port12"
        next
        edit 1
            set interface "port13"
            set gateway 10.100.1.1
            set spillover-threshold 300
            set ingress-spillover-threshold 300
        next
        edit 3
            set interface "to_FG_B_root"
            set gateway 172.16.209.2
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set threshold-warning-latency 2
            set threshold-alert-latency 5
            set members 2 1
        next
        edit "aaa"
            set server "172.16.209.2"
            set members 3
        next
    end
    config service
        edit 1
            set name "af"
            set member 3
            set dst "10.100.20.0"
            set src "all"
        next
    end
end
In this case the traffic does not match the SD-WAN rule, because the gateway of the selected member has not been pushed to the kernel: the policy-route entry for service 1 (af) exists, but it carries no gwy= field, so forwarding falls back to the routing table.

FG500D_A # diagnose firewall proute list
list route policy info(vf=root):

id=4279042049 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32   --> No gateway
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
To get the gateway into the kernel entry, enable the gateway option on the SD-WAN service (rule) itself. Note that the member the rule uses must have a gateway configured (here member 3, to_FG_B_root, has set gateway 172.16.209.2); the service setting only tells the kernel to use that member gateway:
FG500D_A # config system virtual-wan-link

FG500D_A (virtual-wan-link) # sh
config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based
    config members
        edit 2
            set interface "port12"
        next
        edit 1
            set interface "port13"
            set gateway 10.100.1.1
            set spillover-threshold 300
            set ingress-spillover-threshold 300
        next
        edit 3
            set interface "to_FG_B_root"
            set gateway 172.16.209.2
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set threshold-warning-latency 2
            set threshold-alert-latency 5
            set members 2 1
        next
        edit "aaa"
            set server "172.16.209.2"
            set members 3
        next
    end
    config service
        edit 1
            set name "af"
            set member 3
            set dst "10.100.20.0"
            set src "all"
            set gateway enable   --> pushes the member gateway into the kernel entry for this rule
        next
    end
end
After this change the kernel entry (note the new id, the rule has been re-programmed) carries the gateway of member 3, and traffic matching the rule is steered by SD-WAN instead of the routing table:
FG500D_A # diagnose firewall proute list
list route policy info(vf=root):

id=4278976513 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 gwy=172.16.209.2
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
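When several SD-WAN rules or VDOMs are involved, reading the diagnose output by eye is error-prone. The script below is an added example, not code from the original article or from Fortinet: it parses the text of diagnose firewall proute list and reports every SD-WAN service entry the kernel holds without a gwy= field, which is exactly the condition shown above. The two sample listings embedded in it are constructed from the before and after captures in this article; in practice the text would be collected from the FortiGate over SSH.

```python
"""Flag SD-WAN service rules that the kernel holds without a gateway.

Added example for the FortiOS 'diagnose firewall proute list' output; it is
not part of the original article. BEFORE and AFTER below are constructed from
the two captures in the article (before and after 'set gateway enable' on
SD-WAN service 1 "af").
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: kernel view before the fix (no gwy= field).
BEFORE = """list route policy info(vf=root):

id=4279042049 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
"""

# Constructed sample input: kernel view after 'set gateway enable' on the service.
AFTER = """list route policy info(vf=root):

id=4278976513 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 gwy=172.16.209.2
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
"""

_KV = re.compile(r"(\w+)=(\S+)")                         # key=value tokens on an id= line
_VDOM = re.compile(r"^list route policy info\(vf=([^)]+)\):")
_RANGE = re.compile(r"^(source|destination)\((\d+)\):\s*(.*)$")
_SERVICE = re.compile(r"^(\d+)\((.*)\)$")                # vwl_service=1(af) -> 1, "af"


@dataclass
class ProuteEntry:
    vdom: str
    id: int
    service_id: Optional[int]
    service_name: Optional[str]
    oif: Optional[int]
    gateway: Optional[str]          # None when the kernel entry has no gwy= field
    fields: Dict[str, str] = field(default_factory=dict)
    source: List[str] = field(default_factory=list)
    destination: List[str] = field(default_factory=list)


def parse_proute(output: str) -> List[ProuteEntry]:
    """Parse 'diagnose firewall proute list' text into ProuteEntry records.

    Each entry starts with an 'id=' line; the source(n)/destination(n) lines
    that follow belong to it. The 'list route policy info(vf=...)' header sets
    the VDOM for the entries after it.
    """
    entries: List[ProuteEntry] = []
    vdom = "root"
    current: Optional[ProuteEntry] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _VDOM.match(line)
        if m:
            vdom = m.group(1)
            continue
        if line.startswith("id="):
            fields = dict(_KV.findall(line))
            svc_id = svc_name = None
            m = _SERVICE.match(fields.get("vwl_service", ""))
            if m:
                svc_id, svc_name = int(m.group(1)), m.group(2)
            current = ProuteEntry(
                vdom=vdom,
                id=int(fields["id"]),
                service_id=svc_id,
                service_name=svc_name,
                oif=int(fields["oif"]) if "oif" in fields else None,
                gateway=fields.get("gwy"),
                fields=fields,
            )
            entries.append(current)
            continue
        m = _RANGE.match(line)
        if m and current is not None:
            getattr(current, m.group(1)).append(m.group(3))
    return entries


def rules_without_gateway(output: str) -> List[ProuteEntry]:
    """SD-WAN service entries present in the kernel but without a gwy= field.

    These are the rules traffic will bypass in favour of a routing-table lookup;
    the fix is 'set gateway enable' on the service, with a gateway configured on
    the member it selects.
    """
    return [e for e in parse_proute(output)
            if e.service_id is not None and e.gateway is None]


def report(output: str) -> str:
    """One summary line per kernel entry, marking the ones that lack a gateway."""
    lines = []
    for e in parse_proute(output):
        state = f"gwy={e.gateway}" if e.gateway else "NO GATEWAY (enable gateway on the service)"
        lines.append(f"[{e.vdom}] id={e.id} service={e.service_id}({e.service_name}) "
                     f"oif={e.oif} dst={','.join(e.destination)} -> {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("before fix:\n" + report(BEFORE))
    print("after fix:\n" + report(AFTER))
```

Run against the output of a real unit, rules_without_gateway returns the entries to look at; an empty list means every SD-WAN service the kernel knows about already carries its gateway. Entries without a vwl_service token (plain policy routes) are parsed but not flagged.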
