diagnose firewall proute list

Example 1:

In this case, the traffic would not hit the SD-WAN rule because the gateway is not updated in the kernel for the policy route that the SD-WAN service creates.

FG500D_A # config system virtual-wan-link
FG500D_A (virtual-wan-link) # sh
config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based
    config members
        edit 2
            set interface "port12"
        next
        edit 1
            set interface "port13"
            set gateway 10.100.1.1
            set spillover-threshold 300
            set ingress-spillover-threshold 300
        next
        edit 3
            set interface "to_FG_B_root"
            set gateway 172.16.209.2
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set threshold-warning-latency 2
            set threshold-alert-latency 5
            set members 2 1
        next
        edit "aaa"
            set server "172.16.209.2"
            set members 3
        next
    end
    config service
        edit 1
            set name "af"
            set member 3
            set dst "10.100.20.0"
            set src "all"
        next
    end
end
FG500D_A # diagnose firewall proute list
list route policy info(vf=root):
id=4279042049 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 --> No gateway
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
To update the same, enable the gateway option under the SD-WAN service, as marked below. After this, the kernel will reflect the gateway correctly and the SD-WAN rule will be triggered:

FG500D_A # config system virtual-wan-link
FG500D_A (virtual-wan-link) # sh
config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based
    config members
        edit 2
            set interface "port12"
        next
        edit 1
            set interface "port13"
            set gateway 10.100.1.1
            set spillover-threshold 300
            set ingress-spillover-threshold 300
        next
        edit 3
            set interface "to_FG_B_root"
            set gateway 172.16.209.2
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set threshold-warning-latency 2
            set threshold-alert-latency 5
            set members 2 1
        next
        edit "aaa"
            set server "172.16.209.2"
            set members 3
        next
    end
    config service
        edit 1
            set name "af"
            set member 3
            set dst "10.100.20.0"
            set src "all"
            set gateway enable    --> Gateway enabled for this SD-WAN service
        next
    end
end
FG500D_A # diagnose firewall proute list
list route policy info(vf=root):
id=4278976513 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 gwy=172.16.209.2
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
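The check above is easy to miss when a unit has many SD-WAN services. The following Python script is an added example, not Fortinet code: it parses the text of 'diagnose firewall proute list' and reports every vwl_service policy route that has no gwy= field, which is the symptom shown in Example 1. The two sample outputs are constructed from the before and after output on this page; the function and variable names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: 'diagnose firewall proute list' output before
# 'set gateway enable' was configured on the SD-WAN service (no gwy= field).
SAMPLE_BEFORE = """list route policy info(vf=root):
id=4279042049 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
"""

# Constructed sample: the same policy route after 'set gateway enable'
# (the kernel entry now carries gwy=172.16.209.2).
SAMPLE_AFTER = """list route policy info(vf=root):
id=4278976513 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 gwy=172.16.209.2
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
"""

# A policy-route header line created by an SD-WAN service starts with
# "id=<n> vwl_service=<n>(<name>)"; the remaining fields are key=value pairs.
ENTRY_RE = re.compile(r"^id=(?P<id>\d+)\s+vwl_service=(?P<svc>\d+)\((?P<name>[^)]*)\)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_proute(output: str) -> List[Dict[str, Optional[str]]]:
    """Parse proute output into one dict per SD-WAN policy route."""
    entries: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            fields = dict(KV_RE.findall(line))
            current = {
                "id": m.group("id"),
                "service": m.group("svc"),
                "name": m.group("name"),
                "oif": fields.get("oif"),
                "gwy": fields.get("gwy"),  # None when the kernel has no gateway
                "source": None,
                "destination": None,
            }
            entries.append(current)
        elif current is not None and line.startswith("source("):
            current["source"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("destination("):
            current["destination"] = line.split(":", 1)[1].strip()
    return entries


def services_without_gateway(output: str) -> List[str]:
    """Names of SD-WAN services whose kernel policy route carries no gwy= field."""
    return [e["name"] for e in parse_proute(output) if e["gwy"] is None]


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        missing = services_without_gateway(sample)
        if missing:
            print(f"{label}: no gateway in kernel for SD-WAN service(s): {', '.join(missing)}")
        else:
            print(f"{label}: all SD-WAN policy routes have a gateway")
```

Paste the real output of 'diagnose firewall proute list' in place of the constructed samples; any service name the script reports is a candidate for 'set gateway enable' under 'config service' in 'config system virtual-wan-link'.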
Copyright 2024 Fortinet, Inc. All Rights Reserved.