FortiGate
athirat
Staff
Article Id 190191

Description


This article describes how to make sure SD-WAN rules are pushed correctly in the kernel.

Scope


FortiGate with SD-WAN configured.

Solution


At times, even though SD-WAN rules are configured correctly, traffic bypasses them and the FortiGate selects the egress path from the routing table instead.
In such cases, check how the SD-WAN rules were installed in the kernel (they are programmed as policy routes) with the command below:

 

diagnose firewall proute list

 

Example 1:

 

FG500D_A # config system virtual-wan-link
FG500D_A (virtual-wan-link) # show
config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based
        config members
            edit 2
                set interface "port12"
            next
            edit 1
                set interface "port13"
                set gateway 10.100.1.1
                set spillover-threshold 300
                set ingress-spillover-threshold 300
            next
            edit 3
                set interface "to_FG_B_root"
                set gateway 172.16.209.2
            next
        end
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set threshold-warning-latency 2
                set threshold-alert-latency 5
                set members 2 1
            next
            edit "aaa"
                set server "172.16.209.2"
                set members 3
            next
        end
        config service
            edit 1
                set name "af"
                set member 3
                set dst "10.100.20.0"
                set src "all"
            next
        end
end

 

In this case, matching traffic does not use the SD-WAN rule: the service 'af' has no gateway in the kernel policy route, so the FortiGate falls back to a normal routing-table lookup. This is visible in the policy-route entry, which carries an output interface (oif=32) but no gwy= field:


diagnose firewall proute list
list route policy info(vf=root):

id=4279042049 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32   --> No gateway
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255

 

To have the member gateway installed in the kernel, enable 'gateway' on the SD-WAN service. The only change from the configuration above is the 'set gateway enable' line under 'config service':

 

show system virtual-wan-link

config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based
        config members
            edit 2
                set interface "port12"
            next
            edit 1
                set interface "port13"
                set gateway 10.100.1.1
                set spillover-threshold 300
                set ingress-spillover-threshold 300
            next
            edit 3
                set interface "to_FG_B_root"
                set gateway 172.16.209.2
            next
        end
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set threshold-warning-latency 2
                set threshold-alert-latency 5
                set members 2 1
            next
            edit "aaa"
                set server "172.16.209.2"
                set members 3
            next
        end
        config service
            edit 1
                set name "af"
                set member 3
                set dst "10.100.20.0"
                set src "all"
                set gateway enable
            next
        end
end

 

After this change, the policy route is re-installed (note the new id) and now carries the gateway of member 3 (gwy=172.16.209.2), so traffic matching the rule is steered through that member:

 

diagnose firewall proute list
list route policy info(vf=root):

id=4278976513 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 gwy=172.16.209.2
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
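When a FortiGate has many SD-WAN services, reading 'diagnose firewall proute list' by eye to spot the entry with no gwy= field is error-prone. The following is an added example, not part of the original article or of FortiOS, that parses a captured copy of that output and lists every SD-WAN service whose kernel entry lacks a gateway. The two sample captures are constructed from the before and after outputs shown above (the '--> No gateway' annotation is stripped if present).

```python
import re

# Constructed sample captures, taken from the two outputs quoted in the article:
# before 'set gateway enable' (no gwy= field) and after it (gwy=172.16.209.2).
SAMPLE_BEFORE = """list route policy info(vf=root):

id=4279042049 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32   --> No gateway
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
"""

SAMPLE_AFTER = """list route policy info(vf=root):

id=4278976513 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 gwy=172.16.209.2
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
"""

# Header line of each policy-route entry: id=<n> vwl_service=<n>(<name>) <key=value ...>
ENTRY_RE = re.compile(r"^id=(?P<id>\d+)\s+vwl_service=(?P<svc>\d+)\((?P<name>[^)]*)\)\s+(?P<rest>.*)$")
# Generic key=value tokens on the header line (flags, tos, oif, gwy, ...)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_proute(text):
    """Parse 'diagnose firewall proute list' output into one dict per entry.

    Each dict holds the numeric id, the SD-WAN service number and name, every
    key=value field from the header line (e.g. 'oif', 'gwy') and the
    source/destination ranges that follow it.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        # Drop any free-text annotation such as '--> No gateway' before parsing.
        line = raw.split("-->", 1)[0].strip()
        match = ENTRY_RE.match(line)
        if match:
            current = {
                "id": int(match["id"]),
                "service": int(match["svc"]),
                "name": match["name"],
                "sources": [],
                "destinations": [],
            }
            current.update(dict(KV_RE.findall(match["rest"])))
            entries.append(current)
        elif current is not None and line.startswith("source("):
            current["sources"].append(line.split(":", 1)[1].strip())
        elif current is not None and line.startswith("destination("):
            current["destinations"].append(line.split(":", 1)[1].strip())
    return entries


def services_without_gateway(text):
    """Return (service number, name) for every SD-WAN rule installed without gwy=."""
    return [(e["service"], e["name"]) for e in parse_proute(text) if "gwy" not in e]


if __name__ == "__main__":
    for label, capture in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        missing = services_without_gateway(capture)
        print(f"{label}: services without gateway = {missing}")
```

Run it against a capture of your own output (for example, pasted from an SSH session into a file read with open().read()); any service it reports is a candidate for 'set gateway enable', or for checking that the corresponding SD-WAN member actually has a gateway configured.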

 

Note:
Before v6.4.1, the commands used for configuration and troubleshooting were different. From v6.4.1, the word 'virtual-wan-link' in the commands has been replaced with 'sdwan'. For example, in FortiOS v6.2, the command to enter SD-WAN configuration was 'config system virtual-wan-link', from v6.4.1 it is 'config system sdwan'.