Description
This article describes how to verify that SD-WAN rules have been pushed correctly to the kernel.
Scope
FG-92D & FWF-92D
Solution
At times, even though SD-WAN rules are configured correctly, traffic bypasses them and the next hop is chosen by a normal route lookup in the routing table instead.
In such cases, check whether the SD-WAN rules are actually present in the kernel, and with which gateway, by running the following command:
# diagnose firewall proute list

Example 1:
In this case, traffic would not hit the SD-WAN rule because no gateway has been pushed to the kernel for it. The SD-WAN configuration is:

FG500D_A # config system virtual-wan-link
FG500D_A (virtual-wan-link) # sh
config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based
    config members
        edit 2
            set interface "port12"
        next
        edit 1
            set interface "port13"
            set gateway 10.100.1.1
            set spillover-threshold 300
            set ingress-spillover-threshold 300
        next
        edit 3
            set interface "to_FG_B_root"
            set gateway 172.16.209.2
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set threshold-warning-latency 2
            set threshold-alert-latency 5
            set members 2 1
        next
        edit "aaa"
            set server "172.16.209.2"
            set members 3
        next
    end
    config service
        edit 1
            set name "af"
            set member 3
            set dst "10.100.20.0"
            set src "all"
        next
    end
end
FG500D_A # diagnose firewall proute list
list route policy info(vf=root):
id=4279042049 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 --> No gateway
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255

The kernel entry carries an output interface (oif=32) but no gwy= field. To push the gateway to the kernel, enable the gateway option on the SD-WAN service rule:

FG500D_A # config system virtual-wan-link
FG500D_A (virtual-wan-link) # sh
config system virtual-wan-link
    set status enable
    set load-balance-mode usage-based
    config members
        edit 2
            set interface "port12"
        next
        edit 1
            set interface "port13"
            set gateway 10.100.1.1
            set spillover-threshold 300
            set ingress-spillover-threshold 300
        next
        edit 3
            set interface "to_FG_B_root"
            set gateway 172.16.209.2
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set threshold-warning-latency 2
            set threshold-alert-latency 5
            set members 2 1
        next
        edit "aaa"
            set server "172.16.209.2"
            set members 3
        next
    end
    config service
        edit 1
            set name "af"
            set member 3
            set dst "10.100.20.0"
            set src "all"
            set gateway enable    --> added
        next
    end
end

After this, the kernel entry shows gwy= for the rule and traffic matching the rule is forwarded to that gateway. Note that the entry id is regenerated when the rule is re-pushed (4279042049 before, 4278976513 after), so compare entries by vwl_service rather than by id:

FG500D_A # diagnose firewall proute list
list route policy info(vf=root):
id=4278976513 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 gwy=172.16.209.2
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
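The comparison the article makes by eye between the two proute listings, as an added example that is not part of the article and not a Fortinet tool: a small Python parser for saved "diagnose firewall proute list" output that flags SD-WAN rules whose kernel entry has no gwy= field. The two sample listings are the ones shown above (including the "--> No gateway" annotation, which the parser strips); the field names id, vwl_service, oif and gwy are taken from that output; the parsing approach and the assumption that the absence of gwy= is the only condition to flag are this example's, based on what the article shows.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the two "diagnose firewall proute list" listings from the
# article, before and after "set gateway enable" on the SD-WAN service.
PROUTE_BEFORE = """\
list route policy info(vf=root):
id=4279042049 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 --> No gateway
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
"""

PROUTE_AFTER = """\
list route policy info(vf=root):
id=4278976513 vwl_service=1(af) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=32 gwy=172.16.209.2
source(1): 0.0.0.0-255.255.255.255
destination(1): 10.100.20.0-10.100.20.255
"""

# Assumed line shapes, modelled on the listings above (not a documented grammar).
VDOM_RE = re.compile(r"^list route policy info\(vf=(?P<vdom>[^)]+)\):")
RULE_RE = re.compile(r"^id=(?P<id>\d+)\s+vwl_service=(?P<svc>\d+)\((?P<name>[^)]*)\)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class PolicyRoute:
    vdom: str
    rule_id: int          # kernel entry id; regenerated when the rule is re-pushed
    service: int          # SD-WAN service (rule) number
    name: str             # SD-WAN service name
    attrs: Dict[str, str]  # remaining key=value fields (flags, oif, gwy, ...)
    sources: List[str] = field(default_factory=list)
    destinations: List[str] = field(default_factory=list)

    @property
    def gateway(self) -> Optional[str]:
        """Gateway the kernel will use for this rule, or None if none was pushed."""
        return self.attrs.get("gwy")


def parse_proute(text: str) -> List[PolicyRoute]:
    """Parse saved 'diagnose firewall proute list' output into PolicyRoute records."""
    routes: List[PolicyRoute] = []
    vdom = "?"
    current: Optional[PolicyRoute] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VDOM_RE.match(line)
        if m:
            vdom = m.group("vdom")
            current = None
            continue
        m = RULE_RE.match(line)
        if m:
            # Drop a hand-written annotation such as "--> No gateway" before parsing fields.
            rest = m.group("rest").split("-->", 1)[0]
            current = PolicyRoute(vdom, int(m.group("id")), int(m.group("svc")),
                                  m.group("name"), dict(KV_RE.findall(rest)))
            routes.append(current)
        elif current is not None and line.startswith("source("):
            current.sources.append(line.split(":", 1)[1].strip())
        elif current is not None and line.startswith("destination("):
            current.destinations.append(line.split(":", 1)[1].strip())
    return routes


def rules_missing_gateway(text: str) -> List[PolicyRoute]:
    """SD-WAN rules the kernel holds without a gwy= field: traffic matching them
    falls back to a routing-table lookup, as described in the article."""
    return [r for r in parse_proute(text) if r.gateway is None]


def report(text: str) -> List[str]:
    """One human-readable line per kernel entry, keyed by service rather than entry id."""
    lines = []
    for r in parse_proute(text):
        state = f"gwy={r.gateway}" if r.gateway else "NO GATEWAY (routing table lookup will be used)"
        lines.append(f"[{r.vdom}] service {r.service} ({r.name}) oif={r.attrs.get('oif')} "
                     f"{state} dst={','.join(r.destinations)}")
    return lines


if __name__ == "__main__":
    for label, text in (("before", PROUTE_BEFORE), ("after", PROUTE_AFTER)):
        print(label)
        for entry in report(text):
            print("  " + entry)
```

Run it against output saved from the CLI to get a per-rule list of which SD-WAN services reached the kernel with a gateway and which did not; a rule reported with no gateway is the case the article fixes with "set gateway enable" on that service. The report keys on the service number and name because, as the two listings above show, the kernel entry id changes when the rule is re-pushed.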