FortiGate
SassiVeeran
Staff
Article Id 344694
Description This article describes how to use Blackhole routes to control SD-WAN traffic failover.
Scope FortiGate.
Solution

Blackhole routes are static routes, configured with a higher Administrative Distance (AD) than the regular routes, that are used to silently drop matching traffic.

In this article, blackhole routes are used to influence SD-WAN traffic. The requirement is to forward traffic as follows:

From source subnet 10.0.0.0/24 to destination IP 8.8.8.8 via the WAN1 interface only.

From source subnet 11.0.0.0/24 to destination IP 1.1.1.1 via the WAN2 interface only.

Expected behavior (without blackhole routes):

When the WAN2 interface goes down, traffic to destination IP 1.1.1.1 is forwarded via WAN1 instead.

Requirement:

Traffic must not fail over from WAN2 to WAN1, or vice versa, when one of the WAN links goes down; it must be forwarded solely via the configured interface.

Solution:

  1. To force traffic through a specific interface, configure a blackhole route. If either WAN interface (WAN1 or WAN2) goes down, traffic will neither fail over nor load-balance between the WAN ports; FortiGate silently drops the packets because of the blackhole route.

  2. To achieve this setup, configure the following:
  • Create two SD-WAN zones: one zone for the WAN1 interface and another zone for the WAN2 interface.
  • Create two SD-WAN rules: one rule to route traffic to 1.1.1.1 via the WAN1 interface and a second rule to route traffic to 8.8.8.8 via the WAN2 interface. Specify the source subnets in the SD-WAN rules; in this example, the source subnets are 10.0.0.0/24 and 11.0.0.0/24.
  • Create six static routes as follows:

    (i) Two static routes pointing to destination 0.0.0.0/0, one per SD-WAN zone.
    (ii) Two static routes pointing to 1.1.1.1/32 and 8.8.8.8/32, one per SD-WAN zone.
    (iii) Two static blackhole routes pointing to 1.1.1.1/32 and 8.8.8.8/32, corresponding to the two SD-WAN zones.

  • Finally, add the two SD-WAN zones to the firewall policy.


  3. Outcome:

  • When the WAN1 interface goes down, traffic to 1.1.1.1 does not fail over to the WAN2 interface.
  • When the WAN2 interface goes down, traffic to 8.8.8.8 does not fail over to the WAN1 interface.