syao (Staff)
Article Id 348426
Description This article describes how to use the SD-WAN rule input-device negate feature so that an SD-WAN rule only takes effect when the incoming traffic arrives on an interface that is not listed under input-device.
Scope FortiGate v6.4, v7.0, v7.2, v7.4, v7.6
Solution

In the following diagram, the Guest network traffic reaches FortiGate on port4. Because the Corporate SD-WAN rule negates port4 as its input device, FortiGate does not route the Guest traffic out of port1; it falls through to the general rule and is routed out of port2.

sdwan.png

  1. Create an SD-WAN rule for Corporate traffic and another rule for all other traffic:


config system sdwan
    config service
        edit 1
            set name "Corporate_INET"
            set input-device "port4"
            set input-device-negate enable
            set dst "all"
            set src "all"
            set priority-members 1
        next
        edit 2
            set name "ALL_INET"
            set dst "all"
            set src "all"
            set priority-members 2
        next
    end
end


  2. Make sure that there is a firewall policy allowing the traffic and referencing the SD-WAN zone as the destination interface:

config firewall policy
    edit 0
        set name "Allow_INTERNET_Guest"
        set srcintf "port4"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
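The following Python model, added here as an illustration and not part of the article or of FortiOS, walks through how the two rules above are evaluated top-down for traffic arriving on different interfaces; it assumes that priority-member 1 is port1 and member 2 is port2, and it also shows the caveat that placing ALL_INET first makes the negate rule unreachable.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption (not stated in the article): member 1 is port1, member 2 is port2.
MEMBERS = {1: "port1", 2: "port2"}


@dataclass
class SdwanRule:
    name: str
    priority_members: List[int]
    input_devices: List[str] = field(default_factory=list)
    input_device_negate: bool = False

    def matches_ingress(self, ingress: str) -> bool:
        # No input-device configured: the rule matches traffic from any interface.
        if not self.input_devices:
            return True
        hit = ingress in self.input_devices
        # input-device-negate enable: match only when the interface is NOT listed.
        return not hit if self.input_device_negate else hit


def select_rule(rules: List[SdwanRule], ingress: str) -> Optional[SdwanRule]:
    # SD-WAN rules are evaluated in order; the first matching rule is applied.
    for rule in rules:
        if rule.matches_ingress(ingress):
            return rule
    return None


def egress_for(rules: List[SdwanRule], ingress: str) -> Optional[str]:
    rule = select_rule(rules, ingress)
    return MEMBERS[rule.priority_members[0]] if rule else None


# Constructed model of the two rules from the article.
RULES = [
    SdwanRule("Corporate_INET", [1], ["port4"], input_device_negate=True),
    SdwanRule("ALL_INET", [2]),
]

if __name__ == "__main__":
    for intf in ("port3", "port4"):
        rule = select_rule(RULES, intf)
        print(f"ingress {intf} -> rule {rule.name} -> egress {egress_for(RULES, intf)}")
    # Caveat: with ALL_INET first, every flow takes port2 and the negate never applies.
    print("port3 with rules reversed ->", egress_for(list(reversed(RULES)), "port3"))
```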
