FortiGate
pjawalekar
Staff
Article Id 241077
Description

This article describes how, from FortiOS 6.2 onward, a single IP address can belong to several ISDB (Internet Service Database) objects.

The traffic is matched based on the 3-tuple (protocol, port, IP).

This is why the 'singularity' value was introduced: it represents the weight of an ISDB object, and when the 3-tuple matches more than one object, the one with the highest singularity value is selected.

 

- Below is the SD-WAN rule configured with two ISDB destination objects:

[Image: SD-WAN rule with two ISDB destination objects]


- ISDB object that will be matched can be checked with the following command:

 

chameleon-kvm14 # diagnose internet-service info root 6 443 40.101.76.130
Internet Service: 327880(Microsoft-Office365.Published) country(40 Austria) region(2028 Vienna) city(25332 Vienna)

 

- The singularity value is shown in the output for each ISDB object; it can be verified with the 'get' command as below:

 

chameleon-kvm14 # config firewall internet-service 327880

chameleon-kvm14 (327880) # get
id : 327880
name : Microsoft-Office365.Published
icon-id : 502
direction : both
database : isdb
ip-range-number : 7278
extra-ip-range-number: 7278
ip-number : 2570488
singularity : 17
obsolete : 0

 

chameleon-kvm14 # config firewall internet-service 327791

chameleon-kvm14 (327791) # get
id : 327791
name : Microsoft-Outlook
icon-id : 511
direction : both
database : isdb
ip-range-number : 7404
extra-ip-range-number: 0
ip-number : 1654227
singularity : 15
obsolete : 0


- The session list output below shows that ISDB object 327880, the one with the higher singularity value, is matched (see the rpdb_svc_id field):

 

# diagnose sys session filter src 10.100.13.195
# diagnose sys session list

session info: proto=6 proto_state=01 duration=1 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=1915/8/1 reply=18094/16/1 tuples=2
tx speed(Bps/kbps): 1075/8 rx speed(Bps/kbps): 10165/81
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.5.31.254/10.100.13.195
hook=post dir=org act=snat 10.100.13.195:54752->40.126.32.139:443(10.5.21.14:54752)
hook=pre dir=reply act=dnat 40.126.32.139:443->10.5.21.14:54752(10.100.13.195:54752)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=3bc414c0 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=1
rpdb_link_id=ff000001 rpdb_svc_id=327880 ngfwid=n/a
npu_state=0x040000
total session 31

Scope

FortiGate 6.2 and above.

Solution

If two ISDB objects are present in the SD-WAN rule destination, the ISDB object with the highest singularity value will be selected.
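The selection rule above, as an added example that is not FortiOS code or part of the original article: a simplified model of an ISDB lookup that resolves a (protocol, port, IP) 3-tuple against several Internet Service objects and returns the one with the highest singularity. The object ids, names and singularity values are taken from the article; the address ranges, the entry layout and the tie-break on lowest id are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class InternetService:
    """One ISDB object: id, name, singularity and its (proto, port, network) entries."""
    id: int
    name: str
    singularity: int
    entries: list = field(default_factory=list)  # port 0 means any port

    def matches(self, proto: int, port: int, ip: str) -> bool:
        """True if the 3-tuple (protocol, port, IP) falls inside any entry."""
        addr = ipaddress.ip_address(ip)
        return any(e_proto == proto and e_port in (0, port) and addr in net
                   for e_proto, e_port, net in self.entries)


def lookup(services, proto: int, port: int, ip: str):
    """Return the matching ISDB object with the highest singularity, or None.

    Tie-break on lowest id is an assumption made for determinism, not FortiOS behaviour.
    """
    candidates = [s for s in services if s.matches(proto, port, ip)]
    if not candidates:
        return None
    return max(candidates, key=lambda s: (s.singularity, -s.id))


def net(cidr: str):
    return ipaddress.ip_network(cidr)


# Constructed sample data: ids, names and singularity values come from the
# article; the address ranges are invented so that 40.101.76.130:443/TCP is
# covered by both objects, reproducing the overlap the article describes.
SERVICES = [
    InternetService(327791, "Microsoft-Outlook", 15,
                    [(6, 443, net("40.101.76.0/24")), (6, 993, net("40.101.76.0/24"))]),
    InternetService(327880, "Microsoft-Office365.Published", 17,
                    [(6, 443, net("40.101.76.0/24")), (6, 443, net("40.126.32.0/24"))]),
]

if __name__ == "__main__":
    hit = lookup(SERVICES, 6, 443, "40.101.76.130")
    print(f"Internet Service: {hit.id}({hit.name}) singularity={hit.singularity}")
```

Compare the returned id with the rpdb_svc_id=327880 field in the session list above, which is where the FortiGate records the winning ISDB object.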
