Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mgoswami
Staff
Staff

Created on ‎08-20-2023 10:58 PM Edited on ‎05-06-2025 06:04 AM By Community Manager

Article Id 269454

Technical Tip: Interface Stickiness for SD-WAN

Description

This article explains how to force sessions to keep using the outgoing interface and gateway after a route change. 

The reevaluation of a dirty session following a route change may result in a failover to another SD-WAN member.

If the SD-WAN members are connected to different devices, it can cause an interruption of TCP sessions.
Scope FortiGate v7.0.
Solution

                                                             PIC for Preserve session.PNG

 

To avoid a route change, when the current route is still available, but no longer the best route, it is possible to enable the preserve session route under interface-level. It will force the session to stay on the same SD-WAN member, provided the route in use by the session is still in the FIB.

CLI Syntax:

 

config system interface
    edit port1
        set preserve-session-route enable 

end

 

However, if the route is removed from the FIB, FortiGate must flag the session as dirty, flush its gateway
information, and reevaluate the session.

 

preserve-session-route enable <----- It is using its preserve route on a particular ISP.

 

If there are changes to the network, it keeps the routes on the same WAN interface for that session.

 

In the above topology, if FortiGate establishes the session via Port1, but due to SLA changes, the best route is
now via Port2, the behavior is as follows:

 

  1. With preserve-session-route disabled, FortiGate reevaluates the session and redirects the traffic through port2.
    Hub2 drops any already established TCP sessions.
  2. With preserve-session-route enabled, FortiGate does not reevaluate the session, and the session remains established through port1 and hub1. Active TCP sessions do not change. FortiGate routes new sessions through Port2.

 

session info: proto=1 proto_state=00 duration=6 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty route_preserve
statistic(bytes/packets/allow_err): org=84/1/1 reply=84/1/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=6->5/5->6 gwy=20.0.0.2/0.0.0.0
sdwan_mbr_seq=2 sdwan_service_id=1

diag netlink interface list | grep index=5
if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0

 

diag sys sdwan member | grep (2)
Member(2): interface: port3, flags=0x0 , gateway: 20.0.0.2, priority: 1 1024, weight: 0

 

The above logs show the details of an ICMP session established through an interface (Port3) that has the setting
preserve-session-route enabled.

Note that only relevant lines of the session are displayed.

 

The same behavior: 'outgoing interface not changed after a routing change', will be faced in case of source NAT applied to the traffic, as explained in this KB article: Troubleshooting Tip: Routing Changes and SNAT (snat-route-change) 
13097
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.