Description | This article explains how local-out traffic, such as sending a configuration backup to a TFTP server, can be made to leave from a specific source address.
Scope | FortiGate. |
Solution |
By default, when the FortiGate sends self-generated (local-out) traffic, it chooses the interface with the lower index, or in some cases a seemingly random interface. In this scenario, the user wants the traffic to the TFTP server to use a specific source IP address, the tunnel interface IP. Specifying the tunnel interface IP as the source in the SD-WAN rule was not working:
Sniffer traffic:
Taif-FW01 # diagnose sniffer packet any "host 172.17.40.95 and port 22" 4 0 l
In the working scenario, the traffic was going out via a specified source (tunnel interface):
Taif-FW01 # diag sniffer packet any "host 172.17.40.95 and port 22" 4 0 l
The SD-WAN rule was set as below:
The tunnel interface is part of the VPN zone and the source is specified as tunnel interface IP.
If a default route is used for the VPN zone, the traffic is sent out via a random WAN link (SD-WAN rules are matched from top to bottom). In this case, if the VPN zone has a default route, the SD-WAN rule should have the source set to all in order to send the traffic out via the tunnel interface. Alternatively, if the traffic must leave via the tunnel interface (or any other specific source), there should be no default route via the VPN zone:
As described above, if a specific route (instead of a default route) is defined via the VPN zone, the traffic always leaves via the tunnel interface IP, regardless of the source configured in the SD-WAN rule (specific or all).
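The specific-route arrangement described above, written out as FortiOS CLI. This is an added example, not configuration from the original article; the zone name (VPN), the member sequence number, and the address object name (TFTP-server) are assumed, and the route uses the sdwan-zone syntax of FortiOS 7.0 and later.

```fortios
# Address object for the backup server seen in the sniffer filter (172.17.40.95).
config firewall address
    edit "TFTP-server"
        set subnet 172.17.40.95 255.255.255.255
    next
end

# Specific (host) route to the server via the SD-WAN zone that contains the
# tunnel member, instead of a default route via that zone. Zone name "VPN"
# is assumed.
config router static
    edit 0
        set dst 172.17.40.95 255.255.255.255
        set sdwan-zone "VPN"
    next
end

# SD-WAN rule steering traffic to the server through the tunnel member.
# With the specific route in place, the source (all or the tunnel IP) no
# longer changes which interface the local-out traffic leaves from.
# Member sequence number 3 is assumed.
config system sdwan
    config service
        edit 1
            set name "backup-to-TFTP"
            set mode manual
            set dst "TFTP-server"
            set src "all"
            set priority-members 3
        next
    end
end
```

Re-run the sniffer command from the article after applying the change to confirm the packets now carry the tunnel interface IP as source.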
Note: In 7.4.x, a new feature was added that allows a specific source IP to be set in the SD-WAN rule or static route:
Copyright 2024 Fortinet, Inc. All Rights Reserved.