FortiGate
rmreddy
Staff
Article Id 422625
Description This article describes how FortiGate management traffic (traffic the FortiGate originates itself, for example its connection to FortiManager) is routed when several active routes to the destination exist over different interfaces.
Scope FortiGate.
Solution
  • It is common for a destination network to have active routes over several interfaces at once (for example equal-cost routes over multiple VPN tunnels). In that situation, management traffic is not steered to a particular interface even if a policy route or SD-WAN rule has been configured for it.
  • Management traffic does not match policy routes, SD-WAN rules, or firewall policies; those apply to traffic passing through the FortiGate, not to traffic the FortiGate itself originates. The egress interface for management traffic is chosen only from the active routes in the kernel routing table.

Example:

The 192.168.1.0/24 network is reachable over three active routes, one per tunnel interface: spoke 1, spoke 2 and spoke 3. FortiManager (192.168.1.4) sits in that network, and the requirement is that traffic to FortiManager always leaves through the spoke 3 tunnel.


  • Because the routes over spoke 1, spoke 2 and spoke 3 are all active with equal cost, the kernel load-balances (ECMP) across them: management traffic to 192.168.1.4 may leave on any of the three tunnels, even though a policy route pointing to spoke 3 is configured.
  • To resolve this, create a static route for the host 192.168.1.4/32 with the spoke 3 tunnel interface as the device. Longest-prefix match means the /32 route is always preferred over the /24 routes, so FortiManager traffic is always sent through spoke 3 as long as that route is active. If the spoke 3 tunnel goes down, the /32 route is removed from the routing table and the traffic falls back to the remaining /24 routes.
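
The host route and the verification steps described above, as an added example that is not part of the original article. The tunnel interface name spoke3 and the route comment are assumptions; substitute the interface name used on the FortiGate.

```fortios
# Host route for FortiManager (192.168.1.4) via the spoke 3 tunnel.
# "spoke3" is an assumed interface name; use the actual tunnel interface.
# "edit 0" assigns the next free sequence number.
config router static
    edit 0
        set dst 192.168.1.4 255.255.255.255
        set device "spoke3"
        set comment "Pin FortiManager traffic to spoke 3"
    next
end

# Verify that the /32 host route is active and is the route selected
# for 192.168.1.4. The details output should show a single entry via
# spoke3 rather than the equal-cost /24 entries.
get router info routing-table details 192.168.1.4

# Confirm on the wire that packets to FortiManager now egress on spoke3.
# Verbosity 4 prints the interface name for every captured packet.
diagnose sniffer packet any "host 192.168.1.4" 4 0 a
```

While the spoke 3 tunnel is up, the sniffer output should show every packet to 192.168.1.4 on spoke3. If packets still appear on spoke1 or spoke2, recheck that the /32 route is present in the routing table (see the tip on identifying inactive routes below) and that the device name matches the tunnel interface exactly.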

To trace the traffic with the debug flow, follow the instructions in Technical Tip: Debug flow tool

To identify active and inactive routes in the firewall, follow the instructions in Technical Tip: How to identify inactive routes in the Routing Table