FortiGate
acvaldez (Staff)
Article Id 269717
Description

This article describes how the SD-WAN rule selects the interface to be used when employing the manual interface selection strategy.

Scope

FortiGate.
Solution

In this setup, port1 and port2 are the ISP-facing (WAN) interfaces and port3 is the LAN interface.

port1: 10.47.2.32

port2: 10.47.18.32

Test machine IP: 10.119.3.61

 

Here is the SD-WAN rule setup.

[Screenshot SDWAN IMAGE 1.png: SD-WAN rule setup]

 

In the Manual strategy, FortiGate builds the oif (outgoing interface) list by sorting the configured members in the order in which they appear in the rule's Interface preference list.

Since port1 is listed above port2 in the interface preference, the expected behavior is that the SD-WAN rule, once active, routes the traffic from 10.119.3.61 destined for the internet out of port1.

[Screenshot SDWAN IMAGE 2.png: interface preference with port1 above port2]

 

If instead port2 is placed above port1 in the rule's interface preference, the expected behavior is that port2 is used to NAT the outgoing internet traffic.

[Screenshot SDWAN IMAGE 3.png: interface preference with port2 above port1]

The forward traffic log below shows that port2 is used to translate (source NAT) the traffic going out.

[Screenshot SDWAN IMAGE 4.png: forward traffic log showing port2 as the NAT interface]

 

If port2 goes down, port1 is used to NAT the outgoing traffic even though port2 is ranked above it in the interface preference.

 

To test this, port2 has been disabled.

[Screenshot SDWAN IMAGE 5.png: port2 disabled]

The screenshot below shows that the port1 IP is now used to NAT the outgoing traffic.

[Screenshot SDWAN IMAGE 6.png: forward traffic log showing port1 as the NAT interface]

Additional information:

When zone preference is configured in addition to interface preference, the behavior is as follows: interface preference takes precedence over zone preference. The same ordering logic applies within the zone preference, where the topmost member interface is chosen for NATting the traffic.

 

For example:

  • There are 3 interfaces: port1, port2, and port3.
    • Port2 is in Zone1.
    • Port1 and port3 belong to the default virtual-wan-link zone.
  • An SD-WAN rule is created with Interface preference set to port3 and port1, and Zone preference set to Zone1.

[Screenshot sdwan_article.png: SD-WAN rule with interface preference port3, port1 and zone preference Zone1]

 

The SD-WAN rule prefers the interfaces in the following order:

  1. port3.
  2. port1.
  3. port2.

 

In the Manual strategy, FortiGate does not consider the performance of the members as measured by SD-WAN Health Checks. However, if Health Checks are configured for members included in a Manual-strategy rule, the behavior when those Health Checks fail still needs to be considered. Refer to the following article for that behavior: Technical Tip: SD-WAN Rule in Manual mode and Performance SLA.
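The selection logic described above (interface preference first, then zone preference members, skipping members whose link is down, ignoring health-check SLA results) can be modelled in a few lines. This is an added illustration, not FortiGate code or a FortiOS API; the rule and zone layout are constructed from the example in this article, and the assumption that a member appearing in both lists keeps its first position is the author's, not something the article states.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SdwanRule:
    """Subset of an SD-WAN rule relevant to the Manual strategy (constructed model)."""
    interface_preference: list[str] = field(default_factory=list)  # ordered members
    zone_preference: list[str] = field(default_factory=list)       # ordered zones


def build_oif_list(rule: SdwanRule, zone_members: dict[str, list[str]]) -> list[str]:
    """Return the ordered outgoing-interface (oif) list for a Manual-strategy rule.

    Members under interface preference come first, in configured order, followed
    by the members of each preferred zone in the zone's configured member order.
    A member already present keeps its first position (assumption of this model).
    """
    oif: list[str] = []
    for member in rule.interface_preference:
        if member not in oif:
            oif.append(member)
    for zone in rule.zone_preference:
        for member in zone_members.get(zone, []):
            if member not in oif:
                oif.append(member)
    return oif


def select_egress(rule: SdwanRule, zone_members: dict[str, list[str]],
                  link_up: dict[str, bool]) -> str | None:
    """Pick the first oif member whose link is up, or None if none is usable.

    Health-check SLA state is deliberately not consulted, matching the Manual
    strategy described in the article; only link status removes a member.
    """
    for member in build_oif_list(rule, zone_members):
        if link_up.get(member, False):
            return member
    return None


# Constructed topology from the article's zone example.
ZONES = {"virtual-wan-link": ["port1", "port3"], "Zone1": ["port2"]}
RULE = SdwanRule(interface_preference=["port3", "port1"], zone_preference=["Zone1"])

if __name__ == "__main__":
    up = {"port1": True, "port2": True, "port3": True}
    print(build_oif_list(RULE, ZONES))      # ['port3', 'port1', 'port2']
    print(select_egress(RULE, ZONES, up))   # port3
    up["port3"] = False
    print(select_egress(RULE, ZONES, up))   # port1
```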

 

Related documents:

Fields for configuring WAN intelligence
Traffic selection behavior in SD-WAN when multiple zones and members are configured