ydong01
Staff
Article Id 230623
Description

This article describes how, when 'set default' and 'set gateway' are disabled in an SD-WAN service, FortiGate performs a FIB lookup based on the destination IP address.

If there is a FIB match and the FIB interface is an SD-WAN member, FortiGate does not search the next SD-WAN service, even if this FIB entry is not the best match.

 

[Screenshot: ydong01_2-1669179591500.png]

Since 7.0.1, there is a change in default behavior (709056): the tie-break fib-best-match option is extended to consider only the best routes.

This works on manual, priority, and SLA SD-WAN service modes.

Scope

FortiGate 7.0.1 and above.

Solution

The members, routes, and FIB are the same in all 3 examples:

Members: [screenshot: ydong01_7-1669180106751.png]

Route: [screenshot: ydong01_8-1669180213518.png]

FIB: [screenshot: ydong01_4-1669179772394.png]

 

1) Only 1 member in the SD-WAN service: because the member has a default route, traffic goes via that member, and FortiGate does not check further SD-WAN services that have a longer match.

Service: [screenshot: ydong01_0-1669179455218.png]

Policy route match: [screenshot: ydong01_5-1669179835264.png]

Packet capture: [screenshot: ydong01_6-1669179880587.png]

 

2) 2 members in the SD-WAN service:

The 1st member has a default route, the 2nd member has a specific route with a longer match, and tie-break fib-best-match is not enabled: the packet goes via the 1st member.

Service: [screenshot: ydong01_9-1669180540192.png]

Policy route match: [screenshot: ydong01_10-1669180841936.png]

Packet capture: [screenshot: ydong01_11-1669180919007.png]

 

3) 2 members in the SD-WAN service:

The 1st member has a default route, the 2nd member has a specific route with a longer match, and tie-break fib-best-match is enabled: the packet goes via the 2nd member.

Service: [screenshot: ydong01_12-1669181102609.png]

Policy route match: [screenshot: ydong01_13-1669181145302.png]

Packet capture: [screenshot: ydong01_14-1669181190930.png]
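The three cases above can be reproduced with a simplified model of the lookup. This is an added example, not FortiOS code or part of the original article. The FIB entries, destination, interface names (port1, port2), service names and the `tie_break` key are constructed for illustration, and the destination is assumed to already match each service's destination setting.

```python
import ipaddress

# Constructed FIB (prefix, egress interface); not taken from the article's screenshots.
FIB = [("0.0.0.0/0", "port1"), ("10.20.0.0/16", "port2")]
DST = "10.20.1.1"  # constructed destination, covered by both routes

def best_prefix(fib, iface, dst):
    """Longest prefix length among FIB routes via iface that cover dst, else None."""
    addr = ipaddress.ip_address(dst)
    lens = [ipaddress.ip_network(p).prefixlen for p, i in fib
            if i == iface and addr in ipaddress.ip_network(p)]
    return max(lens) if lens else None

def select_member(service, fib, dst):
    """Return the member chosen inside one service, or None if no member has a FIB match."""
    matched = [(m, best_prefix(fib, m, dst)) for m in service["members"]]
    matched = [(m, plen) for m, plen in matched if plen is not None]
    if not matched:
        return None
    if service.get("tie_break") == "fib-best-match":
        # Keep only members whose route is the best (longest) match.
        longest = max(plen for _, plen in matched)
        matched = [(m, plen) for m, plen in matched if plen == longest]
    return matched[0][0]  # first remaining member in configured order

def route(services, fib, dst):
    """Walk services in order; stop at the first one with a FIB-matched member."""
    for svc in services:
        member = select_member(svc, fib, dst)
        if member is not None:
            return svc["name"], member
    return None, None

# The article's three cases, with hypothetical service and interface names.
CASE1 = [{"name": "svc1", "members": ["port1"]},
         {"name": "svc2", "members": ["port2"]}]
CASE2 = [{"name": "svc1", "members": ["port1", "port2"]}]
CASE3 = [{"name": "svc1", "members": ["port1", "port2"],
          "tie_break": "fib-best-match"}]

if __name__ == "__main__":
    for label, case in (("1", CASE1), ("2", CASE2), ("3", CASE3)):
        print(f"case {label}: {route(case, FIB, DST)}")
```

In case 1 the second service is never evaluated, which is why a rule ordered after a default-route member cannot be relied on to steer the more specific destination.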

 

Related document:

https://docs.fortinet.com/document/fortigate/7.0.1/fortios-release-notes/230510/changes-in-default-b...
