Description:
This article describes a change in behavior of the 'set tie-break fib-best-match' option that has been extended to consider only the best routes.
In SD-WAN service rules, if the 'set default' and 'set gateway' options are disabled, a FIB lookup will occur based on the destination IP address. If there is a FIB match, and the interface is an SD-WAN member, the next SD-WAN service rule will not be checked, even if this FIB match is not the best.
Since v7.0.1, there has been a change in default behavior. The 'set tie-break fib-best-match' option is extended to consider only the best routes.
This works on manual, priority, and SLA SD-WAN service modes. |
Scope: FortiGate 7.0.1 and above.
Solution:
The SD-WAN members, the routing table, and the FIB are the same in all three examples:
Members:
Route:
FIB:
One member is in the SD-WAN service rule: Only SD-WAN member 1 is in the SD-WAN service rule, and it has a default route. Traffic will egress SD-WAN member 1. The next SD-WAN service rule will not be checked, even though it contains SD-WAN member 2, which has the best match in the FIB with the longest prefix, 8.8.8.8/32.
Service:
Policy route match:
Packet capture:
Two members are in the SD-WAN service, without 'set tie-break fib-best-match' configured: SD-WAN member 1 has a default route, and SD-WAN member 2 has the most specific match in the FIB with the longest prefix, 8.8.8.8/32. Packets will egress SD-WAN member 1, as it has a valid route (default route) and is configured as the priority member.
Service:
Policy route match:
Packet capture:
Two members are in the SD-WAN service, with 'set tie-break fib-best-match' configured: SD-WAN member 1 is configured as the priority member and has a default route. SD-WAN member 2 has the most specific match in the FIB with the longest prefix, 8.8.8.8/32. Because 'set tie-break fib-best-match' is configured, packets will egress SD-WAN member 2.
Service:
Policy route match:
Packet capture:
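The following FortiOS CLI configuration is an added illustration of the second and third examples above; it is not the article's own CLI output. Interface names (port1, port2), member gateways (192.0.2.1, 198.51.100.1) and the service name are assumed placeholders. Member 1 carries the default route and is listed first in priority-members, member 2 carries the more specific 8.8.8.8/32 route. With the 'set tie-break fib-best-match' line commented out the rule behaves as in the second example (egress on member 1); with it active the rule behaves as in the third example (egress on member 2).

```fortios
# Added example: two SD-WAN members, the second owning the longest-prefix route.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"          # assumed name: SD-WAN member 1
            set gateway 192.0.2.1          # assumed gateway
        next
        edit 2
            set interface "port2"          # assumed name: SD-WAN member 2
            set gateway 198.51.100.1       # assumed gateway
        next
    end
    config service
        edit 1
            set name "dns-out"             # assumed rule name
            set mode priority
            set src "all"
            set dst "all"
            # 'set default disable' and 'set gateway disable' are the defaults,
            # so the rule selects its egress by FIB lookup on the destination.
            set priority-members 1 2       # member 1 is the priority member
            # Second example (no tie-break): member 1 wins because its default
            # route is a valid FIB match and it is listed first.
            # Third example: uncomment the next line so the member holding the
            # best (longest-prefix) FIB match, member 2, wins instead.
            # set tie-break fib-best-match
        next
    end
end

# Routes: a default route via the SD-WAN zone (reachable through member 1)
# and a /32 for 8.8.8.8 pointing at member 2.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
    edit 2
        set dst 8.8.8.8 255.255.255.255
        set gateway 198.51.100.1           # assumed gateway of member 2
        set device "port2"
    next
end
```

After applying either variant, the selected member for the rule can be confirmed with 'diagnose sys sdwan service' and the resulting policy route with 'diagnose firewall proute list', which correspond to the "Policy route match" checks shown for each example above.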
Related document:
Copyright 2025 Fortinet, Inc. All Rights Reserved.