FortiGate
ydong01 (Staff)
Article Id 230623
Description

This article describes a change in the behavior of the 'set tie-break fib-best-match' option that has been extended to consider only the best routes.

In SD-WAN service rules, if the 'set default' and 'set gateway' options are disabled, a FIB lookup is performed on the destination IP address. If there is a FIB match and the egress interface is an SD-WAN member, the next SD-WAN service rule is not checked, even if this FIB match is not the best route.

Since v7.0.1 the default behavior has changed: the 'set tie-break fib-best-match' option is extended to consider only the best routes.

This applies to the Manual (manual), Best Quality (priority), and Lowest Cost (SLA) SD-WAN service rule modes.

Scope

FortiGate v7.0.1 and above.

Solution

The SD-WAN members, routing table, and FIB are the same in all three examples:

Members:

[screenshot]

Route:

[screenshot]

FIB:

[screenshot]

One member is in the SD-WAN service rule:

In the example below, two SD-WAN service rules have been configured. Service Rule ID 4 is associated with a single SD-WAN member (Member 1) and uses the tie-break method 'fib-best-match'. Service Rule ID 5 is associated with SD-WAN Member 2 and its gateway, with default settings enabled.

Member 1 (Port 1) has a default route, while Member 2 (Port 2) has a specific route to the destination subnet 8.8.8.8/32, which is the longest-prefix match.

When a user attempts to access the destination IP 8.8.8.8, the firewall evaluates the SD-WAN rules top-down, so SD-WAN Service Rule ID 4 is selected first. This rule has only one member and at least one valid route to the destination via that member, namely the default route (0.0.0.0/0). Consequently, the longest-prefix match criterion does not come into play in this scenario. Only if no valid route existed via SD-WAN Member 1 (Port 1) would the system proceed to evaluate the next SD-WAN rule.

Service:

[screenshot]

Policy route match:

[screenshot]

Packet capture:

[screenshot]

Two members are in the SD-WAN service, without 'set tie-break fib-best-match' configured:

SD-WAN member 1 has a default route, and SD-WAN member 2 has the most specific match in the FIB, the longest prefix 8.8.8.8/32. Packets egress via SD-WAN member 1, because it has a valid route (the default route) and is configured as the priority member.

Service:

[screenshot]

Policy route match:

[screenshot]

Packet capture:

[screenshot]

Two members are in the SD-WAN service, with 'set tie-break fib-best-match' configured:

SD-WAN member 1 is configured as the priority member and has a default route. SD-WAN member 2 has the most specific match in the FIB, the longest prefix 8.8.8.8/32. With 'set tie-break fib-best-match' configured, packets egress via SD-WAN member 2.

Service:

[screenshot]

Policy route match:

[screenshot]

Packet capture:

[screenshot]

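To make the three decisions above concrete, here is an added Python model of the rule walk (not FortiOS code and not from this article). It assumes 'set default' and 'set gateway' are disabled on every rule, so Service Rule ID 5 of the first example is modelled as a plain FIB-lookup rule, and it uses a constructed FIB holding only the article's two routes.

```python
import ipaddress

# Constructed FIB mirroring the article's setup (not taken from its screenshots):
# member 1 (Port 1) has only the default route, member 2 (Port 2) a route to 8.8.8.8/32.
FIB = [("0.0.0.0/0", 1), ("8.8.8.8/32", 2)]  # (prefix, egress SD-WAN member)


def fib_matches(fib, dst, members):
    """(prefix_len, member) for each FIB route covering dst via one of `members`."""
    addr = ipaddress.ip_address(dst)
    out = []
    for prefix, member in fib:
        net = ipaddress.ip_network(prefix)
        if member in members and addr in net:
            out.append((net.prefixlen, member))
    return out


def select_egress(rules, fib, dst):
    """Walk service rules top-down with 'set default' and 'set gateway' disabled,
    so a FIB lookup decides. The first rule with any valid route via one of its
    members wins and later rules are not checked, even if the match is not the
    best route. Inside that rule, priority-members order decides, unless
    tie-break fib-best-match restricts eligibility to the longest-prefix route."""
    for rule in rules:
        matches = fib_matches(fib, dst, rule["members"])
        if not matches:
            continue  # no route via this rule's members: try the next rule
        if rule.get("tie_break") == "fib-best-match":
            best = max(plen for plen, _ in matches)
            matches = [m for m in matches if m[0] == best]
        eligible = {member for _, member in matches}
        for member in rule["members"]:  # priority-members order
            if member in eligible:
                return rule["id"], member
    return None, None


# Example 1: rule 4 = member 1 only with fib-best-match; rule 5 = member 2.
EXAMPLE_1 = [{"id": 4, "members": [1], "tie_break": "fib-best-match"},
             {"id": 5, "members": [2]}]
# Example 2: one rule with both members and no tie-break.
EXAMPLE_2 = [{"id": 1, "members": [1, 2]}]
# Example 3: the same rule with 'set tie-break fib-best-match'.
EXAMPLE_3 = [{"id": 1, "members": [1, 2], "tie_break": "fib-best-match"}]

if __name__ == "__main__":
    for name, rules in (("ex1", EXAMPLE_1), ("ex2", EXAMPLE_2), ("ex3", EXAMPLE_3)):
        print(name, select_egress(rules, FIB, "8.8.8.8"))  # (4, 1), (1, 1), (1, 2)
```

Querying a destination covered only by the default route (for instance 1.1.1.1) under the third rule set shows the "only the best routes" point: member 1 is then the sole holder of the best match and is selected even with fib-best-match set.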
Related document:

Changes in default behavior