FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the behavior of the SD-WANrules configured in manual mode when the performance sla for the interface is failing.
If all health-check are indicating that an interface is dead, even if it is used in the manual mode, this SD-WAN rule will be void.
# config system sdwan set status enable config zone edit "virtual-wan-link" next end
# config members edit 1 set interface "port9" set gateway 10.109.31.254 next end
# config health-check edit "sla" set server "18.104.22.168" set update-static-route disable set members 1 next end
# config service edit 1 set name "rule" set dst "22.214.171.124/32" set priority-members 1 next end end
When the SLA is failing the interface is marked as dead.
FortiGate-1000D # di sys sdwan health-check Health Check(sla): Seq(1 port9): state(dead), packet-loss(45.000%) sla_map=0x0
The rule is disabled:
FortiGate-1000D # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual) Service disabled caused by no outgoing path. <----- Members(1): 1: Seq_num(1 port9), dead Dst address(1): 126.96.36.199-188.8.131.52
To avoid this behavior in case the configured SLA is used in different rule and to have the manual rule to be matched, it is possible to configure a SLA which will monitor different server and will still be up.
This behaviour can cause issues when there are multiple rules and in some of them SLA is configured.
But it is also necessary to have rules in manual mode which needs to be always matched.Example: in order to tag the traffic.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.