Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lboaventura1990
Staff
Staff

Created on ‎08-08-2024 01:34 PM

Article Id 331678

Technical Tip: SD-WAN rule to decide the best link to use for FortiGuard and the System DNS servers

Description This article describes how to create a configuration for FortiGate to decide what is the best (based on SLA targets) SD-WAN member to be used by FortiGuard and Default DNS Systems.
Scope FortiGate.
Solution
  • Configure the system DNS to use 'interface-select-method sdwan'.


config system dns

    set primary 96.45.45.45

    set secondary 96.45.46.46

    set interface-select-method sdwan

end

  • Edit the SLA performance object Default_DNS, adding the SD-WAN members.

image_1.png
Note: the option 'Update Static Route' is optional, for more information about this option, check the documentation: 

Technical Note: Routing Change and Session Fail-over with SD-WAN

 

  • Create the SD-WAN rule using the Fortinet ISDBs as a destination.
  • In Outgoing Interfaces select the 'Best Quality' option, select the SD-WAN member used on the SLA performance object.
  • In Zone preference, select the zone's SD-WAN members.
  • In the Quality criteria option, select the Latency.

    image_2.png
    image_3.png

FortiGate # diagnose sys sdwan service 1

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Default_DNS)
Members(2):
1: Seq_num(1 wan-a), alive, latency: 132.625, selected
2: Seq_num(3 wan-b), alive, latency: 123.146, selected
Internet Service(3): Fortinet-DNS(1245187,0,0,0) Fortinet-FortiGuard(1245324,0,0,0) Fortinet-FortiGuard.Secure.DNS(1245454,0,0,0)
Src address(1):
0.0.0.0-255.255.255.255

When the values of the SD-WAN health check exceed the predefined values, the SD-WAN will send the packets to the best link.

FortiGate # diagnose sys sdwan health-check
Health Check(Default_DNS):
Seq(1 wan-a): state(alive), packet-loss(0.000%) latency(334.956), jitter(4.992), bandwidth-up(9999999), bandwidth-dw(9999997), bandwidth-bi(19999996) sla_map=0x0
Seq(3 wan-b:( state(alive), packet-loss(0.000%) latency(124.233), jitter(3.675), bandwidth-up(9999999), bandwidth-dw(9999997), bandwidth-bi(19999996) sla_map=0x1

FortiGate # diagnose firewall proute list
list route policy info(vf=root):

id=2134048769(0x7f330001) vwl_service=1(FortiGuard_DNS) vwl_mbr_seq=3 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(2) oif=12(wan-b) oif=11(wan-a)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(3): Fortinet-DNS(1245187,0,0,0) Fortinet-FortiGuard(1245324,0,0,0) Fortinet-FortiGuard.Secure.DNS(1245454,0,0,0)
hit_count=132 last_used=2024-08-08 14:56:33

 

FortiGate # diagnose ip address list | grep index=12
IP=100.77.1.14->100.77.1.14/255.255.255.252 index=12 devname=wan-b
813
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.