FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ppardeshi
Staff
Staff
Article Id 215157

Description

 

This article describes the behaviour of interface-select-method for SDNS traffic when using FortiGuard Anycast servers.

 

Scope

 

FortiGate 

 

Solution

 

Upgrading to 7.0.2 and above.

 

Self-originated or local-out traffic from FortiGate can be manipulated to go out of different WAN interfaces using the interface select method.

 

This behaviour is however different for SDNS traffic when using FortiGuard Anycast Servers.

 

SDNS servers are used to send DNS rating queries when using DNS Filter Security Profile in the firewall policies.

The SDNS traffic when FortiGuard servers are set to Anycast does not follow the SDWAN Rule as shown in the lab below:

 

ppardeshi_0-1655745660491.png

 

According to the topology above, we have WAN1 and WAN2 that are part of the SDWAN Zone. There is a default route pointing towards this SD-WAN Zone.

The traffic coming in from LAN (port3) to the Internet will be load-balanced (i.e. will use either WAN1 or WAN2) according to the Load-Balancing algorithm defined in the Implicit SD-WAN Rule.

 

There is a SDWAN Rule (FortiGuard_ISDB) which forces the traffic to leave out the WAN1 interface for all Fortinet ISDBs.

The interface-select-method under # config system fortiguard, is set to SD-WAN. 

 

SD-WAN Rule:

 

ppardeshi_2-1655747599897.png

 

FortiGuard Configuration:

 

# config system fortiguard

set fortiguard-anycast enable
set interface-select-method sdwan

end

 

SDNS server when using FortiGuard Anycast servers:

 

FortiGate # diagnose test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=Fortinet_Factory
dns64 is disabled
dns-server:208.91.112.53:53 tz=0 tls=0 req=4 to=0 res=4 rt=3 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:208.91.112.52:53 tz=0 tls=0 req=1 to=0 res=1 rt=2 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:173.243.140.53:853 tz=-420 tls=2 req=0 to=0 res=0 rt=12 ready=1 timer=0 probe=0 failure=0 last_failed=0

Interface selecting method: sdwan
Specified interface:
FortiGuard interface selecting method: sdwan
FortiGuard specified interface:
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=10 udp_c=23:24 ha_c=28 unix_s=11, unix_nb_s=29, unix_nc_s=12
v6_udp_s=9, v6_udp_c=26:27, snmp=30, redir=19, v6_redir=20
DNS FD: tcp_s=13, tcp_s6=14, redir=31 v6_redir=32
FGD_DNS_SERVICE_LICENSE:
server=173.243.140.53:853, expiry=2023-02-19, expired=0, type=2
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=c587, tz=-420, error_allow=0
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2620:101:9000:53::55]

 

Packet captures show the traffic leaving out of WAN2 (port2), but as per the configured SDWAN rule, the SDNS Rating traffic should go via WAN1 (port1):

 

FortiGate # diagnose sniffer packet any 'host 173.243.140.53' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 173.243.140.53]
2022-06-20 10:57:40.487497 port2 out 192.168.0.105.1864 -> 173.243.140.53.853: syn 4150567368
2022-06-20 10:57:40.512357 port2 in 173.243.140.53.853 -> 192.168.0.105.1864: syn 9935185 ack 4150567369
2022-06-20 10:57:40.512405 port2 out 192.168.0.105.1864 -> 173.243.140.53.853: ack 9935186
2022-06-20 10:57:40.512648 port2 out 192.168.0.105.1864 -> 173.243.140.53.853: psh 4150567369 ack 9935186
2022-06-20 10:57:40.536883 port2 in 173.243.140.53.853 -> 192.168.0.105.1864: ack 4150567784
2022-06-20 10:57:40.537541 port2 in 173.243.140.53.853 -> 192.168.0.105.1864: 9935186 ack 4150567784
2022-06-20 10:57:40.537556 port2 out 192.168.0.105.1864 -> 173.243.140.53.853: ack 9936606
2022-06-20 10:57:40.537578 port2 in 173.243.140.53.853 -> 192.168.0.105.1864: 9936606 ack 4150567784
2022-06-20 10:57:40.537582 port2 out 192.168.0.105.1864 -> 173.243.140.53.853: ack 9938026
2022-06-20 10:57:40.537722 port2 in 173.243.140.53.853 -> 192.168.0.105.1864: psh 9938026 ack 4150567784
2022-06-20 10:57:40.537730 port2 out 192.168.0.105.1864 -> 173.243.140.53.853: ack 9939282
2022-06-20 10:57:40.562034 port2 in 173.243.140.53.853 -> 192.168.0.105.1864: psh 9939282 ack 4150567784

 

The above behaviour does not appear when we disable Anycast and use FortiGuard Unicast servers under the FortiGuard setting, as seen below:

 

FortiGuard Configuration when Anycast-disabled:

 

# config system fortiguard

set fortiguard-anycast disable
set protocol udp
set port 8888
set update-server-location usa
set sdns-server-ip "208.91.112.220"
set interface-select-method sdwan

end

 

SDNS server when using FortiGuard Unicast servers:

 

FortiGate # diagnose test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=Fortinet_Factory
dns64 is disabled
dns-server:208.91.112.53:53 tz=0 tls=0 req=5 to=0 res=5 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:208.91.112.52:53 tz=0 tls=0 req=3 to=0 res=3 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:208.91.112.220:53 tz=-540 tls=0 req=0 to=0 res=0 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:83.231.212.53:53 tz=60 tls=0 req=0 to=0 res=0 rt=10 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:210.7.96.53:53 tz=540 tls=0 req=0 to=0 res=0 rt=9 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:173.243.138.221:53 tz=-480 tls=0 req=0 to=0 res=0 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:194.69.172.53:53 tz=0 tls=0 req=0 to=0 res=0 rt=9 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:208.184.237.71:53 tz=-480 tls=0 req=0 to=0 res=0 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:154.52.12.53:53 tz=480 tls=0 req=0 to=0 res=0 rt=11 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:154.52.26.53:53 tz=-300 tls=0 req=0 to=0 res=0 rt=4 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:149.5.232.53:53 tz=60 tls=0 req=0 to=0 res=0 rt=10 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:140.174.22.53:53 tz=-300 tls=0 req=0 to=0 res=0 rt=4 ready=1 timer=0 probe=0 failure=0 last_failed=0
Interface selecting method: sdwan
Specified interface:
FortiGuard interface selecting method: sdwan
FortiGuard specified interface:
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=10 udp_c=23:24 ha_c=28 unix_s=11, unix_nb_s=29, unix_nc_s=12
v6_udp_s=9, v6_udp_c=26:27, snmp=30, redir=19, v6_redir=20
DNS FD: tcp_s=13, tcp_s6=14, redir=31 v6_redir=32
FGD_DNS_SERVICE_LICENSE:
server=208.91.112.220:53, expiry=2023-02-19, expired=0, type=2
server=83.231.212.53:53, expiry=2023-02-19, expired=0, type=2
server=210.7.96.53:53, expiry=2023-02-19, expired=0, type=2
server=173.243.138.221:53, expiry=2023-02-19, expired=0, type=2
server=194.69.172.53:53, expiry=2023-02-19, expired=0, type=2
server=208.184.237.71:53, expiry=2023-02-19, expired=0, type=2
server=154.52.12.53:53, expiry=2023-02-19, expired=0, type=2
server=154.52.26.53:53, expiry=2023-02-19, expired=0, type=2
server=149.5.232.53:53, expiry=2023-02-19, expired=0, type=2
server=140.174.22.53:53, expiry=2023-02-19, expired=0, type=2
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=c587, tz=-420, error_allow=0
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2620:101:9000:53::55]

 

Packet captures show the traffic leaving out of WAN1 (port1) now, following the correct SD-WAN Rule and honouring the interface-select-method SD-WAN, setting.

 

FortiGate # diagnose sniffer packet any 'host 208.91.112.220 or host 83.231.212.53 or host 210.7.96.53 or host 173.243.138.221 or host 194.69.172.53 or host 208.184.237.71 or host 154.52.12.53 or host 154.52.26.53 or host 149.5.232.53 or host 140.174.22.53' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 208.91.112.220 or host 83.231.212.53 or host 210.7.96.53 or host 173.243.138.221 or host 194.69.172.53 or host 208.184.237.71 or host 154.52.12.53 or host 154.52.26.53 or host 149.5.232.53 or host 140.174.22.53]
2022-06-20 11:10:46.195952 port1 out 192.168.241.132.3407 -> 173.243.138.221.53: udp 133
2022-06-20 11:10:46.199899 port1 in 173.243.138.221.53 -> 192.168.241.132.3407: udp 106
2022-06-20 11:10:50.404059 port1 out 192.168.241.132.3407 -> 208.184.237.71.53: udp 125
2022-06-20 11:10:50.433916 port1 in 208.184.237.71.53 -> 192.168.241.132.3407: udp 98
2022-06-20 11:10:50.577205 port1 out 192.168.241.132.3407 -> 173.243.138.221.53: udp 139
2022-06-20 11:10:50.581158 port1 in 173.243.138.221.53 -> 192.168.241.132.3407: udp 112
2022-06-20 11:10:50.709597 port1 out 192.168.241.132.3407 -> 208.184.237.71.53: udp 132
2022-06-20 11:10:50.739109 port1 out 192.168.241.132.3407 -> 173.243.138.221.53: udp 132
2022-06-20 11:10:50.739970 port1 in 208.184.237.71.53 -> 192.168.241.132.3407: udp 105
2022-06-20 11:10:50.742863 port1 in 173.243.138.221.53 -> 192.168.241.132.3407: udp 105
2022-06-20 11:10:51.396866 port1 out 192.168.241.132.3407 -> 208.184.237.71.53: udp 140
2022-06-20 11:10:51.425867 port1 out 192.168.241.132.3407 -> 173.243.138.221.53: udp 140
2022-06-20 11:10:51.425961 port1 in 208.184.237.71.53 -> 192.168.241.132.3407: udp 113
2022-06-20 11:10:51.428706 port1 in 173.243.138.221.53 -> 192.168.241.132.3407: udp 113
2022-06-20 11:10:51.534901 port1 out 192.168.241.132.3407 -> 208.184.237.71.53: udp 130

 

Thus, when the FortiGuard is set to use Anycast Servers, SDWAN rules are not followed by SDNS servers. And when the FortiGuard setting is set to not use Anycast Servers (unicast FortiGuard servers), SDWAN rules are followed and honoured.

 

This behaviour is fixed in FortiOS firmware 7.0.2 and above, where when the FortiGuard is set to use Anycast servers, the traffic follows the SD-WAN Rule as it should. 

 

Below are the test results on FortiOS firmware 7.0.2, where the issue is fixed.

For the test, the firewall policy was changed from Flow-based Inspection to Proxy-Based Inspection on 7.0.2 because of a feature change starting in 7.0, where the IPS engine handles the DNS filter in flow mode policies and queries the FortiGuard web filter server for FortiGuard categories.

In proxy mode, the DNS proxy daemon handles the DNS filter and queries the FortiGuard SDNS server for FortiGuard categories. 

 

The document explaining the feature change: 

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/739623/dns-filter-handled-by-ips-eng...

 

FortiGate # get system status
Version: FortiGate-VM64-KVM v7.0.2,build0234,211019 (GA)
Virus-DB: 90.03431(2022-06-20 09:20)
Extended DB: 90.03431(2022-06-20 09:19)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 21.00338(2022-06-14 00:30)
APP-DB: 21.00338(2022-06-14 00:30)
INDUSTRIAL-DB: 21.00338(2022-06-14 00:30)
IPS Malicious URL Database: 4.00386(2022-06-19 22:09)
Serial-Number: FGVM08TM123456
License Status: Valid
License Expiration Date: 2023-02-18
VM Resources: 1 CPU/8 allowed, 2007 MB RAM
Log hard disk: Not available
Hostname: FortiGate
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 0234
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Jun 20 11:21:36 2022
Last reboot reason: warm reboot

 

FortiGuard Configuration when Anycast enabled:

 

# config system fortiguard

set update-server-location usa
set interface-select-method sdwan

end

 

SDNS server when using FortiGuard Anycast servers:

 

FortiGate # diagnose test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is primary, vdom dns is enabled, pip-169.254.0.1 dns_log=1 cert=Fortinet_Factory
dns64 is disabled
DNS servers:
208.91.112.53:53 vrf=0 tz=0 encrypt=none req=6 to=0 res=6 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
208.91.112.52:53 vrf=0 tz=0 encrypt=none req=1 to=0 res=1 rt=6 ready=1 timer=0 probe=0 failure=0 last_failed=0
SDNS servers:
173.243.140.53:853 vrf=0 tz=-420 encrypt=dot req=0 to=0 res=0 rt=14 ready=1 timer=0 probe=0 failure=0 last_failed=0
ALT servers:
Interface selecting method: sdwan
Specified interface:
FortiGuard interface selecting method: sdwan
FortiGuard specified interface:
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=10 udp_c=21:22 ha_c=26 unix_s=11, unix_nb_s=27, unix_nc_s=12
v6_udp_s=9, v6_udp_c=24:25, snmp=28, redir=17, v6_redir=18
DNS FD: tcp_s=13, tcp_s6=14, redir=30 v6_redir=31
DNS UNIX FD: dnsproxy_un=32
FGD_DNS_SERVICE_LICENSE:
server=173.243.140.53:853, expiry=2023-02-19, expired=0, type=2
FGD_CATEGORY_VERSION:9
SERVER_LDB: gid=56b8, tz=-420, error_allow=0
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2620:101:9000:53::55]

 

Packet captures show the traffic leaving out of WAN1 (port1), following the correct SD-WAN Rule and honouring the interface-select-method SD-WAN, setting.

 

FortiGate # diagnose sniffer packet any 'host 173.243.140.53' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 173.243.140.53]
2022-06-20 13:36:43.369510 port1 out 192.168.241.132.12875 -> 173.243.140.53.853: syn 3190359246
2022-06-20 13:36:43.395577 port1 in 173.243.140.53.853 -> 192.168.241.132.12875: syn 129455987 ack 3190359247
2022-06-20 13:36:43.395600 port1 out 192.168.241.132.12875 -> 173.243.140.53.853: ack 129455988
2022-06-20 13:36:43.395737 port1 out 192.168.241.132.12875 -> 173.243.140.53.853: psh 3190359247 ack 129455988
2022-06-20 13:36:43.395943 port1 in 173.243.140.53.853 -> 192.168.241.132.12875: ack 3190359662
2022-06-20 13:36:43.422221 port1 in 173.243.140.53.853 -> 192.168.241.132.12875: 129455988 ack 3190359662
2022-06-20 13:36:43.422241 port1 out 192.168.241.132.12875 -> 173.243.140.53.853: ack 129457448
2022-06-20 13:36:43.422258 port1 in 173.243.140.53.853 -> 192.168.241.132.12875: 129457448 ack 3190359662
2022-06-20 13:36:43.422262 port1 out 192.168.241.132.12875 -> 173.243.140.53.853: ack 129458908
2022-06-20 13:36:43.422263 port1 in 173.243.140.53.853 -> 192.168.241.132.12875: psh 129458908 ack 3190359662
2022-06-20 13:36:43.422266 port1 out 192.168.241.132.12875 -> 173.243.140.53.853: ack 129460084
2022-06-20 13:36:43.499822 port1 in 173.243.140.53.853 -> 192.168.241.132.12875: psh 129460084 ack 3190359662
2022-06-20 13:36:43.499848 port1 out 192.168.241.132.12875 -> 173.243.140.53.853: ack 129461243

 

More details on how to configure it for different services are given in the following KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Functionality-of-set-interface-select-meth...

Contributors