FortiGate
ssanga
Staff & Editor
Article Id 359220
Description: This article addresses an issue where certain websites become slow or inaccessible when SD-WAN load balancing is configured in the SD-WAN Rules and Application Control is enabled with the action set to 'Allow'.
Scope: FortiGate v7.4.4.
Solution
When SD-WAN Rules are configured with load balancing and Application Control is enabled in the firewall policy with the category action set to 'Allow', access to certain websites can become slow or inaccessible. 
 
This issue typically occurs when SD-WAN Rules utilize load balancing with multiple WAN interfaces.
 
Sample config:
 
config system sdwan
.
    config service
        edit 2
            set name "Test"
            set load-balance enable
            set dst "all"
            set src "all"
            set priority-members 4 1
        next
    end
end
 
config firewall policy
    edit 1
        set name "Test"
        set srcintf "port4"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "Corp_Users"  
        set logtraffic all
        set nat enable
    next
end
 
In the debug flow output, the traffic initially exits through port7, but after some time the same session is redirected through port1.
 
This unexpected change of egress interface is caused by the load-balancing setting in the SD-WAN rule. Once the session is re-steered to port1 it receives a different SNAT IP from that interface's IP pool (10.47.0.49 instead of 10.47.16.49), and the strict dirty-session check drops the existing session on the mismatch:
 
id=65308 trace_id=276 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 10.80.3.234:54541->216.58.200.14:443) tun_id=0.0.0.0 from mgmt. flag [S], seq 2624144258, ack 0, win 64240"
id=65308 trace_id=276 func=init_ip_session_common line=6063 msg="allocate a new session-001e91a0"
id=65308 trace_id=276 func=iprope_dnat_check line=5474 msg="in-[mgmt], out-[]"
id=65308 trace_id=276 func=rpdb_srv_match_input line=1158 msg="Match policy routing id=2131492936: to 216.58.200.14 via ifindex-15"
id=65308 trace_id=276 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-10.47.31.254 via port7"
id=65308 trace_id=276 func=__iprope_fwd_check line=807 msg="in-[mgmt], out-[port7], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=276 func=get_new_addr line=1265 msg="find SNAT: IP-10.47.16.49(from IPPOOL), port-54541"
id=65308 trace_id=276 func=iprope_reverse_dnat_check line=1344 msg="in-[mgmt], out-[port7], skb_flags-02000000, vid-0"
id=65308 trace_id=276 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=276 func=fw_forward_handler line=987 msg="Allowed by Policy-6: SNAT"
.
.
id=65308 trace_id=286 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 10.80.3.234:54541->216.58.200.14:443) tun_id=0.0.0.0 from mgmt. flag [.], seq 2624144447, ack 4210438876, win 1025"
id=65308 trace_id=286 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-001e91a0, original direction"
id=65308 trace_id=286 func=rpdb_srv_match_input line=1158 msg="Match policy routing id=2131492936: to 216.58.200.14 via ifindex-9"
id=65308 trace_id=286 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-10.47.15.254 via port1"
id=65308 trace_id=286 func=__iprope_fwd_check line=807 msg="in-[mgmt], out-[port1], skb_flags-02000000, vid-0, app_id: 31077, url_cat_id: 0"
id=65308 trace_id=286 func=get_new_addr line=1265 msg="find SNAT: IP-10.47.0.49(from IPPOOL), port-54541"
id=65308 trace_id=286 func=iprope_reverse_dnat_check line=1344 msg="in-[mgmt], out-[port1], skb_flags-02000000, vid-0"
id=65308 trace_id=286 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=286 func=fw_strict_dirty_session_check line=296 msg="SNAT IP 10.47.16.49 != 10.47.0.49, drop"
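To spot this condition in a longer `diagnose debug flow` capture, the following added script (not from the article or Fortinet) correlates traces by session id and reports any session whose egress interface changed between traces and which was then dropped by fw_strict_dirty_session_check with an SNAT mismatch. The embedded log is a constructed excerpt of the article's two traces, trimmed to the session, route and verdict lines the checker needs.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the two debug-flow excerpts above
# (session allocation/lookup, route and verdict lines only).
SAMPLE_LOG = """\
id=65308 trace_id=276 func=init_ip_session_common line=6063 msg="allocate a new session-001e91a0"
id=65308 trace_id=276 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-10.47.31.254 via port7"
id=65308 trace_id=276 func=get_new_addr line=1265 msg="find SNAT: IP-10.47.16.49(from IPPOOL), port-54541"
id=65308 trace_id=276 func=fw_forward_handler line=987 msg="Allowed by Policy-6: SNAT"
id=65308 trace_id=286 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-001e91a0, original direction"
id=65308 trace_id=286 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-10.47.15.254 via port1"
id=65308 trace_id=286 func=get_new_addr line=1265 msg="find SNAT: IP-10.47.0.49(from IPPOOL), port-54541"
id=65308 trace_id=286 func=fw_strict_dirty_session_check line=296 msg="SNAT IP 10.47.16.49 != 10.47.0.49, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
SESSION_RE = re.compile(r'new session-([0-9a-f]+)|existing session, id-([0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)$')
DROP_RE = re.compile(r'SNAT IP ([\d.]+) != ([\d.]+), drop')
VERDICT_FUNCS = ("fw_forward_handler", "fw_strict_dirty_session_check")

def find_reroute_drops(log_text):
    """Return one finding per session dropped by the strict dirty-session check
    after its egress interface changed from an earlier trace of the same session."""
    open_traces = {}               # trace_id -> partial record of the trace in progress
    history = defaultdict(list)    # session id -> records of completed traces
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        rec = open_traces.setdefault(tid, {"trace": tid})
        if s := SESSION_RE.search(msg):
            rec["session"] = s.group(1) or s.group(2)
        if r := ROUTE_RE.search(msg):
            rec["iface"] = r.group(1)
        if (d := DROP_RE.search(msg)) and "session" in rec:
            # same session seen earlier leaving through a different interface?
            earlier = [h for h in history[rec["session"]] if h.get("iface") != rec.get("iface")]
            if earlier:
                findings.append({"session": rec["session"],
                                 "first_trace": earlier[0]["trace"], "first_iface": earlier[0]["iface"],
                                 "first_snat": d.group(1), "drop_trace": tid,
                                 "new_iface": rec.get("iface"), "new_snat": d.group(2)})
        if func in VERDICT_FUNCS:  # the verdict line closes the trace
            history[rec.get("session")].append(open_traces.pop(tid))
    return findings

if __name__ == "__main__":
    for f in find_reroute_drops(SAMPLE_LOG):
        print(f"session {f['session']}: trace {f['first_trace']} left via {f['first_iface']} (SNAT {f['first_snat']}), "
              f"trace {f['drop_trace']} re-routed via {f['new_iface']} (SNAT {f['new_snat']}) and was dropped")
```

Run it against a full capture to list every session hit by the re-steer; a finding that names two WAN ports with two different pool addresses is the signature described in this article.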
 
This issue has been resolved in FortiOS v7.4.8 and v7.6.1 (both versions available on the Fortinet Support Portal).
 
Workaround (any one of the following):
  • Modify the category Action from 'Allow' to 'Monitor'.
  • Disable Application Control in the firewall policy.
  • Configure the SD-WAN Rule with a single WAN interface.