Description
Scope
FortiGate v6.2.4 and later.
Solution
As of v6.2.4, the interface-select-method CLI option was added to several configuration sections on the FortiGate that control self-originating traffic, such as DNS, FortiGuard, RADIUS, LDAP, TACACS+, and Central Management (i.e. FortiManager/FortiGate Cloud). Note that this setting is configured per traffic type and is not available as a global command: it cannot be set once and applied to all traffic, but must be set under each CLI section where it is needed.
Consider the FortiGuard section as an example:
config system fortiguard
set interface-select-method {auto|sdwan|specify}
end
Under 'set interface-select-method', there are three options available:
auto: (default) self-originating traffic follows the FortiGate routing table; when SD-WAN is enabled, this means the implicit SD-WAN rule applies.
For example, if the implicit SD-WAN rule is configured with 'set load-balance-mode usage-based' (aka the Spillover method), then this self-originated FortiGuard traffic will use the first SD-WAN member and keep forwarding traffic over it until its bandwidth reaches the spillover limit (see also: Implicit rule).
config system virtual-wan-link
set status enable
set load-balance-mode usage-based <----- Spillover method.
end
(In v7.0 and later this section is named 'config system sdwan'; the load-balance-mode setting is the same.)
sdwan: self-originating traffic follows user-defined SD-WAN rules.
For example, if a manual SD-WAN rule exists to send FortiGuard traffic out via WAN2 and 'set interface-select-method sdwan' is configured, then the FortiGate will send the traffic via WAN2 rather than potentially load-balancing it via the implicit SD-WAN rule.
specify: self-originating traffic will only ever be transmitted via the single interface named with 'set interface'.
Important Note:
The FortiGate must have a route in the routing table/FIB, via the specified interface, for the destinations associated with this self-originating traffic (e.g. if DMZ is the specified interface to reach RADIUS server 10.0.0.1, then the FortiGate must have a valid route to 10.0.0.1 via the DMZ interface). If no such route exists, the FortiGate will not send the traffic to the destination at all. Any valid route via that interface whose prefix covers the destination will suffice; it does not need to be the most specific (best) route in the table.
After configuring 'set interface-select-method specify', the interface option is available for specifying a single outgoing interface to use for this set of traffic:
config system fortiguard
set interface-select-method specify
set interface "wan1"
end
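As an added example (not part of the original article and not Fortinet code), the following Python script parses a constructed FortiOS configuration backup excerpt and checks every entry that uses 'set interface-select-method specify' against the route requirement in the Important Note above. The section names, interface names and addresses in SAMPLE_CONFIG are assumptions for illustration; the script models only IPv4 connected and static routes, and servers given as hostnames are skipped. It goes slightly beyond the RADIUS case in the text by walking every configuration section that carries the option, which is also a quick way to inventory where it is set in a given backup.

```python
"""Audit 'interface-select-method specify' entries in a FortiOS config backup.

Added example for this article, not Fortinet code. It checks the rule from the
Important Note above: some route (connected or static) on the pinned interface
must cover the server address, and it need not be the most specific route.
Only IPv4 connected and static routes are modelled; servers given as hostnames
are skipped (resolve them first). SAMPLE_CONFIG is a constructed excerpt.
"""
import ipaddress
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "dmz"
        set ip 10.0.0.254 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set dst 172.16.0.0 255.255.0.0
        set gateway 10.0.0.1
        set device "dmz"
    next
end
config user radius
    edit "radius-dmz"
        set server "10.0.0.1"
        set interface-select-method specify
        set interface "dmz"
    next
    edit "radius-remote"
        set server "172.16.5.10"
        set interface-select-method specify
        set interface "wan2"
    next
end
config user tacacs+
    edit "tacacs-wan1"
        set server "172.16.5.10"
        set interface-select-method specify
        set interface "wan1"
    next
end
"""

def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}; table-less sections use ''."""
    tree, stack = {}, []  # stack of (section_path, current_entry)
    for tok in map(shlex.split, text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            # Nested blocks are keyed 'outer section/entry/inner section'.
            prefix = [p for p in stack[-1] if p] if stack else []
            path = "/".join(prefix + [" ".join(tok[1:])])
            stack.append((path, ""))
            tree.setdefault(path, {})
        elif tok[0] in ("edit", "next"):
            stack[-1] = (stack[-1][0], tok[1] if tok[0] == "edit" else "")
        elif tok[0] == "end":
            stack.pop()
        elif tok[0] == "set":
            path, entry = stack[-1]
            tree[path].setdefault(entry, {})[tok[1]] = tok[2:]
    return tree

def build_routes(tree):
    """Model the FIB as [(network, device)] from connected and static routes."""
    routes = [(ipaddress.IPv4Interface("/".join(i["ip"])).network, name)
              for name, i in tree.get("system interface", {}).items() if "ip" in i]
    for route in tree.get("router static", {}).values():
        dst = route.get("dst", ["0.0.0.0", "0.0.0.0"])  # no 'set dst' = default route
        routes.append((ipaddress.IPv4Network("/".join(dst), strict=False),
                       route.get("device", [""])[0]))
    return routes

def audit_specify(tree, routes):
    """Check every 'specify' entry; returns [(section, entry, server, ok, reason)]."""
    findings = []
    for section, entries in tree.items():
        for entry, cfg in entries.items():
            if cfg.get("interface-select-method") != ["specify"]:
                continue
            iface = cfg.get("interface", [""])[0]
            for server in cfg.get("server", []):
                try:
                    addr = ipaddress.IPv4Address(server)
                except ValueError:  # hostname: resolve it before running this check
                    continue
                # Any covering route on the pinned interface is enough, even when a
                # more specific route for the server exists via another interface.
                covering = [net for net, dev in routes if dev == iface and addr in net]
                reason = (f"ok, {covering[0]} via {iface}" if covering else
                          f"no route to {addr} via {iface}; local-out traffic will not be sent")
                findings.append((section, entry, server, bool(covering), reason))
    return findings
```

In the sample, radius-dmz passes via the connected 10.0.0.0/24 route, tacacs-wan1 passes via the default route on wan1 even though a more specific 172.16.0.0/16 route exists via dmz, and radius-remote fails because nothing on wan2 covers 172.16.5.10. To run it against a real device, read the backup file into parse_fortios(); on the FortiGate itself, 'get router info routing-table details <server IP>' shows which routes actually cover the destination.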
Places in the CLI where 'interface-select-method' can be configured include the DNS, FortiGuard, RADIUS, LDAP, TACACS+ and Central Management sections named above, as well as FSSO, the Security Fabric and the NTP server settings covered below. Two of these deserve additional notes:
FSSO: using interface-select-method sdwan with FSSO can be very useful when the Collector Agent is accessed over two or more redundant IPsec tunnels. To facilitate this, make sure the IPsec tunnels are members of SD-WAN, then pair 'set interface-select-method sdwan' with 'set source-ip <address>' (if the IPsec tunnels do not have addresses, or if traffic must be sourced from a LAN address).
Security Fabric: the Security Fabric section (added in FortiOS v7.2.8, v7.4.4, and v7.6.0) names the option upstream-interface-select-method, though the usage remains the same as in other sections. 'upstream-interface-select-method' was added along with the source-ip option so that administrators can set a loopback address as the source IP address while accommodating redundant routing scenarios:
config system csf
set source-ip <IPv4 Address>
set upstream-interface-select-method {auto|sdwan|specify}
set upstream-interface <port>
end
Depending on the firmware version, there may be other configuration sections supporting interface-select-method beyond those given above. For a list of supported configuration sections on a given FortiOS version, search the appropriate FortiOS CLI reference document using 'interface-select-method' as the search term.
To specify interface-select-method for an NTP server (the option sits on each server entry inside 'config system ntp', not on the top-level section):
config system ntp
set ntpsync enable
set type custom
config ntpserver
edit 1
set server "ntp1.fortiguard.com"
set interface-select-method {auto|sdwan|specify}
next
end
end
Configuring interface-select-method via the GUI (v7.0 and later):
v7.0 added the Local Out Routing page, which allows administrators to set source IPs and outgoing interfaces from the GUI, rather than having to do so from the CLI only. See also: Summarize source IP usage on the Local Out Routing page.
This feature must first be enabled under System -> Feature Visibility -> Local Out Routing. Then, depending on the service, it is possible to change the setting in a specific VDOM or the Global VDOM under Network -> Local Out Routing.
The GUI will only show options that have already been configured: for example, if an LDAP server has not been configured, there will not be any LDAP-related entries on the Local Out Routing page. If there are multiple entries configured for a given section (e.g. multiple LDAP server entries), the interface selection behavior is configured individually for each entry.
Note:
In cases where local-out traffic has multiple possible egress interfaces, different interfaces may require a different source IP for the local-out traffic. In v7.4.0 and later, 'set preferred-source <IP>' can be configured in the routing or SD-WAN member configuration to specify a different source IP depending on which interface is currently selected to send the local-out traffic. Refer to the article Technical Tip: Configuring preferred-source in source IP for local-out traffic for an example configuration.
Related documents:
Defining a preferred source IP for local-out egress interfaces on SD-WAN members
Copyright 2025 Fortinet, Inc. All Rights Reserved.