FortiGate
msolanki (Staff)
Article Id 230803
Description: This article describes the behavior of traffic selection when multiple zones and members are configured in SD-WAN rules.
Scope: FortiGate.
Solution

From FortiOS 7.0.1 onward, SD-WAN supports multiple SD-WAN zones. In earlier versions, only the SD-WAN member configuration could be used to prioritize traffic flow.

SD-WAN zone priority allows the user to match zones to specific rules. For example, with rule 1 and rule 2, and zone A and zone B, the user can match traffic from zone A to rule 1 and traffic from zone B to rule 2.

This article explains the behavior in different scenarios with multiple zones and member priorities.

1) A single zone is configured in a rule

For example, set priority-zone "A".

Traffic will match this zone and follow the priority order of the zone's members in a top-down flow, as in this output:

Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(doodle)
  Members(3):
    1: Seq_num(1 port1), alive, latency: 17.554, selected
    2: Seq_num(3 port2), alive, latency: 17.477, selected
    3: Seq_num(4 port4), alive, latency: 17.925, selected
  Internet Service(1): Microsoft-Skype_Teams(327781,0,0,0)
  Src address(1):

 

2) Multiple zones are configured in rules, but no members

For example, set priority-zone "A" "B".

Traffic will match and prioritize the zone configured first (zone A in this example) and its members, then the next zone (zone B) and its members, and so on.

3) Multiple zones and multiple members configured in rules

For example, set priority-zone "A" "B" and set priority-members 4 3 1.

In this case, traffic follows only the priority-members order (top to bottom) and bypasses the zone priority: in the output below, the first selected member is port4, which belongs to zone "B", even though zone "A" is listed first.

# edit 1
set name "rule1"
set mode priority
set src "all"
set internet-service enable
set internet-service-name "Microsoft-Skype_Teams"
set health-check "doodle"
set priority-members 4 3 1
set priority-zone "A" "B"

Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(doodle)
  Members(3):
    1: Seq_num(4 port4), alive, latency: 17.951, selected  >>>>>port is part of zone "B"
    2: Seq_num(3 port2), alive, latency: 17.484, selected
    3: Seq_num(1 port1), alive, latency: 17.525, selected
  Internet Service(1): Microsoft-Skype_Teams(327781,0
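The three cases above as an added Python model (not Fortinet's code or the FortiOS implementation): it returns the member order a rule will try and flags members that jump ahead of the first listed zone, which is how the port4 result in case 3 can be checked before a change is pushed. Which zone each port belongs to, and seq_num ordering within a zone, are assumptions.

```python
"""Added example, not Fortinet code: model of how a FortiOS 7.0.1+ SD-WAN rule
in priority mode orders its members in the three cases above. Which zone each
port belongs to is an assumption chosen to mirror the article's output."""
from dataclasses import dataclass, field

@dataclass
class Member:
    seq: int        # SD-WAN member seq_num
    interface: str
    zone: str

@dataclass
class Rule:
    name: str
    priority_zones: list = field(default_factory=list)    # set priority-zone
    priority_members: list = field(default_factory=list)  # set priority-members

def candidate_order(rule, members):
    """Seq_nums in the order the rule tries them.
    Case 3: when priority-members is set its top-down order wins and the zone
    list is ignored. Cases 1 and 2: zones are walked in configured order and,
    within a zone, members are assumed to keep seq_num order (as in case 1)."""
    known = {m.seq for m in members}
    if rule.priority_members:
        return [s for s in rule.priority_members if s in known]
    order = []
    for zone in rule.priority_zones:
        order += sorted(m.seq for m in members if m.zone == zone)
    return order

def members_ahead_of_first_zone(rule, members):
    """Seq_nums tried before any member of the first priority-zone. Non-empty
    means traffic can leave on a path that zone order alone would not pick
    first, as with port4 (zone "B") in the article's case-3 output."""
    if not rule.priority_zones:
        return []
    zone_of = {m.seq: m.zone for m in members}
    ahead = []
    for seq in candidate_order(rule, members):
        if zone_of[seq] == rule.priority_zones[0]:
            break
        ahead.append(seq)
    return ahead

# Constructed lab: port1 and port2 in zone "A", port4 in zone "B".
MEMBERS = [Member(1, "port1", "A"), Member(3, "port2", "A"), Member(4, "port4", "B")]
CASE1 = Rule("rule1", ["A"])                 # 1) single zone
CASE2 = Rule("rule1", ["A", "B"])            # 2) two zones, no members
CASE3 = Rule("rule1", ["A", "B"], [4, 3, 1]) # 3) zones and priority-members
```

A non-empty result from members_ahead_of_first_zone is the condition to review before relying on priority-zone alone.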

 

 
