FortiGate
Mrinmoy
Staff
Article Id 271015
Description

This article explains local-out traffic, which is defined as traffic initiated by FortiGate itself, usually for management purposes.

For example, when it is necessary to ping a device from FortiGate, that is local-out traffic. When FortiGate connects to FortiGuard to download the latest definitions, that is also local-out traffic.

Scope
FortiGate v6.4 or later.
Solution

interface-select-method is available on multiple features:

config system dns | ntp | sflow | netflow
config system central-management
config system fortiguard
config user radius | ldap | fsso
config log fortianalyzer setting
config log syslogd setting

Note:
For central-management, the local traffic is checked against SD-WAN logic only upon session creation. It is by design that the FortiManager-FortiGate tunnel is not terminated when the SD-WAN SLA or logic changes.

 

Example:

***DNS***

FGT # config system dns
FGT (dns) # set interface-select-method sdwan
FGT (dns) # end
FGT #


To enable SD-WAN for ping and traceroute:


execute ping-options use-sdwan yes

execute traceroute-options use-sdwan yes


For example, if 10.20.99.2 is the firewall interface's IP address, traffic sourced from that address is local-out traffic and by default does not follow the SD-WAN rule. If the 'use-sdwan' option is enabled, it follows the SD-WAN rule.

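A consolidated configuration, added here as an illustration and not taken from the original article, that applies interface-select-method to several local-out features at once and then checks a ping sourced from the firewall interface with SD-WAN steering on and off; the syslog server, destination host and interface name port1 are assumed values.

```text
# Illustrative FortiOS CLI session (not from the article); server and host addresses are assumed.
# Management traffic from these features follows the SD-WAN rules.
config log syslogd setting
    set status enable
    set server "192.0.2.10"              # assumed syslog collector
    set interface-select-method sdwan
end

config system ntp
    set interface-select-method sdwan
end

config system fortiguard
    set interface-select-method sdwan
end

# A feature that must always leave through one fixed interface instead of SD-WAN.
config system dns
    set interface-select-method specify
    set interface "port1"                # assumed interface name
end

# Ping sourced from the firewall interface address: first steered by SD-WAN, then with the default behaviour.
execute ping-options source 10.20.99.2
execute ping-options use-sdwan yes
execute ping 198.51.100.1                # assumed destination
execute ping-options use-sdwan no
execute ping 198.51.100.1

# Show the egress interface of the ICMP echoes to confirm which SD-WAN member was chosen.
diagnose sniffer packet any 'host 198.51.100.1 and icmp' 4 4
```

Compare the interface names in the sniffer output between the two pings: with use-sdwan enabled the echoes leave through the member selected by the matching SD-WAN rule, otherwise through the interface chosen by the routing table.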