Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Mrinmoy
Staff
Staff

Created on ‎08-29-2023 11:11 PM Edited on ‎10-08-2025 02:13 AM By Community Manager

Article Id 271015

Technical Tip: Use SD-WAN for local out traffic or Management traffic (DNS, NTP, sflow,netflow, LDAP, Radius etc)

Description

This article discusses that Local-out traffic is defined as the traffic initiated by FortiGate, usually for management purposes.

 

For example, when it is necessary to ping a device from FortiGate, that is local-out traffic. When FortiGate connects to FortiGuard to download the latest definitions, that is also local-out traffic.
Scope FortiGate v6.4 or later.
Solution
  • Traffic that originates from the FortiGate destined to external servers can be routed via SD-WAN rules as well
  • By default, local out traffic is forwarded based on the routing table lookup
  • Interface-select-method is available on multiple features:

 

config system dns | ntp | sflow | netflow

config system central-management

config system fortiguard

config user radius | ldap | fsso

config log fortianalyzer setting

config log syslogd setting

 

Note:
For central management, the local traffic is checked against SD-WAN logic only upon session creation. It is by design not to terminate the FortiManager-FortiGate tunnel if there is a change in SD-WAN SLA or logic. 

 

Example:

 

***DNS***

config system dns
set interface-select-method sdwan
end

 

*** Central Management (fgfm tunnel) ***

config system central-management

set interface-select-method {auto |sdwan | specify}

set interface <interface>

end

 

*** NTP ***

config system ntp

config ntpserver

edit <id>

set interface-select-method {auto | sdwan | specify}

set interface <interface>

next

end

end


***DHCP Proxy, Relay***
config system settings
set dhcp-proxy-interface-select-method {auto | sdwan | specify}
set dhcp-proxy-interface <interface>
end


config system interface
edit <interface>
set dhcp-relay-interface-select-method {auto | sdwan | specify}
set dhcp-relay-interface <interface>

 

*** Authentication (TACACs+, RADIUS,LDAP) ***

config log tacacs+accounting
setting set interface-select-method {auto | sdwan | specify}
set source-ip <IP address>

 

*** Logging (syslog, sflow, netflow) ***

config system {netflow | sflow | vdom-netflow | vdom-sflow}
set interface-select-method {auto | sdwan | specify}
set interface <interface>

 

    ***FortiGuard, FortiSandbox***

config system fortiguard | fortisandbox
set interface-select-method sdwan
end

 

To enable SD-WAN for ping and traceroute:

 

execute ping-options use-sdwan yes

execute traceroute-options use-sdwan yes

 

For example, 10.20.99.2 is the Firewall interface's IP address, traffic from it will be considered local-out traffic and by default, it does not follow the SD-WAN rule. If the 'use-sdwan' option is enabled, it will follow the SD-WAN rule:

 

2.png

 

1.PNG
4794
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.