FortiGate
nithincs
Staff
Article Id 192239

Description

This article explains the conditions under which an SD-WAN rule whose outgoing interface selection strategy is set to manual works, and how it behaves when a member's performance SLA fails.

Scope

FortiGate.

Solution


Manual is one of the outgoing interface selection strategies. It is used to send traffic via a specific WAN interface without depending on, or requiring, an SLA target.

When the outgoing interface strategy is set to manual and WAN interfaces are placed in the Interface preference of the rule, all traffic matching the rule goes via the first interface in the Interface preference.
This acts as a plain policy route.


Note:

If the same WAN interface is also a member of a performance SLA, and that is the only performance SLA that includes the interface, then when the SLA fails the interface's route (0.0.0.0) becomes inactive in the routing table because of the performance SLA failure.

The route for the interface stays inactive and the rule will not work until the performance SLA recovers.

For example:

WAN1 and WAN2 are members of SD-WAN.
Both are added to a performance SLA to monitor connectivity.

All LAN traffic should go via WAN1, and WAN2 should work as backup.

In firmware 6.2 and below, only one interface can be selected in the Interface preference field of an SD-WAN rule.
In 6.4, 7.0, 7.2 and 7.4 it is possible to select multiple interfaces in the Interface preference field of an SD-WAN rule.

In 6.4, 7.0, 7.2 and 7.4 (when the performance SLA is up and running):

SDWAN members:


aegon-kvm59 # dia sys sdwan member
Member(1): interface: wan2, gateway: 10.40.63.254, priority: 0, weight: 0
Member(2): interface: wan1, gateway: 10.40.31.254, priority: 0, weight: 0


Both members are up and working.

SD-WAN performance SLA:


aegon-kvm59 # dia sys sdwan health-check
Health Check(ping_test):
Seq(1 wan2): state(alive), packet-loss(0.000%) latency(0.304), jitter(0.076) sla_map=0x0
Seq(2 wan1): state(alive), packet-loss(0.000%) latency(0.370), jitter(0.111) sla_map=0x0


The health check is working fine.

SDWAN rule/service:


aegon-kvm59 # dia sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 wan1), alive, selected
    2: Seq_num(1 wan2), alive, selected
  Src address(1):
        0.0.0.0-255.255.255.255

  Dst address(1):
        0.0.0.0-255.255.255.255

Both interfaces are alive, and WAN1 has the higher priority because it is listed first in the Interface preference.

In the proute list, the outgoing interfaces appear as WAN1 first and WAN2 second.


aegon-kvm59 # dia firewall proute list
list route policy info(vf=root):

id=2131099649(0x7f060001) vwl_service=1(manual) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 oif=3(wan1) oif=4(wan2)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=24 last_used=2021-02-27 07:20:46


With this SD-WAN setup and status, WAN1 is the primary route for forwarding traffic, and traffic goes via WAN2 only if the performance SLA for WAN1 fails. The output below shows the state after the WAN1 performance SLA has failed:


aegon-kvm59 # dia sys sdwan health-check
Health Check(ping_test):
Seq(1 wan2): state(alive), packet-loss(0.000%) latency(0.319), jitter(0.127) sla_map=0x0
Seq(2 wan1): state(dead), packet-loss(100.000%) sla_map=0x0

Service(1): Address Mode(IPV4) flags=0x200
  Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(1 wan2), alive, selected
    2: Seq_num(2 wan1), dead <-----
  Src address(1):
        0.0.0.0-255.255.255.255

  Dst address(1):
        0.0.0.0-255.255.255.255

aegon-kvm59 # dia firewall  proute list
list route policy info(vf=root):

id=2131034113(0x7f050001) vwl_service=1(manual) vwl_mbr_seq=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 oif=4(wan2)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=24 last_used=2021-02-27 07:20:46


Since the WAN1 SLA monitor is down, all traffic is now forwarded via WAN2.
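As an added example (not part of the Fortinet article and not FortiGate code), the script below parses the "diagnose sys sdwan health-check" and "diagnose sys sdwan service" output shown above to report which member a manual-mode rule will actually use, and flags the case the Note warns about, where every preferred member has failed its SLA and the rule is inactive. The sample outputs are constructed in the shape of the article's listings; the all-members-down snapshot is invented to exercise that case.

```python
import re

# Constructed samples in the shape of the article's health-check and
# service output (member lines only).
HC_UP = """Seq(1 wan2): state(alive), packet-loss(0.000%) latency(0.304), jitter(0.076) sla_map=0x0
Seq(2 wan1): state(alive), packet-loss(0.000%) latency(0.370), jitter(0.111) sla_map=0x0"""
SVC_UP = """Service(1): Address Mode(IPV4) flags=0x200
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 wan1), alive, selected
    2: Seq_num(1 wan2), alive, selected"""
HC_WAN1_DOWN = """Seq(1 wan2): state(alive), packet-loss(0.000%) latency(0.319), jitter(0.127) sla_map=0x0
Seq(2 wan1): state(dead), packet-loss(100.000%) sla_map=0x0"""
SVC_WAN1_DOWN = """Service(1): Address Mode(IPV4) flags=0x200
  Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(1 wan2), alive, selected
    2: Seq_num(2 wan1), dead"""
# Constructed: both members fail their SLA (the case described in the Note).
HC_ALL_DOWN = """Seq(1 wan2): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(2 wan1): state(dead), packet-loss(100.000%) sla_map=0x0"""
SVC_ALL_DOWN = """Service(1): Address Mode(IPV4) flags=0x200
  Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 wan1), dead
    2: Seq_num(1 wan2), dead"""

HC_RE = re.compile(r"Seq\(\d+ (\S+)\): state\((\w+)\)")
MBR_RE = re.compile(r"^\s*\d+: Seq_num\(\d+ (\S+)\), (\w+)", re.M)
MODE_RE = re.compile(r", Mode\((\w+)\)")   # ", Mode(" skips "Address Mode(IPV4)"

def assess_manual_rule(service_out, health_out):
    """Return the members a manual-mode rule can still forward through, in the
    order the rule lists them, and whether the rule is currently inactive."""
    health = dict(HC_RE.findall(health_out))     # iface -> alive / dead
    members = MBR_RE.findall(service_out)        # keeps the preference order
    usable = [i for i, state in members if state == "alive"]
    # A member the rule still shows alive while the SLA already reports dead
    # means the service listing is stale; re-run both commands before acting.
    stale = [i for i, state in members if state == "alive" and health.get(i) == "dead"]
    return {"mode": MODE_RE.search(service_out).group(1),
            "primary": usable[0] if usable else None,
            "usable": usable,
            "inactive": not usable,
            "stale": stale}

if __name__ == "__main__":
    for svc, hc in ((SVC_UP, HC_UP), (SVC_WAN1_DOWN, HC_WAN1_DOWN), (SVC_ALL_DOWN, HC_ALL_DOWN)):
        print(assess_manual_rule(svc, hc))
```

An "inactive" result is the condition to alert on: the rule still exists but no member can carry its traffic until the performance SLA recovers.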