- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiScan
- FortiSandbox
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- Customer Service
- Community Groups
- Article Ideas
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Working of SD-WAN rule with outgoin...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article provides condition and working of SD-WAN rule with outgoing Interface selection strategy as manual.
Solution
Manual is one of the outgoing Interface selection strategy used to send the traffic via specific WAN interface without depending or requirement of SLA target.
When we select outgoing Interface strategy as manual and place wan interface in the Interface preference of the rule, all the traffic matching the rule will go via first interface in the Interface preference.
This acts as plain policy route.
Note:
If the same WAN interface is called in SLA performace.
When there is only one performance SLA which includes the WAN interface.
If it fails, then the route will be inactive in routing table (0.0.0.0) due to performance SLA failure.
Route for the interface becomes inactive and RULE will not work till the performance SLA is recovered.
For Example:
WAN1 and WAN2 are members of SD-WAN.
Both are being added to performance SLA to monitor the connectivity.
All the LAN traffic should go via WAN1 and WAN2 should work as backup.
In 6.2 and below firmware, only one interface can be selected in Interface preference field of SD-WAN rule.
In 6.4, it is possible to select multiple interface in Interface preference field of SD-WAN rule.
In 6.4: (when SLA performance is up and running)
SDWAN members:
SDWAN performance SLA:
SDWAN rule/service:
From the proute list, outgoing interface will be visible as WAN1 first and WAN2 as second.
Since wan1 SLA monitor is down, now all the traffic will be forwarded via WAN2.
This article provides condition and working of SD-WAN rule with outgoing Interface selection strategy as manual.
Solution
Manual is one of the outgoing Interface selection strategy used to send the traffic via specific WAN interface without depending or requirement of SLA target.
When we select outgoing Interface strategy as manual and place wan interface in the Interface preference of the rule, all the traffic matching the rule will go via first interface in the Interface preference.
This acts as plain policy route.
Note:
If the same WAN interface is called in SLA performace.
When there is only one performance SLA which includes the WAN interface.
If it fails, then the route will be inactive in routing table (0.0.0.0) due to performance SLA failure.
Route for the interface becomes inactive and RULE will not work till the performance SLA is recovered.
For Example:
WAN1 and WAN2 are members of SD-WAN.
Both are being added to performance SLA to monitor the connectivity.
All the LAN traffic should go via WAN1 and WAN2 should work as backup.
In 6.2 and below firmware, only one interface can be selected in Interface preference field of SD-WAN rule.
In 6.4, it is possible to select multiple interface in Interface preference field of SD-WAN rule.
In 6.4: (when SLA performance is up and running)
SDWAN members:
aegon-kvm59 # dia sys sdwan memberBoth the members are up and working.
Member(1): interface: wan2, gateway: 10.40.63.254, priority: 0, weight: 0
Member(2): interface: wan1, gateway: 10.40.31.254, priority: 0, weight: 0
SDWAN performance SLA:
aegon-kvm59 # dia sys sdwan health-checkHealth check is working fine.
Health Check(ping_test):
Seq(1 wan2): state(alive), packet-loss(0.000%) latency(0.304), jitter(0.076) sla_map=0x0
Seq(2 wan1): state(alive), packet-loss(0.000%) latency(0.370), jitter(0.111) sla_map=0x0
SDWAN rule/service:
aegon-kvm59 # dia sys sdwan serviceBoth the interface is alive and WAN1 has high priority
Service(1): Address Mode(IPV4) flags=0x200
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(2):
1: Seq_num(2 wan1), alive, selected
2: Seq_num(1 wan2), alive, selected
Src address(1):
0.0.0.0-255.255.255.255
Dst address(1):
0.0.0.0-255.255.255.255
From the proute list, outgoing interface will be visible as WAN1 first and WAN2 as second.
aegon-kvm59 # dia firewall proute listWith this SD-WAN setup and status, WAN1 will be primary route to forward the traffic and traffic will go via WAN2 only if performance SLA for WAN1 fails.
list route policy info(vf=root):
id=2131099649(0x7f060001) vwl_service=1(manual) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 oif=3(wan1) oif=4(wan2)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=24 last_used=2021-02-27 07:20:46
aegon-kvm59 # dia sys sdwan health-check
Health Check(ping_test):
Seq(1 wan2): state(alive), packet-loss(0.000%) latency(0.319), jitter(0.127) sla_map=0x0
Seq(2 wan1): state(dead), packet-loss(100.000%) sla_map=0x0
Service(1): Address Mode(IPV4) flags=0x200
Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(2):
1: Seq_num(1 wan2), alive, selected
2: Seq_num(2 wan1), dead <-----
Src address(1):
0.0.0.0-255.255.255.255
Dst address(1):
0.0.0.0-255.255.255.255
aegon-kvm59 # dia firewall proute list
list route policy info(vf=root):
id=2131034113(0x7f050001) vwl_service=1(manual) vwl_mbr_seq=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 oif=4(wan2)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=24 last_used=2021-02-27 07:20:46
Since wan1 SLA monitor is down, now all the traffic will be forwarded via WAN2.
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.