Description
This article provides condition and working of SD-WAN rule with outgoing Interface selection strategy as manual.
Scope
FortiGate.
Solution
Manual is one of the outgoing Interface selection strategy used to send the traffic via specific WAN interface without depending or requirement of SLA target.
When we select outgoing Interface strategy as manual and place wan interface in the Interface preference of the rule, all the traffic matching the rule will go via first interface in the Interface preference.
This acts as plain policy route.
Note:
If the same WAN interface is called in SLA performace.
When there is only one performance SLA which includes the WAN interface.
If it fails, then the route will be inactive in routing table (0.0.0.0) due to performance SLA failure.
Route for the interface becomes inactive and RULE will not work till the performance SLA is recovered.
For Example:
WAN1 and WAN2 are members of SD-WAN.
Both are being added to performance SLA to monitor the connectivity.
All the LAN traffic should go via WAN1 and WAN2 should work as backup.
In 6.2 and below firmware, only one interface can be selected in Interface preference field of SD-WAN rule.
In 6.4,7.0,7.2,7.4 it is possible to select multiple interface in Interface preference field of SD-WAN rule.
In 6.4,7.0,7.2,7.4: (when SLA performance is up and running)
SDWAN members:
aegon-kvm59 # dia sys sdwan member
Member(1): interface: wan2, gateway: 10.40.63.254, priority: 0, weight: 0
Member(2): interface: wan1, gateway: 10.40.31.254, priority: 0, weight: 0
Both the members are up and working.
SD-WAN performance SLA:
aegon-kvm59 # dia sys sdwan health-check
Health Check(ping_test):
Seq(1 wan2): state(alive), packet-loss(0.000%) latency(0.304), jitter(0.076) sla_map=0x0
Seq(2 wan1): state(alive), packet-loss(0.000%) latency(0.370), jitter(0.111) sla_map=0x0
Health check is working fine.
SDWAN rule/service:
aegon-kvm59 # dia sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(2):
1: Seq_num(2 wan1), alive, selected
2: Seq_num(1 wan2), alive, selected
Src address(1):
0.0.0.0-255.255.255.255
Dst address(1):
0.0.0.0-255.255.255.255
Both the interface is alive and WAN1 has high priority
From the proute list, outgoing interface will be visible as WAN1 first and WAN2 as second.
aegon-kvm59 # dia firewall proute list
list route policy info(vf=root):
id=2131099649(0x7f060001) vwl_service=1(manual) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 oif=3(wan1) oif=4(wan2)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=24 last_used=2021-02-27 07:20:46
With this SD-WAN setup and status, WAN1 will be the primary route to forward the traffic, and traffic will go via WAN2 only if the performance SLA for WAN1 fails.
aegon-kvm59 # dia sys sdwan health-check
Health Check(ping_test):
Seq(1 wan2): state(alive), packet-loss(0.000%) latency(0.319), jitter(0.127) sla_map=0x0
Seq(2 wan1): state(dead), packet-loss(100.000%) sla_map=0x0
Service(1): Address Mode(IPV4) flags=0x200
Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(2):
1: Seq_num(1 wan2), alive, selected
2: Seq_num(2 wan1), dead <-----
Src address(1):
0.0.0.0-255.255.255.255
Dst address(1):
0.0.0.0-255.255.255.255
aegon-kvm59 # dia firewall proute list
list route policy info(vf=root):
id=2131034113(0x7f050001) vwl_service=1(manual) vwl_mbr_seq=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 oif=4(wan2)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=24 last_used=2021-02-27 07:20:46
Since the wan1 SLA monitor is down, now all the traffic will be forwarded via WAN2.
