FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes a scenario where SD-WAN is configured on the FortiGate, but traffic is still routing through the WAN-1 interface despite the expected redirection to the WAN-2 connection.
Although, the interface-select-method is set to sdwan and SD-WAN rules are in place to force traffic to the WAN-2 connection, the local traffic (DNS, FortiGuard, Radius, and LDAP) continues to pass through the WAN -2 interface.
Scope
FortiGate v7.x.x.
Solution
FGT (WAN1:21.23.12.2; WAN2: 2.56.3.4) ------------ Internet
To resolve this kind of issue, follow these steps:
Verify the routing table for active routes:
get router info routing-table all
get router info routing-table database.
Check the sniffer output.
For Example: DNS traffic is still going out from WAN1 but WAN2 has the active route.
set source-ip 21.23.12.2 (must be unset or 0.0.0.0)(WAN-1 IP)
set interface-select-method sdwan
end
Note:
In some environments, FortiGate has set source-IP in local services such as DNS, FortiGuard, LDAP, and so on before SD-WAN implementation in the network environment. Ensure that it must be unset or set to 0.0.0.0
If it did not change, the local traffic is passing to the different interface raise a ticket with the TAC support with the above information.
