Hi, we are having issues with DHCP Relay configured on a FortiGate firewall with an SD-WAN interface. We need to apply SD-WAN rules to the DHCP relay traffic that originates from the firewall using the LAN interface IP, but since 6.2.2, self-originating traffic does not match SD-WAN rules, according to this document:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47380
Is there any way to force the FortiGate to apply SD-WAN rules for self-originating traffic? Thanks.
EDIT: Just to clarify, the issues we are having with DHCP Relay are about the DHCP requests being sent through a different interface than we need (we are trying to force this traffic to go out through an interface with a worse cost in the SD-WAN virtual link), but the rule is not being applied to this traffic. So the issue is not really related to DHCP relay but to SD-WAN rules not being applied to local traffic.
Did you set the relay IP under the interface from the CLI?
config system interface
    edit port1
        # interface that you are relaying from
        set dhcp-relay-service enable
        set dhcp-relay-ip x.x.x.x
    next
end
Ken Felix
PCNSE
NSE
StrongSwan
Hi, I did it from the GUI but the result is the same:
config system interface
    edit "port1"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.10.10.1 255.255.255.0
        set type physical
        set alias "LAN"
        set snmp-index 1
        set dhcp-relay-ip "10.10.20.4"
    next
end
The thing is that I need the traffic originating from 10.10.10.1 to 10.10.20.4 to match an SD-WAN rule I have created for this traffic, but this does not work. I think it is due to this change:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47380
Thanks for the answer.
Self-originating traffic should never match an SD-WAN rule, from my understanding. Why would you want that?
Ken Felix
PCNSE
NSE
StrongSwan
Hi amorales,
I solved a similar problem when implementing SD-WAN last year in version 6.2.3 - self-originated traffic from the FGT (DNS, FortiGuard, etc.). I received a statement from the TAC:
Hello,
We finally found it. Now it works properly.
We deleted the default route to SD-WAN and added subnets according to RFC 1918.
All manuals and KB articles state that the default route is set to the SD-WAN interface, but in this case this is probably not entirely true.
So instead of one default route to SD-WAN, I have set up two with the same distance and added static routes to the LAN subnets at the branches:
Jirka
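The behaviour discussed in this thread, modelled as an added example (not FortiOS code, not the posters' configuration): forwarded traffic from a LAN host is matched against the SD-WAN rules, while a packet whose source is one of the unit's own addresses (the relayed DHCP request sent from 10.10.10.1 to 10.10.20.4) skips them and is decided by the routing table alone. With two equal-distance default routes the routing table offers both WAN members as ECMP candidates, so the egress interface is not the one the SD-WAN rule asked for; a more specific static route to the branch subnet, as in the TAC advice above, pins it. The interface names wan1/wan2, the 10.10.20.0/24 branch subnet and the SD-WAN rule itself are assumed for the illustration.

```python
"""Model of the FortiGate forwarding decision for self-originated vs forwarded traffic.

Added example: mirrors the thread's description (SD-WAN rules skipped for
self-originated traffic since 6.2.2), it is not FortiOS code. Interface names,
gateways, the SD-WAN rule and the 10.10.20.0/24 branch subnet are constructed.
"""
import ipaddress
from dataclasses import dataclass


def net(prefix):
    """Parse a prefix such as '10.10.20.0/24' into an IPv4Network."""
    return ipaddress.ip_network(prefix)


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    device: str         # egress interface (assumed names wan1 / wan2)
    distance: int = 10  # administrative distance


@dataclass(frozen=True)
class Decision:
    path: str           # "sdwan-rule" or "fib"
    egress: frozenset   # candidate egress interfaces; more than one means ECMP


class FortiGateModel:
    def __init__(self, local_ips, sdwan_rules, static_routes):
        self.local_ips = {ipaddress.ip_address(a) for a in local_ips}
        # (src_net, dst_net, preferred member) triples, first match wins
        self.sdwan_rules = sdwan_rules
        self.routes = list(static_routes)

    def fib_lookup(self, dst_ip):
        """Longest-prefix match, then lowest distance; remaining ties are ECMP."""
        candidates = [r for r in self.routes if dst_ip in r.dst]
        if not candidates:
            return frozenset()
        longest = max(r.dst.prefixlen for r in candidates)
        best = [r for r in candidates if r.dst.prefixlen == longest]
        lowest = min(r.distance for r in best)
        return frozenset(r.device for r in best if r.distance == lowest)

    def decide(self, src, dst):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # A packet sourced from one of the unit's own addresses is self-originated
        # (the DHCP relay packet from the LAN interface IP in this thread). Per the
        # behaviour change the thread cites, such traffic never consults SD-WAN rules.
        if src_ip not in self.local_ips:
            for src_net, dst_net, member in self.sdwan_rules:
                if src_ip in src_net and dst_ip in dst_net:
                    return Decision("sdwan-rule", frozenset({member}))
        return Decision("fib", self.fib_lookup(dst_ip))


# Assumed SD-WAN rule: LAN -> branch subnet should prefer wan2.
SDWAN_RULES = [(net("10.10.10.0/24"), net("10.10.20.0/24"), "wan2")]
# Two default routes with the same distance, one per WAN member.
DEFAULT_ROUTES = [Route(net("0.0.0.0/0"), "wan1"), Route(net("0.0.0.0/0"), "wan2")]
# The specific branch route the TAC advice adds on top of the defaults.
BRANCH_ROUTE = Route(net("10.10.20.0/24"), "wan2")


def relay_egress(extra_routes=()):
    """Decision for the relayed DHCP packet 10.10.10.1 -> 10.10.20.4."""
    fgt = FortiGateModel(["10.10.10.1"], SDWAN_RULES, DEFAULT_ROUTES + list(extra_routes))
    return fgt.decide("10.10.10.1", "10.10.20.4")


def client_egress():
    """Same destination, but forwarded traffic from a LAN host behind the firewall."""
    fgt = FortiGateModel(["10.10.10.1"], SDWAN_RULES, DEFAULT_ROUTES)
    return fgt.decide("10.10.10.50", "10.10.20.4")


if __name__ == "__main__":
    print("forwarded LAN client  :", client_egress())
    print("relay, ECMP defaults  :", relay_egress())
    print("relay, + branch route :", relay_egress([BRANCH_ROUTE]))
```

The model returns the full set of ECMP candidates rather than picking one; a real unit hashes each flow onto a single member, which is why the relay traffic in the thread leaves on "the wrong" interface without any rule having been evaluated at all.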
Hi, thank you very much for the help.
Copyright 2024 Fortinet, Inc. All Rights Reserved.