DanielMathis
New Contributor

Manual SD-WAN rule without switching to secondary line

I've got a customer who has a phone system which uses WAN2 and only works on this port. So I set a rule manually selecting WAN2. In case of a failure it switches to WAN1, on which the system doesn't work and it doesn't automatically switch back, even if WAN2 is back on.

 

Is there a way that it doesn't switch to WAN1? And if not, why doesn't it switch back to WAN2?

sw2090
Honored Contributor

You might configure the SD-WAN rules so that the rules don't match traffic coming from your phone system. Then make sure there is only a rule for wan2 that matches traffic from the phone system and only has wan2 as interface. Then only this traffic can hit this rule and it cannot do failover because all other ones don't match.

You have to do it this way because there always is the explicit SD-WAN rule that matches all traffic that ain't matched by any other rule (just like explicit deny in policies does).

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

DanielMathis

So now I made an address group with an exception for the phone system and set the "all" SD-WAN rule to that group as source. Now the phone system isn't in any other rule as source than the one with the manual WAN port. Is that the way it should work?

sw2090
Honored Contributor

As long as that is the first rule that matches the phone system it should work.

SD-WAN rules are handled like policies: top down - first match wins the traffic :)

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

aionescu
Staff

Hi Daniel,

 

To provide you the best answer, we would need more information about the actual topology.

As starting point, can you check if the following KB matches your setup?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuration-to-avoid-routing-issues-afte...

DanielMathis
New Contributor

It works now with the phone system excluded from the "all" rule. Thank you very much!
