pacionet
New Contributor II

Fortigate 1100E - SDWAN and policy route issue

Hi,

On a FortiGate 1100E (7.4.9) we set up SD-WAN like this:

 

[image: SDWAN.jpg]

We would like OpenNMS to ping a public IP (8.8.8.8) through the line of ROUTER1 and another public IP (8.8.4.4) through the line of ROUTER2. So we set up these policy routes:

 

SOURCE    DESTINATION    GATEWAY
OPENNMS   8.8.8.8        ROUTER1
OPENNMS   8.8.4.4        ROUTER2

 

In static routes we have:

0.0.0.0/0      SDWAN

In the SD-WAN policy we have only the default rule (members selected by source IP).

 

When both interfaces WAN1 and WAN2 are up everything works, but:

  • If we disable the WAN2 interface, both pings work
  • If we disable the WAN1 interface, neither ping works

When both interfaces are up, traceroute shows that the routes are correct (the ping towards 8.8.8.8 goes out WAN1, while the ping towards 8.8.4.4 goes out WAN2).

 

Any ideas?

 

Thanks

 


7 REPLIES
funkylicious
SuperUser

hi,

do you do NAT on the FGT or on the routers?

diagnose firewall proute list - shows correctly what you have configured / can you post it?

"jack of all trades, master of none"
pacionet

NAT is on the FGT

Policy routes (gateways are masked):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=16(port4)
path(1): oif=66(WAN1) gwy=X.Y.W.Z path_last_used=2025-12-05 09:22:33
source wildcard(1): 10.93.233.229/255.255.255.255
destination wildcard(1): 8.8.8.8/255.255.255.255
hit_count=14065 rule_last_used=2025-12-05 09:22:33

id=2(0x02) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=16(port4)
path(1): oif=87(WAN2) gwy=A.B.C.D path_last_used=2025-12-05 09:21:54
source wildcard(1): 10.93.233.229/255.255.255.255
destination wildcard(1): 8.8.4.4/255.255.255.255
hit_count=3925 rule_last_used=2025-12-05 09:21:54

Both policy routes work when both interfaces are up, but if we deactivate WAN1, neither ping works.

funkylicious

do you have auxiliary-session enabled? if not, try enabling it and see if it solves the issue.

 

config system settings
    set auxiliary-session enable
end
"jack of all trades, master of none"
pacionet

I tried the setting you suggested

set auxiliary-session enable

but it doesn't work.

If we disable one interface of the SD-WAN, all other clients using SD-WAN work, except the ping from OpenNMS.

Maybe the problem is having policy routes AND SD-WAN together?

funkylicious

policy routes take precedence over SD-WAN rules.

L.E. i would disable the policy routes and create sd-wan rules for NMS with the selection of manual outgoing interfaces and do another test like that.

"jack of all trades, master of none"
pacionet

Ok, but we have only the implicit SD-WAN rule and 2 policy routes:

SOURCE    DESTINATION    GATEWAY
OPENNMS   8.8.8.8        ROUTER1
OPENNMS   8.8.4.4        ROUTER2

The policy routes seem to work when both interfaces are active, but if we disable WAN1, the policy route towards "ROUTER2" does not work (the policy is matched, but we see 0 bytes of response in the firewall logs).

 


@funkylicious wrote:

policy routes take precedence over SD-WAN rules.

L.E. i would disable the policy routes and create sd-wan rules for NMS with the selection of manual outgoing interfaces and do another test like that.

Yes, we did exactly that: we deleted the policy routes and set 2 SD-WAN rules like these:

SOURCE: OpenNMS  Destination: 8.8.8.8  Criteria: Forced member WAN1
SOURCE: OpenNMS  Destination: 8.8.4.4  Criteria: Forced member WAN2

but we still got the same problem (with auxiliary-session both enabled and disabled).

 

pacionet
New Contributor II

Sorry,

I found the problem.

I used a wrong NAT on the firewall policy.

We need 2 policies:

OpenNMS -> 8.8.8.8 -> NAT WAN1
OpenNMS -> 8.8.4.4 -> NAT WAN2

Thanks !
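As an added illustration of the accepted answer (this is not the poster's configuration and was not posted in the thread), the two policy routes and the two NAT firewall policies can be expressed in the FortiOS CLI as below. The source host 10.93.233.229, the port4 ingress interface and the WAN1/WAN2 member names come from the diagnose output earlier in the thread; the address object names, the route and policy IDs, the SD-WAN zone name "virtual-wan-link" and the <ROUTER1-IP>/<ROUTER2-IP> placeholders are assumptions.

```fortios
# Added illustration of the accepted answer, not the poster's own configuration.
# Assumed: address object names, route/policy IDs, the SD-WAN zone name
# "virtual-wan-link", and the <ROUTER1-IP>/<ROUTER2-IP> placeholders.
# From the thread: source host 10.93.233.229, ingress port4, members WAN1/WAN2.

config firewall address
    edit "OpenNMS"
        set subnet 10.93.233.229 255.255.255.255
    next
    edit "dns-8.8.8.8"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "dns-8.8.4.4"
        set subnet 8.8.4.4 255.255.255.255
    next
end

# Policy routes: one per destination, each pinned to one WAN member and its router.
# Policy routes are evaluated before the SD-WAN rules, as noted in the thread.
config router policy
    edit 1
        set input-device "port4"
        set srcaddr "OpenNMS"
        set dstaddr "dns-8.8.8.8"
        set gateway <ROUTER1-IP>
        set output-device "WAN1"
    next
    edit 2
        set input-device "port4"
        set srcaddr "OpenNMS"
        set dstaddr "dns-8.8.4.4"
        set gateway <ROUTER2-IP>
        set output-device "WAN2"
    next
end

# Firewall policies: one per destination, each with NAT enabled and no fixed IP
# pool, so the source is translated to the address of the member the matching
# policy route selected (WAN1 for 8.8.8.8, WAN2 for 8.8.4.4). Because WAN1 and
# WAN2 are SD-WAN members, the policies reference the SD-WAN zone as dstintf.
config firewall policy
    edit 10
        set name "OpenNMS-8.8.8.8-NAT-WAN1"
        set srcintf "port4"
        set dstintf "virtual-wan-link"
        set srcaddr "OpenNMS"
        set dstaddr "dns-8.8.8.8"
        set action accept
        set schedule "always"
        set service "PING"
        set nat enable
    next
    edit 11
        set name "OpenNMS-8.8.4.4-NAT-WAN2"
        set srcintf "port4"
        set dstintf "virtual-wan-link"
        set srcaddr "OpenNMS"
        set dstaddr "dns-8.8.4.4"
        set action accept
        set schedule "always"
        set service "PING"
        set nat enable
    next
end

# Verification (command already used in the thread): confirm both routes exist
# and that hit_count on the WAN2 route keeps increasing after WAN1 is disabled.
# diagnose firewall proute list
```

The point of splitting the policies by destination is that each probe is always translated to the address of the member that actually carries it; a single policy whose NAT is tied to one member's address would leave the second probe sourced from an address the other router cannot return traffic to once the first member is down.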

 
