Hi, I have Fortigate 60F and two ISP added to SD-WAN:
WAN1
WAN2
I would like always to route traffic from Interface "3" (Subnet 192.168.0.0/24) to ISP "WAN2" and never failover to ISP "WAN1". If "WAN2" is down then clients on Interface "3" will be offline (that is OK). When other interfaces can use WAN2 as primary ISP and failover to WAN1 ISP.
If I will create below SD-WAN RULE then won't Interface "3" (192.168.0.0/24) failover to WAN1 in case of WAN2 is offline?
Solved! Go to Solution.
Created on 09-03-2023 01:29 PM Edited on 09-07-2023 12:03 AM
For the time being found three options how to block traffic originated from subnet 192.168.0.0 (port3) to be routed via WAN1 port even if WAN2 is physically down (cable unplugged):
1) Found on this resource absolutely the same issue what I have:
https://www.reddit.com/r/fortinet/comments/p7j1zl/restrict_certain_subnetinterface_from_using/
On port3 (subnet 192.168.0.0), I created secondray IP 100.64.0.1/24
Created two policy routes. First routing policy is to route always traffic from 192.168.0.0/24 subnet (port3) via WAN2 (Starlink):
Second policy to route traffic from port3 to port3 with gateway as this port's secondary IP which is 100.64.0.1. Once WAN2 link is down (cable unplugged for example) then first routing policy is skipped and below is taking care of 192.168.0.0 traffic since will match:
2) Another option, is two remove SD-WAN zone and make WAN1 and WAN2 as the separate interfaces.
Configure failover between WAN1 and WAN2 using link-monitor as per below resource:
Configure Policy to block traffic from 192.168.0.0 to WAN1
Not sure how practical is first approach but it is working without removing SD-WAN zone. Was tested and found working.
2nd option was tested as well.
3) Under SD-WAN create two new zones:
WAN1 ZONE
WAN2 ZONE
Add WAN1 and WAN2 interfaces to respective zone.
Create two SD-WAN rules:
- Rule1: Source Address specify subnet what you want to route via WAN2 only. Manual mode -> Interface Preference: WAN2
- Rule2: Source Address specify all remaining subnets what can access WAN2 and WAN1. Manual mode -> Interface Preference: WAN2, WAN1 (order of interfaces is important)
Go to Routes -> Static Routes -> Add both new SD-WAN zones to Static Route Device fields
Configure SLA under SD-WAN
Configure Policy Firewall:
Top rule Block subnet 192.168.0.0/24 from accessing WAN1 (WAN1 ZONE as destination interface)
Second rule allow 192.168.0.0/24 subnet to access WAN2 interface (WAN2 ZONE as destination interface)
This is achievable using a Policy Route - they trump SDWAN - this is a great reference material for route lookups with proute/sdwan/traditional FIB
Created on 08-30-2023 11:19 AM Edited on 09-03-2023 01:46 PM
As per documentation in order to Policy Route work we need to provide at least two parameters:
-Outbound interface
-Gateway
On WAN2 interface we have Starlink aerial. When it is offline it has Gateway 192.168.100.1 and when is online 65.181.7.1 in current region, but I assume this gateway will change based on location.
If this GW 65.181.7.1 would be permanent then I can create two policy routes one for 192.168.100.1 gateway and another one for 65.181.7.1 and that would be enough.
But in my case once Gateway changes it will break above policy routes and Fortigate will start looking to Routing Table which will have below route via WAN1:
S* 0.0.0.0/0 [1/0] via x.x.x.x, wan1, [10/0]
I tried to provide 0.0.0.0 Gateway but Fortigate is ignoring such Policy Route and look directly to Routing table.
I can't apply Policy with restriction for traffic originated from Interface "3" to use "WAN1" connection because both WANs are in SD-WAN.
What option do I have here? If I exclude WAN1 and WAN2 from SD-WAN then will I be able to achive below via Static Routes and Policies?:
- default route for all internal interfaces via WAN2 (Starlink)
- in case WAN2 is down, failover to WAN1 for all internal interfaces except "3"
- policy restriction for traffic originated from interface "3" to "WAN1"
Hi,
Manual selection Rule, with the only one preferred interface and no other criteria and interfaces, should do the trick.
More on that: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/723448/manual-strategy
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
tried this and it still looking to Routing table and use WAN1 interface when WAN2 is down.
Hi Vurdalag,
There should be a policy route to route traffic through WAN2 and another policy route to stop policy routing for that source subnet.
Regards,
Vimala
Hi,
that won't work for my case. "Stop Policy Routing" only tells if there is a traffic match then exit from Policy Route and look at Routing Table.
So in my case if WAN2 is down then routing table will have default route via WAN1 interface.
If I configure "Stop Policy Routing" for traffic from interface "B" to WAN1 then it won't restrict from forwarding traffic via WAN1. Instead, it will stop looking at Policy Routing and will switch to Routing Table where will be default route via WAN1 and pass this traffic further.
Created on 08-31-2023 03:51 PM Edited on 08-31-2023 03:54 PM
FortiOS always looks up policy routes first before looks up routing table. Even if route doesn't exist or interface is down, it follows what policy routes instruct.
Only way to stop one policy route pushes traffic toward the direction is to have another policy route(s), more specific one, overrides it. That's what @kvimaladevi is saying.
<edit>In other words, once you start using policy routes, any redirection based on routing table changes won't work any more.
</edit>
Toshi
Created on 09-02-2023 04:28 PM Edited on 09-02-2023 11:57 PM
Hello,
Made numerous tests.
1) When both links are UP with connectivity -OK, then routing table is below:
2) Configured two Route Policies. First to redirected traffic from Subnet_B via WAN2 only, and second policy to stop Policy Routing for traffic originated from Subnet_B. I made very specific rules for the 192.168.0.101 PC which resides in Subnet_B:
This is Stop Policy Routing:
As you can see traffic is hitting policies:
Running tracert and continious ping from 192.168.0.101 IP on Port3, traffic is forwarding via WAN2 (Nex hop 65.181.6.1):
Now I simulate connectivity lost on WAN2 (interface itself is UP, LAN cable connected). As you see traffic do not route anymore via WAN2 and also do not failover to WAN1. Once WAN2 connectivity restore, then traffic continue to route via WAN2. So at this step Policy Routing rule is wokring as expected:
Here I did another test. Before test, traffic is routing via WAN2 interface. Both WAN2 and WAN1 are UP with connectivity OK, so both routes in routing table. Now I unplug cable physically from WAN2 interface. Pinging stopped for a few pings and then resumed pinging. Traffic failvored to WAN1. Policy Routing rules are still in place and are intact.
I connected WAN2 cable back but traffic was still routed via WAN1 interface:
As per Fortigate manual for policy routes at minimum are required outgoing interface and gateway. Assume that after cable disconnection Fortgiate skip Policy route for this specific intereface.
This approach with Policy Routes doesn't look reliable as any activities with Starlink equipment power (e.g. lost power, unit reboot, cable disconnection etc. ) will start to failover traffic from Subnet_B via WAN1.
I checked several articles and as per them Stop Policy Forwarding do not stop traffic mentioned in this rule from routing but just informes Fortigate to stop looking further in other Policy Routing rules and jump to Routing Table:
Created on 09-03-2023 01:29 PM Edited on 09-07-2023 12:03 AM
For the time being found three options how to block traffic originated from subnet 192.168.0.0 (port3) to be routed via WAN1 port even if WAN2 is physically down (cable unplugged):
1) Found on this resource absolutely the same issue what I have:
https://www.reddit.com/r/fortinet/comments/p7j1zl/restrict_certain_subnetinterface_from_using/
On port3 (subnet 192.168.0.0), I created secondray IP 100.64.0.1/24
Created two policy routes. First routing policy is to route always traffic from 192.168.0.0/24 subnet (port3) via WAN2 (Starlink):
Second policy to route traffic from port3 to port3 with gateway as this port's secondary IP which is 100.64.0.1. Once WAN2 link is down (cable unplugged for example) then first routing policy is skipped and below is taking care of 192.168.0.0 traffic since will match:
2) Another option, is two remove SD-WAN zone and make WAN1 and WAN2 as the separate interfaces.
Configure failover between WAN1 and WAN2 using link-monitor as per below resource:
Configure Policy to block traffic from 192.168.0.0 to WAN1
Not sure how practical is first approach but it is working without removing SD-WAN zone. Was tested and found working.
2nd option was tested as well.
3) Under SD-WAN create two new zones:
WAN1 ZONE
WAN2 ZONE
Add WAN1 and WAN2 interfaces to respective zone.
Create two SD-WAN rules:
- Rule1: Source Address specify subnet what you want to route via WAN2 only. Manual mode -> Interface Preference: WAN2
- Rule2: Source Address specify all remaining subnets what can access WAN2 and WAN1. Manual mode -> Interface Preference: WAN2, WAN1 (order of interfaces is important)
Go to Routes -> Static Routes -> Add both new SD-WAN zones to Static Route Device fields
Configure SLA under SD-WAN
Configure Policy Firewall:
Top rule Block subnet 192.168.0.0/24 from accessing WAN1 (WAN1 ZONE as destination interface)
Second rule allow 192.168.0.0/24 subnet to access WAN2 interface (WAN2 ZONE as destination interface)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1766 | |
1116 | |
766 | |
447 | |
242 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.