rajamanickam
Contributor

GRE interface as SDWAN Member interface

Hi,

Can a GRE interface be added as an SDWAN member interface?

Currently we have a scenario where forward traffic will be sent out through one physical interface (Internet) and return traffic will come back through a GRE tunnel built on top of the same physical interface. By default, with firewall behaviour, this packet will be dropped, hence we are exploring adding this GRE interface as an SDWAN member interface to avoid this situation.


Regards

Raja

srajeswaran
Staff

GRE can be added as an SDWAN member, but I don't think it is going to help in the specific condition you are referring to.
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/942095/sd-wan-members-and-zo...
In your scenario the traffic will be considered asymmetric and will still be dropped. Do you know why the return traffic is coming on GRE instead of the original interface? Maybe fixing the route issue on the peer side is a better option.

ref: https://community.fortinet.com/t5/Support-Forum/Fortigate-same-zone-but-different-interface-packet-p...

Regards,

Suraj


rajamanickam

We have an external security service which inspects all return traffic, hence the GRE tunnel from that device to the FortiGate device. But I guess SDWAN interfaces will be considered as one single logical interface, and if we bundle the GRE interface into SDWAN, it won't consider it as asymmetric traffic. Because in SDWAN, sometimes when a link is not performing well, forward traffic might take that overlay path and return traffic comes in on a different overlay path. Hence I am assuming that within SDWAN, member interfaces will be considered as a symmetric flow. Please clarify my understanding.


Regards

Raja
