fortinetforumfiokom
New Contributor II

How can I limit the traffic to only one SD-WAN interface

Hi, 

(Fortigate 201F, 7.4.3)

I have a new SD-WAN setting, and I have an internal e-mail server. How can I limit the email server traffic (SMTP) so that this traffic only goes out through the designated SD-WAN interface? If that interface goes down, I do not want to allow this traffic to go out on another SD-WAN interface.

I would like to prevent the email traffic from going out from another public IP. My current goal is not to configure the mail server (DNS, MX, SPF etc...).

I tried to create an SD-WAN rule (Interface selection strategy = Manual) with the mail server address and SMTP traffic, where I only specify one SD-WAN interface in the interface preferences, but it seems that if I stop this interface, the traffic still starts to go out on the other interface. How can I stop this from happening?

 

Thanks

 

atakannatak
New Contributor III

Hi @fortinetforumfiokom ,

 

In fact, SD-WAN basically allows you to manage multiple lines that you have for the same purpose on an application basis. In this context, as you can see in the link below, you must select at least one interface in the implicit SD-WAN rule.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/216765/implicit-rule

 

In your scenario, using policy routes might be the right solution. You can review documentation for more details:

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/144044/policy-routes

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

Atakan Atak
fortinetforumfiokom

Hi @atakannatak

If I understand what you have written correctly, it is not possible to solve what I want. The traffic will go out one way or the other.

I tested the SD-WAN rules and I see, e.g. for the following rules, that after I disable the WAN-ISP1 interface, it just skips the rule (ID 1) and, since the rule (ID 2) is also valid for it, it will apply this rule (if there is no other rule, it will apply the implicit rule in the last case).

[screenshot: sdwanrule.png]

 

I can see from the logs that if I configure an SD-WAN rule like this:

[screenshot: rule2.png]

even with the interface preference set, the traffic goes out on both interfaces:

[screenshot: sdwanlog.png]

 

The policy routing makes sense to me if an SD-WAN rule has more than one interface in the interface preference; then the policy route can force the traffic onto the selected one.

 

So if I want traffic to go out only on a specific interface or not at all, then the solution is that I can't do that with SD-WAN?

hbac

Hi @fortinetforumfiokom,

 

I don't think it is possible, because when one WAN goes down, traffic will match the implicit SD-WAN rule.

 

Regards, 

atakannatak

Hi, 

 


The concept of SD-WAN doesn't allow the things you want. Basically, as I mentioned, the SD-WAN implicit deny covers all available interfaces; it does not force the specific rules and their associated interface onto the relevant traffic, because if their associated interface goes down, SD-WAN keeps looking for the next traffic match in your SD-WAN policies and then selects the available interfaces on the matched rule, which means the default implicit rule.

 

BR.

Atakan Atak
Toshi_Esumi
SuperUser

First, you need to understand FGT's SD-WAN features are only targeting situations with multiple circuits and how to select one of them to send a particular type of traffic over the others to get the best performance. The design concept doesn't include prioritization of traffic on the same circuit. 
This is probably the biggest difference from other SD-WAN vendors.

This is partly, if not mainly, because the prioritization of traffic on one circuit has been in FortiOS as "Traffic Shaping" for a very long time.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/297431/traffic-shaping
You should look into this feature to accomplish your goal.

 

Toshi

sahmed_FTNT
Staff

In your case, a traffic shaper might help you to some extent. We need to understand that SD-WAN is mainly used for controlling traffic using multiple interfaces.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/249147/sd-wan-traffic-shapin...

Security all we want
fortinetforumfiokom
New Contributor II

I just got my second ISP line (very fast but not guaranteed), and I'm learning now how to use it.

 

I've read quite a lot of documentation (and watched videos), and from these it wasn't clear to me how SD-WAN works in practice, or how SD-WAN rules are handled by the system (if the interfaces in a rule are down, the rule itself is not valid). After testing and reading the comments on my question, it is clear now that in my case I may not need to use it.

 

I don't want to prioritize traffic; I want to allow traffic to go out on a specific interface but not elsewhere, and of course the other SD-WAN features would be fine too.

 

So, to my original question: whether it is possible to control outbound SMTP traffic to go out only on a specific interface and, if that interface is not working, not to go out at all, is not possible with SD-WAN only. In my opinion, traffic shaping does not help here either. (I could imagine that sometime in the future there could be a DENY option in these rules.)

 

In my case the solution could be to manage the two WAN connections separately and use policy routing. Setting the default gateway to WAN1, and with a policy route I can send all traffic to WAN2 except SMTP from the selected machine, so the SMTP only goes out on WAN1. If WAN2 goes down, all traffic automatically goes to WAN1, so I have failover (but of course not load balancing).

 

Thank you for your replies.
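The two-WAN policy-route design described in the reply above, as an added FortiOS 7.4 CLI sketch that is not part of the original post. It assumes constructed interface names, IPs and an address object "mail-server", an ordinary accept policy from internal to wan1 that is not shown, and FortiOS's behaviour of skipping a policy route whose output device has no active route in the routing table, which is why wan2 also gets a default route.

```text
# Added example (not from the thread). All names, IPs and gateways below are
# constructed placeholders; replace them with your own.

# 1. Default routes on both WANs, same distance so both stay in the routing
#    table; the lower priority value makes wan1 the preferred default gateway.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set priority 10
    next
end

# 2. Policy routes are checked top-down before the routing table.
#    Seq 1: SMTP from the mail server -> "Stop Policy Routing" (action deny),
#           so it falls through to the routing table and leaves via wan1.
#    Seq 2: all other LAN traffic -> force out wan2. If wan2 is down, its route
#           is withdrawn, this entry is skipped, and traffic follows the
#           routing table to wan1 (failover, no load balancing).
config router policy
    edit 1
        set input-device "internal"
        set src "10.10.10.25/32"
        set protocol 6
        set start-port 25
        set end-port 25
        set action deny
    next
    edit 2
        set input-device "internal"
        set src "10.10.10.0/24"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end

# 3. Firewall guard: SMTP from the mail server is explicitly denied on the
#    internal -> wan2 interface pair, so if wan1 is down the mail traffic is
#    dropped and logged rather than leaving from the second public IP.
config firewall policy
    edit 11
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "mail-server"
        set dstaddr "all"
        set service "SMTP"
        set action deny
        set schedule "always"
        set logtraffic all
    next
end
```

The deny policy on the wan2 pair is what enforces "only WAN1 or not at all" independently of routing; `diagnose firewall proute list` shows whether the policy routes are active.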

 

  

mcveyroosevelt219
New Contributor

To ensure your email server's SMTP traffic only uses a specific SD-WAN interface and does not failover to another, you need to configure a static route and apply a firewall policy. First, create an SD-WAN rule with the interface selection strategy set to Manual and specify the desired SD-WAN interface for SMTP traffic. Then, in the Advanced Options, disable "Implicit Route Override" to prevent failover. Additionally, set a static route for the mail server's traffic pointing exclusively to the desired SD-WAN interface. Finally, create a firewall policy explicitly allowing SMTP traffic from the mail server via the specified SD-WAN interface only, ensuring no other interfaces are listed.

sjoshi
Staff

Hi fortinetforumfiokom,

 

You can use the article below on how to set up a manual rule.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SD-WAN-Rule-Manual-Interface-Selection-Str...

Let us know if this helps.
Salon Raj Joshi