Oceanpact

Local Out route using SD-WAN + SD-WAN Rules

Hi,

I've configured the local-out route to use SD-WAN and tried to set the source to the LAN1 interface of the firewall; the idea was to use SD-WAN rules for DNS and FortiGuard link selection.

The problem is that while debugging I've confirmed that the traffic origin is not the LAN1 interface but the local interface, so no policy for this traffic exists and the packet is dropped.

Reading the docs, I've found only a local-in policy, but no local-out policy.

Any ideas on how to allow the FortiGate local interface to reach FortiGuard servers using SD-WAN rules?

I'm using FortiOS v7.

sjoshi
Staff

Dear Oceanpact,

Thank you for posting to the Fortinet Community Forum.

Problem Description:

To allow the FortiGate local interface to reach FortiGuard servers using SD-WAN rules.

An SD-WAN rule is like a policy route rule, and for self-generated traffic SD-WAN rules won't come into the picture.

If you want to use a local interface to reach the FortiGuard server you can follow the steps below:

config system fortiguard
    set source-ip x.x.x.x                  <- LAN IP
    set interface-select-method specify
    set interface <local_int>
end

Let us know if this helps.

Thanks,

Salon Raj Joshi
Oceanpact

Hi,

I've tried this, but it seems that it is the out interface.

Before, while using sdwan as the interface-select-method, I used to get this log in the debug:

id=65308 trace_id=283 func=print_pkt_detail line=5875 msg="vd-root:0 received a packet(proto=6, 10.18.0.1:20132->173.243.140.16:443) tun_id=0.0.0.0 from local. flag [.], seq 1048321583, ack 2456511463, win 64240"
id=65308 trace_id=283 func=resolve_ip_tuple_fast line=5958 msg="Find an existing session, id-0b6e9b64, original direction"

After configuring as below, I haven't received anything in the debug; it seems to be the output interface, so the FW won't know what to do with this packet at internal1.

(fortiguard) # show
config system fortiguard
    set source-ip 10.18.0.1
    set interface-select-method specify
    set interface "internal1"
end
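The debug-flow lines quoted in the reply above mark the packet as `from local`, which is how FortiOS shows traffic the FortiGate generated itself rather than traffic that entered on an interface such as LAN1. As an added example (not from this thread or from Fortinet), a small Python parser that pulls those local-out flows out of `diag debug flow` output; the sample lines are constructed from the ones posted, with an extra interface-originated line added for contrast.

```python
import re

# Constructed sample output, modelled on the `diag debug flow` lines quoted in this thread.
# Line 1 is a FortiGuard connection the FortiGate itself opened ("from local");
# line 3 is a constructed DNS query arriving on internal1, added for contrast.
SAMPLE_TRACE = """\
id=65308 trace_id=283 func=print_pkt_detail line=5875 msg="vd-root:0 received a packet(proto=6, 10.18.0.1:20132->173.243.140.16:443) tun_id=0.0.0.0 from local. flag [.], seq 1048321583, ack 2456511463, win 64240"
id=65308 trace_id=283 func=resolve_ip_tuple_fast line=5958 msg="Find an existing session, id-0b6e9b64, original direction"
id=65308 trace_id=284 func=print_pkt_detail line=5875 msg="vd-root:0 received a packet(proto=17, 192.0.2.10:53512->10.18.0.1:53) tun_id=0.0.0.0 from internal1. flag [S], seq 2849131, ack 0, win 65535"
"""

# key=value fields; msg is one quoted token, so the '=' signs inside it are not split
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# 5-tuple plus the origin after "from": an interface name, or "local" for self-generated traffic
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) '
    r'tun_id=\S+ from (\S+)\.(?:\s|$)'
)


def parse_trace_line(line: str) -> dict:
    """Split one debug-flow line into its fields; decode the packet tuple
    and origin when the line is a print_pkt_detail record."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PKT_RE.search(fields.get("msg", ""))
    if m:
        proto, src, sport, dst, dport, origin = m.groups()
        fields.update(proto=int(proto), src=src, sport=int(sport),
                      dst=dst, dport=int(dport), origin=origin)
    return fields


def local_out_packets(trace: str) -> list:
    """Return only the packets the FortiGate generated itself ("from local"):
    the flows that, as the reply above notes, SD-WAN rules are not consulted for."""
    return [p for p in map(parse_trace_line, trace.splitlines())
            if p.get("origin") == "local"]


if __name__ == "__main__":
    for p in local_out_packets(SAMPLE_TRACE):
        print(f"trace_id={p['trace_id']} local-out {p['src']}:{p['sport']} -> "
              f"{p['dst']}:{p['dport']} proto={p['proto']}")
```

Feed it the output of `diag debug flow` captured to a file to separate self-originated FortiGuard or DNS flows from flows that arrived on an interface.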

sjoshi
Staff

Can you share the output of the command below:

diag debug rating

Salon Raj Joshi
akileshc
Staff

Hi,

By default, local-out traffic relies on routing table lookups to determine the appropriate egress interface for establishing the connection. However, certain types of local outbound traffic offer the option to select the egress interface based on SD-WAN or manually specified interfaces.

CLI Syntax:

config system fortiguard
    set interface-select-method sdwan
end

sdwan: Set the interface by SD-WAN or policy routing rules.

For more details, please refer to the document below:
https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/848980

Akilesh