Hi,
I´ve configured local out route to SD-WAN and tried to set source to the LAN1 interface of the firewall, the idea was to use SD-WAN Rules for DNS and Fortiguard link selection.
The problem is that while debugging I've confirmed that the traffic origin is not LAN1 interface, but local interface, so no policy for this traffic exists and package is dropped.
By reading the docs I've found only local-in policy, but no local out policy.
Any ideas on how to allow Fortigate local interface to reach Fortiguard servers using SD-WAN rules?
I´m using FortiOS v7
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Dear Oceanpact
Thank you for posting to the Fortinet Community Forum.
Problem Description:-
to allow Fortigate local interface to reach Fortiguard servers using SD-WAN rules
Sdwan rule is like policy route rule and for self generated traffic sdwan rules wont come to the picture.
If you want to use local interface to reach fortiguard server you can follow below steps:-
config system fortiguard
set source-ip .x.x.x.x >>> lan IP
set interface-select-method specify
set interface <local_int>
Let us know if this helps.
Thanks
Hi,
I've tried this, but it seems that it is the out interface.
Before, while using sdwan at interface select method I used to get this log at the debug:
id=65308 trace_id=283 func=print_pkt_detail line=5875 msg="vd-root:0 received a packet(proto=6, 10.18.0.1:20132->173.243.140.16:443) tun_id=0.0.0.0 from local. flag [.], seq 1048321583, ack 2456511463, win 64240"
id=65308 trace_id=283 func=resolve_ip_tuple_fast line=5958 msg="Find an existing session, id-0b6e9b64, original direction"
After configuring as below, I haven´t received anything at debug, it seems to be the output interface, so FW wont know what to do with this package at internal1
(fortiguard) # show
config system fortiguard
set source-ip 10.18.0.1
set interface-select-method specify
set interface "internal1"
end
Can you share below op:-
diag debug rating
Hi,
By default, local out traffic relies on routing table lookups to determine the appropriate egress interface for establishing the connection. However, certain types of local outbound traffic offer the option to select the egress interface based on SD-WAN or manually specified interfaces.
CLI Syntax:
config sys fortiguard
set interface-select-method sdwan -> sdwan: Set the interface by SD-WAN or policy routing rules.
end
For more details, Please refer to the below documents:
** https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/848980
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1502 | |
1011 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.