I have configured SD-WAN for the Internet links, and it has been working as expected for more than a year now. I have also recently configured the VPN tunnels (named SITE-A and SITE-B) in SD-WAN, and they are working as expected. However, at times the Internet traffic takes a route via SITE-A or SITE-B. I understand this is because these two tunnels are also members of SD-WAN, hence it takes that route. Is there a way that I should ONLY educate the FortiGate to take the SITE-A and SITE-B routes if the traffic matches the remote site's network segment (e.g. 172.16.0.0/24 and 172.17.0.0/24) and NOT all the Internet traffic? I also see COST in the SD-WAN, which by default is 0 for the WAN links. What cost should I specify for the VPN tunnels when they are members of SD-WAN?
Anand
Hi, would you mind sharing your FortiOS version?
Fortigate Newbie
FG-300D, v.6.4.0
Anand
The problem could be caused by the persistence of some sessions, so the traffic remains "stuck" with the old route.
To avoid this problem, it is possible to create a route from the LAN to the Internet interface (virtual-wan-link) where in the destination we insert all private networks and set deny. Sessions, if they pass by mistake through the virtual-wan-link interface, will perforce be reset.
This action is also useful if the VPNs are in a different SD-WAN zone from the Internet.
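Putting that reply into FortiOS 6.4 CLI, as an added example that is not the poster's own configuration: the deny policy for private destinations on the SD-WAN zone, plus an SD-WAN rule that steers only the two remote subnets from the question to the tunnels. The LAN interface name "lan", the object names and the SD-WAN member IDs 3 (SITE-A) and 4 (SITE-B) are assumptions.

```fortios
# Added example, not from the thread. Assumed: LAN interface "lan", the
# object names below, and SD-WAN member IDs 3 = SITE-A, 4 = SITE-B.
config firewall address
    edit "RFC1918-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "RFC1918-172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "RFC1918-192"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "SITEA-LAN"
        set subnet 172.16.0.0 255.255.255.0
    next
    edit "SITEB-LAN"
        set subnet 172.17.0.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "RFC1918-ALL"
        set member "RFC1918-10" "RFC1918-172" "RFC1918-192"
    next
end
# Deny policy from the reply: a LAN session that reaches the SD-WAN zone with a
# private destination is dropped and logged. Keep it ABOVE the general
# LAN->Internet allow policy (policies match top-down; reorder with "move").
config firewall policy
    edit 0
        set name "Deny-private-dst-via-SDWAN"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "RFC1918-ALL"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# SD-WAN rule: only the two remote-site prefixes are steered to the tunnels.
config system sdwan
    config service
        edit 1
            set mode manual
            set dst "SITEA-LAN" "SITEB-LAN"
            set priority-members 3 4
        next
    end
end
```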