Hi,
Is it possible to disable the SD-WAN failover for some specific traffic/policies?
Example
LANX -> WAN1 to google.be server
LANY -> WAN2 to google.be server
If WAN1 goes down, then LANX may NOT fail over to WAN2 for the traffic to google.be.
Other traffic from LANX may fail over to WAN2 (this is working).
Reason
Their ERP application only identifies the client based on IP address and not on DNS name...
Running v6.4.6 on a FortiGate 60F.
Kind Regards
Stephan
Hi stepco
You can create a rule in the SD-WAN rules to force LANX to google.be and manually select WAN1 as the outgoing interface, and for LANY to google.be manually select WAN2 as the outgoing interface.
Hope this helps you.
Hi Naibaho,
This is common sense, but the FortiGate will disable the rule if WAN1 is down...
:)
Hi,
Thank you for your question. It is a bit more complex. Yes, you can create a manual SD-WAN rule that will send all traffic from LANX to WAN1. However, if you have a health-check for WAN1, then even if you disable update-static-route, when this health-check fails it will disable the SD-WAN rule. So you would need to make sure that at least one health-check over WAN1 is working, or have no health-check for WAN1.
Hi Akristof,
Thanks for your reply. But then there will be no failover for the other internet traffic.
We used Cyberoam in the past, and there you could force a firewall rule to only use WAN1 and not fail over for that firewall rule.
In the FortiGuard docs I have found that if you disable SD-WAN you can set deny rules.
But then you lose the use of SD-WAN...
Any other ideas?
kind regards
Stephan
Hey stepco,
You could maybe try policy routing and force all traffic to a specific destination via interface A/B? That should supersede SD-WAN routing to my knowledge, but I'm not sure how SD-WAN related health-checks would impact policy routing.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/34912/policy-routing
Hi Debbie,
I tried the routing policy, but the SD-WAN logic is taking over :)
Policy route:
1 policy: "Forward Traffic" to WAN1
2 policy: "Stop Policy Routing"
Regards
Stephan
Hi Stephan,
This should be possible if you have separate zones for your WAN interfaces.
1. Add a manual SD-WAN rule from LANX to google.be, member -> WAN1.
2. Place a policy to 'deny' traffic over WAN2 from LANX to google.be.
So in case there is a failover (the manual rule would not be hit, and the traffic hits the implicit rule to be forwarded to WAN2), the traffic would be denied by the policy.
A similar rule and policy can be used for traffic from LANY to google.be through WAN2.
Regards,
Vignesh.
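The two steps above as a FortiOS 6.4 CLI configuration. This is an added example, not config posted in the thread: the interface names (lanx, lany, wan1, wan2), the SD-WAN zone names, the LAN subnets and the WAN gateways (documentation ranges) are assumptions. The point it shows is that WAN1 and WAN2 each sit in their own SD-WAN zone, so a firewall policy can match traffic leaving through WAN2 alone; the manual SD-WAN rule pins LANX -> google.be to WAN1, and when the WAN1 health-check fails the rule is skipped, the traffic falls through to the implicit rule toward WAN2 and the deny policy drops it instead of letting it egress from WAN2's public IP. The deny policies must sit above the general accept policy, since policies are evaluated top-down.

```fortios
# Address objects (assumed subnets; FQDN object for the ERP destination)
config firewall address
    edit "LANX_net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "LANY_net"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "google.be"
        set type fqdn
        set fqdn "google.be"
    next
end

# One SD-WAN zone per WAN member so each can be referenced in firewall policies
config system sdwan
    set status enable
    config zone
        edit "sd-wan1"
        next
        edit "sd-wan2"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "sd-wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "sd-wan2"
            set gateway 198.51.100.1
        next
    end
    config health-check
        edit "ping-wan1"
            set server "203.0.113.1"
            set members 1
        next
        edit "ping-wan2"
            set server "198.51.100.1"
            set members 2
        next
    end
    config service
        # Manual rules with a single member: no fallback member is listed,
        # so a dead WAN1 means the rule is bypassed, not re-routed.
        edit 1
            set name "lanx-google-wan1"
            set mode manual
            set src "LANX_net"
            set dst "google.be"
            set priority-members 1
        next
        edit 2
            set name "lany-google-wan2"
            set mode manual
            set src "LANY_net"
            set dst "google.be"
            set priority-members 2
        next
    end
end

# Deny the "wrong" WAN for the ERP destination; allow everything else to fail over
config firewall policy
    edit 10
        set name "deny-lanx-google-via-wan2"
        set srcintf "lanx"
        set dstintf "sd-wan2"
        set srcaddr "LANX_net"
        set dstaddr "google.be"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "deny-lany-google-via-wan1"
        set srcintf "lany"
        set dstintf "sd-wan1"
        set srcaddr "LANY_net"
        set dstaddr "google.be"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 12
        set name "lan-internet"
        set srcintf "lanx" "lany"
        set dstintf "sd-wan1" "sd-wan2"
        set srcaddr "LANX_net" "LANY_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To check the behaviour, pull WAN1 and watch `diagnose sys sdwan health-check` mark member 1 dead and `diagnose sys sdwan service` show rule 1 with no alive member; LANX traffic to google.be should then appear in the forward log as denied by policy 10, while other LANX traffic matches policy 12 and leaves through sd-wan2. Logging on the deny policies is deliberate: the ERP side will see a silent outage, and the log entry is the evidence that the block was intentional rather than a routing fault.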
Hi Vponmunirai,
You can only select the SD-WAN interfaces in the policies. :(
Regards
Stephan