Hi, I have a scenario.
I have an SDWAN rule with source 10.50.10.0/24 and destination 10.90.10.0/24. The source is the Spoke1 network, the destination is the Spoke2 network. These networks' interfaces are configured as VLAN interfaces on the respective FortiGate devices. When I check the session for a source user PC (took the IP 10.50.10.11), it is hitting the correct service ID (service ID 10) and the end-to-end ping works. But when I check the ping session with the firewall VLAN interface (10.50.10.1) as source, I can see this session goes through the SDWAN default rule (SDWAN service 0). Since my VLAN interface also falls under 10.50.10.0/24, my ping from the VLAN interface to the other spoke IP should go through service ID 10 only, but I am not sure why it is hitting the default SDWAN rule (service ID 0). Is this expected behaviour, or should I raise a TAC case for this issue?
Hi,
This might be a bit tricky. The session info might not contain this information; it might be 0, the same as for policy_id. You will also not see it if you do a debug flow. A reliable way to see whether local traffic is matching SDWAN rules is the hit count on the rule. You can test it with a test rule only for this traffic and see if the hit count increases.
Hello,
Thank you for your question. If you are pinging from the device, use this option:
exec ping-options use-sdwan yes
And then run the ping. Without it, as this is locally originated traffic, the traffic will not be matched against any PBR and as a result it will hit the default SDWAN rule.
Thanks for your very quick reply. I tried this command earlier. I have some queries on it: if I use the command use-sdwan yes, then it might use one of the overlay interface IPs to ping, which will not match my SDWAN rule (since I am matching on the source IP segment only and not on the overlay IPs). I hope this understanding is correct? Mainly we ping from the VLAN interface IP as part of troubleshooting the traffic flow. Is there a way we can send traffic sourced from the VLAN interface IP through a specific SDWAN rule?
Hello,
You can do all these things: use a specific source interface or IP address and then the "use-sdwan yes" option. This setting only makes the traffic be matched against SDWAN rules. If you do not use any source-ip address, then yes, if the traffic (based on destination address) matches some SDWAN rule and uses some overlay, the FortiGate will use that source IP. If you specify a source IP under ping, then the outgoing ping will use this IP address no matter what SDWAN rule and outgoing interface are selected.
I tried ping source IP and then use-sdwan yes. I am getting an error. I think the syntax is not correct. But I understand the concept from your statements. Thanks for your reply.
Getting the below error; am I entering it correctly?
execute ping-options source 10.50.10.1 use-sdwan yes
command parse error before 'use-sdwan'
Command fail. Return code -61
Hello,
Use it like this:
exec ping-options source X.X.X.X
exec ping-options data-size 1200
exec ping-options use-sdwan yes
exec ping 10.255.255.1
This is an example. Everything you configure as ping-options will be used when you run "exec ping Y.Y.Y.Y".
Thank you for the commands, I tried them. But even after that, this traffic is going through SDWAN service ID = 0.
statistic(bytes/packets/allow_err): org=6140/5/1 reply=6140/5/1 tuples=2
tx speed(Bps/kbps): 497/3 rx speed(Bps/kbps): 497/3
orgin->sink: org out->post, reply pre->in dev=0->55/55->38 gwy=0.0.0.0/x.x.x.x
hook=out dir=org act=noop x.x.x.x:60338->y.y.y.y:8(0.0.0.0:0)
hook=in dir=reply act=noop y.y.y.y:60338->x.x.x.x:0(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=041f15fd tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=3 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: local not-established
total session 1
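As an added example that is not part of the thread, a small parser for the session dump above: it pulls out policy_id, sdwan_service_id and no_ofld_reason and flags a session that looks like locally originated traffic, where those zero values do not prove which SDWAN rule was matched (the rule hit count does). The sample text is built from the lines posted above, with the masked addresses left as-is.

```python
import re

# Sample session entry, constructed from the dump posted in the thread
# (addresses masked exactly as they were posted).
SAMPLE_SESSION = """\
statistic(bytes/packets/allow_err): org=6140/5/1 reply=6140/5/1 tuples=2
orgin->sink: org out->post, reply pre->in dev=0->55/55->38 gwy=0.0.0.0/x.x.x.x
hook=out dir=org act=noop x.x.x.x:60338->y.y.y.y:8(0.0.0.0:0)
hook=in dir=reply act=noop y.y.y.y:60338->x.x.x.x:0(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
sdwan_mbr_seq=3 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
no_ofld_reason: local not-established
"""

# key=value tokens; values stop at whitespace or a comma (npu info line)
KV_RE = re.compile(r"(\w+)=([^\s,]+)")


def parse_session(text):
    """Return a dict of the first occurrence of every key=value field."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*no_ofld_reason:\s*(.*)", line)
        if m:  # free-text field, not key=value
            fields["no_ofld_reason"] = m.group(1).strip()
            continue
        for key, value in KV_RE.findall(line):
            fields.setdefault(key, value)
    return fields


def classify(fields):
    """Explain what the sdwan_service_id field does (and does not) tell us."""
    reasons = fields.get("no_ofld_reason", "").split()
    policy_id = int(fields.get("policy_id", "-1"))
    service_id = int(fields.get("sdwan_service_id", "-1"))
    if "local" in reasons and policy_id == 0 and service_id == 0:
        # Locally originated: no firewall policy applies, and the SDWAN
        # service field is not populated, so it cannot confirm the rule hit.
        return "local-origin: sdwan_service_id not meaningful, check rule hit count"
    if service_id == 0:
        return "matched implicit SDWAN rule (service 0)"
    return f"matched SDWAN service {service_id}"


if __name__ == "__main__":
    print(classify(parse_session(SAMPLE_SESSION)))
```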
Thanks Adrian for your support