rajamanickam
Contributor

SDWAN Rule functionality 6.4.7 version

Hi, I have a scenario.

I have an SD-WAN rule with source 10.50.10.0/24 and destination 10.90.10.0/24. The source is the Spoke1 network; the destination is the Spoke2 network. These network interfaces are configured as VLAN interfaces on the respective FortiGate devices. When I check the session for the source user PC (took an IP of 10.50.10.11), it was hitting the correct Service ID (Service ID 10) and end-to-end ping is happening. But when I check the ping session with the firewall VLAN interface (10.50.10.1) as source, I could see this session going through the SD-WAN default rule (SD-WAN service 0). Since my VLAN interface also falls under 10.50.10.0/24, my ping from the VLAN interface to the other spoke IP should go through Service ID 10 only, but I'm not sure why it is hitting the default SD-WAN rule (Service ID 0). Is this expected behaviour, or should I raise a TAC case for this issue?

akristof
Staff

Hello,

Thank you for your question. If you are pinging from the device, use this option:

exec ping-options use-sdwan yes

And then run the ping. Without it, as this is locally originated traffic, the traffic will not be matched against any PBR and, as a result, it will hit the default SD-WAN rule.

Adrian
rajamanickam
Contributor

Thanks for your very quick reply. I tried this command earlier. I have some queries on it: if I use the command use-sdwan yes, then it might use one of the overlay interface IPs to ping, which will not match my SD-WAN rule (since I am matching on the source IP segment only and not on the overlay IPs). I hope this understanding is correct? Mainly we ping from the VLAN interface IP as part of troubleshooting the traffic flow. Is there a way we can send source VLAN interface IP traffic through a specific SD-WAN rule?

akristof

Hello,

You can do all these things: use a specific source interface or IP address and then the "use-sdwan yes" option. This setting will only make the traffic be matched against SD-WAN rules. If you do not use any source IP address, then yes, if the traffic (based on destination address) matches some SD-WAN rule and uses some overlay, FortiGate will use that source IP. If you specify a source IP under ping, then the outgoing ping will use this IP address no matter what SD-WAN rule and outgoing interface are selected.

Adrian
rajamanickam
Contributor

I tried ping with a source IP and then use-sdwan yes. I am getting an error; I think the syntax is not correct. But I understand the concept from your statements. Thanks for your reply.

I'm getting the error below; am I entering it correctly?

execute ping-options source 10.50.10.1 use-sdwan yes

command parse error before 'use-sdwan'
Command fail. Return code -61

akristof

Hello,

Use it like this:

exec ping-options source X.X.X.X
exec ping-options data-size 1200
exec ping-options use-sdwan yes
exec ping 10.255.255.1

This is an example. Everything you configure under ping-options will be used when you run "exec ping Y.Y.Y.Y".

Adrian
rajamanickam
Contributor

Thank you for the commands; I tried them. But even after that, this traffic is going through SD-WAN service ID = 0.

statistic(bytes/packets/allow_err): org=6140/5/1 reply=6140/5/1 tuples=2
tx speed(Bps/kbps): 497/3 rx speed(Bps/kbps): 497/3
orgin->sink: org out->post, reply pre->in dev=0->55/55->38 gwy=0.0.0.0/x.x.x.x
hook=out dir=org act=noop x.x.x.x:60338->y.y.y.y:8(0.0.0.0:0)
hook=in dir=reply act=noop y.y.y.y:60338->x.x.x.x:0(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=041f15fd tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=3 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: local not-established
total session 1

akristof

Hi,

This might be a bit tricky. The session info might not contain this information; it might be 0, the same as for policy_id. You will also not see it if you do a debug flow. The reliable way to see that local traffic is matching SD-WAN rules is the hit count on the rule. You can test it with a test rule only for this traffic and see if the hit count increases.

Adrian
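Adrian's point above, that sdwan_service_id in a session entry proves nothing for locally originated traffic, can be applied automatically when triaging session dumps like the one pasted earlier in this thread. This is an added example, not code from the thread or from Fortinet; the session text is a trimmed copy of the posted entry, the field names are as they appear in that dump, and the rule that a "local" no_ofld_reason marks the session as locally originated is an assumption taken from that entry.

```python
import re

# Constructed sample: a trimmed copy of the session entry posted above
# (x.x.x.x / y.y.y.y were already redacted in the thread).
LOCAL_PING_SESSION = """\
statistic(bytes/packets/allow_err): org=6140/5/1 reply=6140/5/1 tuples=2
hook=out dir=org act=noop x.x.x.x:60338->y.y.y.y:8(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
sdwan_mbr_seq=3 sdwan_service_id=0
no_ofld_reason: local not-established
total session 1
"""

KV_RE = re.compile(r"(\w+)=([^\s,]+)")


def parse_session(text):
    """Collect the key=value fields of one session entry into a dict.

    The no_ofld_reason line uses 'key: value' form, so it is handled apart.
    The first occurrence of a key wins.
    """
    fields = {}
    for line in text.splitlines():
        if line.startswith("no_ofld_reason:"):
            fields.setdefault("no_ofld_reason", line.split(":", 1)[1].strip())
            continue
        for key, value in KV_RE.findall(line):
            fields.setdefault(key, value)
    return fields


def assess_sdwan_match(fields):
    """Say what sdwan_service_id in a session entry can and cannot prove.

    Locally originated traffic (e.g. a ping sourced from the FortiGate's own
    VLAN interface) shows policy_id=0 and a 'local' no_ofld_reason (assumed
    marker), and its sdwan_service_id may stay 0 even when 'ping-options
    use-sdwan yes' steered it through a rule. Only the rule hit count settles
    that case; for forwarded traffic the field can be read as-is.
    """
    service_id = int(fields.get("sdwan_service_id", "0"))
    reason = fields.get("no_ofld_reason", "").split()
    if "local" in reason and service_id == 0:
        return "inconclusive: locally originated, check SD-WAN rule hit count"
    if service_id == 0:
        return "matched default SD-WAN rule (service 0)"
    return f"matched SD-WAN service {service_id}"
```

Feed it the full output of the session dump one entry at a time; a forwarded session from the user PC with sdwan_service_id=10 is reported as matching service 10, while the locally sourced ping is flagged as inconclusive rather than as a default-rule match.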
rajamanickam
Contributor

Thanks, Adrian, for your support.
