byrsa08
New Contributor

SDWAN for local out traffic

Hi,

 

We have configured the FortiGate to use SD-WAN for the FortiGuard traffic, and we are also using UDP 8888 for that traffic for better performance. Everything is working fine, but I am not sure whether the traffic is being processed by the dedicated SD-WAN rule or by the implicit rule (routing table lookup), which will work anyway (the Internet SD-WAN zone has the 2 WAN interfaces in it and the default static route is pointing to that zone). Both interfaces are up and running.

 

The dedicated SD-WAN rule is placed as the first rule (src: ALL / dst: Fortinet-Services), a manual rule with the 2 WAN interfaces as members. This rule is constantly used (hit counts and last hit), but the confusion comes when I check the session information (diag sys session filter dport 8888): I cannot see one single session with SD-WAN information in it.

 

Questions:

 

1. How can I check whether the FortiGuard traffic is actually processed by the configured SD-WAN rule?

 

2. Must the SRC be set to 'all' in the SD-WAN rule for it to be matched?

In the FortiGuard settings we have not set a source IP:

--

set source-ip 0.0.0.0

set interface-select-method sdwan

--

 

My understanding is that the src IP is unknown before the interface has been chosen (the src IP will be the outgoing interface IP), and therefore the src in the SD-WAN rule must be set to 'all'.

 

Thank you in advance!

Regards

Mo 

 

 

7 REPLIES
pmeet
Staff

When you have a manual rule, the first selected WAN interface will be used, and then the second.

 

Also note that SD-WAN rules are policy routes.

 

To verify the proute (policy route) matching, please refer to this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching-policy-route/ta-p/1906... 

 

"My understanding is that the src IP is unknown before the interface has been chosen (the src IP will be the outgoing interface IP), and therefore the src in the SD-WAN rule must be set to 'all'."

 

Yes you are correct!

 

Cheers!!

 

 

 

PATELMM
byrsa08
New Contributor

Thanks for the update! I have already checked the proute lookup and it is OK, but why does the session information contain no SD-WAN info, like other regular (non-local-traffic) sessions handled by SD-WAN do?

 

Here is one example of a FortiGuard traffic session:

 

--

session info: proto=17 proto_state=01 duration=934 expire=85 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=900/9/1 reply=576/8/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=0->5/5->13 gwy=0.0.0.0/222.185.237.146
hook=out dir=org act=noop 222.185.237.146:17071->12.34.97.74:8888(0.0.0.0:0)
hook=in dir=reply act=noop 12.34.97.74:8888->222.185.237.146:17071(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=02df6a8b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local

--

Regards

Mo
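As an added example (not from any poster in this thread and not a Fortinet tool), the following Python script parses `diag sys session list` records like the one pasted above and reports, per session, whether it is local-out (state flag `local`, `policy_id=0`, `no_ofld_reason: local`) and whether it carries any `sdwan*` field at all. It uses the posted FortiGuard session as one sample and a second, constructed sample of a forwarded LAN-to-WAN session steered by an SD-WAN rule; the `sdwan_mbr_seq` / `sdwan_service_id` field names in that constructed record are an assumption about how FortiOS tags steered sessions, which this thread itself does not show. Running it over a real dump turns the question asked above into a mechanical check: which sessions to UDP 8888 have no SD-WAN marker.

```python
"""Parse FortiGate 'diag sys session list' records and report, per session,
whether it is local-out and whether it carries any SD-WAN marker."""
import re
from typing import Any, Dict, List

# Sample 1: the local-out FortiGuard session (UDP 8888) posted in the thread.
LOCAL_OUT_SESSION = """\
session info: proto=17 proto_state=01 duration=934 expire=85 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=900/9/1 reply=576/8/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=0->5/5->13 gwy=0.0.0.0/222.185.237.146
hook=out dir=org act=noop 222.185.237.146:17071->12.34.97.74:8888(0.0.0.0:0)
hook=in dir=reply act=noop 12.34.97.74:8888->222.185.237.146:17071(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=02df6a8b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
"""

# Sample 2: CONSTRUCTED record of a forwarded (LAN-to-WAN) session steered by
# an SD-WAN rule. The 'sdwan_mbr_seq'/'sdwan_service_id' names are an
# assumption about how FortiOS labels steered sessions; the thread shows none.
STEERED_SESSION = """\
session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=1200/10/1 reply=8000/12/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=7->5/5->7 gwy=203.0.113.1/10.10.10.20
hook=post dir=org act=snat 10.10.10.20:51234->198.51.100.10:443(203.0.113.2:51234)
hook=pre dir=reply act=dnat 198.51.100.10:443->203.0.113.2:51234(10.10.10.20:51234)
misc=0 policy_id=5 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=00012345 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=1
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def split_sessions(dump: str) -> List[str]:
    """Split a multi-session dump at every 'session info:' header."""
    parts = re.split(r"(?m)^(?=session info:)", dump)
    return [p for p in parts if p.strip()]


def parse_session(text: str) -> Dict[str, Any]:
    """One record -> dict. 'state' is the flag list, 'sdwan' collects every
    sdwan* field, and src/dst/ports come from the dir=org hook line."""
    rec: Dict[str, Any] = {"state": [], "sdwan": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("state="):
            rec["state"] = line[len("state="):].split()
        elif line.startswith("no_ofld_reason:"):
            rec["no_ofld_reason"] = line.split(":", 1)[1].strip()
        elif line.startswith("hook="):
            kv = dict(KV_RE.findall(line))
            m = FLOW_RE.search(line)
            if kv.get("dir") == "org" and m:
                rec["src"], rec["sport"] = m.group(1), int(m.group(2))
                rec["dst"], rec["dport"] = m.group(3), int(m.group(4))
        else:
            for k, v in KV_RE.findall(line):
                (rec["sdwan"] if k.startswith("sdwan") else rec).setdefault(k, v)
    return rec


def classify(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Local-out = traffic the FortiGate itself generated (no firewall policy,
    'local' state flag). Also report whether any SD-WAN marker is present."""
    local_out = "local" in rec["state"] or rec.get("no_ofld_reason") == "local"
    return {
        "flow": f"{rec.get('src')}:{rec.get('sport')}->{rec.get('dst')}:{rec.get('dport')}",
        "local_out": local_out,
        "policy_id": int(rec.get("policy_id", "0")),
        "sdwan_fields": rec["sdwan"],
        "sdwan_marked": bool(rec["sdwan"]),
    }


def sessions_without_sdwan_marker(dump: str, dport: int) -> List[Dict[str, Any]]:
    """The poster's question as a check: sessions to `dport` with no sdwan* field."""
    result = []
    for chunk in split_sessions(dump):
        rec = parse_session(chunk)
        if rec.get("dport") == dport:
            info = classify(rec)
            if not info["sdwan_marked"]:
                result.append(info)
    return result


if __name__ == "__main__":
    dump = LOCAL_OUT_SESSION + STEERED_SESSION
    for chunk in split_sessions(dump):
        print(classify(parse_session(chunk)))
    print("UDP 8888 sessions lacking an SD-WAN marker:",
          sessions_without_sdwan_marker(dump, 8888))
```

On a live box, paste the output of `diag sys session filter dport 8888` followed by `diag sys session list` into a file and feed it to `sessions_without_sdwan_marker`; the local-out record from the thread is flagged as `local_out=True` with an empty `sdwan_fields`, while the constructed forwarded record is not.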

SonaMuvv

Hello,

Generate continuous traffic from the source IP x.x.x.x for which the traffic should hit the SD-WAN rule.

- Then you can filter the session list using the source IP:

diag sys session filter src x.x.x.x

diag sys session list

- Now please check whether you are seeing the SD-WAN rule in the session list, and please paste the output here.

 

 

byrsa08

Hey,

 

I've tried the same on my FortiGate with different settings (system fortiguard with and without a source IP address / SD-WAN rule with that src address and with 'all' / destination with a specific FortiGuard address and with the FortiGuard ISDB).

 

I can tell you the SD-WAN rule is being hit, but there is no SD-WAN info whatsoever in the session (both in the CLI system session list and in the local traffic logs on the GUI). Maybe that is the 'normal' behaviour for local-out traffic?

 

Here is my test SD-WAN rule for the FortiGuard traffic:

 

[image: sd-wan.png]

khdanbo8
New Contributor

I ran into something like this as well. An alternative method that I used is to set a higher priority on the tunnel interface members from the CLI; that way, any self-originated traffic will egress the underlay without requiring an SD-WAN rule.

byrsa08

Hi,

 

Thanks for the input, but we want that particular local traffic (to FortiGuard) to be processed by SD-WAN; we just miss the SD-WAN information in the system session list, although the SD-WAN rule is clearly being hit :)

sean3
New Contributor III

Hi Byrsa08,

I did not go through the whole thread, but I have some experience with local-out traffic and SD-WAN.

we have an SD-WAN rule for destination 10.74.0.0/15 with source address set to All.

Then we configured the FortiClient EMS connection under Security Fabric in the FortiGate with 10.74.12.146 (port 443) as the destination EMS server (this is definitely local-out traffic). But I found that the connection to 10.74.12.146 failed, so I later found the article.

It mentioned: 10.20.99.2 is the firewall interface's IP address; traffic from it will be considered local-out traffic and by default it does not follow the SD-WAN rule. If the 'use-sdwan' option is enabled, it will follow the SD-WAN rule.

Then I found there is a static route with default priority 1 which will impact the connection, so I modified the priority of that static route and that local-out connection works.

 

Sean
