Two default routes and SD-WAN
Hello,
I have two WAN interfaces in SD-WAN and a third WAN interface alone. I want to have two default routes, one over SD-WAN with distance 20 and one over the third interface with distance 10. The FortiGate does not allow me to do so, with a message: "You cannot have duplicated routes on SD-WAN and non SD-WAN interfaces.".
Now, I remember that in the past, on the same FG but in a different FortiOS version, I could do that. Now my FG is running 6.0.8. Has something changed? Besides, I don't understand why FortiOS shouldn't allow me the option to have two default routes with different distances, no matter if I use SD-WAN or not.
Thanks
Hi,
The reason is that the system handles policy routes as taking precedence over the static routes. In this case, policy routes means SD-WAN rules. What Fortinet wants us to do is have 1 default route to the SD-WAN zone and then use the rules to route the traffic. For better or worse.
Your answer is somewhere in here...
I've been in a couple situations as yours and what I do is add the 3rd WAN interface into the SD-WAN zone.
Fortinet also allows you to add default routes to the different interfaces that are part of SD-WAN (and then no default route to the SD-WAN interface itself).
Yes, I had to set this on our devices on the advice of the TAC - if the DR is set to SD-WAN, self-originated traffic (DNS, FortiGuard etc.) does not work. Although everywhere in the KB it is stated that the DR should be set to SD-WAN only - it's a mess :\
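Added example (not posted by anyone in this thread): the per-member layout the two replies above describe, written out as FortiOS 6.0-style CLI so it can be compared against a running config. Interface names, gateway addresses and the standalone third WAN (wan3, distance 10, as in the original question) are assumed values; `virtual-wan-link` is the 6.0 name of the SD-WAN object (`sdwan` in later releases). Whether 6.0.8 accepts the standalone-interface default route next to the member routes is an assumption to confirm on the box.

```fortios
# Added example - assumed interface names and RFC 5737 gateway addresses.
# Two members in the SD-WAN object; no static route points at
# "virtual-wan-link" itself, so self-originated traffic (DNS, FortiGuard)
# follows the ordinary per-interface default routes.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
end

config router static
    # One default route per SD-WAN member, equal distance so both stay active.
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 20
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
    # Standalone third WAN, preferred by the lower distance (assumed layout
    # from the original question; check that 6.0.8 accepts it beside edits 1-2).
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "wan3"
        set distance 10
    next
end

# Verify which default route is installed and how the members are seen:
#   get router info routing-table all
#   diagnose sys virtual-wan-link member
```

Only the default route with the lowest distance is installed in the routing table, so with the values above wan3 carries traffic until it goes down and the two distance-20 member routes take over; the `get router info routing-table all` output is the quickest way to see which `0.0.0.0/0` entry is active after a change.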
I had the opposite reaction from support: when I shared my setup, they told me to configure the default route to the SD-WAN interface. I got quite annoyed about that.
There are two ways, and that should be clearly documented and supported.
As for the self-originated traffic issues, I feel your pain: regular customer calls about FortiGuard traffic failing, causing a manual config change until the regular interface is fine again.
6.4 is solving the only-one-SD-WAN-interface issue; I hope the self-originated traffic is soon to follow, then finally SD-WAN is very usable.
