_panda_

Using SD-WAN for Central-Management traffic to Fortimanager Cloud

Hi,


FortiGate - 7.4.9

Fortimanager Cloud - v7.4.8


I am configuring a FortiGate to use SD-WAN for connectivity to FortiManager Cloud and FortiGuard (plus more services once I have a confirmed config), and am hoping to get some feedback on the best way to configure this.


I have configured central-management to use sdwan (following this page):


config system central-management
    set interface-select-method sdwan
end


All seems OK; however, the FortiGate doesn't want to connect using the best connection. The firewall is connected to an FTTC and a 4G router. The FTTC connection has lower latency and jitter, but the firewall always seems to want to connect to FortiManager Cloud using the 4G.


Note the 4G interface is DHCP and the FTTC is using a fixed IP.

The default route on the FortiGate is pointing to the sdwan-zone as the interface.

Other SDWAN rules seem to work fine.


Whether I just leave the SD-WAN rules blank and use the default 'sd-wan' rule, use a generic 'Best_Internet' rule with 'All' as the source and destination and the FTTC given the interface preference, or use the rule with (Source - All, Destination - Internet Services: FortiCloud, FortiGuard), the firewall always wants to use the 4G to connect to FortiManager Cloud. If I disconnect the 4G it will move over to the FTTC.

[Screenshot: SDWAN-RULE2.PNG]


The link above doesn't detail anything more regarding any specific SD-WAN rules that should be in place, or whether you should set a source interface (and if so, should this be a loopback etc.? This link would suggest not to do this). The guide shows the command 'set interface <interface>', which is not even an option on the FortiGate. There is the option 'fmg-source-ip'.


I suppose my question is: what is the recommended config for using SD-WAN for the central-management traffic, other than the 'set interface-select-method sdwan' command?


Thanks in advance!


funkylicious
SuperUser

Hi,

Can you confirm, from 'get router info routing-table all', that both routes/interfaces are installed in the RIB?

Also, if I recall correctly, local-out/locally generated traffic isn't subject to SD-WAN rules/performance SLA, just traffic going through the firewall.

If you need a specific interface to use a service, I would encourage you to manually specify it.

"jack of all trades, master of none"
_panda_

Hi,


So, I've just been overthinking it and have tripped myself up. I realised what the issue was: the FortiGate automatically gives WAN interfaces set to DHCP a distance of 5. The static route (pointing to the sdwan-zone) had a manually configured distance of 20.


I changed the 4G interface settings to manual. Both routes immediately appeared in the routing table and the connection to FortiManager Cloud jumped over to the FTTC straight away.


I have put the specific Fortinet Services SD-WAN rule back: Source 'All', Destination Services 'Fortinet-DNS, Fortinet-FortiCloud, Fortinet-FortiGuard', which should be everything (?).


I haven't set any source interface or IP. The only one that would make sense would be a loopback but unless I can find an official guide by Fortinet on what other firewall rules or NAT would need to be in place, I'll leave this.


Thanks for coming back to me so soon. Much appreciated.
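The two settings this thread converges on, written out as an added example that is not taken from the posts above: aligning the DHCP interface's injected default-route distance with the static sdwan-zone route (an alternative to switching the 4G interface to manual addressing), plus the Fortinet-services SD-WAN rule. FortiOS 7.4 CLI syntax, the interface names wan1 (FTTC, static IP) and wan2 (4G, DHCP), the SD-WAN member IDs 1 and 2, and the distance value 20 are assumptions; the '#' lines are annotations, not CLI input.

```text
# Added example, not from the thread. Assumed: SD-WAN member 1 = wan1 (FTTC),
# member 2 = wan2 (4G, DHCP); static default route to the SD-WAN zone at distance 20.
#
# Cause described in the thread: a DHCP WAN interface injects a default route at
# distance 5, which beats the static sdwan-zone route at distance 20, so only the
# 4G path is installed in the RIB. Keeping DHCP but matching the distance lets
# both default routes coexist and SD-WAN steering decide between them.
config system interface
    edit "wan2"
        set mode dhcp
        set distance 20
    next
end

config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
        set distance 20
    next
end

# Central-management traffic is steered by SD-WAN rules once this is set
# (as in the original post).
config system central-management
    set interface-select-method sdwan
end

# Rule for the Fortinet services named in the thread, preferring the FTTC member
# and falling back to 4G.
config system sdwan
    config service
        edit 1
            set name "Fortinet_Services"
            set mode manual
            set src "all"
            set internet-service enable
            set internet-service-name "Fortinet-FortiGuard" "Fortinet-FortiCloud" "Fortinet-DNS"
            set priority-members 1 2
        next
    end
end
```

Check the result with 'get router info routing-table all' (both default routes should now be listed) and 'diagnose sys sdwan service' (the rule should show member 1 selected while the FTTC is up).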
