I want to test the diversion function of SDWAN. My Fortinet has two WAN ports. I added wan1 to the SDWAN area, and the default route is via wan2. Then I ran tracert on a PC to check the effect, and the result shows that the data is forwarded by wan2 according to the default route. Does anyone know why?
Hello,
There could be several reasons why the traffic is being routed through WAN2 instead of WAN1. Here are a few things you can check:
Verify SD-WAN configuration: Make sure that the SD-WAN policy is configured correctly and is pointing to the correct WAN interface. Double-check the configuration of the SD-WAN rule to ensure that it is configured to use WAN1 as the primary link.
Check route table: Check the routing table on the FortiGate to verify that the SD-WAN policy is installed correctly and that the route to the destination network is pointing to WAN1 as the preferred path.
Check firewall policy: Make sure that the firewall policy for the traffic you are testing is correctly configured to use the SD-WAN policy. The firewall policy should be configured to use the SD-WAN policy as the routing method.
By verifying these settings, you should be able to determine why the traffic is not being routed through WAN1 as expected.
Regards,
Shilpa
I checked the configuration and did not find any problem. The following is my configuration. The default route is via lan3 (10.0.0.2). I want to use SD-WAN to send Google ICMP traffic out of wan (172.16.1.254), but it does not take effect.
FortiGate-40F # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.0.0.2, lan3, [112/0]
[10/0] via 172.16.1.254, wan, [200/0]
FortiGate-40F #
FortiGate-40F # diagnose firewall proute list
list route policy info(vf=root):
id=2138046466(0x7f700002) vwl_service=2(google-icmp) vwl_mbr_seq=1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(1) oif=5(wan)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Google-ICMP(65538,0,0,0,0)
hit_count=0 last_used=2023-04-21 02:32:55
FortiGate-40F (sdwan) # show
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SDWAN"
        next
    end
    config members
        edit 1
            set interface "wan"
            set zone "SDWAN"
        next
    end
    config service
        edit 2
            set name "google-icmp"
            set src "all"
            set internet-service enable
            set internet-service-name "Google-ICMP"
            set priority-members 1
        next
    end
end
FortiGate-40F (policy) # show
config firewall policy
    edit 3
        set name "inter-to-port3"
        set uuid d87893be-df56-51ed-4a98-30d0e3d6840d
        set srcintf "lan"
        set dstintf "lan3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "lan-to-wan"
        set uuid 66a6fe8e-e018-51ed-95b3-04244bc58479
        set srcintf "lan"
        set dstintf "SDWAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
You need to put both your WAN interfaces into the SD-WAN zone and use the SD-WAN zone as your default gateway/default route. Then you can use SD-WAN rules to determine how your traffic is routed.
The way you have it now will not work as expected since the routing table has a higher-priority default route that is not your SD-WAN interface.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/889544/sd-wan-quick-start
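The configuration this reply calls for, written out as an added example (it is not from the original thread or from the linked guide) against the interface names and gateways in the outputs above. It assumes FortiOS 7.x CLI syntax, in which a static route is pointed at an SD-WAN zone with `set sdwan-zone` and each member carries its own `set gateway`; the zone name "SDWAN" and the rule "google-icmp" are the poster's own.

```fortios
config system sdwan
    set status enable
    config zone
        edit "SDWAN"
        next
    end
    config members
        edit 1
            set interface "wan"
            set gateway 172.16.1.254
            set zone "SDWAN"
        next
        edit 2
            set interface "lan3"
            set gateway 10.0.0.2
            set zone "SDWAN"
        next
    end
    config service
        edit 2
            set name "google-icmp"
            set src "all"
            set internet-service enable
            set internet-service-name "Google-ICMP"
            set priority-members 1
        next
    end
end

config router static
    edit 1
        set sdwan-zone "SDWAN"
    next
end
```

Delete the `inter-to-port3` policy (dstintf "lan3") before adding lan3 as a member: FortiOS refuses to add an interface that a firewall policy references directly, and the existing `lan-to-wan` policy to the "SDWAN" zone already covers that traffic. Afterwards `get router info routing-table all` should list the default route only via the zone members, and `diagnose firewall proute list` should start showing a non-zero hit_count on the google-icmp rule once matching traffic flows.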
Created on 04-21-2023 07:49 PM Edited on 04-21-2023 07:53 PM
Thank you for your reply. After I added the lan3 port to the sdwan area, the sdwan rule worked, but I did not change the default route to the SD-WAN interface. Now I really want to know what the prerequisite is for the SDWAN rule to work, and its judgment logic about the route, not simply how I should configure it. Thank you.
Well, you should have a default route out the SD-WAN interface. So let's see your routing config; please show the output of "show router static".
Here is my route. I found that I had to set a default route whose next hop was the egress corresponding to the SDWAN area. Because I wanted to set some specific traffic to go out from the SDWAN area, this default route could not take effect. If I did not add this default route, the sdwan rule would not take effect.
--------------------------------------------------
FortiGate-40F # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.0.0.2, lan3, [112/0]
[10/0] via 172.16.1.254, wan, [200/0]
--------------------------------------------
Please read the linked documentation.
Your SD-WAN rules will not work properly until your default gateway is pointing to the SD-WAN zone.
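A small check that turns the point made in the last two replies into something you can run against pasted CLI output, added here as an example and not taken from the thread or from Fortinet. It parses the `get router info routing-table all` and `config system sdwan` text posted above, finds the preferred default route, and reports whether that route leaves through an SD-WAN member. It assumes the route-selection order visible in the thread's own output (equal-distance default routes, the one with the lower priority value in the trailing bracket wins, which is why lan3 [112/0] beat wan [200/0]); the "after" configuration with lan3 as a second member is constructed to mirror the poster's follow-up.

```python
"""Added diagnostic, not FortiOS or Fortinet code: report whether the preferred
default route exits via an SD-WAN member, the prerequisite named in this thread."""
import re
from dataclasses import dataclass

# Copied from the routing table posted above (legend trimmed).
ROUTING_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.0.0.2, lan3, [112/0]
[10/0] via 172.16.1.254, wan, [200/0]
"""

# Copied from the poster's config, trimmed to the members section.
SDWAN_CONFIG_BEFORE = """\
config system sdwan
config members
edit 1
set interface "wan"
set zone "SDWAN"
next
end
end
"""

# Constructed: the poster's follow-up state, lan3 added as a second member.
SDWAN_CONFIG_AFTER = """\
config system sdwan
config members
edit 1
set interface "wan"
set zone "SDWAN"
next
edit 2
set interface "lan3"
set zone "SDWAN"
next
end
end
"""


@dataclass
class Route:
    prefix: str
    distance: int
    metric: int
    gateway: str
    iface: str
    priority: int


# One FIB line: "[distance/metric] via gw, iface, [priority/weight]"; the route
# code and prefix appear only on the first line of an ECMP group.
ROUTE_RE = re.compile(
    r"^(?:(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+/\d+)\s+)?"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>[\d.]+),\s+"
    r"(?P<iface>[^,]+),\s+\[(?P<priority>\d+)/\d+\]$"
)


def parse_routing_table(text):
    routes, prefix = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix = m.group("prefix") or prefix  # continuation lines inherit the prefix
        routes.append(Route(prefix, int(m.group("distance")), int(m.group("metric")),
                            m.group("gw"), m.group("iface"), int(m.group("priority"))))
    return routes


def parse_sdwan_members(text):
    """Return {interface: zone} for every entry under `config members`."""
    members, stack, iface, zone = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line.split(None, 1)[1])
        elif line == "end":
            stack.pop()
        elif stack and stack[-1] == "members":
            if line.startswith("set interface "):
                iface = line.split('"')[1]
            elif line.startswith("set zone "):
                zone = line.split('"')[1]
            elif line == "next" and iface:
                members[iface] = zone
                iface = zone = None
    return members


def sdwan_default_route_check(routing_text, sdwan_text):
    """Report whether the preferred default route exits via an SD-WAN member."""
    members = parse_sdwan_members(sdwan_text)
    defaults = [r for r in parse_routing_table(routing_text) if r.prefix == "0.0.0.0/0"]
    if not defaults:
        return {"ok": False, "preferred": None, "members_with_default": [], "members": members}
    # Assumption matching the thread's output: lowest distance wins, then the
    # lowest priority value among equal-distance routes (lan3 [112/0] beat wan [200/0]).
    preferred = min(defaults, key=lambda r: (r.distance, r.priority))
    return {
        "ok": preferred.iface in members,
        "preferred": preferred.iface,
        "members_with_default": sorted(r.iface for r in defaults if r.iface in members),
        "members": members,
    }


if __name__ == "__main__":
    for label, cfg in (("before", SDWAN_CONFIG_BEFORE), ("after adding lan3", SDWAN_CONFIG_AFTER)):
        res = sdwan_default_route_check(ROUTING_TABLE, cfg)
        verdict = "SD-WAN rules can steer it" if res["ok"] else "regular routing wins, rules bypassed"
        print(f"{label}: preferred default via {res['preferred']} -> {verdict}")
```

On the thread's outputs the "before" run reports the preferred default via lan3, which is not a member, so the SD-WAN rule never sees the traffic; with lan3 added as a member the same routing table passes, which matches what the poster observed after the change. Paste the full output of both commands in place of the sample strings to check a different box.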