hothot
New Contributor

sdwan rule not effective

I want to test the diversion function of SD-WAN. My FortiGate has two WAN ports. I added wan1 to the SD-WAN zone, and the default route is via wan2. Then I ran tracert on a PC to check the effect, and the result shows that the traffic is forwarded via wan2 according to the default route. Does anyone know why?

Shilpa1
Staff

Hello,

There could be several reasons why the traffic is being routed through WAN2 instead of WAN1. Here are a few things you can check:

  1. Verify SD-WAN configuration: Make sure that the SD-WAN policy is configured correctly and is pointing to the correct WAN interface. Double-check the configuration of the SD-WAN rule to ensure that it is configured to use WAN1 as the primary link.

  2. Check route table: Check the routing table on the FortiGate to verify that the SD-WAN policy is installed correctly and that the route to the destination network is pointing to WAN1 as the preferred path.

  3. Check firewall policy: Make sure that the firewall policy for the traffic you are testing is correctly configured to use the SD-WAN policy. The firewall policy should be configured to use the SD-WAN policy as the routing method.

By verifying these settings, you should be able to determine why the traffic is not being routed through WAN1 as expected.

Regards,

Shilpa

hothot
New Contributor

I checked the configuration and did not find any problem. The following is my configuration. The default route is via lan3 (10.0.0.2). I want to use SD-WAN to send Google ICMP traffic out of wan (172.16.1.254), but it does not take effect.


FortiGate-40F # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.0.0.2, lan3, [112/0]
[10/0] via 172.16.1.254, wan, [200/0]


FortiGate-40F #
FortiGate-40F # diagnose firewall proute list
list route policy info(vf=root):

id=2138046466(0x7f700002) vwl_service=2(google-icmp) vwl_mbr_seq=1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(1) oif=5(wan)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Google-ICMP(65538,0,0,0,0)
hit_count=0 last_used=2023-04-21 02:32:55


FortiGate-40F (sdwan) # show
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "SDWAN"
next
end
config members
edit 1
set interface "wan"
set zone "SDWAN"
next
end
config service
edit 2
set name "google-icmp"
set src "all"
set internet-service enable
set internet-service-name "Google-ICMP"
set priority-members 1
next
end
end


FortiGate-40F (policy) # show
config firewall policy
edit 3
set name "inter-to-port3"
set uuid d87893be-df56-51ed-4a98-30d0e3d6840d
set srcintf "lan"
set dstintf "lan3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set name "lan-to-wan"
set uuid 66a6fe8e-e018-51ed-95b3-04244bc58479
set srcintf "lan"
set dstintf "SDWAN"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end

gfleming
Staff

You need to put both your WAN interfaces into the SD-WAN zone. And use the SD-WAN zone as your default gateway/default route. Then you can use SD-WAN rules to determine how your traffic is routed.


The way you have it now will not work as expected since the routing table has a higher-priority default route that is not your SD-WAN interface.


https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/889544/sd-wan-quick-start

Cheers,
Graham
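To make the point in this reply checkable against the outputs posted earlier in the thread, here is an added Python audit script. It is not Fortinet's code and not from anyone in this thread; it parses the `get router info routing-table all` and `diagnose firewall proute list` output the original poster pasted (embedded below as sample input), works out which default route FortiOS actually forwards on (lowest distance, then lowest priority value), and flags a preferred default route whose interface is not an SD-WAN member. The SD-WAN member set is passed in by hand, and the route-preference model is an assumption based on this thread and standard FortiOS behaviour.

```python
import re

# Sample input: outputs copied from the original poster's FortiGate-40F posts above,
# embedded here so the audit runs offline.
ROUTING_TABLE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.0.0.2, lan3, [112/0]
[10/0] via 172.16.1.254, wan, [200/0]
"""

PROUTE_LIST = """\
list route policy info(vf=root):

id=2138046466(0x7f700002) vwl_service=2(google-icmp) vwl_mbr_seq=1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(1) oif=5(wan)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Google-ICMP(65538,0,0,0,0)
hit_count=0 last_used=2023-04-21 02:32:55
"""

# "S* 0.0.0.0/0 <rest>" -> prefix and the rest of the line
PREFIX_RE = re.compile(r"^[A-Z]+\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(.*)$")
# "[distance/metric] via <nexthop>, <intf>, [priority/0]"
NEXTHOP_RE = re.compile(r"\[(\d+)/\d+\] via (\S+), (\S+), \[(\d+)/\d+\]")


def parse_routing_table(text):
    """Flatten the routing table into one dict per next hop.
    FortiOS prints additional next hops for the same prefix on continuation
    lines without repeating the prefix, so the last prefix seen is carried forward."""
    routes, prefix = [], None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix, line = m.group(1), m.group(2)
        n = NEXTHOP_RE.search(line)
        if n and prefix:
            routes.append({"prefix": prefix, "distance": int(n.group(1)),
                           "via": n.group(2), "intf": n.group(3),
                           "priority": int(n.group(4))})
    return routes


def parse_proute_list(text):
    """Pull the rule name and the chosen output interface out of each 'id=' line."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("id="):
            continue
        name = re.search(r"vwl_service=\d+\(([^)]+)\)", line)
        oif = re.search(r"oif=\d+\(([^)]+)\)", line)
        rules.append({"name": name.group(1) if name else "?",
                      "oif": oif.group(1) if oif else None})
    return rules


def audit(routes, rules, sdwan_members):
    """Return a list of findings; an empty list means the layout matches the advice in this thread."""
    findings = []
    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0"]
    if not defaults:
        return ["no default route present"]
    # Assumed FortiOS preference: lowest distance wins; among equal distances the
    # lowest priority value wins (112 beats 200 in the posted table).
    best = min(r["distance"] for r in defaults)
    active = min((r for r in defaults if r["distance"] == best), key=lambda r: r["priority"])
    if active["intf"] not in sdwan_members:
        findings.append(
            f"preferred default route leaves via {active['intf']} (priority {active['priority']}), "
            f"which is not an SD-WAN member; per this thread the SD-WAN rules will not take effect")
    for rule in rules:
        if rule["oif"] not in sdwan_members:
            findings.append(f"rule {rule['name']} selects {rule['oif']}, which is not an SD-WAN member")
        elif not any(r["intf"] == rule["oif"] for r in defaults):
            findings.append(f"rule {rule['name']} selects {rule['oif']} but no default route exits there")
    return findings


def run_audit(sdwan_members):
    """Audit the embedded outputs against a given SD-WAN member set."""
    return audit(parse_routing_table(ROUTING_TABLE), parse_proute_list(PROUTE_LIST), set(sdwan_members))


if __name__ == "__main__":
    # First case is the poster's original layout (only wan in SD-WAN); second is after
    # lan3 was added to the zone, which the poster reported made the rule work.
    for members in ({"wan"}, {"wan", "lan3"}):
        print(sorted(members), run_audit(members) or ["OK"])
```

Run it as-is to see the original layout flagged and the corrected one pass; to use it on your own box, paste your own two outputs into the two strings and pass your SD-WAN member interfaces to `run_audit`.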
hothot

Thank you for your reply. After I added the lan3 port to the SD-WAN zone, the SD-WAN rule worked, but I did not change the default route to the SD-WAN interface. Now I really want to know what the prerequisite is for the SD-WAN rule to work, and its decision logic about the route, not simply how I should configure it. Thank you.

gfleming

Well, you should have a default route out the SD-WAN interface. So let's see your routing config; please show the output of "show router static".

Cheers,
Graham
hothot

Here is my route. I found that I had to set a default route whose next hop was the egress corresponding to the SD-WAN zone. Because I wanted to set only some specific traffic to go out from the SD-WAN zone, this default route could not take effect. If I did not add this default route, the SD-WAN rule would not take effect.

--------------------------------------------------

FortiGate-40F # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.0.0.2, lan3, [112/0]
[10/0] via 172.16.1.254, wan, [200/0]

--------------------------------------------


gfleming

Please read the linked documentation.


Your SD-WAN rules will not work properly until your default gateway is pointing to the SD-WAN zone.

Cheers,
Graham