Why is the traffic following the SD-WAN rule in this case?
Greetings friend,
I created an IPsec tunnel named OL_INET_AZ and added it to an SD-WAN zone, but there is NO SD-WAN rule using this IPsec tunnel as the outgoing interface.
there are 3 static routes:
S 10.74.0.0/15 [10/0] via 1.2.3.4, port17, [1/0]
                  [10/0] via OL_INET_SKO tunnel a.b.c.d, [20/0]
S 10.75.0.0/23 [10/0] via OL_INET_AZ tunnel v.w.x.y, [1/0]
Now my LAN network wants to talk to 10.75.1.68 via OL_INET_AZ. From the routing table, 10.75.0.0/23 via OL_INET_AZ is the best route as it is the most specific. When I ping 10.75.1.68 from the FortiGate itself, the traffic goes through OL_INET_AZ, but if I ping from a LAN host behind the FortiGate (and behind the core switch), it hits the SD-WAN rule with destination 10.74.0.0/15 and goes through port17.
The SD-WAN routing logic says SD-WAN rules are matched only if the best route to the destination points to SD-WAN. Will this rule be applicable even though the IPsec tunnel is not used by any SD-WAN rule (but is added to an SD-WAN zone)?
If I want to achieve my goal that the traffic to 10.75.1.68 goes through OL_INET_AZ, I need to either:
- remove OL_INET_AZ from the SD-WAN zone, to make it a non-SD-WAN member interface, or
- create an SD-WAN rule for 10.75.0.0/23 and add OL_INET_AZ as the outgoing interface for this rule.
Am I right?
Thanks
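As an added illustration (written for this page, not code from the post or from Fortinet), here is a small Python model of the forwarding decision the question describes: a longest-prefix route lookup first, then the SD-WAN rules evaluated top-down only when the best route's egress interface is an SD-WAN member, with a rule member used only if it has a route covering the destination. The interface names, subnets and the destination host are taken from the post; the rule names, the assumption that OL_INET_SKO is also a zone member, and the assumption that FortiGate-originated traffic follows the routing table only (which is what the poster observed) are mine. Beyond the post's two fixes, it shows a caveat worth checking: SD-WAN rules are ordered, not longest-prefix, so the new /23 rule must sit above the /15 rule to take effect.

```python
"""Constructed model of the FortiGate forwarding decision described in the post.
Not FortiOS code: it encodes only the route lookup, zone membership and
top-down SD-WAN rule match discussed in the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    distance: int = 10
    priority: int = 1


@dataclass(frozen=True)
class SdwanRule:
    name: str
    dst: str          # destination prefix the rule matches (source/service omitted)
    members: tuple    # manual strategy: outgoing interfaces in preference order


@dataclass
class Fortigate:
    routes: list
    sdwan_members: set   # interfaces that belong to some SD-WAN zone
    sdwan_rules: list    # evaluated top-down, first matching rule wins

    def _covering(self, dst):
        ip = ipaddress.ip_address(dst)
        return [r for r in self.routes if ip in ipaddress.ip_network(r.prefix)]

    def best_route(self, dst):
        """Longest prefix wins, then lowest distance, then lowest priority value."""
        cands = self._covering(dst)
        if not cands:
            return None
        return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                         r.distance, r.priority))

    def egress(self, dst, self_originated=False):
        """Return (interface, reason) for traffic to dst."""
        route = self.best_route(dst)
        if route is None:
            return None, "no route"
        if self_originated:  # assumption: local-out traffic skips SD-WAN rules
            return route.interface, "routing table (self-originated)"
        if route.interface not in self.sdwan_members:
            return route.interface, "routing table (best route not via SD-WAN)"
        # Best route points to SD-WAN: walk the rules in configured order.
        reachable = {r.interface for r in self._covering(dst)}
        ip = ipaddress.ip_address(dst)
        for rule in self.sdwan_rules:
            if ip not in ipaddress.ip_network(rule.dst):
                continue
            for member in rule.members:
                if member in reachable:  # member needs a route covering dst
                    return member, f"sd-wan rule {rule.name!r}"
        return route.interface, "routing table (no SD-WAN rule matched)"


# Scenario from the post (OL_INET_SKO zone membership and rule names assumed).
ROUTES = [
    Route("10.74.0.0/15", "port17", priority=1),
    Route("10.74.0.0/15", "OL_INET_SKO", priority=20),
    Route("10.75.0.0/23", "OL_INET_AZ", priority=1),
]
RULE_15 = SdwanRule("to-10.74.0.0/15", "10.74.0.0/15", ("port17",))
RULE_23 = SdwanRule("to-10.75.0.0/23", "10.75.0.0/23", ("OL_INET_AZ",))
ALL_MEMBERS = {"port17", "OL_INET_SKO", "OL_INET_AZ"}
DST = "10.75.1.68"


def as_posted():
    return Fortigate(ROUTES, set(ALL_MEMBERS), [RULE_15])


def fix_remove_member():
    """Option 1: OL_INET_AZ is no longer an SD-WAN member."""
    return Fortigate(ROUTES, ALL_MEMBERS - {"OL_INET_AZ"}, [RULE_15])


def fix_add_rule(above=True):
    """Option 2: add a /23 rule; 'above' controls its position relative to the /15 rule."""
    rules = [RULE_23, RULE_15] if above else [RULE_15, RULE_23]
    return Fortigate(ROUTES, set(ALL_MEMBERS), rules)


if __name__ == "__main__":
    cases = [
        ("as posted, ping from FortiGate", as_posted(), True),
        ("as posted, ping from LAN host", as_posted(), False),
        ("fix 1: AZ removed from zone", fix_remove_member(), False),
        ("fix 2: /23 rule above /15 rule", fix_add_rule(above=True), False),
        ("fix 2 misordered: /23 rule below", fix_add_rule(above=False), False),
    ]
    for label, fg, local in cases:
        print(f"{label}: {fg.egress(DST, self_originated=local)}")
```

Run it to see the LAN-host case land on port17 while the FortiGate's own ping uses OL_INET_AZ, and note the misordered variant of fix 2 still goes out port17.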
Thanks for the reply.
I've configured the SD-WAN rule with the Manual strategy using that IPsec tunnel, which works as expected. I just want to confirm that, although the IPsec tunnel is not used by any SD-WAN rule but is added to an SD-WAN zone, SD-WAN will still take precedence for traffic routing if it meets the requirements of the SD-WAN routing logic. Could you please help confirm?
Thanks
Hello,
Please first confirm that you have a firewall policy configured to allow LAN users to connect to the specific subnet using the tunnel. You can also try configuring an SD-WAN rule to forward traffic to the tunnel.