Description
Scope
For version 6.2.4 and later.
Solution
Taking FortiGuard as an example here.
# config system fortiguard
set interface-select-method {auto|sdwan|specify}
The outgoing interface for locally-originated traffic can be configured using one of the following three options.
1) Auto: the default. When used, the traffic matches the implicit rule in the SD-WAN rules.
# config system fortiguard
set interface-select-method auto
end
With the above config, the selection method is set to auto.
Check the settings of the implicit SD-WAN rule: the traffic is forwarded according to that rule.
For example, if the config is as follows:
# config system virtual-wan-link
set status enable
set load-balance-mode usage-based <----- Spillover method.
end
The traffic is forwarded to the first SD-WAN member and keeps using that member until its bandwidth reaches the configured limit.
The other load-balancing methods are listed here:
https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/216765/implicit-rule
2) SD-WAN: used to match specific SD-WAN rules.
The traffic is matched against the SD-WAN rules defined for that traffic.
For example, if FortiGuard traffic goes via the WAN1 interface and there is an SD-WAN rule for it, the traffic will be matched against that rule.
# config system fortiguard
set interface-select-method sdwan
end
3) Specify: a specific interface must be specified.
This is straightforward: to use a specific interface for specific traffic, just define it.
# config system fortiguard
set interface-select-method specify
set interface wan1
end
Note.
This setting cannot be enabled globally on the FortiGate for all locally-originated traffic.
It must be specified individually for each type of locally-originated traffic.
Example.
DNS.
# config system dns
set interface-select-method [auto|sdwan|...]
set interface {string}
end
FortiGuard.
# config system fortiguard
set interface-select-method [auto|sdwan|...]
set interface {string}
end
RADIUS.
# config user radius
set interface-select-method [auto|sdwan|...]
set interface {string}
end
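Because the interface selection method has to be set per service rather than globally, it is easy to lose track of which local-out services still follow the implicit SD-WAN rule. The following script is an added example (not from the original article or from Fortinet) that walks a FortiOS configuration dump, collects `interface-select-method` and `interface` for the three sections shown above (`system fortiguard`, `system dns`, `user radius`), and reports services left on `auto` or set to `specify` without an interface. The sample configuration is constructed for illustration; the choice to treat `specify` without `set interface` as a finding is the example's own audit rule, not documented FortiOS behavior.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed FortiOS configuration excerpt (illustrative, not taken from a device).
SAMPLE_CONFIG = """\
config system fortiguard
    set interface-select-method specify
    set interface "wan1"
end
config system dns
    set primary 192.0.2.53
    set interface-select-method sdwan
end
config user radius
    edit "radius-hq"
        set server "192.0.2.10"
        set interface-select-method specify
        config accounting-server
            edit 1
                set server "192.0.2.11"
            next
        end
    next
    edit "radius-branch"
        set server "192.0.2.12"
    next
end
"""

# Local-out sections shown in the article that accept interface-select-method.
LOCAL_OUT_SECTIONS = ("system fortiguard", "system dns", "user radius")
METHOD_RE = re.compile(r'^set interface-select-method (\S+)$')
INTERFACE_RE = re.compile(r'^set interface "?([^"\s]+)"?$')

Setting = Dict[str, Optional[str]]


def parse_local_out(config_text: str) -> Dict[str, Setting]:
    """Collect interface-select-method / interface for each local-out section.

    Single-object sections are keyed by section name; table sections such as
    'user radius' are keyed per entry as 'user radius/<name>'. A section with
    no 'set interface-select-method' line is recorded as the default 'auto'.
    """
    stack: List[str] = []        # currently open "config ..." sections
    entry: Optional[str] = None  # current "edit ..." object in a table section
    results: Dict[str, Setting] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            name = line[len("config "):]
            stack.append(name)
            if name in LOCAL_OUT_SECTIONS and name != "user radius":
                results[name] = {"method": "auto", "interface": None}
            continue
        if line == "end":
            if stack:
                stack.pop()
            continue
        section = stack[-1] if stack else None
        if section not in LOCAL_OUT_SECTIONS:
            continue  # unrelated or nested section (e.g. accounting-server)
        if line.startswith("edit "):
            entry = section + "/" + line[len("edit "):].strip('"')
            results[entry] = {"method": "auto", "interface": None}
            continue
        if line == "next":
            entry = None
            continue
        key = entry if entry else section
        m = METHOD_RE.match(line)
        if m:
            results[key]["method"] = m.group(1)
            continue
        m = INTERFACE_RE.match(line)
        if m:
            results[key]["interface"] = m.group(1)
    return results


def audit_local_out(config_text: str) -> List[Tuple[str, str]]:
    """Return (service, finding) pairs for services an operator should review."""
    findings: List[Tuple[str, str]] = []
    for key, s in sorted(parse_local_out(config_text).items()):
        if s["method"] == "specify" and not s["interface"]:
            findings.append((key, "specify without 'set interface': no egress interface pinned"))
        elif s["method"] == "auto":
            findings.append((key, "auto: follows the implicit SD-WAN rule"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_local_out(SAMPLE_CONFIG):
        print(f"{service}: {finding}")
```

Run against a `show full-configuration` export, the report lists each RADIUS server separately, which matches the per-server option the GUI exposes in 7.0 when several servers are defined.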
From version 7.0, it is possible to select how specific local traffic will be routed out.
First, enable the option in Feature Visibility:
System -> Feature Visibility -> Local Out Routing.
Then, depending on the service, the setting can be changed in a specific VDOM or in Global:
Network -> Local Out Routing.
The outgoing interface methods are as described at the beginning.
Some services might not be visible in the GUI.
For example, if no LDAP server is configured, the LDAP service is not shown in the tab; it appears only once an LDAP server is configured.
If there are multiple servers, an option to change the behavior per server will appear.
Related articles.
https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/216765/implicit-rule
https://docs.fortinet.com/document/fortigate/6.2.4/cli-reference/110620/system-fortiguard
Copyright 2023 Fortinet, Inc. All Rights Reserved.