Description
Scope
FortiGate v6.2.4 and later.
Solution
As of FortiOS v6.2.4, the interface-select-method CLI option was added to several config sections on the FortiGate that control self-originating traffic such as DNS, FortiGuard, RADIUS, LDAP, TACACS+, and Central Management (i.e. FortiManager/FortiGate Cloud). Note that this setting is configured on a per-traffic-type basis and
is not available as a global command (i.e. it cannot be set once and applied to all traffic, it must be set under each CLI section if necessary).
Consider the FortiGuard section as an example:
config system fortiguard
set interface-select-method {auto|sdwan|specify}
Under 'set interface-select-method', there are three options available:
- auto: default behavior where the FortiGate will select the best path to the associated destinations (in this case, FortiGuard server addresses) via the route table/Forward Information Base (FIB). Notably, this traffic will not match any explicit/user-defined SD-WAN rules, and instead, it will follow the implicit SD-WAN rule if the best-path is via an SD-WAN zone interface.
For example, if the implicit SD-WAN rule is configured with a set load-balance-mode usage-based (aka Spillover method) then this self-originated FortiGuard traffic will utilize the first SD-WAN member and will keep forwarding traffic until bandwidth reaches the spillover limit (see also: Implicit rule).
config system virtual-wan-link
set status enable
set load-balance-mode usage-based <----- Spillover method.
end
-
sdwan: Allows the self-originated traffic to follow user-defined SD-WAN rules.
For example, if a Manual SD-WAN rule exists to send FortiGuard traffic out via WAN2 and set interface-select-method sdwan is configured then the FortiGate will send traffic out via the WAN2 interface, rather than being potentially load-balanced via the implicit SD-WAN rule. -
specify: self-originating traffic will only ever attempt to be transmitted via the specified interface.
Important Note:
The FortiGate must have a route in the routing table/FIB for the destinations associated with this self-originating traffic (e.g. if DMZ is the specified interface to reach RADIUS server 10.0.0.1 then the FortiGate must have a valid route to 10.0.0.1 via the DMZ interface). If a route does not exist then the FortiGate will not be able to send traffic out to the destination.
After configuring the set interface-select-method specify, the interface option will become available for specifying a single outgoing interface to use for this set of traffic:
config system fortiguard
set interface-select-method specify
set interface wan1
end
The following are some of the original places in the CLI where interface-select-method can be configured, though note that over time many (if not all) of the FortiGate CLI sections regarding self-originated traffic have had interface-select-method added as a capability. Check the FortiOS CLI References for a given FortiOS version to see which CLI options support this (search for 'interface-select-method'): FortiOS CLI reference.
- DNS (config system dns).
- Per-VDOM DNS (config system vdom-dns).
- FortiGuard (config system fortiguard).
- LDAP (config user ldap).
- RADIUS (config user radius).
- FortiManager/FortiGate Cloud Central Management (config system central-management).
- FortiAnalyzer (config log fortianalyzer setting).
- FortiAnalyzer Cloud (config log fortianalyzer-cloud setting).
- TACACS+ (config user tacacs+).
- NTP (config system ntp).
- FSSO (config user fsso) **.
- Certificate (config vpn certificate setting).
- Security Fabric (config system csf)***.
- NTP (config system ntp).
- Syslog server (config log syslogd setting).
** Using interface-select-method sdwan with FSSO can be very useful when the Collector Agent is accessed over two or more redundant IPsec tunnels. To facilitate this, make sure the IPsec tunnels are members of SD-WAN, then pair set interface-select-method sdwan with set source-ip <address> (if the IPsec tunnels do not have addresses, or if traffic must be sourced from a LAN address).
*** The Security Fabric section (added in FortiOS v7.2.8, v7.4.4, and v7.6.0) modifies the CLI option to upstream-interface-select-method, though the usage remains the same as other sections:
This option was added along with the source-ip option so that administrators could set a loopback address as the source while accommodating redundant routing scenarios (like when the Leaf FortiGate connects to the upstream Root FortiGate via two or more IPsec tunnels).
config system csf
set source-ip <IPv4 Address>
set upstream-interface-select-method {auto | sdwan | specify}
set upstream-interface <port>
end
To specify interface-select-method for NTP server.
- NTP server type must be set to custom even though the default FortiGuard NTP server is in use:
config system ntpserver
set ntpsync enable
set type custom
config ntpserver
edit 1
set server "ntp1.fortiguard.com"
set interface-select-method <auto | sdwan | specify>
next
end
end
Configuring interface-select-method via the GUI (FortiOS v7.0 and later):
V7.0 added the Local Out Routing page, which allows administrators to set source IPs and outgoing interfaces from the GUI, rather than having to do so from the CLI only. See also: Summarize source IP usage on the Local Out Routing page.
This feature must first be enabled under System -> Feature Visibility -> Local Out Routing. Then, depending on the service, it is possible to change the setting in a specific VDOM or the Global VDOM under Network -> Local Out Routing.
Note that the GUI will only show options that have already been configured (e.g. if an LDAP server has not been configured first then there will not be any LDAP-related entries on the Local Out Routing page. If there are multiple entries configured for a given section (e.g. multiple LDAP server entries) then the administrator has the option of modifying behavior on a per-entry basis.
Note:
In case the local out traffic has multiple egress SD-WAN members available, it might be a requirement to specify the source IP for the local out traffic (especially in case the SD-WAN member does not have an interface IP address configured, for example, IPsec VPN tunnels). For such a scenario, use the 'set preferred-source <IP>' option under the SD-WAN member configuration to specify what source IP the local-out traffic uses when egressing from said interface.
Refer to this document Defining a preferred source IP for local-out egress interfaces on SD-WAN members for more on this.
Related documents:
Defining a preferred source IP for local-out egress interfaces on SD-WAN members
