Description
By default, the policy route generated by SD-WAN rules applies to both forwarded traffic and traffic generated by the FortiGate itself (self-originated, or local-out, traffic).
This means that self-originated traffic such as dynamic routing protocol sessions and syslog messages is also steered by the SD-WAN rules.
This can cause traffic that is destined for a locally connected subnet to egress from an undesired interface, for example an SD-WAN member instead of the interface the subnet is attached to.
This article describes how to avoid SD-WAN rules affecting policy routes for local-out traffic.
Scope
This topic applies to FortiOS 6.2.1 and earlier.
In FortiOS 6.2.2 and later, self-originated (local-out) traffic does not match policy routes or SD-WAN rules, so the workarounds below are not needed.
Solution
There are four methods that can be used to avoid SD-WAN rules affecting policy routes for local-out traffic:
1) Do not set the Source address to 'ALL' in SD-WAN rules.
Instead, specify the source addresses whose traffic should be subject to SD-WAN rules, so that the FortiGate's own self-originated traffic is not matched.
2) Use an input interface in SD-WAN rules:
# config system virtual-wan-link
# config service
edit 1
set input-device <specific internal LAN interface>
next
end
end
A rule that is restricted to an input interface is not matched by self-originated traffic, because that traffic does not arrive on any interface.

3) Create a policy route with the destination address set to the locally connected subnet and the action set to 'Stop Policy Routing'. This jumps directly to the forwarding information base (FIB) lookup and bypasses the SD-WAN rules for that destination.

4) Enable negating the destination address match (dst-negate) to exclude specific destinations from the rule. The example below assumes an address object named "bgp-neighbor-address" already exists:
# config system virtual-wan-link
# config service
edit 1
set dst "bgp-neighbor-address"
set dst-negate enable
next
end
end

Flow verification:
Run the sniffer to check whether the self-originated traffic is leaving through the desired interface or not.
# diagnose sniffer packet any "host x.x.x.x or port xxx" 4 a <----- x.x.x.x is the IP address and xxx is the port number. For a routing protocol, specify only the port number.
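The article shows CLI only for methods 2 and 4. The following is an added example, not taken from the original article, of method 3 together with the checks to run after applying any of the four methods. The LAN subnet 10.10.10.0/24 on port3 and the BGP neighbor 10.10.10.2 are assumed values; substitute your own. The mapping of the GUI action 'Stop Policy Routing' to the CLI value 'deny' is as in the FortiOS CLI reference.

```text
# Added example: method 3, a manual policy route that stops policy routing for
# the locally connected subnet. Assumed values: 10.10.10.0/24 attached to port3,
# BGP neighbor 10.10.10.2. No input-device is set on purpose: self-originated
# traffic has no ingress interface and would not match a rule that requires one.
config router policy
    edit 1
        set dst "10.10.10.0/255.255.255.0"
        set action deny        # 'Stop Policy Routing' in the GUI
    next
end

# Check 1: manual policy routes are listed (and evaluated) before the entries
# generated from SD-WAN rules, so the deny entry above must appear first.
diagnose firewall proute list

# Check 2: the FIB itself resolves the neighbor through the directly connected
# interface, which is where local-out traffic should now go.
get router info routing-table details 10.10.10.2

# Check 3: confirm BGP (TCP/179) to the neighbor leaves on port3 and not on an
# SD-WAN member. Verbose level 4 prints the interface name; count 0 means run
# until stopped; 'a' prints absolute timestamps.
diagnose sniffer packet any "host 10.10.10.2 and port 179" 4 0 a
```

If 'diagnose firewall proute list' shows an SD-WAN-generated entry matching the subnet ahead of the deny entry, the policy route will not take effect; the manual entry must win the top-down evaluation for the destination.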