stepco

SD-WAN failover

Hi,

Is it possible to disable the SD-WAN failover for some specific traffic/policies?

Example:

LANX -> WAN1 to google.be server

LANY -> WAN2 to google.be server

If WAN1 goes down, then LANX may NOT fail over to WAN2 for the traffic to google.be.

Other traffic from LANX may fail over to WAN2 (this is working).

Reason:

Their ERP application only identifies the client based on IP address and not on DNS name...

Running v6.4.6 on a FortiGate 60F.


Kind regards,

Stephan

naibaho

Hi stepco,

You can create a rule in SD-WAN Rules to force LANX to google.be and manually select Outgoing interface WAN1, and for LANY to google.be manually select Outgoing interface WAN2.


Hope this helps you.

Best regards
stepco

Hi Naibaho,

This is common sense, but the FortiGate will disable the rule if WAN1 is down...

:)

akristof

Hi,

Thank you for your question. It is a bit more complex. Yes, you can create a manual SD-WAN rule that will send all traffic from LANX to WAN1. However, if you have a health-check for WAN1, and this health-check fails, it will disable the SD-WAN rule, even if you disable update-static-route. So you would need to make sure that at least one health-check over WAN1 is working, or have no health-check for WAN1.

Adrian
FortiGab

Hello akristof,
In case of WAN1 interface failover to WAN2, is it possible to keep connectivity on WAN2 without switching back to WAN1 when it comes back?

Living our FortiLife
stepco

Hi Akristof,

Thanks for your reply. But then there will be no failover for the other internet traffic.
We used Cyberoam in the past, and there you could force a firewall rule to only use WAN1 and not fail over for that firewall rule.

In the Fortiguard docs I have found that if you disable SD-WAN you can set deny rules.

But then you lose the use of SD-WAN...


Any other ideas?

Kind regards,

Stephan

Debbie_FTNT

Hey stepco,

You could try policy routing maybe, and force all traffic to a specific destination via interface a/b? That should supersede SD-WAN routing to my knowledge, but I'm not sure how SD-WAN related health-checks would impact policy routing.

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/34912/policy-routing


+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
stepco

Hi Debbie,

I tried the routing policy, but the SD-WAN logic is taking over :)

Policy route:

1. Policy: "Forward Traffic" to WAN1
2. Policy: "Stop Policy Routing"


Regards

Stephan


vponmuniraj

Hi Stephan,

This should be possible if you have separate zones for your WAN interfaces.

1. Add a manual SD-WAN rule from LANX to google.be, member -> WAN1
2. Place a policy to 'deny' traffic over WAN2 from LANX to google.be

So in case there is a failover (the manual rule would not be hit; traffic hits the implicit rule and is forwarded to WAN2), traffic would be denied by the policy.

A similar rule and policy can be used for traffic from LANY to google.be through WAN2.


Regards,
Vignesh.
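The combination described in the two staff replies above (a manual SD-WAN rule pinning LANX -> google.be to WAN1, plus a deny policy on the other WAN zone as a backstop if a WAN1 health-check takes the rule down) written out as a FortiOS 6.4 CLI configuration. This is an added illustration, not configuration posted by any participant in this thread. The interface names (LANX, wan1, wan2), zone names, address objects, subnets, gateway IPs and the health-check server are assumptions for the example; replace them with your own. Policy 10 (deny) must sit above policy 11 (accept) in the policy list so it is matched first.

```text
# Assumed address objects for the example
config firewall address
    edit "LANX_net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "google_be"
        set type fqdn
        set fqdn "google.be"
    next
end

# SD-WAN with one zone per WAN member, so policies can
# reference WAN1 and WAN2 separately instead of only the
# default "virtual-wan-link" zone
config system sdwan
    set status enable
    config zone
        edit "WAN1_zone"
        next
        edit "WAN2_zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "WAN1_zone"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "WAN2_zone"
            set gateway 198.51.100.1
        next
    end
    # Caveat from akristof's reply: if this check fails on member 1,
    # the manual rule below is disabled and traffic falls through to
    # the implicit rule (and then to WAN2), regardless of
    # update-static-route. The deny policy is the backstop.
    config health-check
        edit "Internet"
            set server "8.8.8.8"
            set update-static-route disable
            set members 1 2
        next
    end
    # Manual rule: LANX -> google.be leaves only via WAN1
    config service
        edit 1
            set name "LANX-google-WAN1-only"
            set mode manual
            set input-device "LANX"
            set src "LANX_net"
            set dst "google_be"
            set priority-members 1
        next
    end
end

# Default route through SD-WAN (other LANX traffic still fails over)
config router static
    edit 1
        set sdwan enable
    next
end

config firewall policy
    # Backstop: drop LANX -> google.be if it ever lands on WAN2
    edit 10
        set name "deny-LANX-google-via-WAN2"
        set srcintf "LANX"
        set dstintf "WAN2_zone"
        set srcaddr "LANX_net"
        set dstaddr "google_be"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Normal internet access for LANX over either WAN zone
    edit 11
        set name "LANX-internet"
        set srcintf "LANX"
        set dstintf "WAN1_zone" "WAN2_zone"
        set srcaddr "LANX_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With this in place, a WAN1 outage still lets the rest of LANX fail over to WAN2 through policy 11, while LANX -> google.be is dropped (and logged) by policy 10 instead of being NATed out of the WAN2 address that the ERP server does not recognise. The mirror image (a manual rule to member 2 and a deny policy on WAN1_zone) covers LANY.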
stepco

Hi vponmuniraj,

You can only select the SD-WAN interfaces in the policies. :(


Regards

Stephan
