nalexiou
Staff
Article Id 189773

Description
This article shows an example of how to route traffic from a specific source through one member of the SD-WAN, with the other member used only as a fallback.

Solution
Configuration example:

In this configuration example, traffic coming from the address object 'subnet' is routed through port1.
Only when the port1 link or interface fails is the traffic from 'subnet' routed through port2.

1) Create the address object for the source subnet

#config firewall address
    edit "subnet"
        set subnet 192.168.1.1 255.255.255.0
    next
end

2) Configure the SD-WAN members (port1 with gateway 10.1.1.2 and port2 with gateway 20.2.2.2, as shown in the full configuration in step 4)

3) Configure the Performance SLA (a health check to 8.8.8.8 that covers both members, so that a dead member is detected)

4) Configure the SD-WAN rule on the CLI with mode manual, including only the preferred member (member 1 = port1)

#config system virtual-wan-link
    config service
        edit 1
            set name subnet-to-port1
            set mode manual
            set member 1
            set dst all
            set src subnet
        next
    end
end

The resulting SD-WAN configuration should look as below:
#config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port1"
            set gateway 10.1.1.2
        next
        edit 2
            set interface "port2"
            set gateway 20.2.2.2
        next
    end
    config health-check
        edit "8.8.8.8"
            set server "8.8.8.8"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "subnet-to-port1"
            set member 1
            set dst "all"
            set src "subnet"
        next
    end
end

5) Generate traffic from 'subnet' to verify that it is using the correct interface

To verify, run a sniffer to capture the traffic coming from 'subnet'. With port1 up, the echo requests from 192.168.1.1 enter on mgmt and leave on port1 (source-NATed to 10.1.1.1):
4.979750 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request
4.981440 port1 in 8.8.4.4 -> 10.1.1.1: icmp: echo reply
4.981444 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
5.996049 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
5.996053 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request
5.997690 port1 in 8.8.4.4 -> 10.1.1.1: icmp: echo reply
5.997692 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
7.027688 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
If the port1 link fails, the health check marks member 1 as down. Since port1 is the only member of the SD-WAN rule, the rule is bypassed and the traffic from 'subnet' falls back to normal routing, which sends it through port2.

To verify, run the sniffer again and capture the traffic coming from 'subnet'. The same echo requests now leave on port2 (source-NATed to 20.2.2.1):
3.368375 port2 out 20.2.2.1 -> 8.8.4.4: icmp: echo request
203.370026 port2 in 8.8.4.4 -> 20.2.2.1: icmp: echo reply
203.370029 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
204.384004 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
204.384006 port2 out 20.2.2.1 -> 8.8.4.4: icmp: echo request
204.385619 port2 in 8.8.4.4 -> 20.2.2.1: icmp: echo reply
204.385622 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
205.400076 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
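Checking a sniffer capture by eye works for a handful of packets, but a repeatable check is more useful when validating the rule after a change or during a failover test. The script below is an added example, not part of the original article: it parses lines in the interface-annotated format shown above (the FortiGate sniffer at verbosity level 4), counts which egress interface carried the packets towards a destination, and reports whether every packet left through the expected SD-WAN member. The sample capture lines are constructed to mirror the article's output.

```python
"""Check FortiGate sniffer output to confirm which SD-WAN member carried
outbound traffic. Added example; the capture lines below are constructed."""
import re
from collections import Counter

# Verbosity-4 sniffer line: "<ts> <iface> <in|out> <src> -> <dst>: <proto>: <detail>"
SNIFF_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):\s*(?P<rest>.*)$"
)

def parse_sniffer(text):
    """Yield one dict per sniffer line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if m:
            yield m.groupdict()

def egress_by_iface(text, dst):
    """Count packets sent out towards dst, keyed by the egress interface."""
    counts = Counter()
    for pkt in parse_sniffer(text):
        if pkt["dir"] == "out" and pkt["dst"] == dst:
            counts[pkt["iface"]] += 1
    return counts

def check_steering(text, dst, expected_iface):
    """Return (ok, counts). ok is True only when every packet towards dst
    left via expected_iface, i.e. the SD-WAN rule steered as intended."""
    counts = egress_by_iface(text, dst)
    ok = bool(counts) and set(counts) == {expected_iface}
    return ok, counts

# Constructed samples: normal steering via port1, then a capture taken after port1 failed.
NORMAL = """4.979750 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request
4.981440 port1 in 8.8.4.4 -> 10.1.1.1: icmp: echo reply
4.981444 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
5.996049 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
5.996053 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request
"""
FAILOVER = """203.368375 port2 out 20.2.2.1 -> 8.8.4.4: icmp: echo request
203.370026 port2 in 8.8.4.4 -> 20.2.2.1: icmp: echo reply
204.384004 mgmt in 192.168.1.1-> 8.8.4.4: icmp: echo request
204.384006 port2 out 20.2.2.1 -> 8.8.4.4: icmp: echo request
"""

if __name__ == "__main__":
    for label, cap in (("normal", NORMAL), ("failover", FAILOVER)):
        ok, counts = check_steering(cap, "8.8.4.4", "port1")
        print(f"{label}: all egress via port1={ok}, egress={dict(counts)}")
```

Reply packets from the mgmt side are ignored because their destination is the internal host, so only the WAN-side egress decision is counted; a result of ok=False during normal operation means the rule is not steering as configured.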