FortiGate
sagha
Staff
Article Id 196131
Description
This article explains that, when DHCP relay is configured on an interface, FortiGate may use any interface to forward the relayed traffic.

With DHCP relay configured on an interface, FortiGate forwards the relayed traffic based on the routing table, even if a specific SD-WAN rule is configured.

As an example, dhcp-relay is configured on the VLAN interface:
# config system interface
    edit "vlan-60"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.10.60.254 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set dhcp-relay-interface-select-method auto
        set dhcp-relay-ip "172.16.10.1" "172.16.10.2"
        set interface "port1"
        set vlanid 60
    next
end
Since the traffic has to be relayed when it reaches FortiGate, it is considered locally originated (self-originating) traffic.
Locally originated traffic does not match any SD-WAN rule.

Solution
By default, 'set dhcp-relay-interface-select-method auto' is configured, which means the relayed traffic follows the best interface available according to the routing table.

The following options are available to route the traffic for DHCP relay:

1) Auto - Set the outgoing interface automatically (default).
2) SD-WAN - Set the interface by SD-WAN or policy routing rules.
3) Specify - Set the interface manually.

To make sure that the traffic matches the SD-WAN rule, make the following change on the interface where dhcp-relay is configured:
# config system interface
    edit "vlan-60"
        set dhcp-relay-interface-select-method sdwan
    next
end
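To find interfaces where this setting is still missing, the following added example (not from the article or from Fortinet) parses a FortiGate 'config system interface' dump and flags every interface with DHCP relay enabled whose select method is not sdwan, so its relayed traffic will follow the routing table instead of the SD-WAN rules. The configuration text below is constructed for the demonstration.

```python
# Added example: audit a FortiGate 'config system interface' dump for
# DHCP-relay interfaces whose relayed traffic bypasses SD-WAN rules.
import shlex

# Constructed sample: vlan-60 keeps the default 'auto', vlan-70 is fixed.
SAMPLE_CONFIG = """\
config system interface
    edit "vlan-60"
        set dhcp-relay-service enable
        set dhcp-relay-interface-select-method auto
        set dhcp-relay-ip "172.16.10.1" "172.16.10.2"
        set interface "port1"
        set vlanid 60
    next
    edit "vlan-70"
        set dhcp-relay-service enable
        set dhcp-relay-interface-select-method sdwan
        set dhcp-relay-ip "172.16.10.1"
    next
end
"""

def parse_interfaces(text):
    """Return {name: {setting: [values]}} from the edit/next entries."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # honours quoted values
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = tokens[1]
            interfaces[current] = {}
        elif tokens[0] == "set" and current is not None:
            interfaces[current][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return interfaces

def relay_bypasses_sdwan(interfaces):
    """Relay-enabled interfaces whose select method is not 'sdwan'
    (an unset method means the default 'auto')."""
    flagged = []
    for name, cfg in interfaces.items():
        if cfg.get("dhcp-relay-service") != ["enable"]:
            continue
        method = cfg.get("dhcp-relay-interface-select-method", ["auto"])[0]
        if method != "sdwan":
            flagged.append(name)
    return flagged
```

Run `relay_bypasses_sdwan(parse_interfaces(SAMPLE_CONFIG))` to list the interfaces that still need the sdwan select method; for a real audit, paste the output of 'show system interface' in place of the sample.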
Related document:
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/848980/self-originating-traf...