Description | This article describes how to prevent traffic from LAN devices from using a specific WAN interface in an SD WAN solution. |
Scope | FOS v7.2.3 and earlier. |
Solution |
Usually, the focus of SD WAN solutions is to steer traffic between WAN interfaces using an explicitly defined SD WAN rule or an implicit rule.
These SD WAN rules always come with the permissive (accept) action, but sometimes traffic needs to be restricted from using a WAN interface entirely.
Following a regular SD WAN topology:
Requirements:
Note: Instead of using the IP segment on configurations, this setup was LAB tested using the IPs of the devices of each segment.
SD WAN configuration
The SDWAN Zone 'ISP-SDWAN' below has two WAN interfaces (ISP1 and ISP2).
The Default route using the SDWAN-Zone:
Create SD WAN SLAs associated with WAN interfaces ISP1 and ISP2 to detect WAN connectivity failure to the internet.
The SDWAN SLA must have 'Update static route' enabled. Since the rest of the LAN traffic matches the implicit SD WAN rule, this allows the traffic sessions to fail over to the other member when the SLA fails.
Create an SD WAN rule at the top with Source 192.168.10.100 (VLAN 10). Apply the Manual interface selection strategy to force this traffic out through ISP1.
The implicit SD WAN rule will balance the rest of LAN traffic to both WAN interfaces (ISP1, ISP2).
Firewall policy configuration
Create a Firewall Policy on the top with Source 192.168.10.110 (VLAN 10) and the 'Deny' action.
When created, this policy must have the 'Disable' status. Copy the ID (in this example, ID 3) since it will be used in further steps during the stitch creation.
When ISP1 goes down according to the SD WAN SLA, this policy will be activated by the stitch to deny the traffic from VLAN 10 to ISP2.
Consider the following:
Automation stitch configuration
Create an automation stitch to enable the Firewall Policy ID 3 when a 'dead' status is received through the SD WAN SLA logs on the ISP1 interface.
The automation trigger is based on the following SD WAN SLA information warning log:
date=2023-07-28 time=13:16:52 eventtime=1690568212905730343 tz="-0500" logid="0113022931" type="event" subtype="sdwan" level="warning" vd="root" logdesc="SDWAN SLA information warning" eventtype="Health Check" healthcheck="Default_DNS" interface="ISP1" probeproto="dns" oldvalue="alive" newvalue="dead" msg="SD-WAN health-check member changed state."
The Action 'EnablePolicy3' with a FortiOS CLI script will enable the Policy ID 3.
The Action 'ClearSession' will clear all the sessions from VLAN 10.
Create an automation stitch to disable the Firewall Policy ID 3 when an 'alive' status is received through the SD WAN SLA logs on the ISP1 interface.
The automation trigger is based on the following SD WAN SLA notification log:
date=2023-07-28 time=13:08:49 eventtime=1690567729560744342 tz="-0500" logid="0113022933" type="event" subtype="sdwan" level="notice" vd="root" logdesc="SDWAN SLA notification" eventtype="Health Check" healthcheck="Default_DNS" interface="ISP1" probeproto="dns" oldvalue="dead" newvalue="alive" msg="SD-WAN health-check member changed state."
The Action 'DisablePolicy3' with a FortiOS CLI script will disable the Policy ID 3.
The Action 'ClearSession' will clear all the sessions from VLAN 10.
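The trigger logic of the two stitches above (and the enable/disable of Firewall Policy ID 3 from the previous section), as an added example that is not part of the article and is written in Python rather than configured on the FortiGate: it parses the FortiOS key=value event logs quoted above, applies the same match conditions the stitches rely on (subtype sdwan, eventtype Health Check, interface ISP1, logid plus newvalue), and returns the action that should run. The `cli_script` helper shows the kind of FortiOS CLI such an action would contain; the article's real scripts live in its screenshots and are not reproduced here, so the script text, the session filter on the policy's source address 192.168.10.110, and the third (ISP2) sample log line are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two log lines quoted in the article, plus a
# third line (assumption, not from the article) for a different interface,
# to show that the ISP2 event does not trigger either stitch.
SAMPLE_LOGS = [
    'date=2023-07-28 time=13:16:52 eventtime=1690568212905730343 tz="-0500" logid="0113022931" '
    'type="event" subtype="sdwan" level="warning" vd="root" logdesc="SDWAN SLA information warning" '
    'eventtype="Health Check" healthcheck="Default_DNS" interface="ISP1" probeproto="dns" '
    'oldvalue="alive" newvalue="dead" msg="SD-WAN health-check member changed state."',
    'date=2023-07-28 time=13:08:49 eventtime=1690567729560744342 tz="-0500" logid="0113022933" '
    'type="event" subtype="sdwan" level="notice" vd="root" logdesc="SDWAN SLA notification" '
    'eventtype="Health Check" healthcheck="Default_DNS" interface="ISP1" probeproto="dns" '
    'oldvalue="dead" newvalue="alive" msg="SD-WAN health-check member changed state."',
    'date=2023-07-28 time=13:20:00 eventtime=1690568400000000000 tz="-0500" logid="0113022931" '
    'type="event" subtype="sdwan" level="warning" vd="root" logdesc="SDWAN SLA information warning" '
    'eventtype="Health Check" healthcheck="Default_DNS" interface="ISP2" probeproto="dns" '
    'oldvalue="alive" newvalue="dead" msg="SD-WAN health-check member changed state."',
]

# FortiOS fields are key=value; values are either double-quoted (may contain
# spaces) or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two logids used by the article's triggers.
LOGID_SLA_WARNING = "0113022931"       # "SDWAN SLA information warning" (member went dead)
LOGID_SLA_NOTIFICATION = "0113022933"  # "SDWAN SLA notification" (member came back alive)


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS event log line into a field -> value mapping."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key] = quoted if quoted != "" else bare
    return fields


def select_stitch_action(fields: Dict[str, str], watched_interface: str = "ISP1") -> Optional[str]:
    """Mirror the two stitch triggers: the health-check member on the watched
    interface going dead enables the deny policy; coming back alive disables it.
    Returns the stitch action name, or None when no trigger matches."""
    if fields.get("subtype") != "sdwan" or fields.get("eventtype") != "Health Check":
        return None
    if fields.get("interface") != watched_interface:
        return None
    if fields.get("logid") == LOGID_SLA_WARNING and fields.get("newvalue") == "dead":
        return "EnablePolicy3"
    if fields.get("logid") == LOGID_SLA_NOTIFICATION and fields.get("newvalue") == "alive":
        return "DisablePolicy3"
    return None


def cli_script(action: str, policy_id: int = 3, vlan10_src: str = "192.168.10.110") -> str:
    """Return the FortiOS CLI a stitch action of this kind would run.
    Assumption: standard 'config firewall policy' / 'set status' syntax plus a
    session filter on the deny policy's source address; the article's own
    scripts are not reproduced here."""
    status = {"EnablePolicy3": "enable", "DisablePolicy3": "disable"}.get(action)
    if status is None:
        raise ValueError(f"unknown stitch action: {action}")
    policy_cli = "\n".join([
        "config firewall policy",
        f"    edit {policy_id}",
        f"        set status {status}",
        "    next",
        "end",
    ])
    # Equivalent of the 'ClearSession' action: drop existing VLAN 10 sessions so
    # they are re-evaluated against the policy table immediately.
    clear_cli = "\n".join([
        f"diagnose sys session filter src {vlan10_src}",
        "diagnose sys session clear",
    ])
    return policy_cli + "\n" + clear_cli


def process_logs(lines: List[str]) -> List[Optional[str]]:
    """Evaluate every log line against the stitch triggers."""
    return [select_stitch_action(parse_fortios_log(line)) for line in lines]


if __name__ == "__main__":
    for line, action in zip(SAMPLE_LOGS, process_logs(SAMPLE_LOGS)):
        fields = parse_fortios_log(line)
        print(f'{fields["interface"]}: {fields["oldvalue"]} -> {fields["newvalue"]}: action={action}')
        if action:
            print(cli_script(action))
```

Filtering on `interface` before looking at `newvalue` is what keeps the ISP2 health-check events from flipping the policy, which is the same reason the article's stitch triggers are tied to the ISP1 interface and not just to the logid.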
Results
The SDWAN SLA is in a normal state.
Policy ID 3 has the 'Disable' status according to the threshold configured for SD WAN SLA.
The SD WAN SLA on interface ISP1 has almost 100% packet loss, resulting in a failure condition.
Policy ID 3 has the 'Enable' status triggered by the automation stitch.
See the screenshots below to compare traffic from VLAN 10 without internet access on ISP2 with traffic from VLAN 11 with internet access on ISP2:
The SD WAN SLA recovers once the packet loss disappears.
Firewall Policy ID 3 changes back to the 'Disable' status once the SD WAN SLA on ISP1 recovers.
Additional SD WAN configuration
Instead of using the SD WAN implicit rule to balance traffic to both WAN interfaces ISP1 and ISP2, a viable alternative is to use an SD WAN rule with a 'Best quality' strategy to steer all traffic from the LAN.
The configuration related to the SD WAN rule must be ordered as follows:
Copyright 2024 Fortinet, Inc. All Rights Reserved.