Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mricardez
Staff
Staff

Created on ‎07-30-2023 08:53 AM

Article Id 266317

Technical Tip: Deny traffic to a WAN interface on an SD WAN solution

Description This article describes how to deny traffic from LAN devices from using the WAN interface in an SD WAN solution.
Scope FOS v7.2.3 and earlier.

Solution

Usually, the focus of SD WAN solutions is to steer traffic between WAN interfaces using an explicitly defined SD WAN rule or an implicit rule.

 

These SD WAN rules always come with the permissive (accept) action, but sometimes traffic needs to be restricted from using a WAN interface entirely.

 

Following a regular SD WAN topology:

  • There are two WAN interfaces (ISP1, ISP2) and one SDWAN Zone ISP-SDWAN.
  • There are two VLAN IDs (10, 11) with their respective IP LAN segment (192.168.10.0/24, 192, 168.11.0/24).

 

SDWAN-KB_Topology_v4.0.png

 

Requirements:

  1. The VLAN 10 segment must only be able to use ISP1. When a failure occurs, traffic will not commute to ISP2.
  2. The VLAN 11 segment must able to use both WAN interfaces (ISP1 and ISP2).

Note: Instead of using the IP segment on configurations, this setup was LAB tested using the IPs of the devices of each segment.

 

SD WAN configuration

 

The SDWAN Zone 'ISP-SDWAN' below has two WAN interfaces (ISP1 and ISP2).

 

Imagen16.png

 

The Default route using the SDWAN-Zone:

 

Imagen17.png

 

Create SD WAN SLAs associated with WAN interfaces ISP1 and ISP2 to detect WAN connectivity failure to the internet.

 

The SDWAN SLA must have 'Update static route' enabled. Since the rest of all LAN traffic is matching on the SDWAN rule Implicitly, it will allow the traffic session to commute when the SLA fails. 

 

Imagen18.png

 

Imagen27.png

 

Create an SD WAN rule at the top with Source 192.168.10.100 (VLAN 10). Apply the Manual interface selection strategy to force traffic out of using ISP1.

 

The implicit SD WAN rule will balance the rest of LAN traffic to both WAN interfaces (ISP1, ISP2).

 

Imagen19.png

 

Firewall policy configuration

 

Create a Firewall Policy on the top with Source 192.168.10.110 (VLAN 10) and the 'Deny' action.

 

At all times, this policy must have the 'Disable' status. Copy the ID (in this example, ID 3) since it will be used in further steps during the stitch creation.

 

When the ISP1 goes down because of the SD WAN SLA, this policy will be activate from the stitch to deny the traffic from VLAN 10 to ISP2.

 

Consider the following:

  • When the WAN interfaces (ISP1 and ISP2) are associated with the SD WAN Zone, the SD WAN members cannot be used directly in policies. As a result, a policy cannot be created from VLAN 10 to go out to specific WAN interface ISP2.
  • Leaving the policy ID in the 'Active' status will always deny traffic from VLAN10. Therefore, the policy must remain as 'Disable'.
  • The FortiGate automation stitch based on the SD WAN SLA logs will trigger the FortiOS CLI to enable or disable the firewall policy ID 3.

 

Imagen21.png

 

Automation stitch configuration

 

Create an automation stitch to enable the Firewall Policy ID 3 when a 'dead' status is received through the SD WAN SLA logs on the ISP1 interface.

 

  • The Trigger will monitor the SD WAN SLA log when the interface ISP1 changes its status to "dead".
  • The Action 'EnablePolicy3' with a FortiOS CLI script will enable the Policy ID 3.
  • The Action 'ClearSession' will clear all sessions from VLAN 10. Apply the filters required to clean the sessions as necessary for operations.

Imagen22.png

 

The automation trigger is based on the following SD WAN SLA information warning log:

 

date=2023-07-28 time=13:16:52 eventtime=1690568212905730343 tz="-0500" logid="0113022931" type="event" subtype="sdwan" level="warning" vd="root" logdesc="SDWAN SLA information warning" eventtype="Health Check" healthcheck="Default_DNS" interface="ISP1" probeproto="dns" oldvalue="alive" newvalue="dead" msg="SD-WAN health-check member changed state."

 

 

Screenshot 2023-07-28 180620.png

 

The Action 'EnablePolicy3' with a FortiOS CLI script will enable the Policy ID 3.

 

Screenshot 2023-07-28 182357.png

 

The Action 'ClearSession' will clear all the sessions from VLAN 10.

 

Screenshot 2023-07-28 182708.png

 

Create an automation stitch to disable the Firewall Policy ID 3 when an 'alive' status is received through the SD WAN SLA logs on the ISP1 interface.

 

  • The Trigger will monitor the SD WAN SLA log when the ISP1 interface changes to the 'alive' status.
  • The Action 'EnablePolicy3' with a FortiOS CLI script will disable the Policy ID 3.
  • The Action 'ClearSession' will clear all the sessions from VLAN 10. Apply the filters required to clean the sessions as necessary for operations.

Imagen23.png

 

The automation trigger is based on the following SD WAN SLA notification log.

 

date=2023-07-28 time=13:08:49 eventtime=1690567729560744342 tz="-0500" logid="0113022933" type="event" subtype="sdwan" level="notice" vd="root" logdesc="SDWAN SLA notification" eventtype="Health Check" healthcheck="Default_DNS" interface="ISP1" probeproto="dns" oldvalue="dead" newvalue="alive" msg="SD-WAN health-check member changed state."

 

Screenshot 2023-07-28 184302.png

 

The Action 'DisablePolicy3' with a FortiOS CLI script will disable the Policy ID 3.

 

Screenshot 2023-07-28 184614.png

 

The Action 'ClearSession' will clear all the sessions from VLAN 10.

 

Screenshot 2023-07-28 184641.png

 

Results

 

  1. Normal condition:

 

  • Traffic from VLAN10 is outbound from ISP1, forced by the SD WAN rule.
  • Traffic from VLAN11 goes to ISP1 or ISP2 according the SD WAN implicit rule.

Imagen24.png

 

The SDWAN SLA is in a normal state. 

 

Imagen25.png

 

Policy ID 3 has the 'Disable' status according to the threshold configured for SD WAN SLA.

 

Imagen26.png

 

  1. Failure condition:

 

  • The SDWAN SLA on interface ISP1 changes to 'Dead'.
  • The Policy ID 3 changes to status 'Active'.
  • Traffic from VLAN ID 10 is denied to the WAN interface ISP2.
  • Traffic from VLAN ID 11 commutes to WAN interface ISP2 and is allowed.

 

Imagen28.png

 

The SD WAN SLA on interface ISP1 has almost 100% packet loss, resulting in a failure condition.

 

Imagen29.png

 

Policy ID 3 has the 'Enable' status triggered by the automation stitch.

 

Imagen30.png

 

See the screenshots below to compare traffic from VLAN 10 without internet access on ISP2 with traffic from VLAN 11 with internet access on ISP2:

 

Imagen31.png

 

  1. Restore condition:

 

  • The SDWAN SLA on interface ISP1 changes to 'Alive'.
  • The Policy ID 3 change to the 'Disable' status.
  • Traffic from VLAN10 goes to ISP1, forced by the SD WAN rule.
  • Traffic from VLAN11 goes to ISP1 or ISP2 according to the implicit SD WAN rule.

 

Imagen32.png

 

The SD WAN SLA restores since the packet losses disappear.

 

Imagen33.png

 

Firewall Policy ID 3 changes to the 'Disable' status since the SD WAN SLA on ISP1 restores.

 

Imagen34.png

 

 

Additional SD WAN configuration

 

Instead of using the SD WAN implicit rule to balance traffic to both WAN interfaces ISP1 and ISP2, a viable alternative is to use an SD WAN rule with a 'Best quality' strategy to steer all traffic from the LAN.

 

The configuration related to the SD WAN rule must be ordered as follows:

 

Imagen35.png
2330
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.