naveenk
Staff
Article Id 190297
Description
By default, the policy routes generated by SD-WAN rules apply to both forwarded traffic and traffic generated by the FortiGate itself (local-out traffic).
This means that self-generated traffic such as dynamic routing protocol packets and syslog messages is also affected.
As a result, traffic destined for a locally connected subnet can egress from an undesired interface.

This article describes how to avoid SD-WAN rules affecting policy routes for local-out traffic.

Scope
This topic is for FortiOS 6.2.1 and earlier.
In FortiOS 6.2.2 and later, self-originating (local-out) traffic will not match policy or SD-WAN rules.


Solution
There are four methods that can be used to avoid SD-WAN rules affecting policy routes for local-out traffic:

1) Do not set the Source address to 'ALL' in SD-WAN rules.
Instead, specify exactly which traffic should be subject to the SD-WAN rules.


2) Use an input interface in SD-WAN rules, so that only traffic entering through that interface is matched:
# config system virtual-wan-link
    config service
        edit 1
            set input-device <specific internal LAN interface>
        next
    end
end
3) Create a 'policy route' with the destination address set to a locally connected subnet and the action set to 'Stop Policy Routing'. Matching traffic jumps directly to the forwarding information base (FIB) lookup and bypasses the SD-WAN rules.
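As an added illustration of method 3 (not part of the original article), the CLI equivalent of such a policy route; the sequence number 1 and the subnet 192.168.10.0/24 are assumed values to be replaced with the locally connected subnet in question:

```text
# config router policy
    edit 1
        # Locally connected subnet whose traffic must use the routing table (assumed value)
        set dst "192.168.10.0 255.255.255.0"
        # 'deny' is the CLI equivalent of the GUI action 'Stop Policy Routing':
        # the packet skips the remaining policy routes, including the ones
        # generated by SD-WAN rules, and is routed by a normal FIB lookup.
        set action deny
        # input-device is intentionally left unset so that local-out traffic,
        # which has no incoming interface, still matches this entry.
    next
end
```

Manually configured policy routes are evaluated before the SD-WAN rules, so this entry is consulted first; 'diagnose firewall proute list' shows the resulting policy-route order.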
4) Enable negation of the destination address match (dst-negate) so that specific destinations are excluded from the SD-WAN rule:
# config system virtual-wan-link
    config service
        edit 1
            set dst "bgp-neighbor-address"
            set dst-negate enable
        next
    end
end
Flow verification:

Run the sniffer to check whether self-originated traffic is leaving through the desired interface:
# diag sniffer packet any "host x.x.x.x or port xxx" 4 a
Here x.x.x.x is the destination IP address and xxx is the port number; for a routing protocol, specify only the port number. Verbosity level 4 prints the interface name with each packet, which is what shows the egress interface.
