Created on 08-24-2023 10:14 PM Edited on 08-24-2023 10:15 PM By Anthony_E
Description
This article describes how to make VoIP (or any other specific) traffic use only one WAN connection in SD-WAN.
Scope
FortiGate.
Solution
Topology:
Currently, there is no feature that exempts a specific network from the implicit SD-WAN rule. However, the same result can be achieved with firewall policies when each ISP belongs to its own SD-WAN zone.
There are two SD-WAN zones: VoIP and DATA. Wan1 belongs to the DATA zone and Wan2 belongs to the VoIP zone.
Create a static default route with both zones:
It is necessary to create two firewall policies.
SD-WAN rules steer Data traffic to the Wan1 interface and VoIP traffic to the Wan2 interface:
Testing: a PC on the voice network (10.10.10.0/24) pings 1.1.1.1 while Wan2 is up. The ping succeeds because Wan2 (port2) is up.
Challenger-kvm24 # dia sniffer packet any ' host 1.1.1.1 and icmp' 4 20
Wan2 goes down, so the voice network should no longer be able to reach the Internet (1.1.1.1), as the requirement demands. The ping from the PC fails because the traffic hits the implicit deny policy.
C:\>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
diagnose debug flow on the FortiGate shows the traffic is denied by the implicit policy.
Challenger-kvm24 # id=65308 trace_id=11 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.10.10.2:1->1.1.1.1:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=19."
Now, test from the Data network (10.10.20.0/24) with both WAN interfaces up. Traffic goes over port1 (Wan1) as expected.
Challenger-kvm24 # dia sniffer packet any ' host 1.1.1.1 and icmp' 4 20
Wan1 goes down while Wan2 stays up; now the Data network traffic goes over Wan2 as expected.
Challenger-kvm24 # dia sniffer packet any ' host 1.1.1.1' 4 20
So, with SD-WAN zones and firewall policies, the requirement can be met.
Copyright 2024 Fortinet, Inc. All Rights Reserved.