This topic applies to FortiOS 6.2.1 and earlier. In FortiOS 6.2.2 and later, self-originating (local-out) traffic will not match policy or SD-WAN rules.
By default, the policy route that SD-WAN rules generate applies to both forwarded and self-generated (local-out) traffic. Traffic that the FortiGate itself originates for dynamic routing protocols, such as OSPF and BGP sessions, can therefore have SD-WAN rules applied to it, and so can other locally originating traffic such as syslog. The result is that traffic destined for a locally connected subnet can egress from an undesired interface.
There are four methods that prevent the policy routes generated by SD-WAN rules from affecting local-out traffic:
- Do not set the Source address to all in SD-WAN rules.
- Use an input interface in SD-WAN rules, so that only traffic entering through that interface (never self-originated traffic) matches:
config system virtual-wan-link
    config service
        edit 1
            set input-device <interface>
            ...
        next
        ...
    end
end
- Create a policy route with Destination address set to the locally connected subnet and Action set to Stop Policy Routing. Traffic matching it stops policy-route evaluation, including the policy routes generated by SD-WAN rules, and goes directly to the forwarding information base (FIB) lookup.
The Advanced Routing feature visibility must be enabled for the Policy Routes page to be visible; see Feature visibility for information.
- Enable negating the destination address match (dst-negate) to exclude specific destinations, such as a BGP neighbor, from the rule:
config system virtual-wan-link
    config service
        edit 1
            set dst "bgp-neighbor-address"
            set dst-negate enable
            ...
        next
        ...
    end
end
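The following is an added example, not configuration from the original Fortinet page, showing methods 2, 3 and 4 applied together on one FortiGate. The interface name port2, the LAN prefix 10.1.1.0/24, the BGP neighbor 192.0.2.1 and the SD-WAN member sequence numbers 1 and 2 are constructed values. The CLI form of the GUI option Stop Policy Routing is taken to be set action deny under config router policy; that mapping is an assumption of this example and should be checked against the CLI reference for your build.

```text
# Added example (not from the FortiOS documentation); all addresses,
# interface names and member numbers below are constructed.

# Method 3: a manual policy route for the locally connected LAN with
# Stop Policy Routing (assumed CLI equivalent: set action deny).
# Manual policy routes are evaluated before the ones that SD-WAN rules
# generate, so traffic to 10.1.1.0/24 goes straight to the FIB lookup.
config router policy
    edit 1
        set dst "10.1.1.0/255.255.255.0"
        set action deny
    next
end

# Address object for the BGP neighbor, used by the dst-negate match.
config firewall address
    edit "bgp-neighbor-address"
        set subnet 192.0.2.1 255.255.255.255
    next
end

# Methods 2 and 4 on the SD-WAN rule itself: only traffic arriving on
# port2 can match (self-originated traffic has no input interface), and
# the BGP neighbor is excluded so the FortiGate's own BGP session is
# never steered by the rule even if a packet did match.
config system virtual-wan-link
    config service
        edit 1
            set name "internet-out"
            set input-device "port2"
            set src "all"
            set dst "bgp-neighbor-address"
            set dst-negate enable
            set priority-members 1 2
        next
    end
end
```

After applying the configuration, confirm the ordering by listing the active policy routes with diagnose firewall proute list (the manual route should appear before the SD-WAN-generated entries) and the SD-WAN rules with diagnose sys virtual-wan-link service; exact output differs between builds, so treat the field names shown there as informational.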