Fortinet Document Library


Cookbook


Self-originating traffic

Note

This topic applies to FortiOS 6.2.1 and earlier. In FortiOS 6.2.2 and later, self-originating (local-out) traffic will not match policy or SD-WAN rules.

By default, the policy route generated by SD-WAN rules applies to both forwarded traffic and traffic that the FortiGate generates itself. As a result, SD-WAN rules can be applied to the control traffic of dynamic routing protocols such as OSPF and BGP, and to other locally originated traffic such as syslog. This can cause traffic destined for a locally connected subnet to egress from an undesired interface, for example a BGP session to a directly connected neighbor being steered out a WAN member.

There are four methods that can be used to prevent the policy routes generated by SD-WAN rules from affecting local-out traffic:

  1. Do not set the Source address to all in SD-WAN rules. Use the LAN subnets that should be steered instead, so that traffic sourced from the FortiGate's own interface addresses does not match.

  2. Use an input interface in SD-WAN rules:
    config system virtual-wan-link
        config service
            edit 1
                set input-device <interface>
                ...
            next
        ...
    end
  3. Create a policy route with Destination address set to the locally connected subnet, and Action set to Stop Policy Routing. Because this policy route is matched before the SD-WAN rules, the packet goes directly to the forwarding information base (FIB) lookup and the SD-WAN rules are bypassed for that destination.

    The Advanced Routing feature visibility must be enabled for the Policy Routes page to be visible; see Feature visibility for information.

  4. Enable negating the destination address match (dst-negate) so that specific destinations, such as a BGP neighbor address, are excluded from the rule:
    config system virtual-wan-link
        config service
            edit 1
                set dst "bgp-neighbor-address"
                set dst-negate enable
                ...
            next
        ...
    end
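The following is an added example that combines methods 1 and 3 in one configuration; it is not part of the original topic. The address object name, the 192.168.1.0/24 LAN subnet, the 10.10.10.0/24 subnet of the BGP neighbor, the rule name and the SD-WAN member IDs are assumed values for illustration. In the CLI, the GUI action Stop Policy Routing corresponds to set action deny under config router policy.

```fortios
# Assumed LAN subnet used as the SD-WAN rule source instead of "all" (method 1)
config firewall address
    edit "LAN-subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# SD-WAN rule restricted to LAN-sourced traffic; self-generated traffic
# (syslog, BGP, OSPF) is sourced from interface addresses and does not match
config system virtual-wan-link
    config service
        edit 1
            set name "internet-out"
            set mode priority
            set src "LAN-subnet"
            set dst "all"
            set priority-members 1 2
        next
    end
end

# Manual policy route for the directly connected subnet of the BGP neighbor
# (method 3): action deny = Stop Policy Routing, so the packet goes straight to
# the FIB lookup and never reaches the SD-WAN rules
config router policy
    edit 1
        set dst "10.10.10.0/255.255.255.0"
        set action deny
    next
end
```

To check the result, verify that the SD-WAN rule no longer lists the FortiGate's own interface addresses as a match and that the manual policy route appears before the SD-WAN-generated policy routes in the Policy Routes page (Advanced Routing feature visibility must be enabled, as noted above).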