Administration Guide

Self-originating traffic

Note

This topic applies to FortiOS 6.4.1. In other versions, self-originating (local-out) traffic behaves differently.

By default, self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy routes generated by SD-WAN rules do not apply to this traffic.

Explicit proxy traffic uses policy routes and SD-WAN rules to select an egress interface.

For the following features, self-originating traffic can be configured to use SD-WAN rules or a specific interface:

PING

IPv4 and IPv6 pings can be configured to use SD-WAN rules.

execute ping-options use-sdwan {yes | no}
execute ping6-options use-sd-wan {yes | no}

DNS

DNS and non-management VDOM DNS traffic can use SD-WAN rules or a specific interface:

config system {dns | vdom-dns}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

FortiGuard

FortiGuard traffic can use SD-WAN rules or a specific interface:

config system fortiguard
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

RADIUS

RADIUS traffic, including traffic to individual accounting servers, can use SD-WAN rules or a specific interface:

config user radius
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
        config accounting-server
            edit <name>
                set interface-select-method {auto | sdwan | specify}
                set interface <interface>
            next
        end
    next
end

LDAP

LDAP traffic can use SD-WAN rules or a specific interface:

config user ldap
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end

TACACS+

TACACS+ traffic can use SD-WAN rules or a specific interface:

config user tacacs+
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end

Central management

Central management traffic can use SD-WAN rules or a specific interface:

config system central-management
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
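As an added example (not Fortinet's code), the following Python audit parses the config/edit/set/next/end structure shown above from a FortiOS-style configuration backup and reports, for each table this topic covers, which interface selection method its self-originating traffic uses, flagging specify entries that lack the required interface. The parser, the AUDITED table list and SAMPLE_CONFIG are constructed here, and a single-VDOM backup with the tables at top level is assumed.

```python
AUDITED = ("system dns", "system vdom-dns", "system fortiguard", "system central-management",
           "user radius", "user ldap", "user tacacs+")   # tables the guide covers
# Constructed single-VDOM config excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
config system dns
    set interface-select-method sdwan
end
config system fortiguard
    set interface-select-method specify
    set interface "port1"
end
config user radius
    edit "corp-radius"
        set interface-select-method specify
        config accounting-server
            edit 1
                set server "10.10.10.6"
            next
        end
    next
end
"""

def parse_fortios(text):
    stack = [{}]                                   # stack[-1] is the block being filled
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(("config ", "edit ")):  # open a nested block (quotes stripped)
            stack.append(stack[-1].setdefault(line.split(" ", 1)[1].strip('"'), {}))
        elif line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            stack[-1][key] = val.strip('"')
        elif line in ("next", "end"):              # close the current block
            stack.pop()
    return stack[0]                                # the parsed tree

def audit_local_out(text):
    """Map each audited object to (method, interface); no method set means 'auto'."""
    cfg, out = parse_fortios(text), {}
    def walk(path, obj):
        # Settable objects carry set values (or none); tables/containers hold only dicts.
        if not obj or any(not isinstance(v, dict) for v in obj.values()):
            method, iface = obj.get("interface-select-method", "auto"), obj.get("interface")
            if method == "specify" and not iface:  # the CLI requires interface here
                method = "specify (MISSING interface)"
            out[path] = (method, iface)
        for key, sub in ((k, v) for k, v in obj.items() if isinstance(v, dict)):
            walk(f"{path} {key}", sub)
    for table in (t for t in AUDITED if t in cfg):
        walk(table, cfg[table])
    return out
```

Objects reported as auto still rely on routing table lookups, so SD-WAN rules do not steer them; the accounting server in the sample shows how a nested entry can silently keep that default while its parent RADIUS server is pinned.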
