Administration Guide

Self-originating traffic

Note

This topic applies to FortiOS 6.4.2. In other versions, self-originating (local-out) traffic behaves differently.

By default, self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy routes generated by SD-WAN rules do not apply to this traffic. In a multi-WAN deployment this means that logs and authentication requests leave through whichever link the routing table prefers, regardless of the SD-WAN rules that steer user traffic, and, unless a fixed source address is configured, the source address that the remote server sees follows that interface. IP-based allow lists on a syslog collector, RADIUS server, or LDAP server must therefore cover every interface the traffic can use, or the interface must be pinned with the options described below.

Explicit proxy traffic uses policy routes and SD-WAN rules to select an egress interface. Self-originating VXLAN traffic uses SD-WAN rules to select an egress interface.

For the following features, self-originating traffic can be configured to use SD-WAN rules or a specific interface:

PING

IPv4 and IPv6 pings can be configured to use SD-WAN rules.

execute ping-options use-sdwan {yes | no}
execute ping6-options use-sdwan {yes | no}
DNS

DNS and non-management VDOM DNS traffic can use SD-WAN rules or a specific interface:

config system {dns | vdom-dns}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

FortiGuard

FortiGuard traffic can use SD-WAN rules or a specific interface:

config system fortiguard
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
RADIUS

RADIUS traffic, including traffic to individual accounting servers, can use SD-WAN rules or a specific interface:

config user radius
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
        config accounting-server
            edit <name>
                set interface-select-method {auto | sdwan | specify}
                set interface <interface>
            next
        end
    next
end
LDAP

LDAP traffic can use SD-WAN rules or a specific interface:

config user ldap
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end
TACACS+

TACACS+ traffic can use SD-WAN rules or a specific interface:

config user tacacs+
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end
Central management

Central management traffic can use SD-WAN rules or a specific interface:

config system central-management
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
FortiAnalyzer

FortiAnalyzer and FortiAnalyzer Cloud log traffic can use SD-WAN rules or a specific interface:

config log {fortianalyzer | fortianalyzer2 | fortianalyzer3 | fortianalyzer-cloud} {setting | override-setting}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
FortiGate Cloud logging

FortiGate Cloud log traffic can use SD-WAN rules or a specific interface:

config log fortiguard setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
Syslog

Syslog traffic can use SD-WAN rules or a specific interface:

config log {syslogd | syslogd2 | syslogd3} {setting | override-setting}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
Log disk upload

Log disk upload traffic can use SD-WAN rules or a specific interface:

config log disk setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
FortiSandbox

FortiSandbox traffic can use SD-WAN rules or a specific interface:

config system fortisandbox
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
FSSO

FSSO traffic can use SD-WAN rules or a specific interface:

config user fsso
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end
NTP server

NTP server traffic can use SD-WAN rules or a specific interface:

config system ntp
    config ntpserver
        edit <id>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end
External resources

External resource traffic can use SD-WAN rules or a specific interface:

config system external-resource
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end
DHCP proxy

DHCP proxy traffic can use SD-WAN rules or a specific interface:

config system settings
    set dhcp-proxy-interface-select-method {auto | sdwan | specify}
    set dhcp-proxy-interface <interface>
end

dhcp-proxy-interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

dhcp-proxy-interface <interface>

Specify the outgoing interface. This option is only available and must be configured when dhcp-proxy-interface-select-method is specify.

DHCP relay

DHCP relay traffic can use SD-WAN rules or a specific interface:

config system interface
    edit <interface>
        set dhcp-relay-interface-select-method {auto | sdwan | specify}
        set dhcp-relay-interface <interface>
    next
end

dhcp-relay-interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

dhcp-relay-interface <interface>

Specify the outgoing interface. This option is only available and must be configured when dhcp-relay-interface-select-method is specify.

CA and local certificate renewal with SCEP

Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:

config vpn certificate setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
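The sections above list every local-out service whose egress can be pinned, but on a running unit the question is usually the reverse: which of these services are still on the default auto method and therefore follow the routing table rather than the SD-WAN rules? The following script is an added example, not Fortinet code or anything from the FortiOS CLI. It parses the plain config/edit/set/next/end syntax of a FortiOS configuration backup, encodes where the selection option lives for each service on this page (including the dhcp-proxy- and dhcp-relay- prefixed variants and the accounting-server and ntpserver subtables), and reports each scope as auto, sdwan, or specify with its interface. It goes slightly beyond the page by also flagging an entry that is set to specify without an interface, and by reporting a DHCP relay interface only when relaying is actually enabled on it. The function and constant names (parse_fortios_config, audit_local_out, LOCAL_OUT_SCOPES) are the example's own, and the sample configuration is constructed for the demonstration.

```python
# Added audit example (not Fortinet code) for a FortiOS-style configuration backup.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration fragment (FortiOS 6.4 syntax).
SAMPLE_CONFIG = """\
config system dns
    set interface-select-method specify
    set interface "port1"
end
config log syslogd setting
    set server "10.1.1.10"
end
config user radius
    edit "corp-radius"
        set interface-select-method sdwan
    next
end
config system interface
    edit "port3"
        set dhcp-relay-service enable
        set dhcp-relay-interface-select-method sdwan
    next
    edit "port4"
        set ip 10.4.4.1 255.255.255.0
    next
end
"""

# Where the option lives: regex over the "section / entry / ..." path, the option name
# prefix used there, and a setting that must be enabled for the entry to emit local-out traffic.
LOCAL_OUT_SCOPES = [
    (r"^system (dns|vdom-dns|fortiguard|central-management|fortisandbox)$", "", None),
    (r"^vpn certificate setting$", "", None),
    (r"^log (fortianalyzer[23]?|fortianalyzer-cloud|syslogd[23]?|fortiguard|disk) "
     r"(setting|override-setting)$", "", None),
    (r"^user (radius|ldap|tacacs\+|fsso) / [^/]+$", "", None),
    (r"^user radius / [^/]+ / accounting-server / [^/]+$", "", None),
    (r"^system external-resource / [^/]+$", "", None),
    (r"^system ntp / ntpserver / [^/]+$", "", None),
    (r"^system settings$", "dhcp-proxy-", None),
    (r"^system interface / [^/]+$", "dhcp-relay-", "dhcp-relay-service"),
]

def parse_fortios_config(text: str) -> Dict[Tuple[str, ...], Dict[str, str]]:
    """Map each block (its stack of config sections and edit names) to its set values."""
    blocks: Dict[Tuple[str, ...], Dict[str, str]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(rest.strip().strip('"'))
        elif word in ("next", "end"):
            if not stack:
                raise ValueError(f"unbalanced {word}: {raw!r}")
            stack.pop()
        elif word == "set":
            key, _, value = rest.partition(" ")
            blocks.setdefault(tuple(stack), {})[key] = value.strip().strip('"')
        elif word and not word.startswith("#"):  # blank lines and #header lines are skipped
            raise ValueError(f"unrecognised line: {raw!r}")
    return blocks

@dataclass
class Finding:
    path: str
    method: str               # auto | sdwan | specify
    interface: Optional[str]  # filled only when method is specify
    explicit: bool            # False when auto is just the implicit default

    @property
    def problem(self) -> Optional[str]:
        if self.method == "specify" and not self.interface:
            return "specify without an interface"
        return "routing-table egress; SD-WAN rules do not apply" if self.method == "auto" else None

def audit_local_out(blocks: Dict[Tuple[str, ...], Dict[str, str]]) -> List[Finding]:
    """One Finding per local-out scope present in the configuration, sorted by path."""
    findings = []
    for path, settings in blocks.items():
        joined = " / ".join(path)
        for pattern, prefix, gate in LOCAL_OUT_SCOPES:
            if not re.match(pattern, joined):
                continue
            if gate is None or settings.get(gate) == "enable":
                key = prefix + "interface-select-method"
                method = settings.get(key, "auto")
                iface = settings.get(prefix + "interface") if method == "specify" else None
                findings.append(Finding(joined, method, iface, key in settings))
            break
    return sorted(findings, key=lambda f: f.path)

if __name__ == "__main__":
    for f in audit_local_out(parse_fortios_config(SAMPLE_CONFIG)):
        how = f.method if f.explicit else f"{f.method} (default)"
        via = f" via {f.interface}" if f.interface else ""
        print(f"{f.path}: {how}{via}" + (f"  <-- {f.problem}" if f.problem else ""))
```

A configuration backup or `show` output omits options that are still at their default, so an absent interface-select-method means auto; the script reports such scopes as "auto (default)" so that they are not mistaken for a deliberate choice. On the constructed sample, the syslog server is the only scope left on the routing table, port4 is not reported because it does not relay DHCP, and DNS, RADIUS, and the port3 relay are shown with the method that was set.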