
SD-WAN routing logic

Once configured, SD-WAN takes over responsibility for intelligent traffic steering. But how does it interact with the traditional routing subsystem?

The following main rules apply by default:

  1. SD-WAN rules are matched only if the best route to the destination points to SD-WAN.

    The best route to the destination must point to any SD-WAN Member—not necessarily the one selected to forward the traffic. This check allows you to easily fit SD-WAN functionality into your existing network topology without disrupting services that are not supposed to be handled by SD-WAN. For example, you may have an out-of-band management network or a group of sites that have not (yet) migrated to SD-WAN. If the best route to the destination does not point to your SD-WAN bundle, the traffic will be handled by conventional routing.

  2. An SD-WAN member is selected only if it has a route to the destination.

    This check happens at a later stage when an SD-WAN rule is already matched and evaluated. Based on the configured strategy, one of the listed SD-WAN members will be preferred. But the traffic will only be forwarded via that member if there is a route to the destination through that path. Otherwise, the member will be skipped, and the next optimal member will be checked.

    Note

    This does not have to be the best route this time! Any route to the destination via that member is sufficient, including a default route.

As you can see, routing information serves as one of the inputs for SD-WAN intelligence.

The above behavior can be overridden: it is possible to configure an SD-WAN rule that completely bypasses route lookup. This option can help in specific scenarios, but it must be used with care, because traffic is then forwarded via the selected member regardless of what the routing table says.

Finally, what happens if none of the SD-WAN rules can forward the traffic? This can happen either because none of the rules matched the traffic or because none of the members of the matching rules had a route to the destination. In this case, the traffic is forwarded using conventional routing (this fallback is often called the implicit rule).
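To make the two default checks, the route-lookup override and the implicit-rule fallback concrete, here is a small model of the decision in Python. It is an added illustration, not FortiOS code or a description of its internals: the routing table, member names, rule criteria (only a destination prefix is modelled) and the `bypass_route_lookup` flag are all assumptions chosen for the example, and rule members are listed in the order the configured strategy would already have ranked them.

```python
"""Toy model of how SD-WAN rule evaluation consults the routing table.

Added illustration only (not FortiOS code). The routing table, the member
names, the rule format and the bypass_route_lookup flag are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int = 10  # lower wins when two routes have the same prefix length


@dataclass(frozen=True)
class Rule:
    name: str
    dst: ipaddress.IPv4Network  # the only match criterion modelled here
    members: tuple              # members as ranked by the rule's strategy
    bypass_route_lookup: bool = False  # assumed name for the override


def net(s):
    return ipaddress.IPv4Network(s)


def routes_to(rib, dst):
    """All routes covering dst, best first (longest prefix, then lowest distance)."""
    hits = [r for r in rib if dst in r.prefix]
    hits.sort(key=lambda r: (-r.prefix.prefixlen, r.distance))
    return hits


def steer(dst, rib, members, rules):
    """Return (egress_interface, explanation) for a single destination address."""
    dst = ipaddress.IPv4Address(dst)
    candidates = routes_to(rib, dst)
    best = candidates[0].interface if candidates else None
    routed = {r.interface for r in candidates}  # interfaces with *any* route to dst

    for rule in rules:
        if dst not in rule.dst:
            continue  # rule criteria not met
        if rule.bypass_route_lookup:
            # override: the routing table is not consulted at all
            return rule.members[0], f"{rule.name}: route lookup bypassed"
        # check 1: the best route must point to *some* SD-WAN member
        if best not in members:
            continue  # rule cannot match; conventional routing unless another rule applies
        # check 2: a member is used only if it has a route (not necessarily the best one)
        for m in rule.members:
            if m in routed:
                return m, f"{rule.name}: member {m}"
        # every member was skipped: try the next rule
    return best, "implicit rule: conventional routing"


# Constructed sample topology: two internet links plus an overlay tunnel are
# SD-WAN members; "mgmt" is an out-of-band interface that is not a member.
MEMBERS = {"port1", "port2", "ol1"}

RIB = [
    Route(net("0.0.0.0/0"), "port1"),
    Route(net("0.0.0.0/0"), "port2"),          # ECMP default routes
    Route(net("10.10.0.0/16"), "ol1", 20),     # data centre prefix learned over the overlay
    Route(net("192.168.100.0/24"), "mgmt"),    # management network, outside SD-WAN
    Route(net("192.168.200.0/24"), "mgmt"),
]

RULES = [
    Rule("to-dc", net("10.10.0.0/16"), ("ol1", "port1")),
    Rule("to-branch", net("10.30.0.0/16"), ("ol1",)),
    Rule("saas", net("8.8.8.0/24"), ("ol1", "port2")),
    Rule("forced", net("192.168.200.0/24"), ("port2",), bypass_route_lookup=True),
    Rule("corp", net("192.168.0.0/16"), ("port1", "port2")),
]


def demo():
    """Run the example scenarios; each value is (egress_interface, explanation)."""
    # same destination, but a strategy that ranks port1 first: port1 has only a
    # default route to it, which is enough (check 2 does not require the best route)
    alt = [Rule("to-dc", net("10.10.0.0/16"), ("port1", "ol1"))]
    return {
        "dc": steer("10.10.5.1", RIB, MEMBERS, RULES),          # ol1 (best route, has route)
        "dc-alt": steer("10.10.5.1", RIB, MEMBERS, alt),        # port1 (not best, but routed)
        "saas": steer("8.8.8.8", RIB, MEMBERS, RULES),          # ol1 has no route -> port2
        "mgmt": steer("192.168.100.5", RIB, MEMBERS, RULES),    # best route not SD-WAN -> mgmt
        "forced": steer("192.168.200.5", RIB, MEMBERS, RULES),  # bypass -> port2 despite no route
        "branch": steer("10.30.1.1", RIB, MEMBERS, RULES),      # no member has a route -> implicit
        "unmatched": steer("172.16.5.5", RIB, MEMBERS, RULES),  # no rule matches -> implicit
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} -> {v[0]:6} ({v[1]})")
```

The "forced" scenario is the reason the override needs care: the packet leaves via port2 even though the only route to 192.168.200.0/24 is via the management interface. The "branch" and "unmatched" scenarios both end in the implicit rule, one because every member of the matching rule was skipped and one because no rule matched at all.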

This concludes our overview of the SD-WAN functionality on FortiGate devices. Let us now turn to our main topic and see how we can build a complete Secure SD-WAN solution!
