Self-originating traffic
This topic applies to FortiOS 6.2.7. In other versions, self-originating (local-out) traffic behaves differently. |
By default, self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy routes generated by SD-WAN rules do not apply to this traffic.
For the following features, self-originating traffic can be configured to use SD-WAN rules or a specific interface:
PING
IPv4 and IPv6 pings can be configured to use SD-WAN rules.
execute ping-options use-sdwan {yes | no} execute ping6-options use-sd-wan {yes | no}
DNS
DNS and non-management VDOM DNS traffic can use SD-WAN rules or a specific interface:
config system {dns | vdom-dns} set interface-select-method {auto | sdwan | specify} set interface <interface> end
interface-select-method {auto | sdwan | specify} |
Select the interface selection method:
|
interface <interface> |
Specify the outgoing interface. This option is only available and must be configured when |
FortiGuard
FortiGuard traffic can use SD-WAN rules or a specific interface:
config system fortiguard set interface-select-method {auto | sdwan | specify} set interface <interface> end
RADIUS
RADIUS, and individual accounting servers, traffic can use SD-WAN rules or a specific interface:
config user radius edit <name> set interface-select-method {auto | sdwan | specify} set interface <interface> config accounting-server edit <name> set interface-select-method {auto | sdwan | specify} set interface <interface> next end next end
LDAP
LDAP traffic can use SD-WAN rules or a specific interface:
config user ldap edit <name> set interface-select-method {auto | sdwan | specify} set interface <interface> next end
TACACS+
TACACS+ traffic can use SD-WAN rules or a specific interface:
config user tacacs+ edit <name> set interface-select-method {auto | sdwan | specify} set interface <interface> next end
Central management
Central management traffic can use SD-WAN rules or a specific interface:
config system central-management set interface-select-method {auto | sdwan | specify} set interface <interface> end
DHCP proxy
DHCP proxy traffic can use SD-WAN rules or a specific interface:
config system settings set dhcp-proxy-interface-select-method {auto | sdwan | specify} set dhcp-proxy-interface <interface> end
dhcp-proxy-interface-select-method {auto | sdwan | specify} |
Select the interface selection method:
|
dhcp-proxy-interface <interface> |
Specify the outgoing interface. This option is only available and must be configured when |
DHCP relay
DHCP relay traffic can use SD-WAN rules or a specific interface:
config system interface edit <interface> set dhcp-relay-interface-select-method {auto | sdwan | specify} set dhcp-relay-interface <interface> next end
dhcp-relay-interface-select-method {auto | sdwan | specify} |
Select the interface selection method:
|
dhcp-relay-interface <interface> |
Specify the outgoing interface. This option is only available and must be configured when |
CA and local certificate renewal with SCEP
Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:
config vpn certificate setting set interface-select-method {auto | sdwan | specify} set interface <interface> end