Fortinet white logo
Fortinet white logo

Cookbook

Self-originating traffic

Self-originating traffic

Note

This topic applies to FortiOS 6.2.7. In other versions, self-originating (local-out) traffic behaves differently.

By default, self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy routes generated by SD-WAN rules do not apply to this traffic.

For the following features, self-originating traffic can be configured to use SD-WAN rules or a specific interface:

PING

IPv4 and IPv6 pings can be configured to use SD-WAN rules.

execute ping-options use-sdwan {yes | no}
execute ping6-options use-sd-wan {yes | no}
DNS

DNS and non-management VDOM DNS traffic can use SD-WAN rules or a specific interface:

config system {dns | vdom-dns}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

FortiGuard

FortiGuard traffic can use SD-WAN rules or a specific interface:

config system fortiguard
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
RADIUS

RADIUS, and individual accounting servers, traffic can use SD-WAN rules or a specific interface:

config user radius
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
        config accounting-server
            edit <name>
                set interface-select-method {auto | sdwan | specify}
                set interface <interface>
            next
        end
    next
end
LDAP

LDAP traffic can use SD-WAN rules or a specific interface:

config user ldap
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end
TACACS+

TACACS+ traffic can use SD-WAN rules or a specific interface:

config user tacacs+
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end
Central management

Central management traffic can use SD-WAN rules or a specific interface:

config system central-management
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
DHCP proxy

DHCP proxy traffic can use SD-WAN rules or a specific interface:

config system settings
    set dhcp-proxy-interface-select-method {auto | sdwan | specify}
    set dhcp-proxy-interface <interface>
end

dhcp-proxy-interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

dhcp-proxy-interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

DHCP relay

DHCP relay traffic can use SD-WAN rules or a specific interface:

config system interface
    edit <interface>
        set dhcp-relay-interface-select-method {auto | sdwan | specify}
        set dhcp-relay-interface <interface>
    next
end

dhcp-relay-interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

dhcp-relay-interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

CA and local certificate renewal with SCEP

Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:

config vpn certificate setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

Self-originating traffic

Self-originating traffic

Note

This topic applies to FortiOS 6.2.7. In other versions, self-originating (local-out) traffic behaves differently.

By default, self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy routes generated by SD-WAN rules do not apply to this traffic.

For the following features, self-originating traffic can be configured to use SD-WAN rules or a specific interface:

PING

IPv4 and IPv6 pings can be configured to use SD-WAN rules.

execute ping-options use-sdwan {yes | no}
execute ping6-options use-sd-wan {yes | no}
DNS

DNS and non-management VDOM DNS traffic can use SD-WAN rules or a specific interface:

config system {dns | vdom-dns}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

FortiGuard

FortiGuard traffic can use SD-WAN rules or a specific interface:

config system fortiguard
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
RADIUS

RADIUS, and individual accounting servers, traffic can use SD-WAN rules or a specific interface:

config user radius
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
        config accounting-server
            edit <name>
                set interface-select-method {auto | sdwan | specify}
                set interface <interface>
            next
        end
    next
end
LDAP

LDAP traffic can use SD-WAN rules or a specific interface:

config user ldap
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end
TACACS+

TACACS+ traffic can use SD-WAN rules or a specific interface:

config user tacacs+
    edit <name>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end
Central management

Central management traffic can use SD-WAN rules or a specific interface:

config system central-management
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
DHCP proxy

DHCP proxy traffic can use SD-WAN rules or a specific interface:

config system settings
    set dhcp-proxy-interface-select-method {auto | sdwan | specify}
    set dhcp-proxy-interface <interface>
end

dhcp-proxy-interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

dhcp-proxy-interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

DHCP relay

DHCP relay traffic can use SD-WAN rules or a specific interface:

config system interface
    edit <interface>
        set dhcp-relay-interface-select-method {auto | sdwan | specify}
        set dhcp-relay-interface <interface>
    next
end

dhcp-relay-interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default)
  • sdwan: Set the interface by SD-WAN or policy routing rules
  • specify: Set the interface manually.

dhcp-relay-interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

CA and local certificate renewal with SCEP

Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:

config vpn certificate setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end