Self-originating traffic
This topic applies to FortiOS 6.4.4 and later. In other versions, self-originating (local-out) traffic behaves differently.
By default, self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy routes generated by SD-WAN rules do not apply to this traffic.
Explicit proxy traffic uses policy routes and SD-WAN rules to select an egress interface. Self-originating VXLAN traffic uses SD-WAN rules to select an egress interface.
Unless a service is configured with its own source-ip, the egress interface also determines the source address of the connection, so a server that restricts clients by address (a RADIUS, TACACS+, or syslog server, for example) must permit the address of the interface that is actually selected. For the following features, self-originating traffic can be configured to use SD-WAN rules (sdwan) or a specific interface (specify) instead of the routing table lookup (auto):
PING
IPv4 and IPv6 pings can be configured to use SD-WAN rules:
execute ping-options use-sdwan {yes | no}
execute ping6-options use-sd-wan {yes | no}
DNS
DNS and non-management VDOM DNS traffic can use SD-WAN rules or a specific interface:
config system {dns | vdom-dns}
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    auto: select the outgoing interface by routing table lookup (default).
    sdwan: select the outgoing interface with SD-WAN rules.
    specify: use the interface configured with interface.
interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when interface-select-method is set to specify.
FortiGuard
FortiGuard traffic can use SD-WAN rules or a specific interface:
config system fortiguard
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
RADIUS
RADIUS traffic, including traffic to individual accounting servers, can use SD-WAN rules or a specific interface:
config user radius
edit <name>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
config accounting-server
edit <name>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
next
end
LDAP
LDAP traffic can use SD-WAN rules or a specific interface:
config user ldap
edit <name>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
TACACS+
TACACS+ traffic can use SD-WAN rules or a specific interface:
config user tacacs+
edit <name>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
Central management
Central management traffic can use SD-WAN rules or a specific interface:
config system central-management
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
FortiAnalyzer
FortiAnalyzer and FortiAnalyzer Cloud log traffic can use SD-WAN rules or a specific interface:
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3 | fortianalyzer-cloud} {setting | override-setting}
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
FortiGate Cloud logging
FortiGate Cloud log traffic can use SD-WAN rules or a specific interface:
config log fortiguard setting
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
Syslog
Syslog traffic can use SD-WAN rules or a specific interface:
config log {syslogd | syslogd2 | syslogd3} {setting | override-setting}
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
Log disk upload
Log disk upload traffic can use SD-WAN rules or a specific interface:
config log disk setting
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
FortiSandbox
FortiSandbox traffic can use SD-WAN rules or a specific interface:
config system fortisandbox
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
FSSO
FSSO agent traffic can use SD-WAN rules or a specific interface:
config user fsso
edit <name>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
NTP server
NTP server traffic can use SD-WAN rules or a specific interface:
config system ntp
config ntpserver
edit <id>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
end
External resources
External resource (threat feed) traffic can use SD-WAN rules or a specific interface:
config system external-resource
edit <name>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
DHCP proxy
DHCP proxy traffic can use SD-WAN rules or a specific interface:
config system settings
set dhcp-proxy-interface-select-method {auto | sdwan | specify}
set dhcp-proxy-interface <interface>
end
dhcp-proxy-interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    auto: select the outgoing interface by routing table lookup (default).
    sdwan: select the outgoing interface with SD-WAN rules.
    specify: use the interface configured with dhcp-proxy-interface.
dhcp-proxy-interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when dhcp-proxy-interface-select-method is set to specify.
DHCP relay
DHCP relay traffic can use SD-WAN rules or a specific interface:
config system interface
edit <interface>
set dhcp-relay-interface-select-method {auto | sdwan | specify}
set dhcp-relay-interface <interface>
next
end
dhcp-relay-interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    auto: select the outgoing interface by routing table lookup (default).
    sdwan: select the outgoing interface with SD-WAN rules.
    specify: use the interface configured with dhcp-relay-interface.
dhcp-relay-interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when dhcp-relay-interface-select-method is set to specify.
CA and local certificate renewal with SCEP
Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:
config vpn certificate setting
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
IPS TLS protocol active probing
TLS active probing can use SD-WAN rules or a specific interface:
config ips global
config tls-active-probe
set interface-selection-method {auto | sdwan | specify}
set interface <interface>
set vdom <VDOM>
set source-ip <IPv4 address>
set source-ip6 <IPv6 address>
end
end
interface-selection-method {auto | sdwan | specify}
    Select the interface selection method:
    auto: select the outgoing interface by routing table lookup (default).
    sdwan: select the outgoing interface with SD-WAN rules.
    specify: use the interface configured with interface.
interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when interface-selection-method is set to specify.
vdom <VDOM>
    Specify the VDOM. This option is only available and must be configured when interface-selection-method is set to specify.
source-ip <IPv4 address>
    Specify the source IPv4 address. This option is only available and must be configured when interface-selection-method is set to specify.
source-ip6 <IPv6 address>
    Specify the source IPv6 address. This option is only available and must be configured when interface-selection-method is set to specify.
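The following Python script is an added example, not code from the FortiOS documentation or from Fortinet. It parses a configuration dump (the text of show or show full-configuration) and reports every local-out object from the list above whose egress is still chosen by routing table lookup, or which is set to specify without an interface. The list of config paths and the sample dump are constructed for the example; the syslog path is written with the on-device spelling log syslogd.

```python
"""Audit a FortiOS configuration dump for self-originating (local-out) objects whose
egress interface is still chosen by routing table lookup. Added example, not Fortinet
code. Input is ``show`` or ``show full-configuration`` text; an object that has no
interface-select-method line is treated as auto (the FortiOS default)."""
import shlex

# Local-out config paths from the list on this page (constructed list; the syslog path
# uses the on-device spelling "log syslogd"). Matched as prefixes, so a table entry such
# as "user radius <name> accounting-server <id>" matches "user radius".
LOCAL_OUT_PATHS = (
    "system dns", "system vdom-dns", "system fortiguard", "user radius", "user ldap",
    "user tacacs+", "user fsso", "system central-management", "system fortisandbox",
    "system external-resource", "system ntp ntpserver", "vpn certificate setting",
    "log fortianalyzer", "log fortianalyzer2", "log fortianalyzer3", "log fortianalyzer-cloud",
    "log fortiguard setting", "log syslogd", "log syslogd2", "log syslogd3", "log disk setting",
)


def parse_fortios(text):
    """Return [(path, settings)] per configured object, e.g. (("log", "syslogd", "setting"),
    {...}). A config block that only holds edit entries is a table container, not an object."""
    objects, stack = [], []  # stack entries: [path, settings, is_table]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # honours the double quotes FortiOS puts around values
        kw = words[0]
        if kw == "config":
            parent = stack[-1][0] if stack else ()
            stack.append([parent + tuple(words[1:]), {}, False])
        elif kw == "edit":
            stack[-1][2] = True  # the enclosing config block is a table
            stack.append([stack[-1][0] + (words[1],), {}, False])
        elif kw == "set":
            stack[-1][1][words[1]] = " ".join(words[2:])
        elif kw in ("next", "end"):
            path, settings, is_table = stack.pop()
            if not is_table:
                objects.append((path, settings))
    return objects


def audit_local_out(text):
    """Map each local-out object (space-joined path) to (method, interface)."""
    report = {}
    for path, settings in parse_fortios(text):
        if path[:1] == ("vdom",):  # drop the "config vdom / edit <name>" wrapper
            path = path[2:]
        joined = " ".join(path)
        if any(joined == p or joined.startswith(p + " ") for p in LOCAL_OUT_PATHS):
            report[joined] = (settings.get("interface-select-method", "auto"),
                              settings.get("interface", ""))
    return report


def findings(report):
    """Return {path: reason} for objects whose egress is not pinned to an interface."""
    out = {}
    for path, (method, iface) in report.items():
        if method == "auto":
            out[path] = "egress chosen by routing table lookup (auto)"
        elif method == "specify" and not iface:
            out[path] = "interface-select-method is specify but no interface is set"
    return out


# Constructed sample dump (not taken from a real device).
SAMPLE_CONFIG = """\
config log syslogd setting
    set server "10.0.0.5"
    set interface-select-method specify
    set interface "port2"
end
config log syslogd2 setting
    set server "10.0.0.6"
end
config user radius
    edit "corp-radius"
        set server "10.0.0.10"
        set interface-select-method sdwan
        config accounting-server
            edit 1
                set server "10.0.0.12"
            next
        end
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.11"
        set interface-select-method specify
    next
end
"""

if __name__ == "__main__":
    for path, reason in sorted(findings(audit_local_out(SAMPLE_CONFIG)).items()):
        print(f"{path}: {reason}")
```

Run it against a backup taken with show full-configuration, which prints interface-select-method auto explicitly; plain show omits defaults, which the script treats as auto. Each accounting server carries its own interface-select-method setting (see the RADIUS block above), which is why the sample flags accounting-server 1 even though corp-radius itself uses sdwan.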