Self-originating traffic
This topic applies to FortiOS 6.4.4 and later. In other versions, self-originating (local-out) traffic behaves differently.
By default, self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy routes generated by SD-WAN rules do not apply to this traffic.
Explicit proxy traffic uses policy routes and SD-WAN rules to select an egress interface. Self-originating VXLAN traffic uses SD-WAN rules to select an egress interface.
For the following features, self-originating traffic can be configured to use SD-WAN rules or a specific interface:
PING
IPv4 and IPv6 pings can be configured to use SD-WAN rules:
    execute ping-options use-sdwan {yes | no}
    execute ping6-options use-sd-wan {yes | no}
DNS
DNS and non-management VDOM DNS traffic can use SD-WAN rules or a specific interface:
    config system {dns | vdom-dns}
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
interface-select-method {auto | sdwan | specify}
    Select the interface selection method:

interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
FortiGuard
FortiGuard traffic can use SD-WAN rules or a specific interface:
    config system fortiguard
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
RADIUS
RADIUS traffic, including traffic to individual accounting servers, can use SD-WAN rules or a specific interface:
    config user radius
        edit <name>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
            config accounting-server
                edit <name>
                    set interface-select-method {auto | sdwan | specify}
                    set interface <interface>
                next
            end
        next
    end
LDAP
LDAP traffic can use SD-WAN rules or a specific interface:
    config user ldap
        edit <name>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
TACACS+
TACACS+ traffic can use SD-WAN rules or a specific interface:
    config user tacacs+
        edit <name>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
Central management
Central management traffic can use SD-WAN rules or a specific interface:
    config system central-management
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
FortiAnalyzer
FortiAnalyzer and FortiAnalyzer Cloud log traffic can use SD-WAN rules or a specific interface:
    config log {fortianalyzer | fortianalyzer2 | fortianalyzer3 | fortianalyzer-cloud} {setting | override-setting}
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
FortiGate Cloud logging
FortiGate Cloud log traffic can use SD-WAN rules or a specific interface:
    config log fortiguard setting
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
Syslog
Syslog traffic can use SD-WAN rules or a specific interface:
    config log {syslog | syslog2 | syslog3} {setting | override-setting}
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
Log disk upload
Log disk upload traffic can use SD-WAN rules or a specific interface:
    config log disk setting
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
FortiSandbox
FortiSandbox traffic can use SD-WAN rules or a specific interface:
    config system fortisandbox
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
FSSO
FSSO traffic can use SD-WAN rules or a specific interface:
    config system fsso
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
NTP server
NTP server traffic can use SD-WAN rules or a specific interface:
    config system ntp
        config ntpserver
            edit <id>
                set interface-select-method {auto | sdwan | specify}
                set interface <interface>
            next
        end
    end
External resources
External resource traffic can use SD-WAN rules or a specific interface:
    config system external-resource
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
DHCP proxy
DHCP proxy traffic can use SD-WAN rules or a specific interface:
    config system settings
        set dhcp-proxy-interface-select-method {auto | sdwan | specify}
        set dhcp-proxy-interface <interface>
    end
dhcp-proxy-interface-select-method {auto | sdwan | specify}
    Select the interface selection method:

dhcp-proxy-interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
DHCP relay
DHCP relay traffic can use SD-WAN rules or a specific interface:
    config system interface
        edit <interface>
            set dhcp-relay-interface-select-method {auto | sdwan | specify}
            set dhcp-relay-interface <interface>
        next
    end
dhcp-relay-interface-select-method {auto | sdwan | specify}
    Select the interface selection method:

dhcp-relay-interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
CA and local certificate renewal with SCEP
Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:
    config vpn certificate setting
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    end
IPS TLS protocol active probing
TLS active probing can use SD-WAN rules or a specific interface:
    config ips global
        config tls-active-probe
            set interface-selection-method {auto | sdwan | specify}
            set interface <interface>
            set vdom <VDOM>
            set source-ip <IPv4 address>
            set source-ip6 <IPv6 address>
        end
    end
interface-selection-method {auto | sdwan | specify}
    Select the interface selection method:

interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when

vdom <VDOM>
    Specify the VDOM. This option is only available and must be configured when

source-ip <IPv4 address>
    Specify the source IPv4 address. This option is only available and must be configured when

source-ip6 <IPv6 address>
    Specify the source IPv6 address. This option is only available and must be configured when
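Every block above repeats one pattern: an interface-select-method (interface-selection-method under tls-active-probe) whose value is auto, sdwan or specify, and a companion interface setting that must be present when specify is chosen. The script below is an added example, not part of the Fortinet documentation or of FortiOS: it parses a constructed FortiOS CLI dump and reports, per service, which egress selection is in effect, so an operator can see at a glance which self-originating services still fall back to routing table lookups and which are set to specify without an interface. The sample dump, its scope names (which follow this page's naming, such as log syslog setting), addresses and port names are all constructed assumptions.

```python
"""Audit how a FortiOS config dump routes self-originating traffic.

Added example, not Fortinet's code. Walks the nested config / edit / set /
next / end structure and, for every *interface-select-method or
interface-selection-method setting, reports auto (routing table),
sdwan (SD-WAN rules) or specify (pinned interface); a specify with no
matching interface setting is flagged as incomplete.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches 'interface-select-method', 'interface-selection-method' and
# prefixed forms such as 'dhcp-relay-interface-select-method'.
METHOD_RE = re.compile(r"^(?P<prefix>.*?)interface-select(?:ion)?-method$")

# Constructed sample dump (assumption), not taken from a real device.
SAMPLE_CONFIG = """\
config system dns
    set interface-select-method sdwan
end
config log syslog setting
    set server "198.51.100.10"
    set interface-select-method specify
    set interface "port2"
end
config user radius
    edit "corp-radius"
        set server "198.51.100.20"
        set interface-select-method specify
        config accounting-server
            edit 1
                set server "198.51.100.21"
                set interface-select-method auto
            next
        end
    next
end
config system interface
    edit "port3"
        set dhcp-relay-interface-select-method specify
        set dhcp-relay-interface "port1"
    next
end
config ips global
    config tls-active-probe
        set interface-selection-method sdwan
    end
end
"""


@dataclass
class Finding:
    scope: str                  # e.g. 'user radius / corp-radius'
    method: str                 # auto | sdwan | specify
    interface: Optional[str]    # pinned interface, if any
    ok: bool                    # False when the setting is incomplete
    note: str


def parse_fortios(text: str) -> Dict[str, Dict[str, str]]:
    """Flatten a FortiOS CLI dump into {scope path: {key: value}}."""
    scopes: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "config":            # 'config system dns' opens a scope
            stack.append(arg)
        elif cmd == "edit":            # 'edit "name"' opens a table entry
            stack.append(arg.strip('"'))
        elif cmd == "set":
            key, _, value = arg.partition(" ")
            scopes.setdefault(" / ".join(stack), {})[key] = value.strip().strip('"')
        elif cmd in ("next", "end") and stack:
            stack.pop()
        # 'unset' and anything else carries no egress choice; ignored
    return scopes


def audit(scopes: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Report the egress selection in effect for every service found."""
    findings: List[Finding] = []
    for scope, settings in scopes.items():
        for key, method in settings.items():
            m = METHOD_RE.match(key)
            if not m:
                continue
            iface_key = m.group("prefix") + "interface"   # companion setting
            iface = settings.get(iface_key)
            if method == "auto":
                note, ok = "routing table lookup; SD-WAN rules do not apply", True
            elif method == "sdwan":
                note, ok = "egress chosen by SD-WAN rules", True
            elif method == "specify" and iface:
                note, ok = f"pinned to {iface}", True
            else:
                note, ok = f"'{key} {method}' without a usable '{iface_key}'", False
            findings.append(Finding(scope, method, iface, ok, note))
    return findings


if __name__ == "__main__":
    for f in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"{'OK ' if f.ok else 'FIX'} {f.scope:48} {f.method:8} {f.note}")
```

Run against a real backup (show full-configuration output), the FIX lines are the services to correct first, and the auto lines are the ones whose egress will silently change whenever the routing table does.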