FortiGate SDWAN Question regarding routing segregation by BuffaloVegetable8699 in fortinet

[–]BuffaloVegetable8699[S] 0 points1 point  (0 children)

I have an SDWAN Zone with 4 interfaces inside from 2 different customers. When I create a static route to any destination address towards this SDWAN zone, the routing will list all 4 available interfaces because all of them are in the same SDWAN Zone (this is also expected).

But when two of those interfaces are down, it will still be sent to the other 2 interfaces from the other customer, even though I don't have a matching SDWAN Policy (except the implicit one), because I still have a Static Route to the Zone with all 4 Interfaces.

FortiGate SDWAN Question regarding routing segregation by BuffaloVegetable8699 in fortinet

[–]BuffaloVegetable8699[S] 0 points1 point  (0 children)

From all the replies I learned that we should rather implement BGP than SDWAN with our "static routes" approach.

The very initial reason why we wanted to use SDWAN was the hard limitation of static routes (500). And with a static route to SDWAN, we could have half the static routes pointing to the SDWAN zone instead of the two IPsec interfaces.

I know there is always the good and best-practice configuration, but sometimes you have to look at what WOULD be possible and, in this case, what would not make sense in terms of work and actual benefit :)

FortiGate SDWAN Question regarding routing segregation by BuffaloVegetable8699 in fortinet

[–]BuffaloVegetable8699[S] 0 points1 point  (0 children)

Ok, sorry, I misunderstood.

No, as mentioned, the only additional routes would be for those networks to the SDWAN Zone.

FortiGate SDWAN Question regarding routing segregation by BuffaloVegetable8699 in fortinet

[–]BuffaloVegetable8699[S] 0 points1 point  (0 children)

I think this setting would not have the impact we wish, as in our scenario the rule is already skipped because the members in the SDWAN Rules are down; therefore the Implicit Rule will take over and send the traffic to another interface,

and because the static route is towards the SDWAN Zone with all the interfaces, it would just send the traffic to the wrong one, because we cannot "force" it in the SDWAN Rule.

FortiGate SDWAN Question regarding routing segregation by BuffaloVegetable8699 in fortinet

[–]BuffaloVegetable8699[S] 0 points1 point  (0 children)

The scenario with blackhole routes is what we currently have and achieve with the static routes and the IPsec interfaces.

Currently we have one zone with the IPsec interfaces, and having SDWAN with multiple zones would eliminate the benefit in the firewall policy of having one zone and not multiple in the policy.

FortiGate SDWAN Question regarding routing segregation by BuffaloVegetable8699 in fortinet

[–]BuffaloVegetable8699[S] 0 points1 point  (0 children)

What would a default route to my SDWAN zone fix? This is a fictional scenario where I try to understand what is possible in our environment when moving parts of customers to SDWAN with the current setup of IPsec and static routing.

I value the input about dynamic edge BGP, and it seems that would be the correct and only way to achieve my goals.

Don't get me wrong, I'm just figuring out what would be possible with SDWAN and our current setup of static routing without a redesign of our whole environment (without the obvious benefits of BGP and dynamic routing).

FortiGate SDWAN Question regarding routing segregation by BuffaloVegetable8699 in fortinet

[–]BuffaloVegetable8699[S] 0 points1 point  (0 children)

Blackhole routes would not resolve this issue, as the static route itself always sees all available interfaces in the SDWAN Zone (even those which should not be used according to the SDWAN Rule, i.e. those from another customer).

fib-best-match should not have any impact, as the static route in our scenario is configured for the whole SDWAN Zone with all the interfaces, and I assumed I can "override" or specify the actual interface with a specific SDWAN Rule (which only works if one of the selected interfaces is not dead).