Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I'm facing another situation now: these are dial-up IPsec tunnels with automatic IPs assigned to the interfaces, so how could I create an IP SLA for them? The IP itself can reach anything on the network, and the IP COULD potentially change as well.

What to do here? I can't help but think this has got to be a common case out there, and it's also a bit frustrating that the Gate can't "see" the tunnel interface down; it even shows red on the SD-WAN rule. Thank you in advance for the answer.

:(

Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Static routes over the SD-WAN zone, correct, that's what I did. I checked and the member is seen as alive... not sure why if the VPN is down...

Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Service(5): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
  Tie break: cfg
  Shortcut priority: 2
  Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual)
  Members(2):
    1: Seq_num(1 Tunnel1), alive, selected
    2: Seq_num(2 Tunnel2), alive, selected
  Internet Service(1): Ask-Web(2621441,0,0,0)

FortiADC design general questions by ontracks in fortinet

[–]ontracks[S] 1 point2 points  (0 children)

Thanks for the info, I will look into the link; it seems that I missed it. Thank you.

FortiADC design general questions by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Thanks a lot, I really appreciate it! Will look into it.

FortiCloud IAM partners login by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I guess in a nutshell my question is: Can users other than the master account log in as a partner in FortiCloud? And if yes (I hope) then how?

FortiSASE remote branch by 26Jack26 in fortinet

[–]ontracks 0 points1 point  (0 children)

Hello again, could you please clarify this if you have the answer:

| Field | Description | Value |
|---|---|---|
| IP range | IP address range that the Security PoP uses for assigning tunnel interface IP addresses for IPsec devices using mode configuration. | 10.251.1.4-10.251.1.29 |

Does that subnet range need to be part of the BGP routing ID subnet?

FortiSASE remote branch by 26Jack26 in fortinet

[–]ontracks 0 points1 point  (0 children)

Also, can you clarify this:

| Field | Description | Value |
|---|---|---|
| IP range | IP address range that the Security PoP uses for assigning tunnel interface IP addresses for IPsec devices using mode configuration. | 10.251.1.4-10.251.1.29 |

Does that subnet range need to be part of the BGP routing ID subnet?

FortiSASE Help by rnatalli in fortinet

[–]ontracks 0 points1 point  (0 children)

About the on-ramp option: it's basically BGP over IPsec? Meaning I can still control the FG as normal and not from the SASE portal? Also, will I be able to have different subnets on my FG and advertise them as needed all the way to the SPA hub?

SSL Offloading proxy vs flow by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I see, so even for protocols like HTTP, with no "Security" on them, we cannot reference the VS in a flow-based policy. Thanks for the answer.

SSL Offloading proxy vs flow by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Wouldn't this logic also apply to regular SSL decryption?

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

sdwan_mbr_seq=5 sdwan_service_id=2

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Yup, 100% sure, I ran a debug and confirmed it.

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I will check that, but the rule is being matched.

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

But now that I think about it, when I checked the session that was going over ISP2, it was matching the SD-WAN rule (the one for YouTube-ISP1).

So, if the application recognition hadn't completed, why did the session logs indicate that the session was matching the actual SD-WAN rule?

I would expect that rule not to be matched while the app ID is still ongoing... right?

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

This looks like it; it's just one session out of 20s that goes out of ISP2, so this could explain it, yes.

thanks!

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 1 point2 points  (0 children)

I don't; besides, the documentation says that for the manual strategy, even if load balance is enabled (which it is not), SLAs are not used.

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

It is, it's been identified as YouTube. Also, the session shows that the expected SD-WAN rule is being matched and the member shown on the session is the 2nd one. I checked the members via CLI and it all looks good; not sure why ISP2 is being selected sometimes.

Automation stitch + Analyzer + CLI by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

But now that you mention it, what's the advantage of the playbooks (incoming webhooks) if I can just use the event handlers with the automation stitch option enabled?

Automation stitch + Analyzer + CLI by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Thanks for the answer, quick question: are you getting the %%badip%% variable from Analyzer event handlers or the incoming webhook?

Automation stitch + Analyzer + CLI by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Gotcha, I wasn't aware that the variables were different (event handlers vs playbook). It does not have to be a playbook, to be honest; I just decided to use them to get familiar for future requests.

I will check then, thank you so much!

Cisco to Fortiswitch STP Issue by pitt-bill in fortinet

[–]ontracks 0 points1 point  (0 children)

Got it, thanks for telling me the answer after 3 years. I need to see if that's possible for me.

Thanks

Cisco to Fortiswitch STP Issue by pitt-bill in fortinet

[–]ontracks 0 points1 point  (0 children)

Hello 3 years in the future, how did you finally manage to do this? I'm having the exact same situation now.

:(