Allowing traffic flow for directly connected networks: Set route precedence

In SD-WAN policy routes, if the destination network is set to Any and SD-WAN policy routes take precedence over static routes, traffic to directly connected networks is routed through the WAN interface. Set the route precedence on the command-line console so that static routes come first and internal traffic flows directly.

Introduction

XG Firewall applies SD-WAN policy routes to all (external and internal) traffic when both of the following are true:
  • Route precedence: SD-WAN policy routes are set before static routes on the command-line console.
  • SD-WAN policy routes: Destination networks are set to Any on the web admin console.
Warning The default route precedence in 18.0 is static routes, then SD-WAN policy routes, then VPN routes. When you migrate from an earlier version to 18.0, XG Firewall retains the route precedence that was set in the earlier version, which may place SD-WAN policy routes first. In a fresh 18.0 installation, the precedence differs from the default only if you have changed it.

This forces your internal sources to use the WAN gateway for internal destinations and may break the internal traffic flow.

To allow traffic flow among directly connected networks, check the route precedence, and set static routes before SD-WAN policy routes.

Setting route precedence to allow internal traffic flow

View the current route precedence. Change the precedence, if required.

  1. Sign in to the command-line interface using SSH. Alternatively, go to the web admin console and click admin > Console in the upper right corner.
  2. Enter 4 for Device console.
  3. Use the following command:

    console> system route_precedence show

  4. Optional Alternatively, view the route precedence on the web admin console. Go to Routing > SD-WAN policy routing; the current precedence is shown in the box below the menu.
  5. To allow internal sources to reach internal networks directly (internal hosts accessing internal devices and servers), set the route precedence on the command-line interface so that static routes come before SD-WAN policy routes.

    Example: console> system route_precedence set static sdwan_policyroute vpn

  6. Optional To check the adjusted route precedence, use the following command again:

    console> system route_precedence show
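The following script is an added example, not XG Firewall code, and it models the behaviour the introduction and the procedure above describe: route tables are consulted in precedence order, and an SD-WAN policy route with destination Any matches every destination, so if its table comes before the static table it shadows the directly connected networks. The route tables, interface labels and addresses are constructed for illustration; `parse_precedence` only accepts the argument form of the `system route_precedence set` command shown on this page, and the lookup logic is a simplified model rather than the firewall's own routing code.

```python
"""Model of how route precedence decides the egress for internal destinations
when an SD-WAN policy route has its destination network set to Any.

Added example; not XG Firewall code. The route tables and labels below are
constructed for illustration only."""
import ipaddress
from dataclasses import dataclass

# The three route kinds the "system route_precedence set" command orders.
VALID_KINDS = ("static", "sdwan_policyroute", "vpn")


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network  # destination network
    via: str                     # egress interface or gateway (label only)


# Constructed route tables (illustration only, not taken from a real device).
# Directly connected networks appear in the static table.
TABLES = {
    "static": [
        Route(ipaddress.ip_network("192.168.1.0/24"), "Port1 (LAN)"),
        Route(ipaddress.ip_network("10.10.10.0/24"), "Port3 (DMZ)"),
    ],
    # One SD-WAN policy route whose destination network is Any (0.0.0.0/0).
    "sdwan_policyroute": [
        Route(ipaddress.ip_network("0.0.0.0/0"), "Port2 (WAN gateway)"),
    ],
    "vpn": [
        Route(ipaddress.ip_network("172.16.0.0/16"), "VPN tunnel"),
    ],
}


def parse_precedence(command: str) -> list:
    """Turn 'system route_precedence set static sdwan_policyroute vpn' into
    ['static', 'sdwan_policyroute', 'vpn'], rejecting unknown or missing kinds."""
    tokens = command.split()
    if tokens[:3] != ["system", "route_precedence", "set"]:
        raise ValueError("expected: system route_precedence set <kind> <kind> <kind>")
    order = tokens[3:]
    if sorted(order) != sorted(VALID_KINDS):
        raise ValueError(f"precedence must list each of {VALID_KINDS} exactly once")
    return order


def lookup(dst: str, precedence: list) -> str:
    """Route dst by consulting the tables in precedence order. The first table
    holding a matching route decides (longest prefix wins inside a table). A
    policy route with destination Any matches everything, so when its table
    comes first it shadows every static route, including connected networks."""
    ip = ipaddress.ip_address(dst)
    for kind in precedence:
        matches = [r for r in TABLES[kind] if ip in r.dest]
        if matches:
            return max(matches, key=lambda r: r.dest.prefixlen).via
    raise LookupError(f"no route to {dst}")


def shadowed_networks(precedence: list) -> list:
    """List the directly connected networks that this precedence would send
    somewhere other than their own interface (the symptom the page describes)."""
    shadowed = []
    for r in TABLES["static"]:
        host = str(r.dest.network_address + 1)  # any host inside the network
        if lookup(host, precedence) != r.via:
            shadowed.append(str(r.dest))
    return shadowed


if __name__ == "__main__":
    # Weak order (SD-WAN policy routes first) beside the corrected order.
    for cmd in ("system route_precedence set sdwan_policyroute static vpn",
                "system route_precedence set static sdwan_policyroute vpn"):
        order = parse_precedence(cmd)
        print(cmd)
        print("  192.168.1.20 ->", lookup("192.168.1.20", order))
        print("  shadowed connected networks:", shadowed_networks(order) or "none")
```

With `sdwan_policyroute` first, a LAN host destined for another LAN address resolves to the WAN gateway and both connected networks are reported as shadowed; with `static` first, the same lookup resolves to Port1 and nothing is shadowed, while an Internet destination still leaves through the policy route. The model stops at the routing decision: whether the forwarded packet is then permitted is up to the firewall rules.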

Route precedence only decides which path traffic takes; it does not permit the traffic. You must still create a firewall rule to allow traffic between internal zones, for example between the LAN and the DMZ.

XG Firewall now applies static routes before it applies the SD-WAN policy-based routes. Internal traffic is forwarded directly to the internal destination.