What's the difference between policy routes and SD-WAN rules on FortiGates?

Comparing policy based routing with SD-WAN on FortiGates.

This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

I'd like to take a moment to clarify an interesting topic: the difference between Policy Routes and SD-WAN rules on a FortiGate. Lots of training material talks about the two terms, but it gets a little confusing when you try to tell them apart. I'll try to clarify.

For a looooooooooooooooooooong time, traditional network routing has been focused on the destination network. When a router got a packet to deliver, it didn't really care much about the content of the data. It just wanted to get rid of that packet as soon as possible. Over time, needs and use cases changed. Now, modern networks have recognized a need for different types of traffic to take (potentially) different paths.

Think of it this way: if a freight truck driver and a bicyclist asked you for directions to a common location (e.g. your nearby Wal-Mart) would you give both individuals the exact same directions to follow? Maybe... but perhaps not. Maybe driving on the highway is suitable for large vehicles but unsafe for bicyclists. Maybe there's a shortcut through a suburban neighborhood that would save time, but isn't feasible for a large vehicle. My point is that context matters. That principle holds true for routing as well.

Policy routes are a feature in FortiGate that allows the firewall to forward packets to a specific gateway (next hop) based on certain characteristics of the incoming data. Things like:

  • Incoming interface
  • Source address / destination address
  • Protocol (e.g. TCP, UDP, SCTP, etc.)
  • Source ports / destination ports
  • Type of Service (ToS) markings

This level of detail makes them very useful, because now we can have certain types of data riding certain paths... and other types of data riding other paths. There's a catch though: policy routes are still pretty "fixed" in nature. These rules need to be set up in advance and assume that a given circuit/path is going to be stable and reliable.

OK, but what if a circuit DOES have issues? What if things get congested and the path we are directing packets to take is not necessarily the "best" choice for a given situation? That's where the SD-WAN rules feature comes in.

SD-WAN Rules leverage "Performance SLAs", which allow the FortiGate to actively monitor the health and performance of a WAN link (e.g. latency, jitter, packet loss, bandwidth). Based on these real-time metrics, SD-WAN can dynamically select the best path for specific traffic, ensuring optimal application forwarding. That's the biggest difference and advantage of SD-WAN on a FortiGate.

Of course, there could be situations where manual policy routes make sense (e.g. small networks with limited transport options) but generally speaking, SD-WAN rules are going to be the preferred choice for environments with multiple WAN links where admins need dynamic, intelligent, and application-aware routing.

Hopefully that helps to clarify a little. I know that barely scratches the surface of the topic. For more information, check out the following resources:

  • Configuring the Firewall Policy Routes: the process of configuring Policy Routes when it is necessary to route a certain type or source of traffic to another interface. In other words, a specific protocol or IP will sometimes need to be sent to a destination other than the default gateway or route. For instance, a host's outbound FTP traffic…
  • SD-WAN rules overview | Administration Guide