I am trying to create a script to clear specific sessions. We often find that when the VPN tunnels bounce, sessions are started from our phone system that should be directed across the tunnels, but are sent directly out the WAN interfaces. It appears the option to simply filter by VLAN ID has been deprecated, but source interface is a valid filter. The name of the interface I want to filter on is ‘voice_vlan (VLAN20)’. I’ve tried the alias ‘voice_vlan’ as well as the full name, but both fail with ‘Command fail. Return code -61’. I can use the source IP range, but that is different at each site, whereas the VLAN name is the same at all sites. Am I doing something wrong? This is on 7.0.14.
Non-SNAT sessions should get re-evaluated as soon as a routing change happens. If your VoIP traffic uses SNAT even for the VPN tunnels, you’d need to tell the FortiGate to re-evaluate SNAT sessions as well.
If you want your VoIP traffic to always use the VPN tunnels, create a policy route.
You need to have a blackhole route for the remote VPN subnets, so that they won’t get stuck trying to go out to the internet when the VPN goes down.
You should definitely be able to use sintf for the source interface in the session filter. The name you need is exactly what shows in quotes after ‘edit’ when you run ‘show system interface’.
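Putting the replies above together as one FortiOS CLI walkthrough. This is an added example, not configuration posted by anyone in the thread, and it assumes hypothetical names and addresses: the CLI interface name is ‘voice_vlan’ (the name shown after ‘edit’ in ‘show system interface’, which may differ from the GUI alias), the remote phone subnet is 10.20.20.0/24, the local voice subnet is 10.10.20.0/24, the tunnel interface is ‘to_hq_vpn’ and the WAN interface is ‘wan1’.

```text
# 1. Blackhole route for the remote subnet, at a distance higher than the
#    tunnel route. While the tunnel is up the tunnel route wins; when it
#    drops, traffic hits the blackhole instead of the default route out wan1.
config router static
    edit 0
        set dst 10.20.20.0 255.255.255.0
        set blackhole enable
        set distance 254
        set comment "blackhole for remote voice subnet (hypothetical example)"
    next
end

# 2. Policy route so voice traffic entering on the voice VLAN is always
#    sent to the tunnel, regardless of the routing table.
config router policy
    edit 0
        set input-device "voice_vlan"
        set src "10.10.20.0/255.255.255.0"
        set dst "10.20.20.0/255.255.255.0"
        set output-device "to_hq_vpn"
        set comments "pin voice traffic to the tunnel (hypothetical example)"
    next
end

# 3. If voice sessions are source-NATed, make the FortiGate re-evaluate
#    SNAT sessions on a route change as well (otherwise only non-SNAT
#    sessions are re-evaluated).
config system global
    set snat-route-change enable
end

# 4. Clearing only the stuck sessions by source interface. Always reset the
#    filter first: a stale or empty filter makes 'diagnose sys session clear'
#    drop every session on the box.
diagnose sys session filter clear
diagnose sys session filter sintf voice_vlan
diagnose sys session filter dintf wan1
diagnose sys session list
diagnose sys session clear
```

Check ‘diagnose sys session list’ before running ‘diagnose sys session clear’ to confirm the filter matched only the voice sessions that left via wan1; ‘Command fail. Return code -61’ on the sintf line means the name does not match an interface as the CLI knows it, so compare it against ‘show system interface’ rather than the GUI display name.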