Technical Tip: Creating a static route for Predefined Internet Services (ISDB)
Description
This article explains how to add a static route for predefined internet services (ISDB) available in FortiGate.
Scope
FortiGate.
Solution
From the GUI:
- Go to Network -> Static Routes,
- Select 'Create New'.
- Select 'Internet Service' as the Destination.
- Select the Internet service from the drop-down menu.
- Add the gateway IP address.
- Select the Internet Interface.
- Select 'OK' to save the changes.
From the CLI:
config router static
edit <ID>
set gateway <Gateway of Internet interface>
set device <internet interface>
set internet-service <Internet Service ID #>
next
end
Consider a scenario where the ISDB route is used with IPsec as the exit interface.
For example, when routing the traffic for Microsoft-Office365, Microsoft-Office365.Published and Microsoft-Skype_Teams via IPsec with a configuration like the following:
config router static
edit 1
set gateway 10.191.31.254
set device "port3"
next
edit 2
set device "ipsec"
set internet-service 327782
next
edit 3
set device "ipsec"
set internet-service 327880
next
edit 4
set device "ipsec"
set internet-service 327781
next
end
In this case, the ISDB routes pointing to the IPsec interface are not honored, because no next hop is available for them.
An ISDB route requires a next hop, and an IPsec interface route has none by itself. It is therefore necessary to add a second default static route via the IPsec tunnel with the same administrative distance (AD) as the primary default route but a different priority; only then do ISDB routes via IPsec work:
get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
Routing table for VRF=0
S *> 0.0.0.0/0 [10/0] via 10.191.31.254, port3, [1/0]
*> [10/0] via ipsec tunnel 10.10.250.1, [40/0] <- Newly added.
C *> 10.10.250.0/24 is directly connected, port1
C *> 10.10.251.0/24 is directly connected, port2
C *> 10.191.16.0/20 is directly connected, port3
C *> 190.190.190.0/24 is directly connected, port4
With this additional default static route, the ISDB routes via the IPsec interface work, because there is now a valid route providing the next hop 10.10.250.1.
This second default route is required for ISDB routes to be forwarded via IPsec.
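The second default route described above, written out as an added configuration example (it is not from the original article). It assumes the tunnel interface is named "ipsec" and that the tunnel's remote gateway 10.10.250.1 supplies the next hop, as the routing-table output shows; the priority value 40 and distance 10 are taken from that output:

```text
# Added example: secondary default route via the IPsec tunnel.
# Same AD as the primary default route (10, the static default),
# different priority, so the primary route on port3 stays preferred.
config router static
    edit 5
        set dst 0.0.0.0/0
        set device "ipsec"
        set distance 10
        set priority 40
    next
end
# Verify: the database should list a second "*>" entry for 0.0.0.0/0
# via the ipsec tunnel with [40/0], as in the output above.
get router info routing-table database
```

The ISDB routes (edit 2 to 4 in the configuration above) stay unchanged; only this extra default route is added.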
