100D Firewall Proxy issue
Hi All,

Finally moved from lurking these forums to joining them with something that I am struggling to find the answer for. Was hoping that someone else might have encountered a similar issue and might know of a workaround.

Scenario: Customer has a 100D Firewall running in NAT mode which connects directly to their switch on the LAN. The FortiGate has been assigned an IP address from the /23 available to their network. The switch connects to their hosts as well as a Cisco 1900 router that grants them connectivity to their MPLS as well as internet breakout through ISP1. They have now connected a much bigger connection from ISP2, and it is plugged in directly to the FortiGate's WAN1 port, and they would like to configure this bigger connection as a proxy to be used to grant certain users faster internet access.

The problem that we are experiencing is that when they use the FortiGate as their proxy server, the speeds that they are getting are the same as those on ISP1 (however the session IP to speedtest and whatismyip shows ISP2's IP address). This only happens when the Cisco 1900 is specified as the default gateway; when you change the default gateway from the Cisco to the FortiGate you get the full speed of the connection. This led me to believe that there is some or other issue between the Cisco and the FortiGate, but I am running around in circles trying to find the issue.

I have done some research and found something that appears to be a possible solution, however I am not sure about how reliable this is and if it will suit the customer's requirements:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD33835

I have recommended that we move the Cisco and plug this in directly from the switch into the FortiGate and configure this as WAN2 on the firewall. However, how would I go about differentiating proxy traffic from normal traffic, effectively routing all proxy traffic over WAN1 and all traffic not specified as proxy over WAN2? The customer wants to be able to control who is using which link. I have never tried doing any kind of PBR on a proxy, and the above link is the only thing that I can find that hints at an answer; however, it also states that ALL HTTP traffic would traverse one link, which is not what the customer wants.

Any advice would be greatly appreciated!!!
