alfredino
New Member
February 2, 2026
Solved

Fortigate 200f: force a specific URL to a certain WAN

  • February 2, 2026
  • 3 replies
  • 400 views

Hi,

My network has a Fortinet FortiGate 200F firewall and Active Directory with Windows Server 2019 (DHCP and DNS), and it is connected to the Internet via two different ISPs (A and B), with their respective routers/modems configured for load balancing. There is also an external web server connected to ISP A with a static IP. The ISP A router/modem is a Netgate pfSense configured so that the web server uses public IP 1 for external connections (from the Internet) and private IP 2 for internal connections (LAN). Connections to the web server work fine from the external network, but from the internal network I am experiencing a potential DNS rebind attack issue. After some research, I think this is due to the fact that sometimes internal connections use ISP B, which is the one that does not manage the web server.

So I wonder what is the best way to force the firewall to route all internal connections to the web server URL to ISP A (excluding ISP2). Where can I find a guide?

Thank you.


3 replies

funkylicious
SuperUser
February 2, 2026
"jack of all trades, master of none"
alfredino (Author)
New Member
February 4, 2026

Hi,

Thank you for the link. I read it, but I have two doubts:

  1. Note: An SD-WAN zone cannot be chosen in the interface section of the policy-route, as explained in Policy routes. So it seems that I cannot forward traffic to an SD-WAN.
  2. Where can I specify the web server URL? I know the addresses, but I have the DNS problem. Can I force it to use the static public IP address and route all the traffic to a specific SD-WAN?

Thank you

funkylicious
SuperUser
February 4, 2026

Hi,

A certain URL would not be possible AFAIK, but if you have the hostname that should be enough.

Create an SD-WAN rule near the top, set the destination to an FQDN object with the hostname, and set the interface selection strategy to Manual, where you define the exit interface.

"jack of all trades, master of none"
alfredino (Author)
New Member
February 8, 2026

Hi,

I should have solved the problem using two policy routes associated with two different address objects. The first one uses an FQDN, which therefore resolves to public IP 1, and a policy route that redirects all traffic to ISP B, while the second one uses the internal private IP 2 and a policy route that redirects all traffic to ISP A.

alfredino (Author, Best answer)
New Member
March 20, 2026

I've finally found a solution that works, even if it’s not ideal.

I have forced both internal traffic to the website and DNS traffic via ISP B using the Fortinet firewall SD-WAN rules (this prevents ISP A from manipulating the DNS).

Thanks to everyone

sw2090
SuperUser
March 20, 2026

Why don't you create an SD-WAN rule for that specific destination?

It just has to be in front of any other rules, because SD-WAN rules match top-down.

So just create a rule on top with source any and destination an FQDN address object for that URL, set to manual selection (no load balancing) with only ISP B as the interface.

Then you just need an Internet policy with SD-WAN as the destination and NAT enabled, and you should be fine.
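The replies from funkylicious and sw2090 above describe the same configuration: a manual-mode SD-WAN rule at the top of the list with an FQDN destination object, plus an Internet policy with the SD-WAN zone as destination and NAT enabled. The following FortiOS CLI fragment is an added example of what that looks like; it is not taken from the thread or from Fortinet documentation. It assumes the interface names wan1 (ISP A), wan2 (ISP B) and internal (LAN), the default SD-WAN zone name virtual-wan-link, and the placeholder hostname www.example.com for the web server. It also includes the second rule alfredino ended up needing, pinning DNS to ISP B so that name resolution and the resulting connection leave by the same ISP.

```fortios
# Added example, not from the thread. Assumed names: wan1 = ISP A, wan2 = ISP B,
# internal = LAN interface, www.example.com = the web server's public hostname.

# FQDN address object for the web server (resolves to public IP 1).
config firewall address
    edit "webserver-fqdn"
        set type fqdn
        set fqdn "www.example.com"
    next
end

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
        next
    end
    config service
        # Rule 1: web server traffic pinned to ISP B (manual selection, no load
        # balancing). SD-WAN rules match top-down, so these two sit above any
        # load-balancing rule.
        edit 1
            set name "webserver-via-ispB"
            set mode manual
            set src "all"
            set dst "webserver-fqdn"
            set priority-members 2
        next
        # Rule 2: DNS (UDP/53) pinned to ISP B as well, so the resolver path and
        # the web connection use the same ISP.
        edit 2
            set name "dns-via-ispB"
            set mode manual
            set protocol 17
            set start-port 53
            set end-port 53
            set src "all"
            set dst "all"
            set priority-members 2
        next
    end
end

# Internet policy with the SD-WAN zone as destination and NAT enabled.
config firewall policy
    edit 10
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two things to check after applying this: the rule order under config service (the pinned rules must have lower IDs than, or be moved above, any load-balancing rule), and that the FQDN object actually resolves on the FortiGate itself (diagnose with the FortiGate's own DNS settings, since an FQDN object only matches once it has been resolved). The DNS rule above covers UDP only; if clients also use DNS over TCP, add a matching rule with protocol 6.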

alfredino (Author)
New Member
March 20, 2026

As I mentioned in my previous message, I did that, but it wasn’t enough, as ISP A was still able to manipulate the DNS.