GRE tunnel to Zscaler
Looking for some assistance on setting up GRE tunnels to Zscaler from our FortiGate 201F, firmware version 7.4.9. I found the following community post, Configuring a failover scenario using a r... - Fortinet Community, and used it as a guide, but was advised I would need to use a policy route instead of static routes, as I only want traffic coming in from a specific interface to go over this GRE tunnel, not all traffic on the FortiGate. This is for some SSIDs available to teammates for personal WiFi. Below is the config for the GRE tunnel and interface, the policy route and the firewall policy. I do not see any logs on Zscaler to indicate any traffic is making it to that side. I have tried modifying the policy route, but any changes I make there cause no traffic to log on the FortiGate. How it is set now at least shows DNS requests from devices in the FortiGate logs, but nothing in Zscaler.
GRE Tunnel
config system gre-tunnel
edit "Zscaler"
set interface "port16"
set remote-gw xxx.xxx.10.32
set local-gw xxx.xxx.72.2
next
end
config system interface
edit "Zscaler"
set vdom "root"
set ip xxx.xx.216.153 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip xxx.xx.216.154 255.255.255.252
set monitor-bandwidth enable
set snmp-index 49
set interface "port16"
next
end
Policy Route
config router policy
edit 1
set input-device "port7"
set srcaddr "ZscalerExternal"
set dstaddr "all"
set gateway xxx.xx.216.154
set output-device "Zscaler"
next
end
Firewall Policy
config firewall policy
edit 94
set name "ZscalerExternal - Out"
set uuid 9ff34eb6-926a-51f0-a19d-21d0c0f9b82b
set srcintf "port7"
set dstintf "Zscaler"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Here is the only route I see when showing the cache.
diag ip rtcache list
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
xxx.xx.216.153@0->xxx.xxx.10.32@22(port16) gwy=xxx.xxx.72.1 prefsrc=0.0.0.0
ci: ref=0 lastused=329 expire=0 err=00000000 used=689 br=0 pmtu=1500
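The four blocks in a setup like the one above have to agree with each other: the GRE tunnel and its tunnel interface bind the same underlay port, the policy route's output-device is the tunnel interface and its gateway is the far-end tunnel IP inside the remote-ip subnet, and a firewall policy accepts the same ingress interface into the same tunnel. The script below is an added example, not code from the original post or from Fortinet: it parses FortiOS config/edit/set/next/end text and checks those cross-references. The embedded sample config is constructed to mirror the post's layout, with RFC 5737 documentation addresses standing in for the masked ones; the function and check names are the example's own. It also lists address objects the policy route references that are not defined in the parsed text, since the excerpt shows no "firewall address" block for "ZscalerExternal" and that object is worth confirming separately.

```python
"""Consistency check for FortiOS GRE tunnel + policy route + firewall policy.

Added example, not from the original post or from Fortinet. Addresses in the
sample are RFC 5737 documentation ranges, not the post's real (masked) ones.
"""
import ipaddress
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI 'config/edit/set/next/end' text into nested dicts.

    Shape: {"system interface": {"Zscaler": {"ip": ["192.0.2.153", "255.255.255.255"], ...}}}
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        kw, args = tok[0], tok[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def lint_gre_policy_route(cfg, tunnel, route_id, policy_id):
    """Return mismatches between the four blocks; an empty list means consistent."""
    problems = []
    gre = cfg["system gre-tunnel"][tunnel]
    iface = cfg["system interface"][tunnel]
    route = cfg["router policy"][route_id]
    pol = cfg["firewall policy"][policy_id]

    # GRE tunnel and its tunnel interface must hang off the same underlay port.
    if gre.get("interface") != iface.get("interface"):
        problems.append(f"gre-tunnel {tunnel} and interface {tunnel} bind different underlay ports")
    if iface.get("type") != ["tunnel"]:
        problems.append(f"interface {tunnel} is not type tunnel")

    # Policy route must send traffic into the tunnel interface via the far-end tunnel IP.
    if route.get("output-device") != [tunnel]:
        problems.append(f"router policy {route_id} output-device is not {tunnel}")
    remote_ip, remote_mask = iface["remote-ip"]
    tunnel_net = ipaddress.ip_network(f"{remote_ip}/{remote_mask}", strict=False)
    gw = route.get("gateway", ["0.0.0.0"])[0]
    if gw == "0.0.0.0" or ipaddress.ip_address(gw) not in tunnel_net:
        problems.append(f"router policy {route_id} gateway {gw} is outside tunnel subnet {tunnel_net}")
    if ipaddress.ip_address(iface["ip"][0]) not in tunnel_net:
        problems.append(f"interface {tunnel} ip {iface['ip'][0]} is outside tunnel subnet {tunnel_net}")

    # A firewall policy must accept the same ingress interface into the same tunnel.
    if route.get("input-device") != pol.get("srcintf") or route.get("output-device") != pol.get("dstintf"):
        problems.append(f"firewall policy {policy_id} srcintf/dstintf do not match router policy {route_id}")
    if pol.get("action") != ["accept"]:
        problems.append(f"firewall policy {policy_id} action is not accept")
    return problems


def undefined_addresses(cfg, route_id):
    """Address objects the policy route references that the parsed text never defines."""
    route = cfg["router policy"][route_id]
    defined = set(cfg.get("firewall address", {}))
    refs = route.get("srcaddr", []) + route.get("dstaddr", [])
    return sorted(a for a in refs if a != "all" and a not in defined)


def lint_text(text, tunnel="Zscaler", route_id="1", policy_id="94"):
    return lint_gre_policy_route(parse_fortios(text), tunnel, route_id, policy_id)


# Constructed sample mirroring the post's layout; documentation addresses only.
SAMPLE = """
config system gre-tunnel
    edit "Zscaler"
        set interface "port16"
        set remote-gw 203.0.113.32
        set local-gw 198.51.100.2
    next
end
config system interface
    edit "Zscaler"
        set vdom "root"
        set ip 192.0.2.153 255.255.255.255
        set type tunnel
        set remote-ip 192.0.2.154 255.255.255.252
        set interface "port16"
    next
end
config router policy
    edit 1
        set input-device "port7"
        set srcaddr "ZscalerExternal"
        set dstaddr "all"
        set gateway 192.0.2.154
        set output-device "Zscaler"
    next
end
config firewall policy
    edit 94
        set srcintf "port7"
        set dstintf "Zscaler"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE)
    print("problems:", lint_gre_policy_route(cfg, "Zscaler", "1", "94"))
    print("address objects not defined in excerpt:", undefined_addresses(cfg, "1"))
    # Simulated slip: policy route gateway pointed at the underlay next hop, not the tunnel peer.
    print("broken:", lint_text(SAMPLE.replace("set gateway 192.0.2.154", "set gateway 198.51.100.1")))
```

Run it against a `show full-configuration` dump (pass the relevant tunnel name, route ID and policy ID) to confirm the blocks line up before chasing the problem on the Zscaler side; the parser is intentionally minimal and keeps only the last `set` value for a key.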
