Local Breakout / Policy routes

Forum|Forum|4 years ago
October 15, 2021
1 reply
5408 views

Current set up: Multiple sites with firewalls all part of MLPS with a central breakout for internet via data center firewalls

Goal: To have local breakout for internet at each site

My understanding would be, we would have another VLAN under the WAN interface on our remote site firewall which would then have say a /30 for routing out to the internet this would be configured with policy routes so www. traffic from interface X goes to internet.

Question: As these are policy routes say if the interface goes down they won't then have a failover because they are not dynamic and would require manual interference.

Is there a better way to configure local breakouts which is dynamic ?

A

Anonymous_User

Contributor

Hello Nolzee,

The simple and more better way to design/configure your FortiGate is to use SD-WAN as you can have some additional benefits of failover, link-monitor and traffic load balancing.

But, I can understand that SD-WAN needs a whole re-configuration of FortiGate and if you want to use policy routes then you can do so as well.

In FortiOS 7.0.1, policy-routes can detect the health-monitor of the interface it is sending traffic to and depending on that the policy route could failover.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/81096/enable-or-disable-updating-policy-routes-when-link-health-monitor-fails-7-0-1

So, yes policy routes are not dynamic in earlier versions, but if your FortiGate is capable of running FortiOS 7.0.1 and later, then you can use the above feature and failover without any manual intervention.

Hopefully, this helps.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded