Skip to main content
atsak
atsak
New Member
June 30, 2020
Question

Policy based route for all outbound traffic

  • June 30, 2020
  • 2 replies
  • 10781 views

Scenario - FG200E on datcenter side, FG60E on branch side

 

Using a policy based route I'd like a particular source IP on the branch side to route all traffic via the tunnel to the datacenter then out on the internet via the outbound interface IP.

 

Running 6.2.1

 

Followed this article:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD38790

 

Route is selected but does not actually pass traffic (hit count increments).   Both sides configured with opposite IP on the tunnel, can ping the IP of the local tunnel assigned address but not remote.   Tried also just configuring only the branch side of the private IP, but that also doesn't work.

 

Tunnel is up and working.

Policies are in place and working (tested using a Juniper firewall which does not require the IP be assigned to the interface for policy based routing, traffic flows as expected on that equipment)

 

Anyone have this working?  What did you do or what does the configuration look like on both sides?

 

    2 replies

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    June 30, 2020

    You still need to have a default route into the tunnel in addition to the default route via the local internet. Then the policy route can choose the one into the tunnel based on the source.

    I recommend you use two static default routes then put higher number of priority (lower priority) on the one toward the tunnel so that all the other traffic prefer the local internet.

    atsak
    atsakAuthor
    New Member
    June 30, 2020

    So static route 0.0.0.0/0.0.0.0 interface TUNNELNAME distance 100 or does it need to be the same distance as the WAN1 link and just a lower priority (but higher number in the actual priority field)

     

     

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    June 30, 2020

    Not a distance, which is a different matric. Leave the default value (10?) for distance for both. You might need to expand "Advanced Options" in GUI to see Priority setting. I regularly use CLI so I'm not familiar how it would look like.

    emnoc
    emnoc
    New Member
    July 3, 2020

    The "diag debug flow" is your best friend for analyzing flow issues. It is your 1st step in  trouble-shooting. Did you do that ?

     

     

    Ken Felix

    Terms & ConditionsAccessibility statement