Skip to main content
evl
evl
New Member
January 2, 2008
Question

Policy based routing based on TCP/UDP source ports

  • January 2, 2008
  • 2 replies
  • 2710 views
Hi, as we are using Fortigate firewalls to do offloading of certain traffic types over the internet, while other traffic remains on a private VPN, currently the FGT' s policy based routing rules can only use DESTINATION TCP or UDP ports. On most other routers which support policy based routing also SOURCE PORTS can be used to route (for example RETURN) traffic over specific interfaces. This should be a feature on Fortigate also but it is not. Is there a possibility to add this to the next patch/release, or is there a good alternative? Currently I use hiding of traffic coming in or going out the backup interface which only works for one-way session setup.

    2 replies

    doshbass
    doshbass
    New Member
    January 2, 2008
    OK, As Fortinet is a stateful device, there should be no need for policy routing return traffic, this should be taken care of by the state tables. Do you have a prticular scenarion in mind where this may not work?
    A
    Anonymous_User
    Contributor
    January 15, 2008
    I have a similar situation, not involving a VPN. Let' s say I have 1 public routable IP configured on an external interface on a Fortigate. Let' s use a simplistic scenario of secure and non-secure web servers running on 2 different internal machines that I want to be protected by the Fortigate. If the packet comes in destined for port 443 I want it to go to 1 server, if it comes in on port 80 I want it to go to the other server. In both cases the destination IP is the virtual IP that is the public IP configured on the Fortigate' s external interface. I don' t see a way to use static VIP to accomplish this. It seems like this flexibility is inherent in other firewall systems. Is there a way to accomplish this? Thanks, Doug
    rwpatterson
    rwpatterson
    New Member
    January 15, 2008
    Use port forwarding in the VIP definition and policy. Only traffic bound for 80 or 443 will pass to the correct server. Right now my external address points to three different servers: HTTP/HTTPS, FTP, and email. I use port forwarding, and it works fine.
    Terms & ConditionsAccessibility statement