Renante_Era
Staff
Article Id 365259
Description: This article describes the generic configuration steps when internet traffic from a third-party router needs to egress through a FortiGate located across an IPsec VPN tunnel.
Scope: FortiGate.
Solution:

A third-party router might not have the security profiles needed to inspect outbound traffic. In this situation, the internet traffic can be sent across the IPsec tunnel so that the necessary security profiles are applied once the traffic reaches the FortiGate.

  1. On the FortiGate, create a firewall policy from the IPsec tunnel interface to the egress interface (such as WAN1 or WAN2), set source to all, destination to all, service to ALL, and enable NAT. Enable the necessary security profiles such as Web Filter and AntiVirus if needed.
  2. Next, modify the specific Phase 2 selector under VPN -> IPsec Tunnels and set the local subnet to 0.0.0.0/0.
  3. On the remote third-party router, modify Phase 2 and set the remote subnet to 0.0.0.0/0. Test internet connectivity and use a browser to check the current public IP address. If it is not the FortiGate's public IP address, verify on the third-party router whether a default route (0.0.0.0/0) needs to be created and pointed across the IPsec tunnel interface.
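The CLI equivalent of steps 1 and 2, added here as an example and not taken from the article, assuming a route-based (interface mode) tunnel named branch-vpn, wan1 as the egress interface and 10.10.10.0/24 as the router's LAN (all placeholder names and addresses):

```fortios
# Step 1: policy from the tunnel interface to WAN with NAT and inspection.
config firewall policy
    edit 0
        set name "branch-vpn-to-internet"
        set srcintf "branch-vpn"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end

# Step 2: local selector 0.0.0.0/0 so the peer can send any destination
# through the tunnel; dst-subnet stays the router's LAN.
config vpn ipsec phase2-interface
    edit "branch-vpn-p2"
        set phase1name "branch-vpn"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

# Return route for the router's LAN via the tunnel interface; without it the
# FortiGate's reverse path check drops packets arriving from 10.10.10.0/24.
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "branch-vpn"
    next
end
```

If the tunnel also carries site-to-site traffic, keep the more specific Phase 2 selectors in place alongside the 0.0.0.0/0 one so existing LAN-to-LAN flows still match.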