FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the generic configuration steps when the internet traffic of a third-party router needs to egress to FortiGate which is located across the IPsec tunnel VPN.
Scope
FortiGate.
Solution
Third-party routers might not have the needed security profile for outbound traffic. In this situation, the internet traffic can be sent across the IPsec tunnel where the necessary security profiles can be applied once the traffic reaches the FortiGate.
In the FortiGate, create a firewall policy from the IPsec tunnel interface to the egress interface such as WAN1 or WAN2, set source to all, destination to all, service to all, and enable NAT. Enable the necessary security profiles such as Web Filter and antivirus if needed.
Next, modify the specific Phase2 in VPN -> IPsec tunnel, and set the local subnet to 0.0.0.0/0.
On the remote third-party router, modify Phase2 and set the remote subnet to 0.0.0.0/0. Test connecting to the internet and use the browser to verify what is the current public IP address. If the IP address is not the same as the FortiGate public IP address, then verify on the third-party router if a default route (0.0.0.0/0) needs to be created and sent across the IPsec tunnel interface.
It is also a good idea to adjust TCP-MSS on the IPSEC firewall policy created in point 1, because of the extra overhead of the IPSEC encapsulation. More information on the following article Technical Tip: Setting TCP MSS value.
