Purpose
This article describes how to route different user groups over different internet interfaces.
Scope
The scope of this article is to steer the internet traffic of different user groups over different internet interfaces, for example:
1) salesgrp via wan1
2) usrgrp via wan2
3) hrgrp via port1
Diagram
Network diagram:
1) mgmt - 10.40.1.181/20 (internal network)
2) wan1 - 10.5.17.181/20 G/w 10.5.31.254 (ISP1)
3) wan2 - 10.46.1.181/20 G/w 10.46.6.114 (ISP2)
4) port1 - 10.45.1.181/20 G/w 10.45.6.114 (ISP3)
All three ISP interfaces are bound to SD-WAN, and a default route is configured via the 'sd-wan' interface.
Verify that all three ISP routes are present as static routes:
get router info routing-table all
Create SD-WAN rules that bind each group to its ISP interface as follows:
config system virtual-wan-link
config service
edit 1
set name "salesgrp"
set mode priority
set dst "all"
set src "all"
set groups "salesgrp"
set health-check "ping"
set priority-members 1 <-- wan1 interface
next
edit 2
set name "usrgrp"
set mode priority
set dst "all"
set src "all"
set groups "usergrp"
set health-check "ping"
set priority-members 3 <-- wan2 interface
next
edit 3
set name "hrgrp"
set mode priority
set dst "all"
set src "all"
set groups "hrgrp"
set health-check "ping"
set priority-members 2 <-- port1 interface
next
end
end
Expectations, Requirements
Configure FSSO in advanced mode, monitoring the three AD groups (salesgrp, usrgrp and hrgrp), and bind these FSSO groups to FortiGate local user groups:
config user adgrp
edit "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
set server-name "fsso_lab"
next
edit "CN=usrgrp,CN=Users,DC=dubailab,DC=lab"
set server-name "fsso_lab"
next
edit "CN=hrgrp,CN=Users,DC=dubailab,DC=lab"
set server-name "fsso_lab"
next
end
config user group
edit "salesgrp"
set group-type fsso-service
set member "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
next
edit "usergrp"
set group-type fsso-service
set member "CN=usrgrp,CN=Users,DC=dubailab,DC=lab"
next
edit "hrgrp"
set group-type fsso-service
set member "CN=hrgrp,CN=Users,DC=dubailab,DC=lab"
next
end
Create identity-based route policies via the CLI as below:
config firewall identity-based-route
edit "salesgrp"
config rule
edit 1
set gateway 10.5.31.254
set device "wan1"
set groups "salesgrp"
next
end
next
edit "usergrp"
config rule
edit 1
set gateway 10.46.6.114 <-- wan2 gateway (ISP2)
set device "wan2"
set groups "usergrp"
next
end
next
edit "hrgrp"
config rule
edit 1
set gateway 10.45.6.114 <-- port1 gateway (ISP3)
set device "port1"
set groups "hrgrp"
next
end
next
end
Create three firewall policies from mgmt to the SD-WAN interface, one per group, as follows:
config firewall policy
edit 1
set name "sd-wan"
set uuid e778ea7e-e27d-51e8-b054-5827c114cd1d
set srcintf "mgmt"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set groups "salesgrp"
set identity-based-route "salesgrp"
set nat enable
next
edit 2
set name "usrgrp"
set uuid f7a773e8-e27d-51e8-ae6b-dabe4bf69ca1
set srcintf "mgmt"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set groups "usergrp"
set identity-based-route "usergrp"
set nat enable
next
edit 3
set name "hrgrp"
set uuid 08d6bf2a-e27e-51e8-23f5-2a1301abe096
set srcintf "mgmt"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set groups "hrgrp"
set identity-based-route "hrgrp"
set nat enable
next
end
Note: With these configurations, each group browses the internet through its own interface.
Configuration
config system virtual-wan-link
set status enable
config members
edit 1
set interface "wan1"
set gateway 10.5.31.254
next
edit 2
set interface "port1"
set gateway 10.45.6.114
next
edit 3
set interface "wan2"
set gateway 10.46.6.114
next
end
config health-check
edit "ping"
set server "8.8.8.8"
set members 2 1 3
next
end
end
Verification
Check the interface indexes with 'diagnose netlink interface list'; they appear as the dev= values in the session output below:
diagnose netlink interface list
if=mgmt family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=32 state=start present fw_flags=0 flags=up broadcast run allmulti multicast
if=wan1 family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=45 state=start present fw_flags=4000000 flags=up broadcast run allmulti multicast
if=wan2 family=00 type=1 index=7 mtu=1500 link=0 master=0
ref=30 state=start present fw_flags=4000000 flags=up broadcast run allmulti multicast
if=port1 family=00 type=1 index=10 mtu=1500 link=0 master=0
ref=16 state=start present fw_flags=4000000 flags=up broadcast run multicast
Log in as user 'SALES' from the 10.40.9.42 system and list the FSSO logon (diagnose debug authd fsso list); the session should then show dev=2->6 (mgmt to wan1), gwy=10.5.31.254 and policy_id=1:
IP: 10.40.9.42 User: SALES Groups: CN=SALESGRP,CN=USERS,DC=DUBAILAB,DC=LAB Workstation: BOSON-KVM42.DUBAILAB.LAB MemberOf: salesgrp
Total number of logons listed: 1, filtered: 0
diagnose sys session filter src 10.40.9.42
diagnose sys session list
session info: proto=6 proto_state=02 duration=0 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=SALES auth_server=fsso_lab state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=52/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=2->6/6->2 gwy=10.5.31.254/0.0.0.0
hook=post dir=org act=snat 10.40.9.42:10685->50.31.142.19:443(10.5.17.181:10685)
hook=pre dir=reply act=dnat 50.31.142.19:443->10.5.17.181:10685(10.40.9.42:10685)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=2 chk_client_info=0 vd=0
serial=00181ed7 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = ff000001
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason: non-npu-intf
Log in as user 'USER' from the 10.40.9.42 system and list the FSSO logon (diagnose debug authd fsso list); the session should then show dev=2->7 (mgmt to wan2), gwy=10.46.6.114 and policy_id=2:
IP: 10.40.9.42 User: USER Groups: CN=USRGRP,CN=USERS,DC=DUBAILAB,DC=LAB Workstation: BOSON-KVM42.DUBAILAB.LAB MemberOf: usergrp
Total number of logons listed: 1, filtered: 0
diagnose sys session filter src 10.40.9.42
diagnose sys session list
session info: proto=6 proto_state=06 duration=3 expire=1 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=USER auth_server=fsso_lab state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=92/2/1 reply=52/1/0 tuples=2
tx speed(Bps/kbps): 27/0 rx speed(Bps/kbps): 15/0
orgin->sink: org pre->post, reply pre->post dev=2->7/7->2 gwy=10.46.6.114/10.40.9.42
hook=post dir=org act=snat 10.40.9.42:9875->208.91.114.47:443(10.46.1.181:9875)
hook=pre dir=reply act=dnat 208.91.114.47:443->10.46.1.181:9875(10.40.9.42:9875)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=3 chk_client_info=0 vd=0
serial=0018186b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = ff000002
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason: non-npu-intf
Log in as user 'HR1' from the 10.40.9.42 system and list the FSSO logon (diagnose debug authd fsso list); the session should then show dev=2->10 (mgmt to port1), gwy=10.45.6.114 and policy_id=3:
IP: 10.40.9.42 User: HR1 Groups: CN=HRGRP,CN=USERS,DC=DUBAILAB,DC=LAB Workstation: BOSON-KVM42.DUBAILAB.LAB MemberOf: hrgrp
Total number of logons listed: 1, filtered: 0
diagnose sys session filter src 10.40.9.42
diagnose sys session list
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=HR1 auth_server=fsso_lab state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=721/4/1 reply=1564/4/1 tuples=2
tx speed(Bps/kbps): 121/0 rx speed(Bps/kbps): 264/2
orgin->sink: org pre->post, reply pre->post dev=2->10/10->2 gwy=10.45.6.114/10.40.9.42
hook=post dir=org act=snat 10.40.9.42:10212->18.195.39.25:80(10.45.1.181:10212)
hook=pre dir=reply act=dnat 18.195.39.25:80->10.45.1.181:10212(10.40.9.42:10212)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=4 chk_client_info=0 vd=0
serial=00181adf tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = ff000003
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason: non-npu-intf
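As an added check that is not part of the original article, the following Python script parses 'diagnose sys session list' entries and compares each user's egress interface index, gateway and policy ID against the group-to-interface mapping configured above. The EXPECTED table is derived from the article's configuration, and the session texts are constructed samples modelled on the article's output (the HR case is deliberately wrong to show a detected mis-steer).

```python
import re

# Expected egress per group, taken from the article's configuration:
# interface index from 'diagnose netlink interface list', gateway from
# the SD-WAN member, policy_id from the firewall policy for that group.
EXPECTED = {
    "salesgrp": {"dev": 6, "gwy": "10.5.31.254", "policy_id": 1},   # wan1
    "usergrp": {"dev": 7, "gwy": "10.46.6.114", "policy_id": 2},    # wan2
    "hrgrp": {"dev": 10, "gwy": "10.45.6.114", "policy_id": 3},     # port1
}


def parse_session(text):
    """Extract user, inbound/outbound interface index, forward gateway
    and policy id from one 'diagnose sys session list' entry."""
    user = re.search(r"\buser=(\S+)", text)
    dev = re.search(r"dev=(\d+)->(\d+)/", text)      # org pre->post
    gwy = re.search(r"gwy=([\d.]+)/", text)          # forward-direction gateway
    pol = re.search(r"policy_id=(\d+)", text)
    if not (user and dev and gwy and pol):
        return None
    return {"user": user.group(1), "in_dev": int(dev.group(1)),
            "dev": int(dev.group(2)), "gwy": gwy.group(1),
            "policy_id": int(pol.group(1))}


def check_session(text, group):
    """Return a list of mismatches between the session and the expected
    egress for the group; an empty list means steering is correct."""
    s = parse_session(text)
    if s is None:
        return ["unparseable session entry"]
    exp = EXPECTED[group]
    return [f"{k}: got {s[k]!r}, expected {exp[k]!r}"
            for k in ("dev", "gwy", "policy_id") if s[k] != exp[k]]


# Constructed sample: a SALES session that left correctly via wan1.
SALES_SESSION = """session info: proto=6 proto_state=02 duration=0 expire=9 timeout=3600
user=SALES auth_server=fsso_lab state=may_dirty authed acct-ext
orgin->sink: org pre->post, reply pre->post dev=2->6/6->2 gwy=10.5.31.254/0.0.0.0
misc=0 policy_id=1 auth_info=2 chk_client_info=0 vd=0
"""

# Constructed sample: an HR1 session that wrongly left via wan2 (policy 2).
HR_WRONG_SESSION = """session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600
user=HR1 auth_server=fsso_lab state=may_dirty authed acct-ext
orgin->sink: org pre->post, reply pre->post dev=2->7/7->2 gwy=10.46.6.114/10.40.9.42
misc=0 policy_id=2 auth_info=4 chk_client_info=0 vd=0
"""

if __name__ == "__main__":
    print(check_session(SALES_SESSION, "salesgrp"))   # []
    print(check_session(HR_WRONG_SESSION, "hrgrp"))   # three mismatches
```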