Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Somashekara_Hanumant
Staff
Staff

Created on ‎11-07-2018 03:34 AM

Article Id 194317

Technical Tip: Identity based routing with SD-WAN

Purpose
This article describes different route groups to different internet interface.

Scope
The scope of this article is to allocate different group internet over different internet interface, for example :
  1) salesgrp via wan1
  2) usrgrp via wan2
  3) hrgrp via port1

Diagram
Network diagram:
   1) mgmt - 10.40.1.181/20 (internal network)
   2) wan1 - 10.5.17.181/20 G/w 10.5.31.254 (ISP1)
   3) wan2 - 10.46.1.181/20 G/w 10.46.6.114 (ISP2)
   4) port1 - 10.45.1.181/20 G/w 10.45.6.114 (ISP3)

All these ISPs are bound to SD-WAN, and have a default route configured to the 'sd-wan' interface

Verify all the 3 ISP routes are static as follows:
get router info routing-table all
Create SD-WAN policies by binding correct group to correct ISP interface as follows:
config system virtual-wan-link
config service
        edit 1
            set name "salesgrp"
            set mode priority
            set dst "all"
            set src "all"
            set groups "salesgrp"
            set health-check "ping"
            set priority-members 1    <-- wan1 interface
        next
        edit 2
            set name "usrgrp"
            set mode priority
            set dst "all"
            set src "all"
            set groups "usergrp"
            set health-check "ping"
            set priority-members 3    <-- wan2 interface
        next
        edit 3
            set name "hrgrp"
            set mode priority
            set dst "all"
            set src "all"
            set groups "hrgrp"
            set health-check "ping"
            set priority-members 2    <-- port1 interface
        next
    end
end



Expectations, Requirements
Configure the FSSO with advanced mode by monitoring 3 groups (salesgrp, usrgrp and hrgrp), bind these FSSO group on FortiGate local groups:
config user adgrp
    edit "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
        set server-name "fsso_lab"
    next
    edit "CN=usrgrp,CN=Users,DC=dubailab,DC=lab"
        set server-name "fsso_lab"
    next
    edit "CN=hrgrp,CN=Users,DC=dubailab,DC=lab"
        set server-name "fsso_lab"
    next
end
config user group
edit "salesgrp"
        set group-type fsso-service
        set member "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
    next
    edit "usergrp"
        set group-type fsso-service
        set member "CN=usrgrp,CN=Users,DC=dubailab,DC=lab"
    next
    edit "hrgrp"
        set group-type fsso-service
        set member "CN=hrgrp,CN=Users,DC=dubailab,DC=lab"
    next
end
Create identity base route policies via CLI as below
config firewall identity-based-route
    edit "salesgrp"
        config rule
            edit 1
                set gateway 10.5.31.254
                set device "wan1"
                set groups "salesgrp"
            next
        end
    next
    edit "usergrp"
        config rule
            edit 1
                set gateway 10.5.63.254
                set device "wan2"
                set groups "usergrp"
            next
        end
    next
    edit "hrgrp"
        config rule
            edit 1
                set gateway 172.31.176.254
                set device "port1"
                set groups "hrgrp"
            next
        end
    next
end
Create 3 firewall policies from mgmt to sd-wan for 3 groups as follows:
config firewall policy
    edit 1
        set name "sd-wan"
        set uuid e778ea7e-e27d-51e8-b054-5827c114cd1d
        set srcintf "mgmt"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "salesgrp"
        set identity-based-route "salesgrp"
        set nat enable
    next
    edit 2
        set name "usrgrp"
        set uuid f7a773e8-e27d-51e8-ae6b-dabe4bf69ca1
        set srcintf "mgmt"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "usergrp"
        set identity-based-route "usergrp"
        set nat enable
    next
    edit 3
        set name "hrgrp"
        set uuid 08d6bf2a-e27e-51e8-23f5-2a1301abe096
        set srcintf "mgmt"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "hrgrp"
        set identity-based-route "hrgrp"
        set nat enable
    next
end

Note: Different group on different interface browsing can be achieved with these configurations.

Configuration
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 10.5.31.254
        next
        edit 2
            set interface "port1"
            set gateway 10.45.6.114
        next
        edit 3
            set interface "wan2"
            set gateway 10.46.6.114
        next
    end
    config health-check
        edit "ping"
            set server "8.8.8.8"
            set members 2 1 3
        next
    end
    end

Verification
diagnose netlink interface list

if=mgmt family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=32 state=start present fw_flags=0 flags=up broadcast run allmulti multicast

if=wan1 family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=45 state=start present fw_flags=4000000 flags=up broadcast run allmulti multicast

if=wan2 family=00 type=1 index=7 mtu=1500 link=0 master=0
ref=30 state=start present fw_flags=4000000 flags=up broadcast run allmulti multicast

if=port1 family=00 type=1 index=10 mtu=1500 link=0 master=0
ref=16 state=start present fw_flags=4000000 flags=up broadcast run multicast
Login 'SALES' user from 10.40.9.42 system:
IP: 10.40.9.42  User: SALES  Groups: CN=SALESGRP,CN=USERS,DC=DUBAILAB,DC=LAB  Workstation: BOSON-KVM42.DUBAILAB.LAB MemberOf: salesgrp
Total number of logons listed: 1, filtered: 0

diag sys sesion filter src 10.40.9.42
diag sys session list

session info: proto=6 proto_state=02 duration=0 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=SALES auth_server=fsso_lab state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=52/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=2->6/6->2 gwy=10.5.31.254/0.0.0.0
hook=post dir=org act=snat 10.40.9.42:10685->50.31.142.19:443(10.5.17.181:10685)
hook=pre dir=reply act=dnat 50.31.142.19:443->10.5.17.181:10685(10.40.9.42:10685)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=2 chk_client_info=0 vd=0
serial=00181ed7 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = ff000001
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
Login using 'USER' user from 10.40.9.42
IP: 10.40.9.42  User: USER  Groups: CN=USRGRP,CN=USERS,DC=DUBAILAB,DC=LAB  Workstation: BOSON-KVM42.DUBAILAB.LAB MemberOf: usergrp
Total number of logons listed: 1, filtered: 0

diag sys sesion filter src 10.40.9.42
diag sys session list
session info: proto=6 proto_state=06 duration=3 expire=1 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=USER auth_server=fsso_lab state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=92/2/1 reply=52/1/0 tuples=2
tx speed(Bps/kbps): 27/0 rx speed(Bps/kbps): 15/0
orgin->sink: org pre->post, reply pre->post dev=2->7/7->2 gwy=10.46.6.114/10.40.9.42
hook=post dir=org act=snat 10.40.9.42:9875->208.91.114.47:443(10.46.1.181:9875)
hook=pre dir=reply act=dnat 208.91.114.47:443->10.46.1.181:9875(10.40.9.42:9875)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=3 chk_client_info=0 vd=0
serial=0018186b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = ff000002
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
Login using 'HR1' user from 10.40.9.42
IP: 10.40.9.42  User: HR1  Groups: CN=HRGRP,CN=USERS,DC=DUBAILAB,DC=LAB  Workstation: BOSON-KVM42.DUBAILAB.LAB MemberOf: hrgrp
Total number of logons listed: 1, filtered: 0

diag sys sesion filter src 10.40.9.42
diag sys session list

session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=HR1 auth_server=fsso_lab state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=721/4/1 reply=1564/4/1 tuples=2
tx speed(Bps/kbps): 121/0 rx speed(Bps/kbps): 264/2
orgin->sink: org pre->post, reply pre->post dev=2->10/10->2 gwy=10.45.6.114/10.40.9.42
hook=post dir=org act=snat 10.40.9.42:10212->18.195.39.25:80(10.45.1.181:10212)
hook=pre dir=reply act=dnat 18.195.39.25:80->10.45.1.181:10212(10.40.9.42:10212)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=4 chk_client_info=0 vd=0
serial=00181adf tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = ff000003
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf


1798
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.