Article Id 193529

Description

This article describes an example of policy-based routing.

Scope

FortiGate.

Solution

Policy-based routing example:

A FortiGate-VM with two WAN interfaces uses policy routes to direct traffic to a specific interface.

The rules the policies need to implement are:

  • HTTP and HTTPS traffic should always go out via the WAN2 interface (policies 1 and 2 in the sample below).
  • The VPN traffic should also go out via WAN2 (policy 3). The source and destination subnets of that particular VPN are specified here for clarity.
  • All other traffic should go out via WAN1 (policy 4).


Note: If the WAN interface uses PPPoE or DHCP, it is better not to specify the gateway in the policy route. Leave the gateway set to 0.0.0.0 so that it is taken from the interface setting.

This ensures that if a Ping Server is used, the policy route will select the active interface when a failover happens.

 

# config router policy
    edit 1
        set end-port 80
        set input-device "internal"
        set output-device "wan2"
        set protocol 6
        set start-port 80
    next
    edit 2
        set end-port 443
        set input-device "internal"
        set output-device "wan2"
        set protocol 6
        set start-port 443
    next
    edit 3
        set dst 10.0.47.0 255.255.255.0
        set input-device "internal"
        set output-device "wan2"
        set src 10.0.46.0 255.255.255.0
    next
    edit 4
        set input-device "internal"
        set output-device "wan1"
    next
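The policy list above is evaluated top-down and the first matching entry wins; criteria that are not set (protocol, port, source, destination) match anything, and `set protocol 6` restricts a policy to TCP. The Python script below is an added example, not Fortinet code: it transcribes the four policies as data and replays that evaluation for a few constructed sample flows, which makes visible that a flow between the VPN subnets on TCP/443 is taken by policy 2 before policy 3 reaches it, and that UDP/443 (QUIC) is not caught by the TCP-only policies and falls through to WAN1.

```python
import ipaddress

# The article's "config router policy" entries transcribed as data.
# Keys that are absent were not set in the CLI and therefore match anything.
# "ports" is the destination port range (start-port / end-port); proto 6 = TCP.
POLICIES = [
    {"id": 1, "in": "internal", "out": "wan2", "proto": 6, "ports": (80, 80)},
    {"id": 2, "in": "internal", "out": "wan2", "proto": 6, "ports": (443, 443)},
    {"id": 3, "in": "internal", "out": "wan2",
     "src": "10.0.46.0/24", "dst": "10.0.47.0/24"},
    {"id": 4, "in": "internal", "out": "wan1"},
]


def matches(policy, in_dev, src, dst, proto, dport):
    """True if the flow satisfies every criterion the policy actually sets."""
    if policy["in"] != in_dev:
        return False
    if "proto" in policy and policy["proto"] != proto:
        return False
    if "ports" in policy:
        lo, hi = policy["ports"]
        if not lo <= dport <= hi:
            return False
    if "src" in policy and ipaddress.ip_address(src) not in ipaddress.ip_network(policy["src"]):
        return False
    if "dst" in policy and ipaddress.ip_address(dst) not in ipaddress.ip_network(policy["dst"]):
        return False
    return True


def egress(in_dev, src, dst, proto, dport):
    """Walk the policies in order; the first match decides the output device."""
    for policy in POLICIES:
        if matches(policy, in_dev, src, dst, proto, dport):
            return policy["id"], policy["out"]
    return None, None  # no policy route: the normal routing table would decide


if __name__ == "__main__":
    # Constructed sample flows (interface, src, dst, IP protocol, dst port).
    flows = [
        ("internal", "192.168.1.10", "203.0.113.5", 6, 443),   # HTTPS -> policy 2, wan2
        ("internal", "10.0.46.7", "10.0.47.9", 6, 22),          # VPN subnets -> policy 3, wan2
        ("internal", "10.0.46.7", "10.0.47.9", 6, 443),         # policy 2 wins before policy 3
        ("internal", "192.168.1.10", "203.0.113.5", 17, 443),  # QUIC (UDP/443) -> policy 4, wan1
        ("internal", "192.168.1.10", "203.0.113.5", 6, 25),    # SMTP -> policy 4, wan1
    ]
    for flow in flows:
        print(flow, "->", egress(*flow))
```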

The following shows how to configure the same policy routes in the GUI.

Navigate to Network -> Policy Routes and select Create New.


Note: There is no need to create an address object to reference the subnet in the policy route; entering the IP address and mask directly is enough.