seshuganesh
Staff
Description This article describes how policy routes work on a FortiGate firewall, using an example scenario.
Scope All FortiOS.
Solution

The topology is as follows:

 

Two LAN networks and two ISP connections.

 

The requirement is to route LAN1 connections to the Internet only through ISP1 and LAN2 connections to the Internet through ISP2, and LAN1 and LAN2 must be able to connect to each other.

 

The first step is to configure two policy routes, LAN1 to ISP1 and LAN2 to ISP2.

 

Configuration of first policy route:

 

Go to Network -> Policy Routes to create a new route and fill in the fields as shown below.

 

Incoming interface: Select LAN1 interface.

 

Source address: Specify the LAN1 network.


Destination address: Specify the destination that matches all IP addresses as '0.0.0.0/0'.


Outbound Interface: Select the outbound interface as 'WAN1' and specify the following gateway IP address for the outbound interface.

 

Similarly, it is necessary to configure another policy route from LAN2 to WAN2.

The first requirement is now met.

 

The second requirement is to allow LAN-to-LAN routing.

This can be achieved by configuring two more policy routes in addition to these policy routes.

 

The first policy route is from LAN1 to LAN2 and the second policy route is from LAN2 to LAN1.

Setting a policy route from LAN1 to LAN2:

Incoming interface: Select the incoming LAN1 interface.
 
Source address: Specify the LAN1 address range.

Destination address: Specify the LAN2 address range. 
 
Outgoing interface: Select the LAN2 interface as the. 
 
Outbound interface Gateway: If LAN2 is not a directly connected network, it is possible to define a gateway.
For directly connected networks, the gateway can be defined as '0.0.0.0'.
This means that there is no gateway.
 

In a similar way, it is necessary to configure the LAN2 to LAN1 policy route as well.

 

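Note-1: Make sure to place both the LAN1 to LAN2 policy route and the LAN2 to LAN1 policy route at the top of the policy route list. Policy routes are matched from top to bottom and the first match is used, so if the LAN-to-ISP routes (destination '0.0.0.0/0') come first, they also match LAN-to-LAN traffic and send it out through the ISP interface.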

 

Note-2: As per the routing configured, make sure there are firewall policies to allow the traffic for the respective interfaces.
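
The ordering requirement in Note-1 can be checked with a small first-match model of the four policy routes. This is an added example, not FortiOS code or part of the original article; the interface names, subnets and gateway addresses are constructed for illustration, and the model covers only the incoming interface, source and destination fields used above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing; the article does not give the real subnets or gateways.
LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class PolicyRoute:
    name: str
    in_if: str
    src: object
    dst: object
    out_if: str
    gateway: str  # "0.0.0.0" means directly connected, no gateway

LAN1_ISP1 = PolicyRoute("LAN1->ISP1", "lan1", LAN1, ANY, "wan1", "203.0.113.1")
LAN2_ISP2 = PolicyRoute("LAN2->ISP2", "lan2", LAN2, ANY, "wan2", "198.51.100.1")
LAN1_LAN2 = PolicyRoute("LAN1->LAN2", "lan1", LAN1, LAN2, "lan2", "0.0.0.0")
LAN2_LAN1 = PolicyRoute("LAN2->LAN1", "lan2", LAN2, LAN1, "lan1", "0.0.0.0")

def lookup(table, in_if, src, dst):
    """Return the first route matching the packet, scanning top to bottom."""
    s, d = ip_address(src), ip_address(dst)
    for route in table:
        if route.in_if == in_if and s in route.src and d in route.dst:
            return route
    return None  # no policy route matched; the normal routing table would decide

def shadowed(table):
    """Names of routes that can never match because an earlier route on the
    same incoming interface covers their whole source and destination range."""
    return [later.name
            for i, later in enumerate(table)
            for earlier in table[:i]
            if earlier.in_if == later.in_if
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)]

CORRECT = [LAN1_LAN2, LAN2_LAN1, LAN1_ISP1, LAN2_ISP2]   # Note-1 ordering
WRONG = [LAN1_ISP1, LAN2_ISP2, LAN1_LAN2, LAN2_LAN1]     # LAN-to-LAN routes last

if __name__ == "__main__":
    for label, table in (("correct", CORRECT), ("wrong", WRONG)):
        hit = lookup(table, "lan1", "192.168.1.10", "192.168.2.20")
        print(f"{label}: LAN1->LAN2 packet leaves via {hit.out_if}; shadowed={shadowed(table)}")
```

With the wrong ordering, the LAN1 to LAN2 packet leaves through `wan1` and both LAN-to-LAN routes are reported as shadowed, which is the condition to look for when auditing an existing policy route list.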