FortiGate
darisandy
Staff
Article Id 390490
Description This article describes how to troubleshoot traffic issues after configuring Policy Route for Internet traffic.
Scope FortiGate.
Solution

The Policy Route below is used to steer Internet traffic from host 10.10.10.1 away from the usual outgoing Internet line, sending it to gateway 192.168.30.1 on port3 instead:

config router policy
    edit 1
        set input-device "port2"
        set src "10.10.10.1/255.255.255.255"
        set dstaddr "all"
        set gateway 192.168.30.1
        set output-device "port3"
    next
end

After this setting, traffic from 10.10.10.1 to internal networks may be disrupted.

This happens because the destination address on the Policy Route is the 'all' address. Policy routes are evaluated before the routing table, so every packet arriving on port2 from 10.10.10.1 matches this entry and is forwarded to 192.168.30.1 via port3, including traffic whose destination is an internal subnet that should have been reached through the routing table.

To resolve this, add another policy route above it with the internal (RFC 1918) ranges as the destination and 'set action deny'. On FortiGate a policy route with action deny does not drop the packet: it stops policy-route processing and lets the routing table route the packet normally. Policy routes are matched top-down in list order and a newly created entry is appended at the bottom, so after creating entry 2 move it above entry 1 ('move 2 before 1' under 'config router policy'); the sequence number alone does not decide the order:


[Screenshot PR-03.png: policy route list]


FGT-VM (root) # sh router policy
config router policy
    edit 2
        set input-device "port2"
        set src "10.10.10.1/255.255.255.255"
        set dstaddr "Private Address"
        set action deny
    next
    edit 1
        set input-device "port2"
        set src "10.10.10.1/255.255.255.255"
        set dstaddr "all"
        set gateway 192.168.30.1
        set output-device "port3"
    next
end

FGT-VM (root) # sh firewall addrgrp Private\ Address
config firewall addrgrp
    edit "Private Address"
        set member "ClassA-10.0.0.0/8" "ClassB-172.16.0.0/12" "ClassC-192.168.0.0/16"
    next
end

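The following Python model is an added illustration written for this article; it is not FortiOS code and the routing table in it is constructed. It reproduces the two behaviours the article depends on (policy routes are matched top-down before the routing table with first match winning, and 'set action deny' hands the packet back to the routing table instead of dropping it) and runs the two entries from the article through them, so it shows why the 'all' destination captures internal traffic, why the deny entry fixes it, and why the fix only works when the deny entry is placed above entry 1.

```python
"""Model of FortiGate policy-route evaluation (added illustration, not FortiOS code).

Rules modelled:
  * policy routes are checked top-down, in list order, before the routing table;
    the first entry whose input-device, src and dstaddr all match decides;
  * an entry with action "deny" does not drop the packet, it stops policy-route
    processing and the normal routing table routes the packet instead.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Address objects from the article; "all" is modelled as 0.0.0.0/0.
ALL = [ip_network("0.0.0.0/0")]
PRIVATE_ADDRESS = [ip_network("10.0.0.0/8"),       # ClassA-10.0.0.0/8
                   ip_network("172.16.0.0/12"),    # ClassB-172.16.0.0/12
                   ip_network("192.168.0.0/16")]   # ClassC-192.168.0.0/16


@dataclass
class PolicyRoute:
    seq: int
    input_device: str
    src: list
    dstaddr: list
    action: str = "permit"      # FortiOS default
    gateway: str = ""
    output_device: str = ""

    def matches(self, ingress: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return (ingress == self.input_device
                and any(src in net for net in self.src)
                and any(dst in net for net in self.dstaddr))


# Constructed routing table: a connected LAN on port4 and a default route out port1.
ROUTING_TABLE = {
    ip_network("192.168.1.0/24"): ("port4", ""),
    ip_network("0.0.0.0/0"): ("port1", "203.0.113.1"),
}


def route_packet(policy_list, ingress, src, dst):
    """Return (output interface, gateway) chosen for one packet."""
    src, dst = ip_address(src), ip_address(dst)
    for route in policy_list:               # list order decides, not the seq number
        if not route.matches(ingress, src, dst):
            continue
        if route.action == "deny":
            break                           # stop policy routing; fall through
        return route.output_device, route.gateway
    # Longest-prefix match in the routing table.
    best = max((net for net in ROUTING_TABLE if dst in net), key=lambda n: n.prefixlen)
    return ROUTING_TABLE[best]


# The two policy routes from the article.
STEER = PolicyRoute(1, "port2", [ip_network("10.10.10.1/32")], ALL,
                    gateway="192.168.30.1", output_device="port3")
SKIP_INTERNAL = PolicyRoute(2, "port2", [ip_network("10.10.10.1/32")], PRIVATE_ADDRESS,
                            action="deny")


def original_config(dst):
    """Only entry 1: every packet from 10.10.10.1 on port2 is steered out port3."""
    return route_packet([STEER], "port2", "10.10.10.1", dst)


def deny_on_top(dst):
    """Entry 2 placed above entry 1: the fix described in the article."""
    return route_packet([SKIP_INTERNAL, STEER], "port2", "10.10.10.1", dst)


def deny_below(dst):
    """Entry 2 left below entry 1: it is never reached, so the problem remains."""
    return route_packet([STEER, SKIP_INTERNAL], "port2", "10.10.10.1", dst)


if __name__ == "__main__":
    for dst in ("192.168.1.5", "8.8.8.8"):
        print(f"{dst:<12} original={original_config(dst)} "
              f"deny_on_top={deny_on_top(dst)} deny_below={deny_below(dst)}")
```

With the deny entry on top, 10.10.10.1 to 192.168.1.5 is routed by the routing table (connected route on port4) while 10.10.10.1 to 8.8.8.8 is still steered to 192.168.30.1 on port3; with the deny entry below entry 1 the internal packet is still steered out port3, which is the symptom the article describes.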