ASA to Fortigate Specify Phase2 VPN source ip based to use destination gateway
I am new to fortigate.
I am considering replacing an ASA5506 with a Fortigate 60F, but I am unable to figure out how to create a more complex VPN phase 2 tunnel selector in the Fortigate.
Essentially, I have a tunnel between 2 locations. Each location has an internal /24 using RFC1918 space. One location has a static IP (Location A) and the other a dynamic IP (Location B). Outside of these locations there are devices that can only be accessed using the IP address of the location with the static IP address. Because of this, the ASA is currently configured to use the remote gateway from Location A (the one with the static IP) when devices from Location B attempt to connect to those specific destination IPs. Further, there are some devices at Location B that ALWAYS need to use the remote gateway from LOCATION A. Finally, devices at Location B need to be able to communicate with the devices at Location A with their RFC1918 address spaces.
I cannot figure out how to replicate this on the FortiGate, as the phase 2 selector seems to be limited to address groups.
ASAs use access lists to specify the split tunnel selector, and currently that looks like this (using descriptive names that match this post's question):
access-list TUNNEL_SELECTOR extended deny ip object LOCATIONB_NETWORK object-group ALWAYS_LOCAL_EXIT_NEVERTUNNEL
access-list TUNNEL_SELECTOR extended permit ip object LOCATIONB_NETWORK object-group USELOCATIONA_GATEWAY_IPS
access-list TUNNEL_SELECTOR extended permit ip object-group LOCATIONA_IPS_ALWAYS_USE_REMOTE_GATEWAY object ANY
access-list TUNNEL_SELECTOR extended permit ip object LOCATIONB_NETWORK object LOCATIONA_NETWORK
I see on the FortiGate that tunnels use firewall policies, and in those firewall policies the more granular source and destination can be used. However, this means that in the phase 2 selector I would basically need to set the remote address as the "all" object and then filter using the VPN policy. My current thinking is that by doing that, phase 2 will attempt to tunnel all traffic and then the firewall policy will simply cause the traffic to be dropped, as opposed to simply excluding it from being tunneled.
Any insight or assistance on this type of configuration would be helpful.
So, I have discovered policy routing on the 60F, but just like using the VPN policy, I am unsure where or how traffic might be dropped.
I am thinking I might get the same functionality if I specify the remote end as ANY, but then use policy routing to only send the traffic I want to go across the tunnel to the VPN interface. I am just unsure what takes priority in routing decisions: the tunnel specifications or policy routing.
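The following is an added example of how the ASA access-list logic above can be expressed on a FortiGate with a route-based (interface mode) IPsec tunnel; it is not configuration from the original post or from Fortinet. All names and addresses are constructed placeholders: the phase 1 is assumed to be named LOCATIONA, the LAN interface "internal", Location A's LAN 10.1.0.0/24, Location B's LAN 10.2.0.0/24, the "always use Location A's gateway" destinations 203.0.113.0/24, the "never tunnel" destinations 192.0.2.0/24, and the hosts that must always exit via Location A 10.2.0.50 and 10.2.0.51. It also assumes the remote peer is willing to negotiate the wide-open 0.0.0.0/0 selectors; if the far end insists on narrow selectors, the phase 2 entries must be narrowed to match instead.

```fortios
# Route-based phase 2: wide selectors, so which traffic enters the tunnel is
# decided by routing, not by the selector (constructed example, not from the post).
config vpn ipsec phase2-interface
    edit "LOCATIONA-p2"
        set phase1name "LOCATIONA"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Plain LAN-to-LAN reachability (the last ASA permit line) is a normal static route.
config router static
    edit 10
        set dst 10.1.0.0 255.255.255.0
        set device "LOCATIONA"
    next
end

# Policy routes are consulted before the routing table, top to bottom.
# seq 1: mirrors "deny ... ALWAYS_LOCAL_EXIT_NEVERTUNNEL": action deny means
#        "stop policy routing here", so these flows fall through to the normal
#        routing table (i.e. the default route out the WAN), they are not dropped.
# seq 2: mirrors "permit LOCATIONB_NETWORK -> USELOCATIONA_GATEWAY_IPS".
# seq 3: mirrors "permit ALWAYS_USE_REMOTE_GATEWAY hosts -> ANY".
config router policy
    edit 1
        set input-device "internal"
        set src "10.2.0.0/255.255.255.0"
        set dst "192.0.2.0/255.255.255.0"
        set action deny
    next
    edit 2
        set input-device "internal"
        set src "10.2.0.0/255.255.255.0"
        set dst "203.0.113.0/255.255.255.0"
        set output-device "LOCATIONA"
    next
    edit 3
        set input-device "internal"
        set src "10.2.0.50/255.255.255.255" "10.2.0.51/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "LOCATIONA"
    next
end

# Address object for the local LAN, used by the firewall policy below.
config firewall address
    edit "LOCATIONB_NETWORK"
        set subnet 10.2.0.0 255.255.255.0
    next
end

# The firewall policy is evaluated only after routing has already chosen the
# tunnel interface as egress, so it permits tunnel-bound traffic; flows that
# routing sent to the WAN are matched by the LAN-to-WAN policy instead.
config firewall policy
    edit 100
        set name "LAN-to-LOCATIONA-tunnel"
        set srcintf "internal"
        set dstintf "LOCATIONA"
        set srcaddr "LOCATIONB_NETWORK"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The order of operations is what answers the drop concern: the FortiGate first does the route lookup (policy routes, then the routing table) to pick an egress interface, and only then looks for a firewall policy matching that source and destination interface pair. Traffic the policy routes keep off the tunnel therefore never hits the tunnel policy at all, and a wide phase 2 selector does not by itself pull traffic into the tunnel.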