Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Amyd80
New Contributor

Controlling outgoing WAN for specific IPs or IP ranges

Hi everybody, on our new FortiGate 100D, we have two WAN Links (wan1/wan2) out of which only one has a static IP (wan2). They are load-balanced via ECMP and WLB weights for regular Internet access. However, we would like to make sure that specific IPs from the internal network (192.168.1.0/24) only go out on the wan2 connection, because of how some external applications they use do IP-based filtering. I tried to do it via policies, by doing two policies with for IP_RANGE -> wan1 (DENY) and IP_RANGE -> wan2 (ALLOW), and this works, but it causes ping timeouts and slow name resolving for the IPs that hit this policy pair, probably because the connections are first tried on wan1 (higher weight) and then get denied, move to wan2, etc. It doesn' t seem to matter in which order the policies are arranged, the timeouts and hiccups on browsing still occur. Is there another, smarter way to go about setting this up? I guess a policy route would work, but I can' t seem to find out how to make sure that the route only is to be applied on destination addresses outside of our internal network (we have a couple of other ports/subnets between which we need to route internally). Thanks for any tips - Fortigate newbie here!
6 REPLIES 6
rwpatterson
Valued Contributor III

Welcome to the forums. The policy route definition can get pretty granular. You can specify the source IP/subnet as well as the destination. You may need to create more than one to cover the scope your require. If you could bunch all of the IPs together you may be able to create a superscope using a subnet mask that covers 8 or 16 IPs. Hope that helps

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
SuperUser
SuperUser

If you want to route based on source IPs then you have to use a policy route. No other means to do that. If you can route based on destination addresses then use specific static (standard) routes: for instance, always use wan1 for access to 8.8.8.8: -> create static route " 8.8.8.8/32" , interface " wan1"
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Amyd80
New Contributor

Thanks Bob und danke EDV I built the policy-based routes, and it looks like it works like it should, but just to be sure I understand correctly: - if there are several internal ports / subnets, one needs to create a source IP-based policy route for each of them (with the external being last in order), otherwise everything from the IP(s) will be thrown through the - in my case - wan2 interface; - there is no way to say: this policy route applies to all destinations except for instance an internal subnet; - if there are several IPs, one has to either build by hand routes for each of them, or group them together so that they are all within a mask block, you can' t use the nice firewall object groups that the other policies allows one to use; - or alternatively if there are only a few external IPs that need to be connected to through a specific wan connection, it is easier to do static routes for them; Did I get everything right? It' s a bit of a headache to do it this way in our case, but I guess Fortinet is working on improving this area. It would make a lot of sense, at least to me, when you could use objects here instead of just IPs/subnets.
ede_pfau
SuperUser
SuperUser

You are right in everything you are assuming. Policy routes are obeyed prior to regular routing. Technically they are different. I agree that it might be useful to be able to group single IP addresses but I don' t think this is going to come soon. (but then again, my crystal ball is dusty...) If you can determine routing from the destination addresses alone then my all means use static routes. They have the benefit of being visible in the Routing Monitor so you can check anytime where traffic is sent. Policy routes are just configured, not monitored (at least not in the WebGUI) so you need to remember they are in place. Not-so-nice when debugging. BTW, have we met before? no clear names these days, sigh...
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Amyd80
New Contributor

Ah, sorry, no, I don' t believe we have met, I just found your nick funny. I noticed in the updated " What' s New" PDF for 5.0.2 actually a mention about authentication-based routing, which seems to accomplish what I am looking for without limiting itself to IPs. It' s on page 41 and it seems it' s currently only available from the CLI, but here is what it says:
FortiOS 5.0 supports authentication-based routing by creating an identity-based route that associates a user group with one or more routes. This identity-based route is then added to a security policy and all traffic from users authenticated by this user group is routed to the gateway. This feature is configured from the CLI and can be useful for MSSPs who need to route users from different organizations to different Internet gateways. Enter the following command to add an identity-based route that routes all traffic from users in the company1-user-group and the company2-user-group user groups out the wan1 interface to a next-hop router with IP address 172.20.120.2.
config firewall identity-based-route
 edit new-id-route
 config rule
 edit 1
 set gateway 172.20.120.2
 set device wan1
 set groups company1-user-group company2-user-group
 end
 end
Enter the following command to add the identity-based route to a security policy:
config firewall policy
 edit 1
 ...
 set identity-based enable
 set identity-based-route new-id-route
 ...
 end
We haven' t yet upgraded to 5.0.2 (or was that already in 5.0/5.0.1?), so I can' t try it, but does anybody know more about how it works? Does it only work with authentificated users in user groups (which we don' t currently have implemented) or can one simply create a IP-based group manually and use that as a selector?
rwpatterson
Valued Contributor III

Identity based policy uses FSSO (or prior FSAE) and AD (or Novell) user groups to select users for policies. No other way to implement that.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors