Hi,
I'm searching for a decent solution to implement following:
I have 2 FortiGates connected through an IPsec tunnel, and the default traffic goes from the branch to HQ through the IPsec tunnel. This is done through a policy route and works.
Now, I would like certain "Internet Services" to take the internet breakout of the branch firewall, instead of entering the IPsec tunnel to HQ.
I have tested this setup, but the "Internet Services" that I defined keep entering the IPsec tunnel.
Questions:
Is it possible to change the order of policy routes so that the "static route with internet services", which is in fact a policy route in the background, is the first in the list?
Is there another way to accomplish this?
Thanks in advance
Christophe
Assuming that with "true" you mean "through"...
To determine if policy routing is indeed the right solution I'd like to know how you differentiate the traffic: by destination network, by service (port), by source network,...?
Internet-bound traffic is usually served by a default route, in your setup, pointing to the local breakout at the branch office. Then, either by policy route or regular route, the 'other' traffic is directed towards the tunnel.
Hi Ede,
Yes correct, through :)
For the default policy route to work through the IPsec tunnel, I configure the phase 2 selectors with 0.0.0.0 0.0.0.0 and the policy route with destination 0.0.0.0.
Policy route:
Services is Any
Source is local network
Destination is 0.0.0.0
Gateway is IPSEC Tunnel HQ
Gateway IP is IP on both IPsec interfaces, so the firewall is able to use the policy route
Static route:
destination is e.g. Linkedin-Web
exit port is WAN interface (local break-out)
AD is default 10
So in this example it's not a specific network that needs to be routed over the IPsec, but everything destined for the internet except certain "Internet Services".
Christophe
That's what I thought.
If you can decide which route to take just by looking at the destination, then you create a static route.
If you need other selectors, like source network, source port etc., then you create a Policy route.
So, for the default internet traffic, just point a default route to the tunnel interface, no gateway.
For specific destinations, try to create static routes with destinations from the "Internet services" DB. This depends on the FortiOS version.
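As an added illustration of the approach Ede describes (not part of the original thread and not Christophe's configuration), the FortiOS CLI below replaces the 0.0.0.0 policy route with a default static route on the tunnel interface and a more specific Internet Service route out the branch WAN. The interface names HQ-tunnel and wan1, the gateway 203.0.113.1 and the ISDB ID placeholder are assumed; lines starting with # are annotations, not CLI.

```fortios
# Assumed interface names: "HQ-tunnel" (IPsec phase 1), "wan1" (branch breakout).
# Remove the existing policy route with destination 0.0.0.0 first; policy routes
# are consulted before the routing table and would otherwise still win.
config router static
    edit 1
        set comment "Default: all other Internet traffic into the IPsec tunnel"
        set dst 0.0.0.0 0.0.0.0
        # Tunnel interfaces need no gateway IP (point-to-point).
        set device "HQ-tunnel"
        set distance 10
    next
    edit 2
        set comment "Local breakout for one Internet Service (e.g. LinkedIn-Web)"
        # <ISDB-ID> is a placeholder: look up the numeric ID of the service in
        # the Internet Service Database of your FortiOS version.
        set internet-service <ISDB-ID>
        set device "wan1"
        # Constructed example next-hop; use the ISP gateway of wan1.
        set gateway 203.0.113.1
        set distance 10
    next
end
```

Because the Internet Service route is more specific than the 0.0.0.0/0 route, it is preferred regardless of administrative distance, so the two entries can keep the default distance of 10. The `set internet-service` option in `config router static` is only available on FortiOS versions that support ISDB-based routing, which is the version dependency Ede mentions.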