I have a Fortigate with 2 ISP connections, and 2 firewall policies.
Firewall Policy 1 - to send traffic from internal LAN to ISP A (ID 6)
Firewall Policy 2 - to send traffic from internal LAN to ISP B (ID 12)
Right now Fortigate seems to always select Policy2/ISP B, even if I change the sequence of the policies.
The only way I can get it to use ISP A is to disable the port for ISP B.
I tried creating a static route to use ISP A, but that creates a whole different issue. Certain computers cannot connect to the internet and Windows troubleshooter points to DNS issue, while some computers have no problems at all. The few computers that had this problem were Windows 7. Not sure if that's coincidence.
So my question is, is there another way for Fortigate to prioritize one Firewall Policy over the other?
Firewall policy is selected based on the route: if the destination is reachable via ISP-A, then the LAN to ISP-A policy will be used.
If the active route is via ISP-B, then the LAN to ISP-B policy will be used.
When you say that Policy2 is always used, can you check whether the default route via ISP-B is active at that time?
Creating a higher-preference route via ISP-B is the way to push all the traffic via ISP-B. I would suggest checking more on the DNS issue you have observed with ISP-B.
Where do I check the default route?
Initially I did not have any Policy Route, because I had only one ISP. Routing was handled just by the Firewall Policy. Even now, I've disabled all Policy Routes because of the DNS issue, but my internet connection still works. Is there something else that controls the route?
Static routes are under the "Network" settings on the GUI, or from the CLI you can run "get router info routing-table details".
Right... I have disabled the Static Route as well.
In this case, where there are no Static/Policy routes, how do we set preference for Firewall policies?
If there are no routes, the packet will not reach policy lookup stage.
There should be a valid route for policy check to happen.
A policy is defined between 2 interfaces: the first one is the source interface (through which the packet reaches the FortiGate) and the second one is the destination interface (through which the packet leaves).
The destination interface is determined by the route lookup; if there are no routes, then there is no destination interface and no matching policy.
You may refer to the document below for more details on the flow.
Created on 01-17-2023 01:04 AM Edited on 04-09-2023 05:30 PM
Here's my 2 policies. They do work even when I don't have a static route.
This is my Static Route. It's disabled. But the policies above still work even though there's no static route. I can connect to the internet. I just have no control over which ISP it uses.
Can you share the policy routes configuration?
Created on 01-17-2023 04:14 AM Edited on 04-09-2023 05:31 PM
I have disabled policy routes.
But here's the configuration. I created it to test if I could forward traffic to certain websites. It worked fine. But I've disabled it until I can resolve the Firewall Policy issue.
So basically, without Static Route and without Policy Route, I can still access the internet because the Firewall Policy takes care of that. I just need a way to make the "Internet - Maxis" policy as the preferred policy.
Are you using DHCP on the ISP-A and ISP-B interfaces? If so, they may be getting the routes from the ISP/DHCP server.
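As an added illustration of the point made above (this is not from any post in this thread): the policy that matches is decided by which route wins the lookup, so the way to make the "LAN to ISP A" policy win is to make the ISP A route the preferred one. With two default routes of equal distance, both stay in the routing table and the lower priority value is preferred; if a WAN interface is on DHCP, its learned default route competes on the distance set on the interface. Interface names, gateways and the numeric values below are assumptions, not taken from the thread.

```fortios
# Two static default routes, same distance (both stay in the routing table),
# lower priority value wins: traffic goes out via wan1 (ISP A), so the
# LAN -> wan1 firewall policy is the one that matches.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1      # assumed ISP A gateway
        set device "wan1"            # assumed ISP A interface
        set distance 10
        set priority 1               # preferred
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1     # assumed ISP B gateway
        set device "wan2"            # assumed ISP B interface
        set distance 10
        set priority 5               # backup, still installed
    next
end

# If an ISP interface gets its default gateway from DHCP, that learned route
# has the distance configured on the interface; give ISP B a higher distance
# so it does not outrank the ISP A route.
config system interface
    edit "wan2"
        set mode dhcp
        set defaultgw enable
        set distance 20
    next
end

# Verify which default route is active ('*' marks the selected route):
# get router info routing-table all
# get router info routing-table details
```

After the change, the output of the routing-table command should show the wan1 default route as the active one; only then will the ISP A policy be selected.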