Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IronMan
New Contributor III

Firewall Policy preference (Dual Internet) Fortigate

I have a Fortigate with 2 ISP connections, and 2 firewall policies.

Firewall Policy 1 - to send traffic from internal LAN to ISP A (ID 6)

Firewall Policy 2 - to send traffic from internal LAN to ISP B (ID 12)

Right now Fortigate seems to always select Policy2/ISP B, even if I change the sequence of the policies.

The only way I can get it to use ISP A is to disable the port for ISP B.

I tried creating a static route to use ISP A, but that creates a whole different issue. Certain computers cannot connect to the internet and the Windows troubleshooter points to a DNS issue, while some computers have no problems at all. The few computers that had this problem were Windows 7. Not sure if that's a coincidence.

So my question is, is there another way for Fortigate to prioritize one Firewall Policy over the other?

srajeswaran
Staff

Firewall policy is selected based on the route: if the destination is reachable via ISP-A, then the LAN to ISP-A policy will be used.

If the active route is via ISP-B, then the LAN to ISP-B policy will be used.

When you are saying the Policy2 is always used, can you check whether the default route via ISP-B is active at that time?

Creating a higher preference route via ISP-B is the way to push all the traffic via ISP-B. I would suggest checking more on the DNS issue you have observed with ISP-B.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

IronMan
New Contributor III

Where do I check the default route?

Initially I did not have any Policy Route, because I had only one ISP. Routing was handled just by the Firewall Policy. Even now, I've disabled all Policy Routes because of the DNS issue, but my internet connection still works. Is there something else that controls the route?

srajeswaran

Static routes are under the "Network" settings in the GUI, or from the CLI you can run "get router info routing-table details".

Regards,

Suraj

IronMan
New Contributor III

Right... I have disabled the Static Route as well.

In this case, where there are no Static/Policy routes, how do we set preference for Firewall policies?

srajeswaran

If there are no routes, the packet will not reach the policy lookup stage.

There should be a valid route for the policy check to happen.

A policy is defined between 2 interfaces: the first one is the source interface (through which the packet reaches the FortiGate) and the second one is the destination interface (through which the packet leaves).

The destination interface is determined based on the route lookup; if there are no routes then there is no destination interface and no matching policies.

You may refer to the document below for more details on the flow.

https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/086811/...

Regards,

Suraj
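The order of operations Suraj describes (route lookup picks the egress interface, and only then is a policy matched on the source/destination interface pair) is easy to see in a small model. The block below is an added example written for this thread, not FortiOS code and not configuration from either participant. It assumes the interface names `internal`, `wan1` and `wan2`, a constructed destination address, and a simplified route-selection rule (longest prefix, then lowest distance, then lowest priority, which is the FortiOS convention for static routes but is implemented here from scratch as a toy).

```python
"""Toy model of the packet flow discussed above: route lookup decides the egress
interface, and only then is a firewall policy matched on the (source interface,
destination interface) pair.  Constructed illustration, not FortiOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str          # destination prefix, e.g. "0.0.0.0/0" for a default route
    device: str          # egress interface the route points out of
    distance: int = 10   # administrative distance: lower wins
    priority: int = 1    # tie-break between equal-distance routes: lower wins
    enabled: bool = True


@dataclass
class Policy:
    policy_id: int
    name: str
    srcintf: str
    dstintf: str


def route_lookup(routes, dst_ip):
    """Return the egress interface for dst_ip, or None when no enabled route covers it.
    Preference order: longest prefix, then lowest distance, then lowest priority."""
    ip = ip_address(dst_ip)
    candidates = [r for r in routes
                  if r.enabled and ip in ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    best = min(candidates,
               key=lambda r: (-ip_network(r.prefix, strict=False).prefixlen,
                              r.distance, r.priority))
    return best.device


def policy_lookup(policies, srcintf, dstintf):
    """First policy in sequence order whose interface pair matches, else None."""
    for p in policies:
        if p.srcintf == srcintf and p.dstintf == dstintf:
            return p
    return None


def forward(routes, policies, srcintf, dst_ip):
    """Model the flow: route lookup first, policy lookup second.
    Returns (egress interface, matched policy); (None, None) if there is no route,
    because a packet with no route never reaches the policy lookup stage."""
    dstintf = route_lookup(routes, dst_ip)
    if dstintf is None:
        return None, None
    return dstintf, policy_lookup(policies, srcintf, dstintf)


# Constructed sample data, loosely modelled on the thread (policy IDs 6 and 12);
# the interface names internal/wan1/wan2 are assumptions.
POLICIES = [
    Policy(6, "Internet - ISP A", srcintf="internal", dstintf="wan1"),
    Policy(12, "Internet - ISP B", srcintf="internal", dstintf="wan2"),
]


def default_routes(prefer):
    """Two default routes with equal distance, one per ISP; the preferred ISP's route
    gets the lower priority value (lower priority wins in this model)."""
    return [
        Route("0.0.0.0/0", "wan1", priority=1 if prefer == "wan1" else 5),
        Route("0.0.0.0/0", "wan2", priority=1 if prefer == "wan2" else 5),
    ]


if __name__ == "__main__":
    # Swapping the policy sequence changes nothing; swapping route preference does.
    for prefer in ("wan2", "wan1"):
        for order, pols in (("6 before 12", POLICIES), ("12 before 6", POLICIES[::-1])):
            egress, pol = forward(default_routes(prefer), pols, "internal", "203.0.113.10")
            print(f"preferred route {prefer}, policy order {order}: "
                  f"egress={egress}, policy={pol.policy_id}")
```

Running it shows the behaviour reported at the top of the thread: with the ISP-B default route preferred, policy 12 is matched no matter which policy is listed first, and only changing which route wins (or disabling the ISP-B route, which is what pulling the ISP-B port does) moves traffic to policy 6. Policy sequence only decides between policies that share the same interface pair.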

IronMan
New Contributor III

Here are my 2 policies. They do work even when I don't have a static route.

This is my Static Route. It's disabled. But the policies above still work even though there's no static route. I can connect to the internet. I just have no control over which ISP it uses.

IronMan_3-1673945894248.png

srajeswaran

Can you share the policy routes configuration?

Regards,

Suraj

IronMan
New Contributor III

I have disabled policy routes.

IronMan_0-1673956897395.png

But here's the configuration. I created it to test if I could forward traffic to certain websites. It worked fine. But I've disabled it until I can resolve the Firewall Policy issue.

So basically, without a Static Route and without a Policy Route, I can still access the internet because the Firewall Policy takes care of that. I just need a way to make the "Internet - Maxis" policy the preferred policy.

srajeswaran

Are you using DHCP on the ISP-A and ISP-B interfaces? If so, they may be getting the routes from the ISP/DHCP server.

Regards,

Suraj
