FIrewall Policy preference (Dual Internet) Fortigate

IronMan · ‎01-16-2023

I have a Fortigate with 2 ISP connections, and 2 firewall policies.

Firewall Policy 1 - to send traffic from internal LAN to ISP A (ID 6)

Firewall Policy 2 - to send traffic from internal LAN to ISP B (ID 12)

Right now Fortigate seems to always select Policy2/ISP B, even if I change the sequence of the policies.

The only way I can get it to use ISP A, is to disable the port for ISP B.

I tried creating a static route to use ISP A, but that creates a whole different issue. Certain computers cannot connect to the internet and Windows troubleshooter points to DNS issue, while some computers have no problems at all. The few computers that had this problem were Windows 7. Not sure if that's coincidence.

So my question is, is there another way for Fortigate to prioritize one Firewall Policy over the other?

IronMan · ‎01-17-2023

Yes, I'm using DHCP on ISP-B. Static on ISP-A.

In this situation, is there anything we can do to get it it to use ISP-A? Other than a static route is there any other way?

srajeswaran · ‎01-17-2023

Since ISP-B is using static IP, we need to configure a static or policy route via this interface with a higher preference value.

Once configured, please collect " get router info routing-table details 0.0.0.0" from CLI to confirm the ISP-B route is preferred.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

IronMan · ‎01-17-2023

OK.

This is my interface for ISP-A. Should I Override internal DNS? I remember having some PCs with DNS issues the other day when I enabled static route. In all my PCs and in the Fortigate DNS settings it is 8.8.8.8.

srajeswaran · ‎01-18-2023

If this DNS works fine for you, then try enabling the override internal DNS option.

Ideally 8.8.8.8 as DNS should work.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.