sheerazali
New Contributor II

FortiWeb Routes Issue

Dear Fortinet Community,

We are currently experiencing challenges with a WAF deployment project using FortiWeb version 7.4.3. Our goal is to migrate several web applications behind FortiWeb, but we have encountered a routing issue due to our network configuration.

In our setup, we have two different FortiGate physical appliances, each configured for separate ISP connections. One FortiGate is connected to a physical port on FortiWeb with a distinct subnet, while the second FortiGate is connected to another physical port on FortiWeb. We have created two different virtual IPs (vIPs) on both FortiWeb ports where each ISP terminates, and we have linked these vIPs to a single virtual server.

Currently, we have configured a default route pointing to one of the ISPs. However, the issue we are facing is that all responses are being routed through the ISP associated with the default route. We have attempted various solutions, including Policy-Based Routing (PBR) and static routes, but none have resolved the issue in this environment.

Given that this firewall setup is in a production environment, we cannot modify the default route. We are seeking advice on potential solutions to ensure that traffic is correctly routed based on the incoming request, rather than defaulting to a single ISP.

Sheeraz Ali
1 Solution
AEK
SuperUser

For example, let's say you have this config on FWB:

  • port1: 10.1.1.10
  • port2: 10.2.2.20
  • Def GW: 10.1.1.1
  • 2nd GW: 10.2.2.1

The policy route would be like this:

If source is 10.2.2.20 then send the packet to GW 10.2.2.1 through port2.

AEK
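Worked configuration for the addresses AEK lists above, added here as an illustration; it is not part of AEK's post and not taken from Fortinet documentation. It assumes port1 10.1.1.10 with default gateway 10.1.1.1, port2 10.2.2.20 with second gateway 10.2.2.1, and uses FortiWeb's `config router policy` CLI; the command and field names are written from memory and should be checked against the FortiWeb 7.4 CLI Reference before use.

```text
# Added example, not from the thread. Policy route on FortiWeb: anything
# sourced from the port2 side leaves via port2 to the second ISP's FortiGate,
# while everything else still follows the unchanged default route via port1.
# Field names (src, dst, gateway, output-device) are assumed; verify in the
# FortiWeb CLI Reference for your release.
config router policy
  edit 1
    set src 10.2.2.0/24        # assumed: port2 subnet, so it covers the interface IP and any VIP on port2
    set dst 0.0.0.0/0          # any destination (client on the Internet)
    set gateway 10.2.2.1       # second ISP's FortiGate, not the default gateway
    set output-device port2
  next
end
```

The source match is the part to get right: FortiWeb answers the client from the VIP address, not from the interface address, so if the port2 VIP is outside the port2 interface subnet the `src` entry must include the VIP address (or a second policy route must be added for it), otherwise the reply falls through to the default route and still leaves via port1, which is the symptom described in the question. Policy routes are consulted before the static routing table, so the existing default route can stay untouched. After applying it, confirm with a packet capture on port2 or on the second FortiGate that the SYN/ACK for a connection arriving on the port2 VIP leaves via port2.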
Replies
jintrah_FTNT
Staff

Hi Sheeraz,

Please check if configuring a vzone is possible in your setup; Understanding and Using the 'use-inte... - Fortinet Community should be helpful.


Best regards,

Jin

AEK
SuperUser

Hi Sheeraz,

I think your solution is to use policy routes on FWB. I always use it in such a scenario.

AEK