Hi, I have a FortiGate 60F and two ISPs added to SD-WAN:
WAN1
WAN2
I would always like to route traffic from Interface "3" (Subnet 192.168.0.0/24) to ISP "WAN2" and never fail over to ISP "WAN1". If "WAN2" is down, then clients on Interface "3" will be offline (that is OK), while other interfaces can use WAN2 as the primary ISP and fail over to the WAN1 ISP.
If I create the SD-WAN rule below, won't Interface "3" (192.168.0.0/24) fail over to WAN1 in case WAN2 is offline?
Created on 09-03-2023 01:29 PM Edited on 09-07-2023 12:03 AM
For the time being I found three options for blocking traffic originating from subnet 192.168.0.0 (port3) from being routed via the WAN1 port even if WAN2 is physically down (cable unplugged):
1) Found on this resource exactly the same issue I have:
https://www.reddit.com/r/fortinet/comments/p7j1zl/restrict_certain_subnetinterface_from_using/
On port3 (subnet 192.168.0.0), I created a secondary IP 100.64.0.1/24.
Created two policy routes. The first routing policy always routes traffic from the 192.168.0.0/24 subnet (port3) via WAN2 (Starlink):
The second policy routes traffic from port3 to port3 with the gateway set to this port's secondary IP, 100.64.0.1. Once the WAN2 link is down (cable unplugged, for example), the first routing policy is skipped and the one below takes care of the 192.168.0.0 traffic, since it will match:
2) Another option is to remove the SD-WAN zone and make WAN1 and WAN2 separate interfaces.
Configure failover between WAN1 and WAN2 using link-monitor as per the resource below:
Configure a policy to block traffic from 192.168.0.0 to WAN1.
Not sure how practical the first approach is, but it works without removing the SD-WAN zone. It was tested and found working.
The 2nd option was tested as well.
3) Under SD-WAN create two new zones:
WAN1 ZONE
WAN2 ZONE
Add WAN1 and WAN2 interfaces to respective zone.
Create two SD-WAN rules:
- Rule1: Source Address: specify the subnet you want to route via WAN2 only. Manual mode -> Interface Preference: WAN2
- Rule2: Source Address: specify all remaining subnets that can access WAN2 and WAN1. Manual mode -> Interface Preference: WAN2, WAN1 (the order of interfaces is important)
Go to Routes -> Static Routes -> Add both new SD-WAN zones to the Static Route Device fields
Configure SLA under SD-WAN
Configure Firewall Policy:
Top rule: block subnet 192.168.0.0/24 from accessing WAN1 (WAN1 ZONE as destination interface)
Second rule: allow the 192.168.0.0/24 subnet to access the WAN2 interface (WAN2 ZONE as destination interface)
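A FortiOS CLI rendition of option 3 above, added here as an example and not the poster's own configuration: the interface names port3/wan1/wan2, the zone names WAN1_ZONE/WAN2_ZONE, the address object LAN3_SUBNET and the object numbers are assumptions. The point it makes explicit is that the SD-WAN rule only expresses a preference; the deny policy toward WAN1_ZONE, ordered above the allow, is what keeps 192.168.0.0/24 offline instead of leaking out via WAN1 when WAN2 is down.

```fortios
# Added example, not the poster's own config (FortiOS 7.x syntax). Assumed
# names: interfaces port3/wan1/wan2, zones WAN1_ZONE/WAN2_ZONE, and an
# existing address object LAN3_SUBNET = 192.168.0.0/24. Assumes the zones
# already exist with wan1 as SD-WAN member 1 and wan2 as member 2.
config system sdwan
    config service
        edit 1
            # Rule1: LAN3 is pinned to WAN2 (member 2) only
            set mode manual
            set src "LAN3_SUBNET"
            set dst "all"
            set priority-members 2
        next
        edit 2
            # Rule2: everyone else prefers WAN2, then WAN1 (order matters)
            set mode manual
            set src "all"
            set dst "all"
            set priority-members 2 1
        next
    end
end
# Both zones must also be listed as devices of the default static route.
# The deny policy is ordered above the allow: it is what keeps LAN3 offline
# instead of leaking out via WAN1 when WAN2 is down.
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "WAN1_ZONE"
        set srcaddr "LAN3_SUBNET"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "port3"
        set dstintf "WAN2_ZONE"
        set srcaddr "LAN3_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Policy IDs shown are only illustrative; on a live unit the deny must simply sit above any policy that could match port3 traffic toward WAN1_ZONE.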
Hey,
Ah, the Fortinet docs, a treasure trove of info! Good call on suggesting the Manual Selection Rule. That should definitely streamline things if you're only dealing with one preferred interface.
Thanks for sharing the link for more details. Always helpful to have the source right there. :thumbs_up:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/723448/manual-strategygoku.tu
Cheers,