Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Vurdalag
New Contributor II

Created on ‎08-28-2023 07:53 AM Edited on ‎02-26-2024 07:01 AM By Community Manager

Fortigate Route Trafic from Specific Interface to Specific WAN

Hi, I have Fortigate 60F and two ISP added to SD-WAN:

WAN1

WAN2

 

 

I would like always to route traffic from Interface "3" (Subnet 192.168.0.0/24) to ISP "WAN2" and never failover to ISP "WAN1". If "WAN2" is down then clients on Interface "3" will be offline (that is OK). When other interfaces can use WAN2 as primary ISP and failover to WAN1 ISP. 

If I will create below SD-WAN RULE then won't Interface "3" (192.168.0.0/24) failover to WAN1 in case of WAN2 is offline?

SD-WAN RuleSD-WAN Rule

 

Labels:
4230
0 Kudos
1 Solution
Vurdalag
New Contributor II
In response to Vurdalag

Created on ‎09-03-2023 01:29 PM Edited on ‎09-07-2023 12:03 AM

For the time being found three options how to block traffic originated from subnet 192.168.0.0 (port3) to be routed via WAN1 port even if WAN2 is physically down (cable unplugged):

 

1) Found on this resource absolutely the same issue what I have:

https://www.reddit.com/r/fortinet/comments/p7j1zl/restrict_certain_subnetinterface_from_using/

 

On port3 (subnet 192.168.0.0), I created secondray IP 100.64.0.1/24

Secondary IP addressSecondary IP address

 

Created two policy routes. First routing policy is to route always traffic from 192.168.0.0/24 subnet (port3) via WAN2 (Starlink):

Policy Route Nr. 1Policy Route Nr. 1

 

Second policy to route traffic from port3 to port3 with gateway as this port's secondary IP which is 100.64.0.1. Once WAN2 link is down (cable unplugged for example) then first routing policy is skipped and below is taking care of 192.168.0.0 traffic since will match:

Policy Route Nr. 2Policy Route Nr. 2

 

2) Another option, is two remove SD-WAN zone and make WAN1 and WAN2 as the separate interfaces. 

Configure failover between WAN1 and WAN2 using link-monitor as per below resource:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Redundant-Internet-connection-without-load...

 

Configure Policy to block traffic from 192.168.0.0 to WAN1

 

Not sure how practical is first approach but it is working without removing SD-WAN zone. Was tested and found working. 
2nd option was tested as well.

 

3) Under SD-WAN create two new zones:

WAN1 ZONE

WAN2 ZONE

 

Add WAN1 and WAN2 interfaces to respective zone. 

Create two SD-WAN rules:

- Rule1: Source Address specify subnet what you want to route via WAN2 only. Manual mode -> Interface Preference: WAN2

- Rule2: Source Address specify all remaining subnets what can access WAN2 and WAN1.  Manual mode -> Interface Preference: WAN2, WAN1 (order of interfaces is important)

Go to Routes -> Static Routes -> Add both new SD-WAN zones to Static Route Device fields

 

Configure SLA under SD-WAN

Configure Policy Firewall:

Top rule Block subnet 192.168.0.0/24 from accessing WAN1 (WAN1 ZONE as destination interface)

Second rule allow 192.168.0.0/24 subnet to access WAN2 interface (WAN2 ZONE as destination interface)

 

View solution in original post

3987
0 Kudos
10 REPLIES 10
qasimbashir6242
New Contributor III
In response to xsilver_FTNT

Created on ‎09-19-2023 01:03 AM

Hey,

Ah, the Fortinet docs, a treasure trove of info! Good call on suggesting the Manual Selection Rule. That should definitely streamline things if you're only dealing with one preferred interface.

Thanks for sharing the link for more details. Always helpful to have the source right there. :thumbs_up:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/723448/manual-strategygoku.tu

Cheers,

372
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.