Hi all,
I just want to ask if policy-based routing replaces static routes. We have 12 or so remote sites on IPsec site-to-site VPNs, and we have recently changed it so ALL traffic goes up via the VPN to our data centre and out through our main firewall. But we also want all remote sites to be able to get to all the other 11 remote VPN sites.
Now, for ALL traffic to go out via the VPN up to our main firewall, we used policy-based routes configured as the attached picture shows. But I am sure I had a firewall about a month ago where I could not get to another remote VPN site until I added a static route as well. Can someone please confirm/deny this behaviour? I do not really want to add all 26 of our networks as static routes on each remote VPN site if I don't have to.
Thank you in advance
My statement was based on what I've learned from the sentence in section 5.6.2 of the NSE4 Infrastructure study guide below. Folks from FTNT, please tell me if it is not appropriate to share sentences from the NSE material directly in this forum. If so, I'll never do it again.
"Remember, for a policy route to forward traffic out a specific interface, there should be an active route for that destination using that interface in the routing table. Otherwise the policy route will not work."
You have to have proper routes in the routing table. PBR just chooses one of them if multiple routes are available for a particular type (source, destination, service, and so on) of traffic you specify. PBRs never go into the routing table.
If you don't want to touch all remote FGTs when a new subnet is added on the hub side, use a routing protocol, like OSPF or BGP, over the VPNs.
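As an added illustration (not from any post in this thread, and not a Fortinet-supplied example), here is a minimal spoke configuration that follows the study-guide sentence quoted above: the routing table keeps an active route through the tunnel for every destination, so the policy route that forces LAN traffic into the tunnel has something to match against, and the other remote sites are reached through the hub without a per-site static route. Interface names ("wan1", "port2", "to-hub"), the LAN 192.168.11.0/24, a second site's LAN 192.168.12.0/24 and the WAN gateway 203.0.113.1 are placeholders assumed for the example, not taken from the thread. The trick that keeps two default routes active at once is giving them the same distance but different priorities; only the routing-table entry with the lower priority value is used by the FortiGate's own traffic (including IKE to the hub), but both stay in the table for policy routes to use.

```text
# Spoke FortiGate, route-based IPsec, assumed names and addresses (see lead-in).

# 1. Kernel routes. Two default routes with equal distance: wan1 is preferred
#    (lower priority value) so the IKE/ESP traffic to the hub leaves via the WAN,
#    while the "to-hub" default stays active in the routing table and covers the
#    data-centre subnets and all other remote-site LANs reached through the hub.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "to-hub"
        set distance 10
        set priority 10
        set comment "active route via the tunnel for every non-local destination"
    next
end

# 2. Policy route: everything arriving from the LAN goes into the tunnel.
#    Without route 2 above there would be no active route via "to-hub", and per the
#    study guide the policy route would be skipped and traffic would follow route 1.
config router policy
    edit 1
        set input-device "port2"
        set src "192.168.11.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "to-hub"
        set comment "force all LAN traffic to the hub firewall"
    next
end

# 3. Checks to run on the spoke CLI after applying the above:
#    get router info routing-table all              -> both 0.0.0.0/0 entries listed as S*
#    get router info routing-table details 192.168.12.1  -> the matching kernel route(s)
#    diagnose firewall proute list                  -> the policy route and its hit counter
#    diagnose sniffer packet to-hub 'host 192.168.12.1' 4   -> traffic for the other site entering the tunnel
```

If the spoke-to-spoke test still fails after both routes show up in the table, the remaining places to look are the hub (it needs routes back to each spoke LAN through the right tunnel, and firewall policies from tunnel to tunnel) and the phase 2 selectors, which must include the other sites' subnets, or 0.0.0.0/0, on both ends.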
"PBR just chooses one of them if multiple routes are available for a particular type (source, destination, service, and so on) of traffic you specify."
That's not correct. Policy routes have no dependencies on anything in the kernel route table.
Copyright 2024 Fortinet, Inc. All Rights Reserved.