Help on policy-based routing vs static routes
Hi all,
I just want to ask if policy-based routing replaces static routes? We have 12 or so remote sites on IPSEC site-to-site VPNs, and we have recently set it up so ALL traffic goes up via the VPN to our data centre and out through our main firewall. But we also want all remote sites to be able to get to all the other 11 remote VPN sites.
Now, for ALL traffic to go out via the VPN up to our main firewall, we used policy-based routes configured like the attached picture shows. But I am sure I had a firewall about a month ago where I could not get to another remote VPN site and had to add a static route in as well. Can someone please confirm/deny this behaviour? I do not really want to add all our 26 networks into each remote VPN site as static routes if I don't have to.
Thank you in advance
My statement was based on what I've learned from the sentence in 5.6.2 NSE4 infrastructure study-guide below. Folks from FTNT, please tell me if not appropriate to share sentences in this forum directly from the NSE material. Then, I'll never do it again.
"Remember, for a policy route to forward traffic out a specific interface, there should be an active route for that destination using that interface in the routing table. Otherwise the policy route will not work."
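An added model of the rule quoted above, written for this thread in Python (not Fortinet's code, and the addresses are constructed): a spoke's policy route only forwards out the tunnel when the routing table also holds a route to the destination via that tunnel, so a default route up the VPN covers the other remote sites, while a table with only specific routes needs a route per site.

```python
import ipaddress

# Constructed spoke-site configuration (example values, not from the thread).
# Routing table entries: (prefix, egress interface).
ROUTING_TABLE = [
    ("0.0.0.0/0", "vpn-hub"),    # default route: everything up the tunnel to the data centre
    ("192.168.1.0/24", "lan"),   # this site's local LAN
]

# Policy routes: (source prefix, destination prefix, output interface),
# checked top-down before the routing table; first match wins.
POLICY_ROUTES = [
    ("192.168.1.0/24", "0.0.0.0/0", "vpn-hub"),
]


def lookup_route(table, dst):
    """Longest-prefix match over the routing table; returns the egress interface or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(src, dst, table=ROUTING_TABLE, policies=POLICY_ROUTES):
    """Return the egress interface chosen for a src -> dst packet.

    Models the study-guide rule: a matching policy route is honoured only if the
    routing table has an active route to dst through the policy's output interface;
    otherwise the policy route is skipped and ordinary routing decides.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_pfx, dst_pfx, out_iface in policies:
        if s in ipaddress.ip_network(src_pfx) and d in ipaddress.ip_network(dst_pfx):
            # Interfaces through which the routing table could reach dst at all.
            backing = {iface for pfx, iface in table if d in ipaddress.ip_network(pfx)}
            if out_iface in backing:
                return out_iface
            break  # policy matched but has no backing route: fall through
    return lookup_route(table, dst)
```

With the default route in place, traffic to another remote site (192.168.2.0/24 here) goes up the tunnel; with only a specific route for the hub networks, the same policy route does nothing until a route for that site is added.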
You have to have proper routes in the routing table. PBR just chooses one of them if multiple routes are available for a particular type (source, destination, service, and so on) of traffic you specify. PBRs never go into the routing table.
If you don't want to touch all remote FGTs when a new subnet is added to the hub side, use a routing protocol, like OSPF or BGP, over the VPNs.
"PBR just chooses one of them if multiple routes are available for a particular type (source, destination, service, and so on) of traffic you specif"
That's not correct. Policy routes have no dependencies on anything in the kernel route table.
PCNSE
NSE
StrongSwan
