Hi everyone,
We have a FortiGate-200D running v5.4.5 here.
And we have two default routes.
We also have some VPNs.
Here is what I want to do:
corp vlan5's traffic should go out wan2, and all other traffic except VPN should go out wan1. How do I do that?
Here are my route policies:
I can't do a route policy like this:
!
set input-device "corp vlan1"
set src "0.0.0.0/0.0.0.0"
set dst "0.0.0.0/0.0.0.0"
set gateway wan1_IP
set output-device "wan1"
next
!
Because all the VPN traffic will go down...
Thank you for any answers.
Hi
The easiest solution would be an upgrade to a version > 5.6.0. The newer versions have an SD-WAN option with which you can configure your requirement, and the FortiGate does the work in the background:
https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/597321/redundant-internet-with-sd-wan
Otherwise I would try the following:
1. Create a default route as a static route, which is the gateway for most of your subnets
2. Create dedicated policy-based routing entries for the exceptions
Remember: policy-based routing should be an exception, and before using it think clearly about it! It makes troubleshooting more complex.
Cheers
Thank you for your reply.
I have tried that before.
If I do that, there is only one default route in the routing table. I created a policy route for the exceptions, but it didn't work. I think the exception needs the other default route, but that route is not in the table.
OK, the following should work:
config router static
    edit 1
        set gateway wan2_IP
        set device "wan2"
    next
end
config router policy
    edit 1
        set input-device "corp1_vlan"
        set src "10.64.0.0/255.255.255.0"
        set dstaddr "all"
        # on builds without dstaddr, use: set dst 0.0.0.0/0.0.0.0
        set gateway "wan1_IP"
        set output-device "wan1"
    next
end
Afterwards you can check with the debug flow command which route and firewall policy the traffic matches:
diagnose debug flow filter addr <client_IP>
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 5   # trace the first 5 packets
If the traffic is allowed, you can use the packet sniffer to get the outgoing device:
diagnose sniffer packet any 'host <client_IP>' 4
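A worked configuration for the procedure both replies describe (one static default route, policy routes only for the exceptions), added here as an example and not taken from either poster. The point it shows is the ordering: the FortiGate evaluates policy routes top-down by sequence number before it consults the routing table, and the first match wins, so a dst 0.0.0.0/0 entry from the VLAN captures VPN-bound packets too. Placing a policy route for the VPN remote subnet ahead of the catch-all keeps that traffic on the tunnel interface. The interface names (corp_vlan5, to_branch, wan1, wan2), subnets (10.64.5.0/24 LAN, 10.200.0.0/24 remote VPN LAN) and next hops (198.51.100.1, 203.0.113.1) are assumptions for illustration.

```fortios
# Added example, not from the thread. Assumed names and addresses:
#   corp_vlan5   = VLAN interface carrying the corp subnet 10.64.5.0/24
#   to_branch    = interface-mode IPsec phase1 name, remote LAN 10.200.0.0/24
#   198.51.100.1 = next hop on wan1, 203.0.113.1 = next hop on wan2
# Policy routes are matched top-down by sequence number before the routing
# table is consulted, so the VPN exception must carry the lower number.
config router policy
    edit 1
        # VPN-bound traffic from the VLAN is handed to the tunnel interface.
        # No gateway is needed; the IPsec interface is point-to-point.
        # Add one such entry per remote VPN subnet.
        set input-device "corp_vlan5"
        set src "10.64.5.0/255.255.255.0"
        set dst "10.200.0.0/255.255.255.0"
        set output-device "to_branch"
    next
    edit 2
        # Everything else from the VLAN leaves via wan2 and its next hop.
        set input-device "corp_vlan5"
        set src "10.64.5.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end
# Hosts on other VLANs match no policy route and follow the routing table:
# a single static default via wan1 plus the per-tunnel route for the VPN LAN.
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan1"
    next
    edit 2
        set dst 10.200.0.0 255.255.255.0
        set device "to_branch"
    next
end
```

Verify it with the debug flow and sniffer commands above from a host in 10.64.5.0/24: a packet to 10.200.0.0/24 should leave on to_branch and an Internet-bound packet on wan2, while a host on another VLAN should leave on wan1. If the tunnel is down, policy route 1 has no usable output device and the packet falls through to the routing table, so check the IPsec status first when VPN traffic unexpectedly appears on a WAN port.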
Thank you for your reply.
I knew that should work, and I have tested it before... That would interrupt all of the VPN traffic...
Because the VPN next hop should be the VPN's interface, not wan1. That is what is bothering me.