Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: How traffic rules works if I have 2 WAN Links
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How traffic rules works if I have 2 WAN Links
I have a basic doubt!!
I have 3 WAN links and I would like to use all these 3 WAN links for separate VLAN groups.
VLAN 10 - 10.128.10.0/24 --- WAN1
VLAN 20 - 10.128.20.0/24---- WAN2
VLAN 30 - 10.128.30.0/24 ----WAN3
If I create policies like below for all subnets with different wan int , I believe it will pass the traffic for the respective subnets through the respective WAN interface.
But what will happen for the other subnets ? Will the Device drop the connections or will it find the respective policies in the firewall and does the re routing??
Src Interface - internal
Src Add - 10.128.10.0/24
Dest - 0.0.0.0/0.0.0.0
Dest interface - WAN1
Src Interface - internal
Src Add - 10.128.20.0/24
Dest - 0.0.0.0/0.0.0.0
Dest interface - WAN2
Here what will happen if 10.128.20.121( machine) try to connect internet through WAN1 ? ( If there is no policy route in place)
I know we can enforce the networks traffic through a specific int with the help of policy route, But Is there any other way to enforce the network through a specific interface?
Nihas [\b]
Nihas [\b]
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nihas,
The way FortiGate works is that routing decisions are taken prior firewall policies are matched, so you must use policy routes to define which wan link should each lan use. If you just set all static routes with same distance and priority the FortiGate wil try to balance the traffic, so if the router layer sends the traffic for the first vlan through the wan2 and there is no policy defined for that, then it will match the implicit deny policy.
Be careful when using policy routes, as they are checked before static and connected routes, so if you define one with destination 0.0.0.0/0 it will match ALL the traffic, you must specified first rules for all other networks that you need to communicate.
Oscar Camacho
.....................................................................................
FCNSP v5
Oscar Camacho
.....................................................................................
FCNSP v5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Oscar Camacho :) Really Nice explanation.
So how would be scenario, if I need redundancy also?
For example,
What will happen if 10.128.20.121( machine) try to connect internet through WAN1 , but if the link is down ? ( policy route in place for enforcing the client to pass all traffic through WAN1)
Assumption
* I have created ECMP , gateway detection etc.
* I have created redundant firewall policy under LAN--> WAN2 for VLAN 10 users as well.
----------------------------------
In this case will it redirect the traffic through available interfaces? or
Do I need to create a second policy route with WAN 2 for redundancy?
Nihas [\b]
Nihas [\b]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nihas,
You should always keep in mind that router layer decides where the traffic is send, and firewall determines if it has permission.
The router layer first checks policy routes in the order presented and then static routes. Policy routes can have fallback policies, for example the first one for lan1 through wan1 and a second one for lan1 through wan2, if wan1 is up the traffic will always match the first rule, if wan1 is down (physically disconnected or detected by dead gateway detection) then the rules with that outgoing interface will be ignored and the second rule will be matched. Also if no other policy route is matched then the router will use a static route based on best-match.
This way is how you handle redundancy with routing. On the firewall side you just need to have the right policies to eventually match that traffic, you could use Zones for all the wan links a single Internet destination and handle the traffic distribution and redundancy on the router layer, or you could use different sets of permissions so when the backup link is in use you could block things like streaming if it' s a low bandwidth connection.
Example:
You have 3 wan links, you want to load balanced links 1 and 2 using ECMP with regular static routes, all your company traffic is send through this two and the 3rd link has a route with higher priority so it works as a backup. But you also want to use that 3rd connection for guest access, so you could use a policy route for that exception. Assuming dead gateway detection is properly configured and you have only that policy route, if links 1 and 2 are down then all traffic will use the 3rd link because of the backup static route, or if link 3 is down then the guest access traffic will use the balanced routes on 1 and 2 because the policy route was ignored and it fallbacks to the static routes. But it doesn' t mean that this is going to be allowed by the firewall, the policies could use a zone for 1 and 2, so company traffic has full access on this zone, but limited access on wan3, and guest access traffic has full access on wan3 but no access to the 1 and 2 zone.
Hope I explain it well and didn' t confuse you ;)
Oscar Camacho
.....................................................................................
FCNSP v5
Oscar Camacho
.....................................................................................
FCNSP v5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes Buddy..:)
Thanks !
Nihas [\b]
Nihas [\b]
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,698 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
209 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.