Hi to All,
I need a recommendation to the Routing Topic of a fortigate 100D with 5.2.3.
Customer has three WAN Connections and some internal LANs like WLAN, Client LAN, Server LAN etc.
He will force the traffic by the following way:
Clients --> WAN1
Server --> WAN2
WLAN --> WAN3
I created default routes for every three connections.
I created security policies
Client Rule - Incoming Interface and Client Network to WAN1 and ALL --> works fine
Server Rule - Incoming Interface (same as Clients) and Server Network to WAN2 --> no Internet access
WLAN Rule - Incoming Interface (another than the other ones) and WLAN Network --> no Internet Access
Until today I assumed that if the costs and priority are equal, I could force this by creating only the security policies for the example above, but it failed: if I create the default routes and the security policies, only one connection is possible.
It looks like the policies were not applied for the second and third WAN connection.
If I changed the priority of the routes for testing purposes, only the connection with lowest priority works.
I think I understand now what the system does, but how can I meet the customer requirements without creating hundreds of policy-based routes?
Thanks for any advice or recommendation!
Sven
FCNSA 5, FCNSP 5, NSE 4
Sounds like an easy job, but it doesn't work as easily as I assumed.
I have now tried the recommended policy-based routing, but here I have to handle about 50 networks (IPsec and internal networks).
Because if I create a policy-based route with 0.0.0.0/0.0.0.0 as target (it's impossible to tell the system to take only public networks here, like other appliances do), all traffic will be routed to this interface. So I have to create all my static routes as policy-based routes above the policy-based routes needed for the required WAN access. Really dislike this...
FCNSA 5, FCNSP 5, NSE 4
You can create a policy rule:
Incoming interface (all that apply)
source address / mask 0.0.0.0/0.0.0.0
destination address / mask your internal networks (may need to create multiple)
Then: Action "Stop Policy Routing" to fall back on your normal/default routes.
Here I found an entry that points me to new features:
The "negate" switch is really interesting for me, but it would be more powerful if I could combine "negate" with "multiple src-addresses". If this works, I could reduce the configuration to only 3 policy-based routes!
Has anybody already configured multiple source/destination subnets?
If yes, how can I add more than one src-address in a Policy Based Route?
I tried via CLI with comma-separated addresses and with spaces between the addresses, but nothing works.
Or did they mean the Policy that depends on the Policy Based Route?
FCNSA 5, FCNSP 5, NSE 4
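A worked version of the approach suggested in this thread (a "stop policy routing" rule for internal destinations first, then one policy route per LAN to its WAN), added here as an example and not taken from any of the posts above. Interface names, subnets and gateway addresses are constructed; the `config router policy` syntax with multiple `dst`/`input-device` values is FortiOS 5.4+ style and must be checked against the 5.2 CLI reference, where each destination range may need its own rule.

```fortios
# Added example (constructed names and addresses). Assumes three default
# routes with equal distance and priority already exist, one per WAN, and
# that static/IPsec routes to the internal networks are already configured.

# Policy routes are evaluated top-down. Rule 1 matches any source headed for
# RFC1918 space and stops policy routing (CLI: action deny), so that traffic
# falls back to the static and IPsec routes. Rules 2-4 then pin each LAN to
# its WAN for everything that is left, i.e. public destinations.
config router policy
    edit 1
        set input-device "lan-clients" "lan-servers" "wlan"
        set src "0.0.0.0/0.0.0.0"
        set dst "10.0.0.0/255.0.0.0" "172.16.0.0/255.240.0.0" "192.168.0.0/255.255.0.0"
        set action deny
    next
    edit 2
        set input-device "lan-clients"
        set src "10.1.0.0/255.255.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
    edit 3
        set input-device "lan-servers"
        set src "10.2.0.0/255.255.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
    edit 4
        set input-device "wlan"
        set src "10.3.0.0/255.255.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 192.0.2.1
        set output-device "wan3"
    next
end
```

The security policies from each LAN interface to wan1, wan2 and wan3 still have to exist; the policy routes only decide which egress the session takes before the policy lookup.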