Hi Engineers,
Can you please help me with how to set up policy-based routing? It would help if you could show me some screenshots of how to set it up so I can follow along.
Here is the scenario:
1.) On the PC (192.168.10.10), all HTTPS traffic should go to ISP1.
2.) The X-Lite application should go to ISP2, but my problem is that I do not know the port number of the X-Lite application. I already tried to use Wireshark and had no luck capturing it.
Attaching the network diagram
Regards Aaron
First you have to find the protocol and port number.
You can find it in the online sessions (Policy > Monitor > Session Monitor).
For example, if it's on TCP port 2000 you should create a policy route with:
Protocol Number: 6 (TCP)
Destination port: 2000
The other parameters are the source and destination IP or interfaces.
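The policy routes described in the reply above, written out in FortiOS CLI form as an added example (not part of the original thread). It assumes the LAN interface is named "internal", ISP1 is on "wan1" with gateway 203.0.113.1 and ISP2 is on "wan2" with gateway 198.51.100.1; change these to match the diagram. X-Lite is a SIP softphone, so UDP 5060 is used below as a placeholder for its signalling port, but that is an assumption: confirm the real protocol and port in the session monitor first, and note that the RTP media streams use dynamically negotiated ports, so a single-port policy route will steer signalling only. Matching on the source address alone (no protocol/port) is the alternative if everything from that PC except HTTPS should use ISP2.

```text
# Added example, not from the original post. Interface names, gateway
# addresses and the X-Lite port are assumptions; quoted CIDR syntax for
# src/dst is FortiOS 5.4+ (older releases take "address netmask").
config router policy
    edit 1
        set comments "HTTPS from the PC via ISP1"
        set input-device "internal"
        set src "192.168.10.10/32"
        set dst "0.0.0.0/0"
        set protocol 6
        set start-port 443
        set end-port 443
        set gateway 203.0.113.1
        set output-device "wan1"
    next
    edit 2
        set comments "X-Lite (port assumed, verify in session monitor) via ISP2"
        set input-device "internal"
        set src "192.168.10.10/32"
        set dst "0.0.0.0/0"
        set protocol 17
        set start-port 5060
        set end-port 5060
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

Policy routes are evaluated top to bottom and the first match wins, so keep the more specific HTTPS entry above any broader one. A policy route only chooses the exit; a firewall policy from "internal" to "wan1" and to "wan2" must still exist, or the steered traffic is dropped.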
Hello Engineers,
Can someone explain to me how policy routing based on one port works?
Let's imagine that we use policy routing and route telnet (port 23) to the DMZ interface while all other traffic goes to wan1 (default route).
As I know, the routing process is:
1. route cache match (diag ip rtcache list)
2. policy routes
3. routing table (FIB)
The output of "diag ip rtcache list" looks like:
... family=02 tab=254 vf=0 type=01 tos=0 flag=00000200 146.66.152.12@6(wan1)->192.168.0.161@3(internal) gwy=0.0.0.0 prefsrc=0.0.0.0 ci: ref=2 lastused=4150 expire=0 err=00000000 used=0 br=0 pmtu=1500 ...
Note, please, that this output doesn't contain port numbers (!) (OK, I don't know what @6 or @3 mean, but I don't think that it is a port number.)
What will happen in our case? We start telnet, and it will be routed to the DMZ. The route cache will get a new entry. Then we start a web browser and enter the same destination IP address. Because the route cache doesn't have info about the port number, but a new entry is present, will our packet be routed to the DMZ also??? Something is wrong. I don't realise how the route cache/policy route works...
Regards, Ramunas
Thank you.
In the firewall, something happens before routing, which is the session match.
So it will be like:
1) The session is matched using the 5-tuple (source IP, destination IP, source port, destination port, protocol).
If the session is matched with the above criteria, then the route cache will be used; otherwise:
2) Policy route look-up
3) Route table look-up
So in your case, when you start web browsing to the same address, the session will not match (as the port number is different), so it will go to step 2. Now the policy route will not match as the port is different, so in the next step the traffic will match the default route and be sent out wan1.
Hope it answers your query.
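A way to verify the lookup order described in the reply above on the box itself, added here as an example and not part of the original thread. It assumes a policy route for TCP port 23 with output-device "dmz" already exists, wan1 carries the default route, and 203.0.113.10 is the test host (an assumed address; use your own). The @6 and @3 in the rtcache output quoted in the question are interface indexes, printed with the interface name in parentheses; the same indexes appear in the dev= field of a session entry, which is where the per-session exit interface is recorded.

```text
# Added example, not from the original post. Destination address is assumed.

# 1. Confirm the policy route is installed and matches dport 23:23
#    (the listing also shows the in/out interface indexes it was compiled to)
diagnose firewall proute list

# 2. Open a telnet session to the host, then inspect its session entry:
#    the dev= pair shows the in and out interface indexes chosen for it
diagnose sys session filter clear
diagnose sys session filter dst 203.0.113.10
diagnose sys session filter dport 23
diagnose sys session list

# 3. Open a browser to the same host and inspect that session separately:
#    different destination port, different 5-tuple, different out interface
#    (wan1 via the default route) even though the destination IP is the same
diagnose sys session filter clear
diagnose sys session filter dst 203.0.113.10
diagnose sys session filter dport 80
diagnose sys session list

# 4. The route cache carries no port numbers; it is consulted only for
#    packets that already matched a session, so the two flows never share it
diagnose ip rtcache list

# To force a fresh lookup after changing a policy route, clear only the
# filtered sessions (never run "diagnose sys session clear" without a filter)
diagnose sys session filter clear
diagnose sys session filter dport 23
diagnose sys session clear
```

If the telnet session shows wan1 instead of the DMZ, check the policy route's input-device and protocol/port range first, then confirm a firewall policy from the LAN interface to "dmz" exists; without one the policy route is selected but the packet is dropped, and the session will never appear in the list.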
Copyright 2024 Fortinet, Inc. All Rights Reserved.