Support Forum
Aaron_Abrincia_Meimb
New Contributor II

Policy Based Routing based on port number

Hi Engineers,

Can you please help me with how to set up policy-based routing? It would help if you could show me some screenshots of how to set it up so I can follow along.

Here is the scenario:

1.) On the PC (192.168.10.10), all HTTPS traffic should go to ISP1.
2.) The Xlite application should go to ISP2, but my problem is that I do not know the port number of the Xlite application. I already tried to use the Wireshark application and had no luck capturing it.


Attaching the network diagram


Regards, Aaron

Network Engineer
4 REPLIES
norouzi
Contributor

First you have to find the protocol and port number.

You can find it in the online sessions (Policy > Monitor > Session Monitor).

For example, if it's on TCP port 2000, you should create a policy route with:


Protocol Number: 6 (TCP)

Destination Port: 2000

Other parameters are the source and destination IPs or interfaces.


ramunas
New Contributor II

Hello Engineers,

Who can explain to me how policy routing based on one port works?

Let's imagine that we use policy routing and route telnet (port 23) to the DMZ interface, while all other traffic goes to wan1 (default route).

As far as I know, the routing process is:
1. route cache match (diag ip rtcache list)
2. policy routes
3. routing table (FIB)

The output of "diag ip rtcache list" looks like:

... family=02 tab=254 vf=0 type=01 tos=0 flag=00000200 146.66.152.12@6(wan1)->192.168.0.161@3(internal) gwy=0.0.0.0 prefsrc=0.0.0.0 ci: ref=2 lastused=4150 expire=0 err=00000000 used=0 br=0 pmtu=1500 ...

Note, please, that this output doesn't contain port numbers (!). (OK, I don't know what @6 or @3 mean, but I don't think they are port numbers.)

What will happen in our case? We start telnet; it will be routed to the DMZ. The route cache will get a new entry. Then we start a web browser and enter the same destination IP address. Because the route cache doesn't have any info about the port number, but a new entry is present, will our packet be routed to the DMZ as well??? Something is wrong. I don't understand how the route cache/policy route works...

Regards, Ramunas

ramunas
New Contributor II

Thank you. 

ashukla_FTNT
Staff

In a firewall, something happens before routing, which is session matching.

So it will be like:

1) The session is matched using the 5-tuple (source IP, destination IP, source port, destination port, protocol).

   If a session is matched with the above criteria, then the route cache will be used; otherwise:

2) Policy route look-up

3) Route table look-up


So in your case, when you start web browsing to the same address, the session will not match (as the port number is different), so it will go to step 2. Now the policy route will not match either, as the port is different, so in the next step the traffic will match the default route and will be sent out wan1.


Hope it answers your query.
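A small model of the three-stage lookup order described in this reply (session match on the full 5-tuple, then policy route on protocol and destination port, then the routing table), added here as an illustration; it is not FortiOS code or anything from the original thread, and the policy route, interface names and sample flows are constructed assumptions chosen to match the telnet/web example above.

```python
from dataclasses import dataclass

# Constructed model of the lookup order described in the thread; not FortiOS code.
# Interface names and routes are assumptions chosen to match the telnet/web example.
POLICY_ROUTES = [  # (protocol number, destination port, egress interface); 6 = TCP
    (6, 23, "dmz"),
]
DEFAULT_ROUTE = "wan1"  # routing-table (FIB) result for everything else


@dataclass(frozen=True)
class Flow:
    """The 5-tuple the firewall uses to match an existing session."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int


class Forwarder:
    def __init__(self):
        # Session table: 5-tuple -> cached egress interface (the "route cache").
        self.sessions = {}

    def decide(self, flow):
        """Return (egress interface, stage that decided it) for one packet."""
        # 1) Session match on the full 5-tuple: a hit reuses the cached route.
        if flow in self.sessions:
            return self.sessions[flow], "session"
        # 2) Policy route look-up: only protocol and destination port are checked.
        for proto, port, iface in POLICY_ROUTES:
            if flow.proto == proto and flow.dst_port == port:
                egress, stage = iface, "policy-route"
                break
        else:
            # 3) Routing table look-up: the default route wins.
            egress, stage = DEFAULT_ROUTE, "routing-table"
        # The new session is created with the interface just chosen.
        self.sessions[flow] = egress
        return egress, stage


if __name__ == "__main__":
    fw = Forwarder()
    telnet = Flow("192.168.0.161", "146.66.152.12", 51000, 23, 6)
    web = Flow("192.168.0.161", "146.66.152.12", 51001, 80, 6)
    for f in (telnet, telnet, web):
        print(f.dst_port, fw.decide(f))
```

The second telnet packet hits the session table, while the web flow to the same destination misses both the session and the policy route and falls through to wan1, which is the behaviour the reply describes.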

