Hi all,
I edited my previous message. I have 2 paths to the same network:
1) One path using a static route to network A.
2) One path to network A because I'm directly connected.
In some cases I would like to route traffic using the static route, but if I try to route traffic to network A using a Policy Route (so that it does not go through the directly connected interface), the Policy Route does not work. I think it does not work because the connected route takes preference over the static route due to its administrative distance. I think policy routes only work when you have 2 equal routes to the same destination (same administrative distance and same priority).
I can't change the connected route AD and I can't change the AD of the static route to 0.
How can I route traffic to network A through the static route if I'm connected to network A? Could you help me?
Thanks
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Can you try splitting the static route? For example, if it is a /24 route, split it into two /25 subnets; that way these routes will be active (more specific than the /24).
192.168.0.0/24 can be 192.168.0.0/25 and 192.168.0.128/25.
The idea is to get more specific routes; if it is only a few IPs, then add them as /32 routes or smaller subnets.
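The reason the split works is that route selection compares prefix length before administrative distance, so a more specific static route beats a less specific connected route even though connected routes have the lower AD. The following Python script is an added illustration of that lookup order, not FortiGate code or anything from the original thread; the addresses, interface names (portX, portY), the gateway 10.0.0.1 and the AD values (connected 0, static 10, the FortiOS defaults) are constructed for the example. It runs the same destinations through three constructed tables: the overlapping /24s the original poster describes, the /25 split, and /32 host routes for only the routers that must keep the old path.

```python
"""Added illustration (not FortiGate code): how longest-prefix match decides
between a connected /24 and a static route to the same network A.
All addresses, interface names and gateways below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str           # egress interface, e.g. "portX" (constructed name)
    gateway: Optional[str]   # None for a directly connected route
    admin_distance: int      # FortiOS defaults: connected 0, static 10


# Constructed topology: network A is 192.168.0.0/24, reachable both directly
# on portY (connected) and via next-hop router 10.0.0.1 on portX (static).
NET_A = ipaddress.ip_network("192.168.0.0/24")
CONNECTED = Route(NET_A, "portY", None, 0)
STATIC_GW = "10.0.0.1"


def static(prefix: str) -> Route:
    """A static route towards network A (or part of it) out of portX."""
    return Route(ipaddress.ip_network(prefix), "portX", STATIC_GW, 10)


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Route selection as a forwarding table does it: the longest matching
    prefix wins; among equal prefix lengths the lowest administrative
    distance wins. Returns None when no prefix covers dst."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def egress(table: List[Route], dst: str) -> Optional[str]:
    """Interface the router would send a packet for dst out of."""
    route = best_route(table, dst)
    return route.interface if route else None


# Scenario 1: overlapping /24s. Same prefix length, so AD decides and the
# connected route (AD 0) always wins; the static /24 never forwards anything.
TABLE_OVERLAP = [CONNECTED, static("192.168.0.0/24")]

# Scenario 2: static split into two /25s. Both halves are more specific than
# the connected /24, so all of network A leaves via portX despite AD 10.
TABLE_SPLIT = [CONNECTED] + [static(str(s)) for s in NET_A.subnets(new_prefix=25)]

# Scenario 3: /32 host routes only for the routers that must keep the old
# path; every other host in network A still uses the connected portY.
KEEP_OLD_PATH = ["192.168.0.10", "192.168.0.11"]  # constructed addresses
TABLE_HOSTS = [CONNECTED] + [static(f"{h}/32") for h in KEEP_OLD_PATH]

if __name__ == "__main__":
    tables = [("overlap", TABLE_OVERLAP), ("split", TABLE_SPLIT), ("hosts", TABLE_HOSTS)]
    for name, table in tables:
        for dst in ("192.168.0.10", "192.168.0.200"):
            print(f"{name:8s} {dst:15s} -> {egress(table, dst)}")
```

Scenario 3 is the one that matches the requirement of keeping only a few routers on the old path: the /32 routes steer those hosts out of portX while the rest of the /24 stays on the connected interface. Two points to keep in mind when doing this on a real device: the host routes only influence what the firewall itself forwards, so the routers on the far side must still have a matching return path or the sessions become asymmetric, and the /32 entries should be removed once the migration is complete so they do not silently outlive it.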
Thanks for your help srajeswaran. Yes, it is the only way I can think of to control it. I don't see a way to do it with PBR since, from the tests I've done, PBR is only valid when there are 2 equal routes to a destination...
Can you share some more details on the requirement, for example which traffic should select the connected route and which one should select the alternate route? Is it specific to source or any specific service/application?
I can think of a few other ways of doing this. Really depends on why you want to do this though. Can you shed some more light onto the reason behind this?
One example of how you could accomplish this is setting up some DNAT entries and have traffic to network A use a different IP address. Depends again on your use case. If you are doing this because you need extra inspection for specific hosts, this might be a good way of doing it.
The other way is sticking Network A in a VDOM and then routing the VDOM either using your alternate path as option 1, or routing to it directly using the NPU VDOM link (connected route) as option 2.
Lots of ways to skin a cat. Give us some more insight into your use case and we can be more helpful.
Created on 03-07-2023 12:09 AM Edited on 03-07-2023 12:10 AM
Thanks for your help!!
I'm in a migration process. Currently I have a static route to reach network A and its routers.
I need some routers from network A to continue sending traffic to and receiving traffic from the FW through the current static route, and when I connect the firewall to network A directly, I need this to keep happening for some IPs on that network.
Firewall needs to:
- Route some traffic to network A hosts using a static route and port X.
- Route some traffic to network A hosts through its connected port Y to network A.
Network A is /24 subnet.
Thanks.
Can you perhaps show a topology diagram as well?
It seems to me the most sensible thing to do here is to keep your router inline with the endpoints and the firewall until the migration is complete. If you need some endpoints to route through the firewall, then the policy routing should happen on the router.
Hi @fortimaster,
Please be informed that a policy route will override the normal routing table.
I will give you the general idea.
Static route:
192.168.1.0/24 GW A
192.168.2.0/24 GW B
192.168.3.0/24 GW C
Traffic will be routed accordingly to GW A, B or C.
Policy route:
192.168.1.0/24 (destination) GW D
This means this subnet is forced to go to GW D only.
If traffic arrives at the FortiGate from GW A, the FortiGate responds using GW D.
Coming in via GW A, responding back via GW D.
This creates an asymmetric routing issue and traffic will not work.
You can specify "source" and "destination" to make the routing stricter.
However, policy routes are mostly used because of network design issues.
If the network design is correct, policy routes should be avoided.
How are we differentiating the traffic that is supposed to go via port X from the traffic expected to go out via port Y?