Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fortimaster
Contributor

Created on ‎03-03-2023 01:46 PM Edited on ‎03-04-2023 06:02 AM

Policy Route not working with connected route.

 

Hi all,

 

I edit my previous message. I have 2 paths to same network:

1º)One path using a static route to network A.

2º)One path to network A cause, im directly connected.

 

In some cases I would like to route traffic using the static route, but if I try to route traffic to network A using Policy Route (so that it not goes trough the directly connected interface), the Policy route not works. I think it not works cause the connected route take preference over the estatic route and its administrative distance . I think the policy routes only works when you have 2 equal routes to the same destination (same administrative distance and same priority).

 

I can't change the connected route AD and I can't change de AD of static route to 0. 

 

How can I route traffic to network A, trough the static route, If I'm connected to network A. Could you help me?

Thanks

 

 

 

 

 

Labels:
2330
0 Kudos
14 REPLIES 14
fortimaster
Contributor
In response to srajeswaran

Created on ‎03-11-2023 11:14 AM Edited on ‎03-11-2023 11:15 AM

Thanks all for your help and messages.

Capture.JPG

As you can see in the attached diagram, Firewall is connected to network 10.127.1.0/24 but he can reach it using 10.127.3.0 link. I need to route some traffic using red links and some traffic using black links.

The only way than i can do it, since the connected network has 0 of administrative distance, is to create more small routes (/25 , /26 etc) to each one of the 10.127.1.0 L3 switches that I want to reach using red links. I dont know another way to do it and inicially I tried to do it using PBR... But I think PBR can only be used when you have the same routes to the same destination (exactly AD). If the routes are not equal you cant use them.

Thanks.

543
0 Kudos
gfleming
Staff
Staff
In response to fortimaster

Created on ‎03-11-2023 12:21 PM

Does the Firewall need to have a link to the CORE on 10.127.1.0/24 during this migration? 

 

Why can't you route relevant migrated traffic to the FW (after removing the 10.127.1.0/24 link) using PBR on the DC Switch or CORE router?

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-source-NAT-to-enable-a-hair...

 

Can you also explain your migration? Is the FW going to be replacing the CORE router eventually?

Cheers,
Graham
540
fortimaster
Contributor
In response to gfleming

Created on ‎03-12-2023 12:22 AM

Hi gfleming. Traffic is going currently trough red link but in the future I want to pass all traffic trought black link and the red link between Core and Datacenter is going to be removed. But I need to change step by step and I need for some time, a mixed scenario.

534
0 Kudos
gfleming
Staff
Staff
In response to fortimaster

Created on ‎03-11-2023 12:43 PM

Or, alternatively, can you create a new link between the FW and the CORE router using a different subnet? Like a transit network? And you can route over this network to get to 10.127.1.0/24

Cheers,
Graham
537
fortimaster
Contributor
In response to gfleming

Created on ‎03-12-2023 12:29 AM Edited on ‎03-12-2023 12:31 AM

Yes, is another way to do it. Is a good idea...

But now using the closed masks I can do it using the closed networks masks. I need to put a lot of static routes (around 40), but I have already create them :)

532
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.