Policy based routing
Let me preface this post by saying I'm a novice at FortiGate configuration, but I've been doing Cisco and MikroTik config for over a decade.
I'm trying to do simple policy-based routing.
We have 2 gateways in our small office: 192.168.5.18 (FortiGate) and 192.168.5.1 (Cisco).
Test PC: 192.168.5.128
The default GW on the PC is the FortiGate (can't change this).
All I want to do is route all traffic from the PC to the internet via the Cisco.
It should be very simple; I'm attaching the screenshot.
When the policy is enabled, the PC can no longer access the internet, so something got blocked somewhere in the FortiGate.
I've done a packet capture on the Cisco and I don't see the traffic being forwarded from the FortiGate to the Cisco.
I've also added a policy (IPv4) to allow LAN to LAN (no NAT).
Still doesn't work.
Please help?
Thanks in advance.
Not an answer, but a question. Why do you need a Fortigate AND a Cisco?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Ultimately because I don't want to put my whole network basket into one vendor's solution.
But also because I have 2 ISPs and I'm far more comfortable with Cisco right now.
I can't even figure out port forwarding on the FortiGate. Might be related to the L2 limitations that toshiesumi mentioned.
L2 design problem with a FW. I saw a similar post this month or last month in this forum. The PC's GW is the FGT, and the FGT's default route goes to the Cisco. That's the outgoing direction. But for the return, the Cisco sees the PC on the LAN and sends packets directly back to the PC. The FGT only sees one direction of the traffic, so it must be flagging the traffic as erroneous and blocking it. For L3 devices this is not a problem. But with a FW (an L4 and application-layer device) it's a problem.
Thanks for the reply. "Normal" routing within a subnet typically sends a reply to the PC saying "contact the Cisco instead", right? Is this the difference with policy-based routing?
My suggestion would be to create a transit network between the FGT and the Cisco and route between the two. (Personally, I would forgo the Cisco and put the FortiGate at the edge.)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
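To make the asymmetric-routing explanation above and the transit-network suggestion concrete, here is an added simulation (not from this thread or from Fortinet) of what a generic stateful firewall sees during a TCP handshake in both designs. It uses the thread's addresses, a constructed internet host 203.0.113.10, and a deliberately simplified connection tracker that is an assumption about stateful inspection in general, not a model of FortiGate's actual session engine.

```python
"""Stateful firewall's view of PC <-> Internet TCP handshake in two LAN designs."""
from dataclasses import dataclass, field

PC, FGT, CISCO = "192.168.5.128", "192.168.5.18", "192.168.5.1"
INTERNET = "203.0.113.10"  # constructed example host on the internet


@dataclass
class StatefulFirewall:
    """Minimal connection tracker (assumed generic behaviour, not FortiGate's):
    SYN opens a half-open session, SYN-ACK completes it, a bare ACK is accepted
    only once the session is established. Anything else is dropped."""
    sessions: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def inspect(self, src, dst, flags):
        key = frozenset((src, dst))
        state = self.sessions.get(key)
        if flags == "SYN" and state is None:
            self.sessions[key] = "SYN_SENT"
            return True
        if flags == "SYN-ACK" and state == "SYN_SENT":
            self.sessions[key] = "ESTABLISHED"
            return True
        if flags == "ACK" and state == "ESTABLISHED":
            return True
        self.dropped.append((src, dst, flags, state))
        return False


def handshake(fw, return_path_via_fgt):
    """Outbound packets always cross the FGT: it is the PC's default gateway and
    the PBR sends them on to the Cisco. The reply crosses the FGT only when the
    Cisco's route back to the PC goes through it (transit-network design)."""
    ok = [fw.inspect(PC, INTERNET, "SYN")]            # PC -> FGT -> Cisco -> Internet
    if return_path_via_fgt:
        ok.append(fw.inspect(INTERNET, PC, "SYN-ACK"))  # Internet -> Cisco -> FGT -> PC
    # else: Cisco hands the SYN-ACK straight to the PC on the shared LAN; FGT never sees it
    ok.append(fw.inspect(PC, INTERNET, "ACK"))         # PC's ACK crosses the FGT again
    return all(ok), fw.dropped


def flat_lan_with_pbr():
    """Thread's topology: one LAN, FGT as PC gateway, PBR next-hop = Cisco."""
    return handshake(StatefulFirewall(), return_path_via_fgt=False)


def transit_network():
    """Bob's suggestion: a dedicated link FGT <-> Cisco so both directions pass the FGT."""
    return handshake(StatefulFirewall(), return_path_via_fgt=True)
```

In the flat-LAN case the firewall drops the PC's final ACK because it never saw the SYN-ACK, which is the "only sees one direction" symptom described above; with the transit network the handshake completes.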
