- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Policy route outbound to 0.0.0.0 and response ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Policy route outbound to 0.0.0.0 and response works fine, but inbound from 0.0.0.0 doesn't
I had a situation arise in which I need to host a service using https on a different interface than WAN1.
Typical setup with the default routing table using WAN1 and that ISP next hop router as the default gateway for 0.0.0.0/0.0.0.0, and all of that has been working fine for years.
Now I have a need to host a new https service, but through an alternate ISP that is connected to a subnet that is routed through the Internal LAN connected to the Internal switch interface on the firewall.
I created a new DMZ using a spare port and created a policy route for the server in that DMZ to send traffic through the Internal interface instead of WAN1. That server gets out fine, and can get Internet with no issues through the alternate ISP. It also shows a specific NAT address correctly that is set up for that ISP connection on whatismyip.com.
So outbound traffic for this server on the new DMZ with the policy route works perfectly. Inbound traffic is an issue.
For remote internal networks that I have defined on the firewall that come in through the Internal interface, I can connect to HTTPS on the server in the new DMZ perfectly. However, anything from 0.0.0.0/0.0.0.0 from the alternate ISP does not work. I do have the firewall rule policy set to allow from source 0.0.0.0 to the server in the new DMZ to allow all HTTPS traffic. But again, anything not defined in the firewall routing table can't connect.
I suspect that the policy route is working with traffic originating from the server in the new DMZ, but when traffic originating from 0.0.0.0, but from Internal rather than WAN1, is being received correctly, but then routed out WAN1 instead of being returned through the Internal interface.
Is this even possible? Or will traffic from undefined networks always be routed out WAN1, even if it comes from Internal and I have a policy route for that DMZ?
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a catch with Policy Routing.
PBR does indeed direct traffic _before_ routes in the routing table are looked up. But, and that is the catch, it then relies on the routing table to prevent RPF (reverse path failure, 'anti-spoof') checking to kill that traffic.
In short, with two source networks/ISPs with unknown addresses, you need two default routes. And with Fortigates, there is only one default route per system (that is, per VDOM).
But you can get a second default route into the live routing table, with these parameters:
- create a new static route,
destination: '0.0.0.0/0',
gateway: <ISP2 next hop router address>,
distance: SAME as for your first default route, by default 10,
now 'Advanced', 'Priority': set to 10 (anything > 0).
Net effect: the second default route will be placed into the routing table because it's got the same distance as the first one. Check that in 'Monitor'>'Routing'.
As it's priority (translate: 'cost') is higher, outbound traffic will still use the first default route. But, if you've got a PBR forcing traffic out to the second ISP, RPF check will now be satisfied and reply traffic from unknown sources into the second WAN port will be allowed.
You only need an additionial matching firewall policy to allow outbound traffic.
Please try it out and post back.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a catch with Policy Routing.
PBR does indeed direct traffic _before_ routes in the routing table are looked up. But, and that is the catch, it then relies on the routing table to prevent RPF (reverse path failure, 'anti-spoof') checking to kill that traffic.
In short, with two source networks/ISPs with unknown addresses, you need two default routes. And with Fortigates, there is only one default route per system (that is, per VDOM).
But you can get a second default route into the live routing table, with these parameters:
- create a new static route,
destination: '0.0.0.0/0',
gateway: <ISP2 next hop router address>,
distance: SAME as for your first default route, by default 10,
now 'Advanced', 'Priority': set to 10 (anything > 0).
Net effect: the second default route will be placed into the routing table because it's got the same distance as the first one. Check that in 'Monitor'>'Routing'.
As it's priority (translate: 'cost') is higher, outbound traffic will still use the first default route. But, if you've got a PBR forcing traffic out to the second ISP, RPF check will now be satisfied and reply traffic from unknown sources into the second WAN port will be allowed.
You only need an additionial matching firewall policy to allow outbound traffic.
Please try it out and post back.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the detailed info. I'll give this a shot on Monday and see how it goes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to have done the trick. It's working as intended now, and all original services are still working correctly through the original ISP.
Thanks for the help!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yay!
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a follow-up question for this.
Everything, as previously mentioned, is working smoothly, but I've noticed something. I'm sure it's just a result of the 2nd default route and it's priority, but wanted to ask if anything can be done.
When onsite and accessing the new https service from a network connected to the firewall (or defined in the routing table) the https page loads instantly as would be expected.
However, when connecting from an unknown network not defined in the routing table, it takes about 10 seconds for the page to load. I realize that this is probably from the firewall checking the routing table, looking at the default route with more priority, then looking at the route that matches the policy route, then allowing the traffic.
Is there anything that can be done to speed this up, or is that just a side effect of having to use the 2nd default route with a policy route?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Side effect? None that I know of.
10 seconds warrant that you have a look at how and where the packet/request is going, using
diag debug flow
In short:
di de flow show cons en (might be superfluous in v6)
di de flow sh fu en
di de flow sh ip en
di de flow filter saddr <IP of host where request comes from>
di de flow filter proto 6
di de flow filter dport 80 ...to just look at tcp/80 = HTTP
start tracing:
di de flow tra start 10
and initiate the HTTP request
Tracing will stop after 10 packets.
My guess is that traffic bounces between wan1 and wan2 for a while...let's see.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again. I'll give this a shot and see what comes back.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was going to do some debugging, but when I got home to do some testing off-site, everything was moving as fast as it should be, but I haven't made any changes or done any research on the firewall at all.
So it was apparently unrelated to the 2nd default route I added. I believe the secondary ISP I'm using to host that service was having some issues that just coincidentally happened after I completed the migration of this host to that connection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to hear your problem is solved. With green glasses on, you see the world in green...been there, done that.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
Labels
-
FortiGate
6,833 -
FortiClient
1,353 -
5.2
801 -
5.4
639 -
FortiManager
586 -
FortiAnalyzer
431 -
6.0
416 -
5.6
362 -
FortiAP
355 -
FortiSwitch
350 -
FortiClient EMS
277 -
FortiMail
267 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
166 -
6.4
128 -
FortiNAC
115 -
FortiGuard
108 -
IPsec
91 -
FortiSIEM
91 -
FortiGateCloud
90 -
FortiCloud Products
85 -
FortiToken
74 -
SSL-VPN
73 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
36 -
FortiDNS
35 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
25 -
High Availability
25 -
VLAN
24 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
DNS
16 -
Certificate
16 -
SAML
15 -
LDAP
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Authentication
12 -
fortilink
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
RADIUS
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiDeceptor
3 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.