Hi
I have a query regarding policy routes. We have a customer whose network is connected to our firewall as in the diagram. Their network overlaps with our own internal network subnets. In order to support our customer, we need to jump onto some servers on their network, say 10.40.1.10. We are using a RDP jump box, located in our DMZ, to jump across onto the customer network. The problem is that if we try and connect to 10.40.1.10 the firewall static route sends us out our internal interface instead of the customer interface. BTW we have devices on 10.40.1.0/24 in our network too but the RDP server doesn’t need to connect to them.
I am thinking about using policy routing to get around this issue on the FortiGate 100E. IS that something I can do, will the policy rule overrule the static route? am I on the right track or will I need to use NAT?
Solved! Go to Solution.
Yes a policy route does override the routing table so would do what you want.
under Network | policy route
click create new
protocol: any
incoming interface: DMZ
source address: 172.18.26.24/255.255.255.255
destination address: 10.40.1.10/255.255.255.255 (or select address objects)
Action: forward traffic
Outgoing interface: Customer
Gateway address: 10.40.1.1
Enable: yes
You will also need to add a firewall policy to allow the traffic
from DMZ to Customer
Source Destination Service NAT
172.18.26.24 10.40.1.10 RDP No
If you need to access several hosts in the Customer newtork and the jumpbox doesn't need to access the internal 10.40.1.0/24 subnet, then add the subnet 10.40.1.0/24 as the destination in the policy route so that any traffic to that subnet is sent to the customer network.
Correct but you could fix this with a DNAT VIP using one of your address and map to the customer server. Just add a internal dns name and have your users use it.
Ken Felix
PCNSE
NSE
StrongSwan
Yes a policy route does override the routing table so would do what you want.
under Network | policy route
click create new
protocol: any
incoming interface: DMZ
source address: 172.18.26.24/255.255.255.255
destination address: 10.40.1.10/255.255.255.255 (or select address objects)
Action: forward traffic
Outgoing interface: Customer
Gateway address: 10.40.1.1
Enable: yes
You will also need to add a firewall policy to allow the traffic
from DMZ to Customer
Source Destination Service NAT
172.18.26.24 10.40.1.10 RDP No
If you need to access several hosts in the Customer newtork and the jumpbox doesn't need to access the internal 10.40.1.0/24 subnet, then add the subnet 10.40.1.0/24 as the destination in the policy route so that any traffic to that subnet is sent to the customer network.
Correct but you could fix this with a DNAT VIP using one of your address and map to the customer server. Just add a internal dns name and have your users use it.
Ken Felix
PCNSE
NSE
StrongSwan
Hi, thanks for that and the PBR example.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.