- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Redirect specific traffic to VPN connection
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Redirect specific traffic to VPN connection
We have some problems when connecting to a certain website, tabs are loading intermittently but is loading fine to one of our office overseas. We have Fortigate firewalls on both location and a VPN configured to link both offices.
Now, from Office A (where I am now) we can' t access the website (WW.XX.YY.ZZ-WW.XX.YY.ZZ subnet range) completely and I want to redirect every connections made to that subnet range to our overseas office thru the existing VPN.
Firewall objects and Policy were already in place but when I tried to tracert the site, I am still connected locally and traffic are not even passing thru the VPN link.
What am I missing here?
24 REPLIES 24
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What type of VPN?
If the interface mode, the router did you write?
Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi as well,
you will need a static route pointing that subrange to the tunnel interface. All policies between your host and that website must allow traffic for that range.
This will work without changes in the VPN setup if you are using wildcard Quick Mode selectors (' 0.0.0.0/0' ) otherwise just create a second phase2 for this subnet.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Both offices have static IP' s with a VPN tunnel already in place w/c enables both offices for AD/DFS syncing.
Type of VPN: IPSec
-----
you will need a static route pointing that subrange to the tunnel interface. All policies between your host and that website must allow traffic for that range.
This will work without changes in the VPN setup if you are using wildcard Quick Mode selectors (' 0.0.0.0/0' ) otherwise just create a second phase2 for this subnet.
-----
Kindly tell me how to do this as I' m not sure on how to do it myself. What will I put on the Firewall Objects (Addresses) and so as the Policy.
For sample, lets say my location, office A has a static IP of: ZZZ.XXX.CCC.VVV and remote office has AAA.SSS.DDD.FFF.
Do I need to configure both Fortigate firewall?
Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not policies...the redirection will take place at the point where the FortiGate performs a routing lookup. Policies are basically Access Control Lists (on steroids, because of the UTM, NAT, shaping, etc.).
Assuming the website' s IP is 66.171.121.34 (using fortinet.com as an example), a sample static route would be:
config router static
edit 0
set dst 66.171.121.34 255.255.255.255
set dev tunnel_name
end
Regards, Chris McMullan Fortinet Ottawa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply Chris. But wow, CLI? Is there a way I can do this with Fortinet' s web interface? Instead of a single IP, could I do with IP range?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Of course!
Enable Advanced Routing as a feature under System > Config > Features, or else go to Routing under System > Network.
Create a new static route. Make the destination the IP of the website you want to visit via the VPN. Make the interface the Phase 1 tunnel name. Distance and metric won' t matter in this case, so click OK, and you' re done.
If you want a range, it' ll have to be on subnet mask boundaries.
You have to remember I spend more time in the CLI these days than the GUI, so it comes more naturally to list the commands than describe a GUI walk-through in the forums.
Regards, Chris McMullan Fortinet Ottawa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Chris,
Thanks again for the reply. Under System-> Network, I can only see Interface, DNS, DNS Server, Explicit Proxy, and Capture Packet - nothing w/c says Routing. Advance routing is also enabled on Config->Features.
Using Fortigate 100D.
Regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then there should be a complete section down the left-hand side called Router.
The path would be Router > Static > Static Routes, Create New, specify the destination subnet and interface, then click OK.
Regards, Chris McMullan Fortinet Ottawa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only problem with the options Static Route presents is that I cannot see anything related to our existing IPSec tunnel to point the traffic into.
Destination IP/Mask:
Device:
Gateway:
Distance:
Priority:
Comments:
Nothing stated under Gateway with our existing VPN connectivity.
What am I missing here?
Thanks.
Related Posts
Labels
-
FortiGate
6,655 -
FortiClient
1,327 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.