Hi All,
I've recently hooked up second internet connection with the intention of testing routing all our offsite backup traffic to it. I've gone round in circles for a couple of days and had some input from a local Fortigate Engineer but yet to have success. The only way I've had any result is specifying an entire subnet which isn't what I'm after.
This person seems to have had the exact same issue: https://forum.fortinet.com/tm.aspx?m=149904
I would like to specify 1 address from within a subnet and have specific traffic from that server routed through the second WAN connection. Surely there's a way?
Edit ** I should mention this is on a par of 60E's in HA running v6.0.5 build0268 (GA) **
Thanks in advance
I thought I replied to this post already but somehow doesn't show up.
The thread you're referring to was for FQDN destination over WAN LLB setup. WAN LLB is now SD-WAN. Are you trying to specify one FQDN destination to go through the added circuit? Then you just need to create an FQDN address object and use it in an SD-WAN rule to use only the circuit.
Hey, thanks for the reply.
Yes, I'm trying to specify one FQDN destination to go through the new circuit. I think the thing I'm missing here is SD-WAN, I was hoping to avoid using it as I would have to redefine a portion of my couple hundred policies already in place. More work than I would like for a testing project. PBR routing looked like such a simple solution but I guess that is not the case.
PBR is a static route with conditions. FQDN is not allowed (I guess it's because NOT static) in static routes.
Although I haven't tried myself but as long as you set the same default routes to both wan interfaces, then set the first policy for the FQDN dst to the second wan, and the second policy for "all" destinations to the original interface, I think it would work as you intend.
Try it to see if it works. If not, you can always to go SD-WAN.
Going SD-WAN would be the best option but that means re-configuring the WAN interfaces from scratch.
You can use PBR, just use the IP instead of the FQDN. If it has multiple IP's for the FQDN just add them all as the destination.
Remember once you start using PBR you have to add routes for everything in there. Create a default policy route out on the bottom for all traffic to your prefered interface, and add policy routes above it for everything else you want to point out over the other interface
@ShawnZA: no you do not have to reconfigure your WAN interfaces when you switch to SD-WAN. You just need to add them to sdwan. This requires that you remove or change the referring internet policies before.
To the original topic: I think you could also handle this with two default routes for the two wans and an expliciit policy that allows traffic outgoing (egress) to that FQDN only via the second wan.This has to come before the other internet policies then to be able to match first.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
You can't just add configured interfaces to SD-WAN. So as I said, re-configure meaning remove all rules from the existing WAN interface. If the interface is specified in any policy, object etc all needs to be undone. So there are many config changes that need to happen if you want to move your current WAN interfaces to a SD-WAN scenario..... the only thing that you don't have to change is the IP address....
yeah that's what I meant. That is all references to the interface need to be changed or removed (except ipsec tunnels). You could enable sdwan and then change the policies that use the wan interfaces to sdwan and then move the wan into sdwan.
just your words ("reconfigure interface") to me was a bit misundertandably.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I've just had a quick go at specifying the dest IP's but it hasn't worked but this may be due to one connection being via IP and the other PPPoE with a static gateway. Pretty sure I can see what I'm bumping up against now and it does look like it is achiveable without SD-WAN. Will continue on and report back.
"remove all rules from the existing WAN interface" Afterhours work I don't really need right now
We managed to get this working. The route to the 2nd connection's gateway was missing from the route table, the Static Route needed to be set to "Dynamic Gateway". After that we have succesfully applied a policy route using a source IP to destination FQDN. I will also test a source via FQDN and report back.
Thanks for the help, kicked us in the right direction.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.