Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: SSL VPN and dual WAN / default routes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 09-13-2007 03:27 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN and dual WAN / default routes
I' ve got a problem with my SSL VPN connections...
I' m running a Fortigate 500A, with two WAN links (T1, DSL) and one internal network link.
SSL VPN worked fine until I added the 2nd WAN link, and added a 2nd default route to allow web load sharing between it and the pre-existing T1.
Both static routes are:
0.0.0.0/0.0.0.0 > T1 router IP
0.0.0.0/0.0.0.0 > DSL router IP
After tweaking route order and priority, I was able to get web traffic to prefer the DSL route as I wanted, without having to use any policy routes.
But why is this breaking the return traffic to my SSL VPN tunnel clients? They can connect via the browser interface, but then are dropped within 30 secs, with no traffic ever received back from the firewall. Obviously, it' s being routed out the wrong gateway (DSL).
Any ideas?
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After tweaking route order and priority, I was able to get web traffic to prefer the DSL route as I wanted, without having to use any policy routes. But why is this breaking the return traffic to my SSL VPN tunnel clients? They can connect via the browser interface, but then are dropped within 30 secs, with no traffic ever received back from the firewall. Obviously, it' s being routed out the wrong gateway (DSL). Any ideas?" Re-tweak" again to ensure that: . T1 priority static route parameter is greater (lower value) than dsl, to ensure SSLVPN going to and back through T1 . use policy routes to route webtraffic throughout DSL Protocol = 6 (TCP) Incoming IF = internal Source = as required Destination= as required Destination Ports = 80 Force traffic to ->DSL iface You' ll need policies routes to manage traffic in a dual-wan scenario.
regards
/ Abel
regards
/ Abel
Not applicable
Created on 09-14-2007 07:40 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
" Re-tweak" again to ensure that: . T1 priority static route parameter is greater (lower value) than dsl, to ensure SSLVPN going to and back through T1There is my problem...I HAVE given route priority to the DSL gateway, which is what is re-routing return VPN traffic. Can I assume then ALL return traffic (ie FTP server or web server traffic) will return down the highest priority (lower value) gateway as well?
. use policy routes to route webtraffic throughout DSL Protocol = 6 (TCP) Incoming IF = internal Source = as required Destination= as required Destination Ports = 80 Force traffic to ->DSL ifaceI was leaving the ' Protocol' field blank, but was using dest port ' 80' to try and redirect web traffic to the DSL gateway, but for some reason it interferes with my users (10.1.1.0) routing correctly to my VOIP server / subnet (10.2.1.0) , which is defined as static route on the Fortigate.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is my problem...I HAVE given route priority to the DSL gateway, which is what is re-routing return VPN traffic.The important thing here is distinguish between the two wans with the priority parameter and establish the VPNSSL choosing the one with higher priority (lower value), dsl or T1 ( you choose).
Can I assume then ALL return traffic (ie FTP server or web server traffic) will return down the highest priority (lower value) gateway as well?only if you don' t set route policies to manage that traffic
I was leaving the ' Protocol' field blank,Don' t; work with 6 for TCP traffic, 17 for UDP traffic ans so on.
but for some reason it interferes with my users (10.1.1.0) routing correctly to my VOIP server / subnet (10.2.1.0) , which is defined as static route on the Fortigate.In my experience, policies routes supersedes static routes settings. Define a specific new policy route for that VOIP device and re-try Hope it helps.
regards
/ Abel
regards
/ Abel
Not applicable
Created on 09-14-2007 08:53 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The important thing here is distinguish between the two wans with the priority parameter and establish the VPNSSL choosing the one with higher priority (lower value), dsl or T1 ( you choose).I cleared out all static routes, and recreated them in the CLI. The T1 was the default route (" edit1" ), and the DSL was secondary (" edit2" ). I did not apply ' priority' because the edit order seems to accomplish the same thing---therefore I am now doubly confused about the function of the ' priority' parameter. Then, I created two policy routes: Protocol 6 internal interface internal subnet dest IP anywhere dest port 80 to 80 force to DSL gateway Protocol 6 internal interface internal subnet dest IP anywhere dest port 443 to 443 force to DSL gateway ...to route all http and https traffic to the DSL gateway. It works. Somehow, my 10.2.1.0 VOIP subnet routing issues seem to have vanished. Perhaps it was leaving the protocol field blank on my initial web traffic policy routes which was rerouting EVERYTHING out the DSL gateway? Thanks very much for your help Abel---your insight gave me the confidence boost I needed to know I was going about this the more-or-less correct way. Still, I' d like a better understanding of the use of setting static route ' priority' .
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cleared out all static routes, and recreated them in the CLI. The T1 was the default route (" edit1" ), and the DSL was secondary (" edit2" ). I did not apply ' priority' because the edit order seems to accomplish the same thing---therefore I am now doubly confused about the function of the ' priority' parameter.extracted from Release Notes pdf fortios 3.0 version: " Prior to FortiOS v3.00 MR1, if two equal cost static routes to a destination were configured, the FortiGate made a routing decision based on the sequence number - the order in which they were entered in the CLI or Web UI. FortiOS v3.00 MR1 removes this restriction by adding a priority argument to static routes. The priority argument now is responsible for breaking a tie between two equal cost routes - the lower the priority the higher the preference"
Still, I' d like a better understanding of the use of setting static route ' priority' .check also this forum thread, there' s a good paragraph from TAC' s guy named Stephane: http://support.fortinet.com/forum/tm.asp?m=31599&appid=&p=&mpage=1&key=&language=single&tmode=&smode=&s=#31670
regards
/ Abel
regards
/ Abel
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,776 -
FortiClient
1,783 -
5.2
801 -
FortiManager
739 -
5.4
639 -
FortiAnalyzer
565 -
FortiSwitch
479 -
Fortiap
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
253 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
193 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
108 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
Fortivoice
57 -
High Availability
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
RADIUS
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiGate-VM
22 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1741 | |
| 1109 | |
| 755 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.