Hi All,
An overview of the situation:
10.x.x.x DMZ:10.x.x.x | WAN1
[ WIFI ] ==========[ FortiGate ] == 18x.x.x.x
| |
|Internal |
| | WAN2
| == 19x.x.x VIP Webmail
============ | VIP Website
SSL VPN
We've placed an AP (Meraki) in the DMZ.
The AP serves the wireless clients and NATs the traffic to the DMZ.
The DMZ routes internet traffic to WAN1.
The AP on the DMZ must go out through WAN1 and not WAN2.
Internal traffic goes through WAN2 and not WAN1.
The default WAN2 route has a distance of 10.
The default WAN1 route has a distance of 20.
There used to be a policy route from the DMZ to WAN1.
The DMZ must never go to Internal (only the VIPs; with SSL VPN they can access internal resources).
Situation:
With the policy route the wireless clients couldn't access the website/webmail.
After removing the policy route, users could access webmail and the website (because it's routed to WAN2 instead of WAN1).
Clients still can't use the SSL VPN or access the portal when needed.
mail-> mail.website.com
portal->mail.website.com:10443
website->www.website.com
All three have their public DNS registered to the WAN2 IP.
Solution:
I thought it would be easy: the DMZ requests DNS, routes to the internet, and then it comes back in and uses the VIP.
So I set the following policies:
policy 1:
incoming interface: DMZ
source address: DMZ range
destination interface: WAN1
destination address: ALL
service:ALL
policy 2:
incoming interface: DMZ
source address: DMZ range
destination interface: internal
destination address: VIPS
Service: Https/http/smtp
This works for webmail and the website, but what needs to be set so that the SSL VPN will work as well?
Opening a ticket with Fortinet resulted in "no, can't be done, remove the policy route" (they troubleshot this issue for 4 hours and the solution isn't the right one).
What i want:
DMZ to WAN1
Internal to WAN2
DMZ needs to go through WAN1 and come back in on WAN2 (is that possible?). If for webmail/website/SSL VPN the DMZ needs to go to WAN2 I don't mind, as long as the other traffic goes through WAN1.
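The routes and policies described in the post, written out in FortiOS CLI syntax as an added example (this is not configuration taken from the original post or from Fortinet). The interface names (dmz, wan1, wan2, internal), the address and VIP object names, the policy IDs and the RFC 5737 / RFC 1918 placeholder addresses are all assumptions; the post only gives 10.x.x.x, 18x.x.x.x and 19x.x.x. The last stanza is included because the portal on :10443 is a listener on the FortiGate itself, not a VIP, which is why a DMZ-to-VIPs policy cannot match it.

```fortios
# Added example, not the poster's configuration. Interface names, object
# names, policy IDs and all addresses below are placeholders (assumptions).

# Default routes as stated in the post: WAN2 preferred (distance 10),
# WAN1 backup (distance 20). Internal traffic therefore follows WAN2.
config router static
    edit 1
        set device "wan2"
        set gateway 203.0.113.1        # placeholder WAN2 gateway
        set distance 10
    next
    edit 2
        set device "wan1"
        set gateway 198.51.100.1       # placeholder WAN1 gateway
        set distance 20
    next
end

# The policy route that used to force DMZ traffic out WAN1. With no dst
# restriction it matches every destination, including the WAN2 public IP
# that mail.website.com / www.website.com resolve to, so those flows were
# pushed out WAN1 instead of hairpinning back in on WAN2.
config router policy
    edit 1
        set input-device "dmz"
        set src "10.0.0.0/24"          # placeholder DMZ range
        set output-device "wan1"
        set gateway 198.51.100.1       # placeholder WAN1 gateway
    next
end

config firewall policy
    # Policy 1: DMZ -> WAN1, any destination, source-NAT to the WAN1 address.
    edit 0
        set name "DMZ-to-WAN1"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "DMZ_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Policy 2: DMZ -> Internal, only to the VIP objects and only the
    # published services. Nothing else from the DMZ reaches Internal.
    edit 0
        set name "DMZ-to-VIPs"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "DMZ_range"
        set dstaddr "VIP_Webmail" "VIP_Website"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "SMTP"
    next
end

# The SSL VPN portal (mail.website.com:10443) terminates on the FortiGate,
# not on a VIP, so policy 2 never sees it. The interfaces on which the
# FortiGate accepts portal connections are governed here; as written, it
# listens on WAN2 only, matching the post's setup.
config vpn ssl settings
    set port 10443
    set source-interface "wan2"
    set source-address "all"
end
```

Before changing anything, `diagnose firewall iprope lookup` or a `diagnose sniffer packet any 'port 10443'` run while a DMZ client attempts the portal will show which interface the connection arrives on and whether it is being forwarded or handled locally; that distinction (forwarded to a VIP versus terminated on the FortiGate) is the one the two policies above cannot cover on their own.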