Alimov
New Contributor II

policy routes

Hello. Please help me solve my problem. I have 2 FGT devices with a site-to-site VPN tunnel built between them. If WAN1 (on the FGT100D) fails, the active route is rebuilt through WAN2 and 192.168.50.110 becomes reachable again. That's fine, but the task was for all traffic from network 192.168.50.0 to go back into the VPN tunnel. For this I used policy routes. I created a policy and everything works: all requests to 192.168.50.110 go to the FGT100D and then on to the external network. But now the route is no longer rebuilt in case of a failure on WAN1 of the FGT100D. That is, if WAN1 is not available, traffic is not redirected to WAN2, even if I create one more policy route. Please tell me how I can keep resiliency when WAN1 fails and still wrap all traffic back to the FGT100D? Here are the settings of my equipment.

[Attached screenshots: Network diagram; Configuring interfaces FGT100D; Table of static routes 100D; FW Policy 100D; VPN tunnel 1 on the 100D; VPN tunnel 2 on the 100D; Configuring interfaces FGT80C; static routes; Policy routes 80C; FW Policy 80C; VPN tunnel 1 on the 80C; VPN tunnel 2 on the 80C]
ede_pfau
SuperUser

Hi, I don't think you have to use Policy Routing at all. The problem with PBR is that policy routes won't be deactivated/disabled if the interface goes down. Static routes will do just that: they vanish from the routing table if the interface fails. On the 80C, configure 2 static routes to the 192.168.254.0/24 subnet, both with the same distance but different priorities. Both will show up in the routing table but only one will be used. You did the same on the 100D side but used different distances, so you will only have one route in the routing table: wan1 by default, or wan2 if wan1 fails. BTW, you could compact your policy table by putting both VPN interfaces into a zone and configuring policies from 'internal' to 'zone' instead of duplicating every policy. The added benefit of VPN interfaces in a zone is that session failover is enabled.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
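A worked FortiOS CLI configuration for the two pieces of advice in the answer above (two static routes with the same distance but different priorities, and both tunnel interfaces grouped in a zone). This is an added example, not configuration from the original thread or from either poster. The interface names VPN1, VPN2 and internal, the zone name, the policy ID and the priority values are assumptions; the destination 192.168.254.0/24 is the subnet named in the answer. The same pattern applies to a default route (0.0.0.0/0) if all branch traffic, not just traffic to the head-office LAN, is to be sent through the tunnels.

```fortios
# On the FGT80C (branch). Both routes have the same distance, so both
# are installed in the routing table; the route with the LOWER priority
# value is used, and the other takes over when VPN1's interface goes down.
config router static
    edit 1
        set dst 192.168.254.0 255.255.255.0
        set device "VPN1"          # assumed tunnel interface name (via 100D wan1)
        set distance 10
        set priority 1             # preferred path
    next
    edit 2
        set dst 192.168.254.0 255.255.255.0
        set device "VPN2"          # assumed tunnel interface name (via 100D wan2)
        set distance 10            # same distance as route 1
        set priority 10            # backup path, used only when route 1 is gone
    next
end

# Group both tunnel interfaces into one zone so a single policy covers
# either path. An interface cannot be added to a zone while a firewall
# policy still references it directly, so remove or retarget such
# policies first.
config system zone
    edit "VPN-Zone"                # assumed zone name
        set interface "VPN1" "VPN2"
    next
end

# One policy from the LAN to the zone replaces the per-tunnel duplicates.
config firewall policy
    edit 10                        # assumed policy ID
        set name "internal-to-vpn"
        set srcintf "internal"     # assumed LAN interface name
        set dstintf "VPN-Zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Check: both routes should be listed for 192.168.254.0/24; after VPN1
# goes down only the VPN2 entry should remain.
get router info routing-table all
```

One caveat that bites in practice: the static route over VPN1 is only withdrawn once the VPN1 interface itself goes down, which happens when the IKE SA is gone. If the head-office WAN1 fails silently, the branch keeps sending into a dead tunnel until the SA times out, so enable dead peer detection on the phase1-interface (`set dpd on-idle` or `set dpd on-demand` under `config vpn ipsec phase1-interface`) to shorten the failover time.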
Alimov
New Contributor II

Thank you for helping me. The fact is that I need ALL traffic from the FGT80C to pass through the FGT100D. That is, if I'm on the computer 192.168.50.110 (branch office PC), I run Internet Explorer and enter google.com, the request should not go FGT80C -> google.com, but FGT80C -> FGT100D -> google.com.