Hi, I have this situation:
An on-premises network connects to the internet via the local FortiGate through the local ISP. I have a single VM that I need to force to use the tunnel from the on-premises FortiGate to a FortiGate in the cloud, and connect to the internet through the VPN. I have tried all possible configurations, but with PBR the VM continues to use the local ISP and does not use the VPN. I can't figure it out.
odg is the single IP of the VM.
Hi,
A PBR should do the trick, but I think that for the IPsec tunnel interface selected as Outgoing interface you would need to assign IP addresses on both ends in order for the action Forward Traffic to work - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-Firewall-Policy-Routes/ta-...
Then, of course, firewall rules on the local FGT and the remote end to allow the traffic.
L.E. I would also make an exemption for internal/RFC1918 subnets, if any are needed for this VM to communicate, at a higher position in the PBR table.
The most common misunderstanding when someone tries using policy routes on FGT is that both paths still need to have a proper route for the traffic to go out. In your case the default route needs to be in place for both the local internet interface and over the VPN. The priority can be lower for one of them. That's likely the reason it didn't work.
Toshi
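An added example (not from the thread or from Fortinet) of the FortiOS CLI pieces the two replies above describe: tunnel-interface IPs on both ends, a second default route over the tunnel with a worse priority so both paths stay routable, an RFC1918 exemption placed above the PBR entry, and the policy route itself. The interface names, the VM address 192.168.10.50 and the 10.255.0.x tunnel IPs are constructed; the remote FortiGate needs the mirror-image tunnel IP and matching firewall policies.

```fortios
# Tunnel interface: give the IPsec interface an IP on both ends so
# "Forward Traffic" on a policy route has a next hop to use.
config system interface
    edit "to-cloud"                      # constructed tunnel name
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
end

# Routing table: keep the existing default route via the ISP (priority 1)
# and ADD a default route over the tunnel. Same distance, worse priority,
# so the ISP still wins for everything except traffic matched by PBR.
config router static
    edit 20
        set dst 0.0.0.0 0.0.0.0
        set device "to-cloud"
        set distance 10
        set priority 20
    next
end

# Policy routes are evaluated top-down. Entry 1 stops policy routing for
# RFC1918 destinations so the VM still reaches internal subnets normally;
# entry 2 sends everything else from the VM into the tunnel.
config router policy
    edit 1
        set input-device "internal"      # constructed LAN interface name
        set src "192.168.10.50/255.255.255.255"
        set dst "10.0.0.0/255.0.0.0" "172.16.0.0/255.240.0.0" "192.168.0.0/255.255.0.0"
        set action deny                  # "Stop Policy Routing" in the GUI
    next
    edit 2
        set input-device "internal"
        set src "192.168.10.50/255.255.255.255"
        set output-device "to-cloud"
        set gateway 10.255.0.2           # remote tunnel IP from above
    next
end

# Firewall policy allowing the VM out through the tunnel (remote side
# needs the reverse policy plus its own egress to the internet).
config firewall policy
    edit 100
        set srcintf "internal"
        set dstintf "to-cloud"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Verify with `diagnose firewall proute list` to see the policy route entries and `get router info routing-table all` to confirm both default routes are present before testing from the VM.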
I did it, but it's not working. I also have SD-WAN in place with wan1 and modem4g, so it seems that takes precedence, but I cannot add the VPN IPsec interface as an SD-WAN member. My version 7.6.1 has a bug and I can't upgrade the firmware, which is absurd. At least the firmware upgrade should be possible without support for lab use. How can I do it?
I keep hearing the VM FGT has limitations/restrictions without a proper/valid license. Maybe that's one of them: you can't upgrade.
Toshi