Hello,
I am implementing a scenario in which I have branches connected to the headquarters through IPSec tunnels.
In my environment, I need to direct all traffic originating from the branch's local network through the IPsec tunnel so that this traffic destined for the internet uses the headquarters' WAN.
For other services at the branch, I need to use the local WAN link.
For example, branch office ether1, network 192.168.56.0/24, all traffic must be routed through the IPsec tunnel.
As for ether2, network 172.16.56.0/24, traffic must be directed through the local WAN.
I already have this environment working; I am using IPsec SDWAN to close the tunnels and make them redundant across different WANs, and my question/problem is the following.
For traffic originating from the branch network, 192.168.56.0/24, and destined for the internet to work, I must have a static default route created in the headquarters firewall with gateway to the WAN 10.100.100.2; without this, navigation will not be possible. It doesn't work even using an SDWAN rule to route; navigation through the tunnel only works if I have this default route active.
The problem is that, for this WAN, 10.100.100.2, I need to direct ONLY the traffic originating from the units' remote networks, other traffic I cannot direct to it, that is, the default route becomes a problem in my case.
I have been researching, but so far I have not been successful in finding a configuration recommendation for this environment, in which I need to be able to somehow use WAN1 (10.100.100.2) as the default route only for specific source networks, in practice, I would like to use SDWAN for this, but it didn't work in my environment.
I would like to know what the community recommends in this case.
Thank you very much in advance.
Hello,
To my understanding, you are trying to route all the internet traffic from the branches to the HQ connected via IPSec Tunnel.
In simple terms theoretically, you have 3 options:
1. Create an SD-WAN rule on the branches with source to their local networks and destination set to all; while destination interface should be the HQ IPSec Tunnel interface.
2. Create a static route with 0.0.0.0/0.0.0.0 and the outgoing interface set to the HQ IPsec Tunnel, as long as you have static IP assigned to branch WAN ports.
3. Create a policy route and enable Outgoing interface as HQ IPSec Tunnel:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
If any of these options do not work, then it probably needs to be troubleshot.
Hello,
Today the scenario already works, but for it to work, it is mandatory that I have a static route with 0.0.0.0/0.0.0.0 and gateway 10.100.100.2, to precisely direct traffic through the WAN2 of the headquarters.
However, this static route impacts my other accesses, such as traffic originating from Fortinet itself, for example.
My goal is to ensure that only traffic originating from remote networks uses the default route with gateway 10.100.100.2.
For this, I created SDWAN rules, but if I simply disable the 0.0.0.0/0.0.0.0 route, the branch traffic is not directed to WAN2 through the SDWAN rule.
Created on 07-31-2024 12:57 PM Edited on 07-31-2024 12:59 PM
Hello @TSTelecom
In this case, you can use policy route: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
So you can send the traffic for specific remote network to wan2.
I believe it will really resolve the issue. Thanks!!!
Another question, the policy-based route solves my problem in the branch -> head office -> wan -> internet direction.
But the return traffic, head office -> branch, is it an error to follow using a static route or SDWAN? Do I need to use policy-based too?
What do you suggest?
Created on 07-31-2024 02:13 PM Edited on 07-31-2024 02:13 PM
You can use any other options listed previously, for the return traffic initiated from HQ to the Branch. SD-WAN, Policy Route, or a Static Route will do the job.
Hello,
If that is the scenario you are going for, a policy route would be the best option. A policy route in FortiGate is a routing rule that directs traffic based on criteria such as source IP, destination IP, and other attributes, rather than just the destination IP address. It allows for more granular control over traffic routing by defining specific conditions under which traffic should follow a particular path or use a specific gateway.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/144044/policy-routes
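The following is an added example of what the policy-route suggestion above looks like on the headquarters FortiGate CLI; it is not configuration posted by anyone in the thread. The addresses come from the thread (branch LAN 192.168.56.0/24, HQ WAN2 gateway 10.100.100.2); the interface names "branch-tun" (the IPsec tunnel interface on the HQ side) and "wan2" are assumed names and must be replaced with the real ones. Because the policy route matches on the source network, only branch traffic is sent to 10.100.100.2, so the 0.0.0.0/0.0.0.0 static route that was affecting the FortiGate's own traffic is no longer required. The return direction (HQ to branch) is handled by an ordinary static route for the branch LAN pointing into the tunnel, as suggested in the reply about return traffic.

```fortios
# HQ FortiGate (example, not from the thread). Interface names are assumed.
# 1) Policy route: only traffic arriving from the branch tunnel with a
#    branch LAN source goes out wan2 towards the 10.100.100.2 gateway.
config router policy
    edit 1
        set input-device "branch-tun"
        set src "192.168.56.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.100.100.2
        set output-device "wan2"
    next
end

# 2) Return traffic: HQ reaches the branch LAN through the tunnel.
#    A static route is enough here; an SD-WAN rule would also work.
config router static
    edit 10
        set dst 192.168.56.0 255.255.255.0
        set device "branch-tun"
    next
end

# 3) Firewall policy allowing the branch LAN out of wan2 with NAT
#    (policy routes only pick the egress; a matching firewall policy is
#    still required for the traffic to be forwarded).
config firewall policy
    edit 100
        set name "branch-to-internet-via-wan2"
        set srcintf "branch-tun"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To confirm the policy route is installed and being hit, `diagnose firewall proute list` shows the configured policy routes with their hit counters, and `get router info routing-table all` should no longer list a 0.0.0.0/0 entry via 10.100.100.2 once the old static default route is removed. Policy routes are evaluated before the regular routing table, which is why the branch traffic still reaches wan2 without a default route in that table.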
Hello!
Thanks for your suggestion.
Copyright 2024 Fortinet, Inc. All Rights Reserved.