FortiGate
rmetzger, Staff
Article Id 197080
Description
This article describes an example of a Policy Based Routing configuration, with verification and troubleshooting steps.
 
The diagram for this scenario is as follows:
 
port 2 === LAN === [ FortiGate ] === port 1  ---- ISP1
                                 === port 3  ---- ISP2
 
The requirements are:
  • All HTTP and HTTPS traffic from the LAN must egress on port 3.
  • All other traffic from the LAN must be routed on port 1.

Solution
In this scenario, two Policy Based routes force TCP traffic with destination port 80 or 443 to egress on port3. All other traffic follows the normal routing process, i.e. a lookup of the routing table for a valid route.
 
Notes:
 
(1) Policy routes are evaluated from first to last entry, in the order displayed on the screen, and the first matching entry is used (stop-on-match). A broad entry placed above a more specific one therefore shadows it.
(2) A firewall policy from the input-device to the output-device of each policy route is still required. Policy routing only selects the egress interface; it does not bypass policy enforcement, so without a port2 to port3 policy the HTTP/HTTPS sessions would be dropped.
 
The CLI configuration is given below. The firewall policy and router policy indexes shown here depend on the existing configuration and may have to be adapted.
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

config router policy
    edit 1
        set input-device "port2"
        set protocol 6                  <<< PROTOCOL TCP
        set start-port 80               <<<
        set end-port 80                 <<< TCP PORTS
        set gateway 172.31.225.254      <<< ISP2 gateway
        set output-device "port3"
    next
    edit 2
        set input-device "port2"
        set protocol 6
        set start-port 443
        set end-port 443
        set gateway 172.31.225.254
        set output-device "port3"
    next
end

config router static
    edit 1
        set device "port1"
        set gateway 192.168.183.254
        set weight 50
    next
end
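The lookup order the notes describe (policy routes first, in sequence order with stop-on-match, then the routing table) can be modelled to reason about entry ordering before changing a production unit. The following is an added example, not part of this article or of FortiOS: it is a simplified Python model whose field names mirror the CLI keywords above, loaded with the configuration of this scenario. The matching semantics (protocol 0 meaning any protocol, the port range applying only to TCP/UDP, empty address lists meaning any address) are assumptions of the model, as are the RFC 5737 destination addresses used as input.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


# Assumed, simplified model of the FortiOS lookup order: policy routes first,
# in sequence order with stop-on-match, then the routing table.
@dataclass
class PolicyRoute:
    seq: int
    input_device: str
    output_device: str
    gateway: str
    protocol: int = 0             # assumed: 0 = any protocol
    start_port: int = 1           # destination port range, TCP/UDP only
    end_port: int = 65535
    srcaddr: List[str] = field(default_factory=list)   # CIDRs; empty = any
    dstaddr: List[str] = field(default_factory=list)


@dataclass
class StaticRoute:
    dst: str
    device: str
    gateway: str
    distance: int = 10


@dataclass
class Packet:
    in_device: str
    src: str
    dst: str
    protocol: int                 # 1 icmp, 6 tcp, 17 udp
    dport: Optional[int] = None


def _in_any(prefixes: List[str], ip: str) -> bool:
    if not prefixes:
        return True
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(p, strict=False) for p in prefixes)


def match_policy_route(routes: List[PolicyRoute], pkt: Packet) -> Optional[PolicyRoute]:
    """First matching entry in sequence order wins (stop-on-match)."""
    for r in sorted(routes, key=lambda r: r.seq):
        if r.input_device != pkt.in_device:
            continue
        if r.protocol and r.protocol != pkt.protocol:
            continue
        if pkt.protocol in (6, 17) and not (r.start_port <= (pkt.dport or 0) <= r.end_port):
            continue
        if not _in_any(r.srcaddr, pkt.src) or not _in_any(r.dstaddr, pkt.dst):
            continue
        return r
    return None


def lookup_routing_table(statics: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Longest-prefix match; lower administrative distance breaks ties."""
    a = ipaddress.ip_address(dst)
    best, best_key = None, None
    for s in statics:
        net = ipaddress.ip_network(s.dst, strict=False)
        if a in net:
            key = (net.prefixlen, -s.distance)
            if best_key is None or key > best_key:
                best, best_key = s, key
    return best


def egress(routes, statics, pkt) -> Tuple[Optional[str], Optional[str], str]:
    """Return (output device, gateway, reason) for one packet."""
    r = match_policy_route(routes, pkt)
    if r is not None:
        return r.output_device, r.gateway, f"policy route {r.seq}"
    s = lookup_routing_table(statics, pkt.dst)
    if s is not None:
        return s.device, s.gateway, "routing table"
    return None, None, "no route"


# The configuration of this article, loaded into the model.
POLICY_ROUTES = [
    PolicyRoute(1, "port2", "port3", "172.31.225.254", protocol=6, start_port=80, end_port=80),
    PolicyRoute(2, "port2", "port3", "172.31.225.254", protocol=6, start_port=443, end_port=443),
]
STATIC_ROUTES = [StaticRoute("0.0.0.0/0", "port1", "192.168.183.254")]

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address used as a constructed destination.
    for p in (Packet("port2", "10.160.0.10", "203.0.113.10", 6, 80),
              Packet("port2", "10.160.0.10", "203.0.113.10", 17, 53),
              Packet("port2", "10.160.0.10", "203.0.113.10", 1)):
        print(p.protocol, p.dport, egress(POLICY_ROUTES, STATIC_ROUTES, p))
```

Prepending a broad TCP entry with a lower sequence number to POLICY_ROUTES makes the model return that entry for port 80 traffic, which is exactly the shadowing note (1) warns about; dropping the static route shows that non-HTTP traffic then has no route at all, because the policy routes never match it.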
Verification and troubleshooting
 
 
1. Check that the static default route is present in the routing table and points to port1:
 
FGT # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.183.254, port1, [0/50]
C 10.160.0.0/23 is directly connected, port2
C 172.31.224.0/23 is directly connected, port3
C 192.168.182.0/23 is directly connected, port1
 
 
2. Make sure the gateway defined in the policy based route is reachable:
 
FGT# execute ping 172.31.225.254
PING 172.31.225.254 (172.31.225.254): 56 data bytes
64 bytes from 172.31.225.254: icmp_seq=0 ttl=64 time=0.2 ms
 
 
3. A sniffer trace shows which interface is used for each traffic type:
 
FGT # diagnose sniffer packet any "port 53 or icmp" 4
1.033504 port2 in 10.160.0.10 -> x.39.139.53: icmp: echo request
1.033530 port1 out 192.168.182.110 -> x.39.139.53: icmp: echo request
4.100644 port2 in 10.160.0.10.2168 -> x.2.2.1.53: udp 42
4.100711 port1 out 192.168.182.110.32988 -> x.2.2.1.53: udp 42
 
The above example shows that ping and DNS are routed on port1.

FGT # diagnose sniffer packet any "port 80 or port 443" 4
50.378968 port2 in 10.160.0.10.2206 -> x.70.202.225.80: syn 2697527219
50.379013 port3 out 172.31.224.110.47162 -> x.70.202.225.80: syn 2697527219
50.594652 port3 in x.70.202.225.80 -> 172.31.224.110.47162: syn 3654649874 ack 2697527220
50.594698 port2 out x.70.202.225.80 -> 10.160.0.10.2206: syn 3654649874 ack 2697527220
88.275430 port2 in 10.160.0.10.2215 -> x.39.139.188.443: ack 3459018393
88.275441 port3 out 172.31.224.110.55299 -> x.39.139.188.443: ack 3459018393
88.278017 port2 in 10.160.0.10.2215 -> x.39.139.188.443: psh 1598472 ack 3459018393
88.278024 port3 out 172.31.224.110.55299 -> x.39.139.188.443: psh 1598472 ack 3459018393

The above example shows that HTTP and HTTPS are egressing on port3.
 
 
4. Further troubleshooting with a diagnose debug flow (example on port 80):
 
FGT# diagnose debug flow filter port 80
FGT# diagnose debug flow show console enable
FGT# diagnose debug flow trace start 10
FGT# diagnose debug enable
id=36870 trace_id=21 msg="vd-root received a packet(proto=6,10.160.0.10:2232 >x.115.88.31:80) from port2."
id=36870 trace_id=21 msg="allocate a new session-0000017f"
id=36870 trace_id=21 msg="Match policy routing: to 172.31.225.254 via ifindex-4"
id=36870 trace_id=21 msg="find a route: gw-172.31.225.254 via port3"
id=36870 trace_id=21 msg="find SNAT: IP-172.31.224.110, port-49180"
id=36870 trace_id=21 msg="Allowed by Policy-2: SNAT"
id=36870 trace_id=21 msg="SNAT 10.160.0.10->172.31.224.110:49180"
 
The messages "Match policy routing" and "find a route: gw-172.31.225.254 via port3" confirm that the policy route was applied, and "Allowed by Policy-2" confirms that the port2 to port3 firewall policy (index 2 above) accepted the session, as required by note (2).
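Steps 3 and 4 are easy to misread when a capture contains reply packets, since a packet leaving on the LAN interface carries the client's ephemeral port rather than 80 or 443. The following is an added example, not part of this article: a Python checker that parses the sniffer and debug flow output shown above (embedded here as constructed sample input, with the article's "x." anonymisation kept) and verifies that HTTP/HTTPS left on port3 and everything else on port1. The interface roles (LAN_IF, DEFAULT_IF) and the expected-egress table are assumptions that describe this scenario.

```python
import re
from collections import defaultdict, namedtuple

# Assumed layout of this scenario: LAN on port2, default WAN on port1,
# HTTP/HTTPS forced out port3 by the policy routes.
LAN_IF = "port2"
DEFAULT_IF = "port1"
EXPECTED = {("tcp", 80): "port3", ("tcp", 443): "port3"}

# Constructed sample: the 'diagnose sniffer packet any ... 4' lines of this article.
SNIFFER_OUTPUT = """\
1.033504 port2 in 10.160.0.10 -> x.39.139.53: icmp: echo request
1.033530 port1 out 192.168.182.110 -> x.39.139.53: icmp: echo request
4.100644 port2 in 10.160.0.10.2168 -> x.2.2.1.53: udp 42
4.100711 port1 out 192.168.182.110.32988 -> x.2.2.1.53: udp 42
50.378968 port2 in 10.160.0.10.2206 -> x.70.202.225.80: syn 2697527219
50.379013 port3 out 172.31.224.110.47162 -> x.70.202.225.80: syn 2697527219
50.594652 port3 in x.70.202.225.80 -> 172.31.224.110.47162: syn 3654649874 ack 2697527220
50.594698 port2 out x.70.202.225.80 -> 10.160.0.10.2206: syn 3654649874 ack 2697527220
88.275430 port2 in 10.160.0.10.2215 -> x.39.139.188.443: ack 3459018393
88.275441 port3 out 172.31.224.110.55299 -> x.39.139.188.443: ack 3459018393
"""

# Constructed sample: the 'diagnose debug flow' lines of this article.
DEBUG_FLOW = """\
id=36870 trace_id=21 msg="vd-root received a packet(proto=6,10.160.0.10:2232 >x.115.88.31:80) from port2."
id=36870 trace_id=21 msg="allocate a new session-0000017f"
id=36870 trace_id=21 msg="Match policy routing: to 172.31.225.254 via ifindex-4"
id=36870 trace_id=21 msg="find a route: gw-172.31.225.254 via port3"
id=36870 trace_id=21 msg="find SNAT: IP-172.31.224.110, port-49180"
id=36870 trace_id=21 msg="Allowed by Policy-2: SNAT"
"""

Pkt = namedtuple("Pkt", "ts iface direction src dst proto dport")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(in|out)\s+(\S+)\s+->\s+(\S+):\s+(.*)$")


def parse_sniffer(text):
    """Parse verbosity-4 sniffer lines into Pkt tuples; unparseable lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, iface, direction, src, dst, info = m.groups()
        if info.startswith("icmp"):
            proto, dport = "icmp", None          # ICMP hosts carry no .port suffix
        else:
            proto = "udp" if info.startswith("udp") else "tcp"
            dst, port = dst.rsplit(".", 1)       # split host.port on the last dot
            dport = int(port)
        pkts.append(Pkt(float(ts), iface, direction, src, dst, proto, dport))
    return pkts


def egress_summary(pkts, lan_if=LAN_IF):
    """Map (proto, dport) -> set of WAN interfaces LAN-originated traffic left on.
    Only 'out' packets on a non-LAN interface count: 'out' on the LAN interface is
    the reply direction, whose destination port is the client's ephemeral port."""
    summary = defaultdict(set)
    for p in pkts:
        if p.direction == "out" and p.iface != lan_if:
            summary[(p.proto, p.dport)].add(p.iface)
    return dict(summary)


def check_egress(pkts, expected=EXPECTED, default_if=DEFAULT_IF, lan_if=LAN_IF):
    """Return (proto, dport, seen_if, expected_if) for every flow on the wrong WAN."""
    problems = []
    for (proto, dport), ifaces in egress_summary(pkts, lan_if).items():
        want = expected.get((proto, dport), default_if)
        problems.extend((proto, dport, seen, want) for seen in ifaces if seen != want)
    return problems


def summarize_debug_flow(text):
    """Extract the routing decision and accepting firewall policy from debug flow output."""
    res = {"policy_route_gw": None, "gateway": None, "egress": None, "fw_policy": None}
    for line in text.splitlines():
        m = re.search(r'msg="Match policy routing: to (\S+) via', line)
        if m:
            res["policy_route_gw"] = m.group(1)
        m = re.search(r'msg="find a route: gw-(\S+) via (\S+)"', line)
        if m:
            res["gateway"], res["egress"] = m.group(1), m.group(2)
        m = re.search(r'msg="Allowed by Policy-(\d+):', line)
        if m:
            res["fw_policy"] = int(m.group(1))
    return res


if __name__ == "__main__":
    print(egress_summary(parse_sniffer(SNIFFER_OUTPUT)))
    print("violations:", check_egress(parse_sniffer(SNIFFER_OUTPUT)))
    print(summarize_debug_flow(DEBUG_FLOW))
```

On a live unit, pipe the sniffer output into parse_sniffer instead of the embedded sample; an empty list from check_egress means every captured LAN-originated packet left on the interface the requirements call for, and a non-empty summarize_debug_flow "policy_route_gw" with "egress" equal to port3 reproduces the confirmation described in step 4.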
