I'm stuck with a problem that seems to be above my head because I don't have a lot of experience with complex routing. It looks like maybe the more recently added auxiliary session feature might be helpful, but it's not clear to me.
So we have two ISPs, and then upper management signed a contract with Comcast for IPTV, not really knowing what it was until after the fact. It requires that we get all Comcast routes within their autonomous system via BGP, such that everything Comcast-related goes in and out that IPTV interface. Our external IP range also has to be advertised over there to make this work. The trouble is that this includes all Comcast broadband customers, which creates a variety of headaches because they are so big. Most of our employees end up getting to our VPN and websites via this link, which is intended for IPTV and is 1/4 the size of everything else. The documentation I have from them only says that I can prevent advertisements outside of their AS with community codes, but not differentiate within it. And they are less than helpful.
I can't see a way to solve the problem without turning on asymmetric routing. IPTV is just ports 80 and 443, so the only hook is the Fortinet application signatures, which, as far as I can tell, can't be used for policy routing and probably wouldn't be reliable enough if they could. I could subnet our range so that Comcast customers see our services on different routes, but then the routing table would still send Comcast traffic back out the IPTV interface.
Is there a way on the Fortinet to force traffic back out the same interface it came in on, regardless of the routing table, or some other fix I am not aware of? I need to get Comcast ISP customers to use our ISP to get to us, but still get other Comcast traffic to go out the IPTV circuit. Any ideas on anything else that I might be missing or should look for?