Support Forum
Nihas
New Contributor

How traffic rules works if I have 2 WAN Links

I have a basic doubt!! I have 3 WAN links and I would like to use all these 3 WAN links for separate VLAN groups.

VLAN 10 - 10.128.10.0/24 --- WAN1
VLAN 20 - 10.128.20.0/24 --- WAN2
VLAN 30 - 10.128.30.0/24 --- WAN3

If I create policies like below for all subnets with different WAN interfaces, I believe it will pass the traffic for the respective subnets through the respective WAN interface. But what will happen for the other subnets? Will the device drop the connections, or will it find the respective policies in the firewall and do the re-routing?

Src Interface - internal
Src Add - 10.128.10.0/24
Dest - 0.0.0.0/0.0.0.0
Dest interface - WAN1

Src Interface - internal
Src Add - 10.128.20.0/24
Dest - 0.0.0.0/0.0.0.0
Dest interface - WAN2

Here, what will happen if 10.128.20.121 (machine) tries to connect to the internet through WAN1? (If there is no policy route in place.) I know we can enforce the network's traffic through a specific interface with the help of a policy route, but is there any other way to enforce the network through a specific interface?
4 replies
oscarcamacho
New Contributor

Hi Nihas,

The way FortiGate works is that routing decisions are taken before firewall policies are matched, so you must use policy routes to define which WAN link each LAN should use. If you just set all static routes with the same distance and priority, the FortiGate will try to balance the traffic, so if the router layer sends the traffic for the first VLAN through WAN2 and there is no policy defined for that, then it will match the implicit deny policy.

Be careful when using policy routes, as they are checked before static and connected routes, so if you define one with destination 0.0.0.0/0 it will match ALL the traffic; you must first specify rules for all other networks that you need to communicate with.
Oscar Camacho, FCNSP v5
Nihas
New Contributor

Thanks Oscar Camacho :) Really nice explanation.

So how would the scenario be if I need redundancy also? For example, what will happen if 10.128.20.121 (machine) tries to connect to the internet through WAN1, but the link is down? (Policy route in place for enforcing the client to pass all traffic through WAN1.)

Assumptions:
* I have created ECMP, gateway detection etc.
* I have created a redundant firewall policy under LAN --> WAN2 for VLAN 10 users as well.

In this case will it redirect the traffic through the available interfaces? Or do I need to create a second policy route with WAN2 for redundancy?
oscarcamacho
New Contributor

Hi Nihas,

You should always keep in mind that the router layer decides where the traffic is sent, and the firewall determines if it has permission. The router layer first checks policy routes in the order presented and then static routes. Policy routes can have fallback policies, for example the first one for lan1 through wan1 and a second one for lan1 through wan2: if wan1 is up the traffic will always match the first rule; if wan1 is down (physically disconnected or detected by dead gateway detection) then the rules with that outgoing interface will be ignored and the second rule will be matched. Also, if no other policy route is matched then the router will use a static route based on best match. This is how you handle redundancy with routing.

On the firewall side you just need to have the right policies to eventually match that traffic. You could use Zones for all the WAN links as a single Internet destination and handle the traffic distribution and redundancy on the router layer, or you could use different sets of permissions so that when the backup link is in use you could block things like streaming if it's a low bandwidth connection.

Example: You have 3 WAN links, you want to load balance links 1 and 2 using ECMP with regular static routes, all your company traffic is sent through these two, and the 3rd link has a route with higher priority so it works as a backup. But you also want to use that 3rd connection for guest access, so you could use a policy route for that exception. Assuming dead gateway detection is properly configured and you have only that policy route, if links 1 and 2 are down then all traffic will use the 3rd link because of the backup static route, or if link 3 is down then the guest access traffic will use the balanced routes on 1 and 2 because the policy route was ignored and it falls back to the static routes.

But it doesn't mean that this is going to be allowed by the firewall: the policies could use a zone for 1 and 2, so company traffic has full access on this zone but limited access on wan3, and guest access traffic has full access on wan3 but no access to the 1 and 2 zone. Hope I explained it well and didn't confuse you ;)
Oscar Camacho, FCNSP v5
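Oscar's two replies describe one lookup order: policy routes in order (a rule whose outgoing link is down is skipped), then best-match static routes with ECMP on ties, and only then the firewall policy or the implicit deny. The following is an added Python model of that order, not FortiGate code and not from the thread's participants; it uses the question's VLAN 20 / 10.128.20.121 setup, and the interface names, the destination address and the ECMP tie-break are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Policy routes are checked first, in order; one whose out_intf is down is skipped.
PolicyRoute = namedtuple("PolicyRoute", "in_intf src out_intf dst", defaults=(ANY,))
# Static routes: best match = longest prefix, then lowest distance, then lowest priority.
StaticRoute = namedtuple("StaticRoute", "dst out_intf distance priority", defaults=(10, 0))
# Firewall policies are consulted only after the egress interface is known.
FwPolicy = namedtuple("FwPolicy", "src_intf src dst_intf")

def pick_egress(policy_routes, static_routes, link_up, in_intf, src, dst):
    """Routing layer: first matching live policy route, else best static route (ECMP on ties)."""
    for pr in policy_routes:
        if pr.in_intf == in_intf and src in pr.src and dst in pr.dst and link_up[pr.out_intf]:
            return pr.out_intf
    cands = [r for r in static_routes if dst in r.dst and link_up[r.out_intf]]
    if not cands:
        return None
    key = lambda r: (-r.dst.prefixlen, r.distance, r.priority)
    best = min(cands, key=key)
    ties = [r.out_intf for r in cands if key(r) == key(best)]
    # ECMP tie-break: a constructed destination-based pick, not FortiGate's real algorithm
    return ties[int(dst) % len(ties)]

def firewall_allows(policies, in_intf, src, out_intf):
    """True if some policy matches ingress, source subnet and the chosen egress; else implicit deny."""
    return any(p.src_intf == in_intf and src in p.src and p.dst_intf == out_intf for p in policies)

def forward(policy_routes, static_routes, policies, link_up, src_ip, dst_ip, in_intf="internal"):
    """Route first, then check the firewall for that egress; returns (verdict, egress interface)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    out = pick_egress(policy_routes, static_routes, link_up, in_intf, src, dst)
    if out is None:
        return ("no-route", None)
    return ("accept" if firewall_allows(policies, in_intf, src, out) else "implicit-deny", out)

# Constructed scenario from the thread: VLAN 20 pinned to WAN2 by policy route, WAN1 as fallback.
VLAN20 = ip_network("10.128.20.0/24")
ECMP = [StaticRoute(ANY, "wan1"), StaticRoute(ANY, "wan2")]   # equal distance and priority

def vlan20_to_internet(pinned=True, wan2_up=True, backup_policy=False):
    prs = [PolicyRoute("internal", VLAN20, "wan2"),
           PolicyRoute("internal", VLAN20, "wan1")] if pinned else []
    pols = [FwPolicy("internal", VLAN20, "wan2")]                # the question's WAN2-only policy
    if backup_policy:
        pols.append(FwPolicy("internal", VLAN20, "wan1"))        # the redundant LAN -> WAN1 policy
    return forward(prs, ECMP, pols, {"wan1": True, "wan2": wan2_up}, "10.128.20.121", "203.0.113.10")
```

With no policy route the ECMP pick can land the flow on WAN1, where the WAN2-only policy does not match and the implicit deny applies; with the fallback policy route and WAN2 down, traffic moves to WAN1 but is still denied until a matching LAN to WAN1 firewall policy exists.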
Nihas
New Contributor

Yes buddy :) Thanks!