URL Based Routing??

theG
2015/04/17 05:31:56 (permalink)
0

Hey Guys,
 
Is there a way to do URL based routing on the FGT? FortiOS v5....
 
We have two ISP lines and would like traffic to certain websites to only go via the one line.
 
Thanks in advance!
 
theG
#1

    BrUz
    Re: URL Based Routing?? 2015/04/17 05:49:17 (permalink)
    0
    theG
    Hey Guys,
     
    Is there a way to do URL based routing on the FGT? FortiOS v5....
     
    We have two ISP lines and would like traffic to certain websites to only go via the one line.
     
    Thanks in advance!
     
    theG


    You can use Policy routes

    Fortigate <3
    #2
    theG
    Re: URL Based Routing?? 2015/04/17 06:08:03 (permalink)
    0
    BrUz

    You can use Policy routes




    Hi BrUz,
    Policy routes only allow me to add destination IPs...or am I missing something? I need to be able to use the URL instead....?
    #3
    emnoc
    Re: URL Based Routing?? 2015/04/17 08:27:58 (permalink)
    0
    FWIW: There's no such thing as URL based routing. A URL has to be resolved and then routed at a layer 3 address by a layer 3 device (router/firewall).

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #4
    arshadm
    Re: URL Based Routing?? 2015/04/17 10:59:48 (permalink)
    0
    1. Create a FQDN object for the URL
    2. Create a policy using the previously created FQDN and choose the required WAN interface.
    #5
    Christopher McMullan_FTNT
    Re: URL Based Routing?? 2015/04/17 11:37:33 (permalink)
    0
    In general, the process for web-based traffic is the following, assuming one step for the entire DNS exchange:
     
    1. Client resolves the web server IP via DNS
    2. FortiGate receives client SYN packet
    3. A session is allocated
    4. A routing lookup is performed based on the routing table (connected, static, and dynamic routes based on destination), in addition and subsequent to policy routes (policy routes are applied before the rest of the routing table)
    5. Based on the source and destination interface and address, service, time of day, and optionally, user or device, a policy is matched, and logging, WANOpt, web cache, NAT, UTM, and disclaimer rules are applied.
     
    Step #4 always happens before policy matching, so crafting a policy on its own will not guarantee egress out a certain port, only that traffic choosing that port already can be blocked. In this manner, though, it is theoretically possible, if you have perfect 50/50 non-random, alternating packet load balancing, that half the requests would exit the right port when they weren't denied by the policy created, or alternately, that didn't hit the implicit deny, but were allowed by the policy you mentioned.
     
    The FortiGate doesn't load balance in this fashion, unfortunately, so a policy wouldn't work.

    Regards,
    Chris McMullan
    Fortinet Ottawa
    #6
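
The lookup order described in post #6, as an added example that is not part of the thread and not FortiOS code: a small Python model in which the egress interface is chosen by policy routes and then the routing table, before any firewall policy is matched. The interface names (`wan1`, `wan2`), the hostname, the addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation address range, hypothetical interfaces.
DNS = {"www.example.com": "203.0.113.10"}   # step 1: what the client resolved
ROUTES = [("0.0.0.0/0", "wan1")]            # routing table: default route via wan1
FW_POLICIES = [                             # matched top-down, implicit deny last
    {"dst": "203.0.113.10/32", "dstintf": "wan2", "action": "accept"},  # FQDN-style policy
    {"dst": "0.0.0.0/0", "dstintf": "wan1", "action": "accept"},
]

def route_lookup(dst_ip, policy_routes):
    """Step 4: policy routes are consulted first, then the routing table."""
    ip = ipaddress.ip_address(dst_ip)
    for prefix, intf in policy_routes:
        if ip in ipaddress.ip_network(prefix):
            return intf
    matches = [(ipaddress.ip_network(p), i) for p, i in ROUTES
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins

def policy_match(dst_ip, egress, policies):
    """Step 5: the egress interface is already fixed when policies are matched."""
    ip = ipaddress.ip_address(dst_ip)
    for pol in policies:
        if pol["dstintf"] == egress and ip in ipaddress.ip_network(pol["dst"]):
            return pol["action"]
    return "deny"  # implicit deny

def forward(fqdn, policy_routes=(), policies=FW_POLICIES):
    """Return (egress interface, firewall verdict) for traffic to fqdn."""
    dst_ip = DNS[fqdn]
    egress = route_lookup(dst_ip, policy_routes)
    return egress, policy_match(dst_ip, egress, policies)

if __name__ == "__main__":
    # Firewall policy alone: traffic still follows the default route.
    print(forward("www.example.com"))
    # Policy route on the resolved address: egress moves to wan2.
    print(forward("www.example.com", policy_routes=[("203.0.113.10/32", "wan2")]))
    # Only the wan2 policy, no policy route: traffic leaves wan1 and is denied.
    print(forward("www.example.com", policies=FW_POLICIES[:1]))
```

The third case is the one to watch for when auditing a dual-WAN rule set: a policy that names the intended interface never matches unless routing has already selected that interface.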
    Dave Hall
    Re: URL Based Routing?? 2015/04/17 12:48:32 (permalink)
    0
    theG
    Policy routes only allow me to add destination IPs...or am I missing something? I need to be able to use the URL instead....?



    Static or Policy routing is likely the closest thing to crafting something close to what you want, though you'll have to convert the FQDN of those URLs into their IP address equivalent.
     
    If you are adamant about a possible "work-around" solution, maybe designate a TCP port outside the normal standard range, say something like 65480 and 65443, set a policy route that routes that traffic out the desired port, then create a VIP (inside->WAN) that "converts" those ports back into the normal expected ports.  So in theory, accessing http://www.google.com:85480 should be directed out the correct WAN port on port 80.  Very hackish. lol.
     
    Note I haven't tried the above and don't even know if it will work. 
     
    Personally, if the original purpose of the request is to access certain websites on the faster WAN connection, you may be better off just setting up ECMP Load Balancing (weighted Load Balance) favouring the faster connection.

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #7
    Dirty_Wizard
    Re: URL Based Routing?? 2016/03/08 17:50:00 (permalink)
    5 (1)
    Yes, URL-based routing exists.
     
    http://kb.fortinet.com/kb/documentLink.do?externalID=FD36819
     
    In my testing step 6 is not required, I am unsure of the need for that. 
    #8
    theG
    Re: URL Based Routing?? 2016/03/08 22:09:52 (permalink)
    0
    awesome :) will def give this a look for future setups.
     
    Thanks Dirty_Wizard!
    #9
    Myth
    Re: URL Based Routing?? 2019/04/16 19:17:42 (permalink)
    #10
    boneyard
    Re: URL Based Routing?? 2019/04/20 02:02:33 (permalink)
    0
    never tried, feels pretty hacky and i wonder about this line
     
    Defined URL needs to be unique and non-existing on the real server otherwise users will be served by replacement block message.
     
    that feels, like it is still only hostname routing and translating to IP, which you can do with policy routes and FQDN addresses
    #11