There's a good chance that I'm going about this the wrong way, but it feels like I'm close to the solution.
I have a 60D running FortiOS 5.4. WAN1 is connected to my modem router and WAN2 is connected to a VPN router, which is connected to the Modem Router.
Both interfaces are configured identically other than the IP Address.
There are then two IPv4 policies.
However, the named address is still going out on WAN1, although I can access the VPN router connected to WAN2. If I change Policy ID #9 to deny and WAN1 then internet access is denied to that box.
What have I missed?
Did you try creating a policy route for the named source? Here you can define the incoming interface, source, outgoing interface, destination and various protocol options. This should do the trick.
HTH
d
I've created a policy route with:
Protocol: Any
Incoming Interface: internal
Source address/mask: 192.168.3.23/255.255.255.255
Destination address/mask: 0.0.0.0/0.0.0.0
Action: Forward Traffic
Outgoing interface: Wan2
Gateway address: 0.0.0.0
Still going through WAN1 :\
Policy routes take precedence over static. You should have a static default route set and use a policy route where necessary. Looks like you are missing the gateway. Set this to the WAN2 interface next hop (ISP router address).
HTH
d
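The same policy route written out in FortiOS CLI form, with the gateway filled in as dmcquade suggests. This is an added example, not configuration from the thread; the WAN2 next hop 192.168.2.1 is an assumed value (use the address of the VPN router on the WAN2 segment), and the interface names follow the 60D defaults.

```fortios
# Static default route on WAN1 stays in place: it carries everything
# the policy route does not match.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.1.1   # assumed: modem router on WAN1
        set device "wan1"
    next
end

# Policy route: source-based decision for the single host, evaluated
# before the static table. The gateway is the part that was missing;
# with 0.0.0.0 the route has no next hop and traffic falls back to WAN1.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.3.23/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set action permit
        set output-device "wan2"
        set gateway 192.168.2.1   # assumed: VPN router on WAN2
    next
end
```

After applying, `diagnose firewall proute list` shows the policy route (it does not appear in the routing monitor), and a matching IPv4 firewall policy from internal to wan2 is still required for the traffic to be allowed.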
As @dmcquade already posted, this is a routing issue.
Routing comes first, and then policies further delimit the allowed traffic.
A regular static route only looks at the destination address to decide which interface traffic is routed to. If you want to base the routing decision on different criteria, such as the source address, then you need to use a Policy Route.
There are some differences between regular routes and PRs. PRs do not show up in the Routing monitor, and are not deleted if the target interface goes down. Apart from that, a PR is the perfect tool for your goal.
Thanks Ede.
So the Fortigate evaluates routing before policies? Therefore are you saying I should remove my static routes and create two policy routes? One to direct traffic from the named address to WAN2, and a second with a lower priority for all traffic to go out on WAN1.
I'd like the ability to add and remove devices from going out on WAN2. Is there a way with PR to assign a group, or will I need to move devices to a different subnet to achieve this?
Thanks for your help Ede and D - It's working now, but I'd like more dynamic control if possible.
Things we learnt:
So what I now have is:
What I'd really like is to have a policy route where I can easily add or remove additional devices to the WAN2 group. IPv4 Policy looks the most likely candidate to allow me to do that unless I shuffle devices between subnets for the first policy route.
Static Routes are evaluated before Policy Routes
I believe that's wrong; PBR and most specific are always evaluated first.
Ken
PCNSE
NSE
StrongSwan