qqh452821000

How to do route-policy with VPN?

Hi everyone,

We have a FortiGate-200D running v5.4.5 here, and we have two default routes.

We also have some VPNs.

Here is what I want to do: corp vlan5's traffic goes out wan2, and all other traffic except VPN goes out wan1. How do I do that?

Here is my route-policy. I can't do a route-policy like this:

config router policy
    edit 1
        set input-device "corp vlan1"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway wan1_IP
        set output-device "wan1"
    next
end

Because all the VPN traffic will go down...

Thank you for any answers.

scan

Hi,

The easiest solution will be an upgrade to a version > 5.6.0. The newer versions have an SD-WAN option with which you can configure your requirement, and the FortiGate does the stuff in the background:

https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/597321/redundant-internet-with-sd-wan

Otherwise I would try the following:

1. Create a default route as a static route, which is the gateway for most of your subnets.

2. Create dedicated policy-based routing entries for the exceptions.

Remember: policy-based routing should be an exception, and before using it think clearly about it! It makes troubleshooting more complex.

Cheers

qqh452821000

Thank you for your reply.

I have tried that before.

With that, there is only one default route in the routing table. I created a policy route for the exceptions, but it didn't work... I think that the exception needs the other default route, but that route is not in the table...

scan

Ok, the following should work:

config router static
    edit 1
        set gateway wan2_IP
        set device "wan2"
    next
end

config router policy
    edit 1
        set input-device "corp1_vlan"
        set src "10.64.0.0/255.255.255.0"
        set dstaddr "all"
        set gateway "wan1_IP"
        set output-device "wan1"
    next
end

Afterwards you can check, with the debug flow command, which route and firewall policy match the traffic (the trace is limited to the first 5 sessions):

diagnose debug flow filter addr <client_IP>

diagnose debug enable

diagnose debug flow trace start 5

If the traffic is allowed, you can use the packet sniffer to get the outgoing device:

diagnose sniffer packet any 'host <client_IP>' 4
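
As an added illustration (not from this thread, and not FortiGate code), the following Python model mimics the lookup order the replies rely on: policy routes are consulted top-down, the first match wins, and only traffic matching no policy route is looked up in the routing table. The interface names, the 10.64.0.0/24 VLAN prefix from the reply above, the remote VPN subnet 192.168.100.0/24 and the tunnel interface name are assumptions. It shows why both a catch-all and a source-narrowed policy route send VPN-bound traffic out wan1, and that a narrower entry for the VPN subnet placed ahead of the catch-all (modelled here as an assumption) keeps the tunnel as the egress.

```python
import ipaddress

# Constructed model of the lookup order: policy routes first (top-down, first
# match wins), routing table only for unmatched traffic. All names and prefixes
# are assumptions for the illustration, not a real device's configuration.
VPN_REMOTE = "192.168.100.0/24"          # assumed subnet behind the IPsec tunnel
ROUTING_TABLE = {                        # prefix -> egress device
    VPN_REMOTE: "vpn_tunnel",            # route installed for the tunnel
    "0.0.0.0/0": "wan2",                 # the single default route from the reply
}

def egress(src, dst, in_dev, policy_routes):
    """Egress device for one flow. policy_routes is an ordered list of
    (input-device, src-prefix, dst-prefix, output-device) tuples."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p_in, p_src, p_dst, out_dev in policy_routes:
        if (p_in == in_dev and s in ipaddress.ip_network(p_src)
                and d in ipaddress.ip_network(p_dst)):
            return out_dev                # first matching policy route wins
    # No policy route matched: longest-prefix match in the routing table.
    best = max((n for n in ROUTING_TABLE if d in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ROUTING_TABLE[best]

# The policy-route tables discussed in the thread, plus the exception-first variant.
OP_CATCH_ALL = [("corp_vlan1", "0.0.0.0/0", "0.0.0.0/0", "wan1")]
SRC_NARROWED = [("corp_vlan1", "10.64.0.0/24", "0.0.0.0/0", "wan1")]
VPN_FIRST = [("corp_vlan1", "10.64.0.0/24", VPN_REMOTE, "vpn_tunnel"),  # exception first
             ("corp_vlan1", "10.64.0.0/24", "0.0.0.0/0", "wan1")]

def check(policy_routes, src="10.64.0.10", in_dev="corp_vlan1"):
    """Where Internet-bound and VPN-bound traffic from one host leaves the box."""
    return {"internet": egress(src, "203.0.113.5", in_dev, policy_routes),
            "vpn": egress(src, "192.168.100.7", in_dev, policy_routes)}

if __name__ == "__main__":
    for name, table in [("catch-all", OP_CATCH_ALL), ("src-narrowed", SRC_NARROWED),
                        ("vpn-first", VPN_FIRST)]:
        print(f"{name:13s} {check(table)}")
```

Running it shows the VPN-bound flow leaving via wan1 for the first two tables and via the tunnel only when the VPN exception precedes the catch-all entry.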
qqh452821000

Thank you for your reply.

I knew that should work, and I have tested it before... That would interrupt all of the VPN traffic...

Because the VPN next-hop should be the VPN's interface, not wan1. That is what is bothering me.
