Support Forum
esunarto
New Contributor

Policy based routing

Let me preface this post by saying I'm a novice at FortiGate configuration, but I've been doing Cisco and MikroTik config for over a decade.

 

I'm trying to do a simple policy based routing.

We have 2 gateways in our small office: 192.168.5.18 (FortiGate) and 192.168.5.1 (Cisco).

Test PC: 192.168.5.128

The default GW on the PC is the FortiGate (can't change this).

All I want to do is route all traffic from the PC to the internet via the Cisco.

 

It should be very simple; I'm attaching the screenshot.

When the policy is enabled, the PC can no longer access the internet, so something is getting blocked somewhere in the FortiGate.

I've done a packet capture on the Cisco and I don't see the traffic being forwarded from the FortiGate to the Cisco.

 

I've also added a policy (IPv4) to allow LAN to LAN (no NAT).

Still doesn't work.

 

Please help?

Thanks in advance.

rwpatterson
Valued Contributor III

Not an answer, but a question. Why do you need a FortiGate AND a Cisco?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

esunarto

Ultimately because I don't want to put all of my network eggs in one vendor's basket.

But also because I have 2 ISPs and I'm far more comfortable with Cisco right now.

I can't even figure out port forwarding in FortiGate. Might be related to the L2 limitations that Toshi_Esumi mentions.

Toshi_Esumi
Esteemed Contributor III

L2 design problem with a FW. I saw a similar post this month or last month in this forum. The PC's GW is the FGT, and the FGT's default route goes to the Cisco. That's the outgoing direction. But for returning, the Cisco sees the PC on the LAN and sends packets directly back to the PC. The FGT only sees one direction of traffic, so it must be flagging the traffic as erroneous and blocking it. For L3 devices this is not a problem. But with a FW (L4 and application layer device) it's a problem.

esunarto

Thanks for the reply. "Normal" routing within a subnet typically sends a reply to the PC saying "contact the Cisco instead", right? Is this the difference with policy based routing?

rwpatterson
Valued Contributor III

My suggestion would be to create a transit network between the FGT and the Cisco and route between the two. (Personally, I would forgo the Cisco and put the FortiGate at the edge.)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

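As an added illustration that is not part of this thread (it is a constructed configuration, not rwpatterson's, Toshi_Esumi's or Fortinet's), this is what the transit-network design looks like on both boxes, and why it removes the one-way-traffic problem described above. The LAN addresses (192.168.5.0/24, PC 192.168.5.128) are the ones from the original post; the transit subnet 10.0.0.0/30, the interface names (`internal`, `port2`, `GigabitEthernet0/0`, `GigabitEthernet0/1`) and the FortiOS 6.x-style CLI keywords are assumptions and should be checked against the version in use.

```text
! ---- Cisco side (assumed interface names; 10.0.0.0/30 is a constructed transit subnet) ----
! The old LAN-facing interface (192.168.5.1) is shut down. While it is up the Cisco
! is directly connected to 192.168.5.0/24 and will reply straight to the PC,
! bypassing the FortiGate on the return path.
interface GigabitEthernet0/0
 description old-LAN-192.168.5.1-now-unused
 shutdown
!
interface GigabitEthernet0/1
 description transit-to-fortigate
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
! The only path back to the office LAN is now through the FortiGate's transit address,
! so replies cross the FGT and it sees both directions of every session.
! (Whatever NAT "inside" ACL the Cisco uses for its ISPs must also match 192.168.5.0/24.)
ip route 192.168.5.0 255.255.255.0 10.0.0.1

# ---- FortiGate side (FortiOS CLI; interface names are assumptions) ----
config system interface
    edit "port2"
        set ip 10.0.0.1 255.255.255.252
        set allowaccess ping
        set role wan
    next
end

# The FGT's default route (which Toshi_Esumi notes already goes to the Cisco)
# now points across the transit link instead of at 192.168.5.1 on the LAN.
config router static
    edit 1
        set gateway 10.0.0.2
        set device "port2"
    next
end

# The original goal: steer the test PC to the Cisco with a policy route.
# With the default route above this entry is redundant for the PC, but it is
# the knob to use if other LAN hosts should follow a different default.
config firewall address
    edit "test-pc"
        set subnet 192.168.5.128 255.255.255.255
    next
end
config router policy
    edit 1
        set input-device "internal"
        set srcaddr "test-pc"
        set dstaddr "all"
        set gateway 10.0.0.2
        set output-device "port2"
    next
end

# A firewall policy from the LAN to the transit interface is still required.
# NAT stays disabled here because the Cisco performs the NAT towards the ISPs;
# logging the session lets you confirm both directions are seen by the FGT.
config firewall policy
    edit 10
        set name "lan-to-internet-via-cisco"
        set srcintf "internal"
        set dstintf "port2"
        set srcaddr "test-pc"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

The point of the transit link is not the policy route itself but the return path: with the Cisco's LAN interface gone, its only route to 192.168.5.0/24 is via 10.0.0.1, so every reply traverses the FortiGate and its session table sees the full flow instead of half of it. A quick way to confirm the design works is to watch the session for the PC on the FGT (for example `diagnose sys session filter src 192.168.5.128` followed by `diagnose sys session list`) and check that packet and byte counters increase in both directions.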