Policy based route for all outbound traffic

Author
atsak
New Member
  • Total Posts : 20
  • Scores: 2
  • Reward points: 0
  • Joined: 2017/07/21 11:13:47
  • Status: offline
2020/06/30 08:31:02 (permalink)
0

Policy based route for all outbound traffic

Scenario - FG200E on datacenter side, FG60E on branch side
 
Using a policy based route I'd like a particular source IP on the branch side to route all traffic via the tunnel to the datacenter then out on the internet via the outbound interface IP.
 
Running 6.2.1
 
Followed this article:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38790
 
Route is selected but does not actually pass traffic (hit count increments). Both sides configured with opposite IP on the tunnel, can ping the IP of the local tunnel assigned address but not remote. Tried also just configuring only the branch side of the private IP, but that also doesn't work.
 
Tunnel is up and working.
Policies are in place and working (tested using a Juniper firewall which does not require the IP be assigned to the interface for policy based routing, traffic flows as expected on that equipment)
 
Anyone have this working?  What did you do or what does the configuration look like on both sides?
 
#1

8 Replies

    Toshi Esumi
    Expert Member
    • Total Posts : 2160
    • Scores: 208
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Policy based route for all outbound traffic 2020/06/30 09:37:53 (permalink)
    0
    You still need to have a default route into the tunnel in addition to the default route via the local internet. Then the policy route can choose the one into the tunnel based on the source.
    I recommend you use two static default routes then put higher number of priority (lower priority) on the one toward the tunnel so that all the other traffic prefer the local internet.
    #2
    atsak
    New Member
    • Total Posts : 20
    • Scores: 2
    • Reward points: 0
    • Joined: 2017/07/21 11:13:47
    • Status: offline
    Re: Policy based route for all outbound traffic 2020/06/30 09:45:29 (permalink)
    0
    So static route 0.0.0.0/0.0.0.0 interface TUNNELNAME distance 100, or does it need to be the same distance as the WAN1 link and just a lower priority (but higher number in the actual priority field)?
     
     
    #3
    Toshi Esumi
    Expert Member
    • Total Posts : 2160
    • Scores: 208
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Policy based route for all outbound traffic 2020/06/30 09:53:56 (permalink)
    0
    Not a distance, which is a different metric. Leave the default value (10?) for distance for both. You might need to expand "Advanced Options" in GUI to see Priority setting. I regularly use CLI so I'm not familiar with how it would look.
    #4
    atsak
    New Member
    • Total Posts : 20
    • Scores: 2
    • Reward points: 0
    • Joined: 2017/07/21 11:13:47
    • Status: offline
    Re: Policy based route for all outbound traffic 2020/06/30 21:38:55 (permalink)
    0
    Right, made those changes, but the traffic still does not pass. It selects the policy fine for routing but the traffic never hits the permit rule nor the remote site; the firewall rule shows a hit for traffic from the policy selected IP hitting the rule to permit the traffic outbound to the VPN interface, but no traffic passes back, even though on another firewall at the branch end (the Juniper) it does...
     
    I'm going to open a TAC case but if you have any other suggestions I'd appreciate them.
    #5
    Toshi Esumi
    Expert Member
    • Total Posts : 2160
    • Scores: 208
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Policy based route for all outbound traffic 2020/06/30 23:28:35 (permalink)
    0
    Do the VPN's phase2 network selectors include the source IP <-> 0/0?
    #6
    emnoc
    Expert Member
    • Total Posts : 5732
    • Scores: 371
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Policy based route for all outbound traffic 2020/07/02 20:31:58 (permalink)
    0
    The "diag debug flow" is your best friend for analyzing flow issues. It is your 1st step in trouble-shooting. Did you do that?
     
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #7
    atsak
    New Member
    • Total Posts : 20
    • Scores: 2
    • Reward points: 0
    • Joined: 2017/07/21 11:13:47
    • Status: offline
    Re: Policy based route for all outbound traffic 2020/07/11 15:47:16 (permalink)
    0
    For anyone who needs to do this in the future, most of the steps are now captured upthread, but in summary:
     
    Follow this article as described:   https://kb.fortinet.com/kb/documentLink.do?externalID=FD38790
    Then add 0.0.0.0/0 to the phase 2 of the tunnel you intend to route the traffic over
    Then add a static route for 0.0.0.0 with a lower priority (ie higher priority number)
    Then add the policy route for the source IP
    Then add a policy to the firewall policies to permit from the source IP to 0.0.0.0 via the IPSec tunnel

    On the far end firewall of the tunnel you just need a policy to permit from the near end IP address block to all.
    #8
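    The steps summarised in #8 (tunnel interface IP per the KB article, 0.0.0.0/0 in phase 2, a second default route with a worse priority as suggested in #2 and #3, the policy route, and the permit policies on both ends), written out as an added FortiOS 6.2 CLI example. This is not configuration from the original thread or from Fortinet; every interface name, address object and IP (192.168.10.0/24 branch LAN, 192.168.10.50 as the policy-routed host, 10.255.255.1/2 on the tunnel, 203.0.113.1 as the branch WAN gateway) is a constructed placeholder to be replaced with your own values. The diag debug flow commands at the end are the check emnoc refers to in #7.

```fortios
# ---------- BRANCH (FG60E) ----------
# Tunnel interface needs a local IP and the remote IP (FD38790); remote-ip is the
# gateway the policy route points at.
config system interface
    edit "to-dc"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1 255.255.255.255
    next
end

# Phase 2 selector must cover branch LAN <-> 0.0.0.0/0, otherwise the SA never
# matches internet-bound packets even though the route and policy both hit.
config vpn ipsec phase2-interface
    edit "to-dc-p2"
        set phase1name "to-dc"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Two default routes with the SAME distance (both stay in the routing table) but a
# worse priority (higher number) on the tunnel route, so ordinary traffic prefers wan1.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "to-dc"
        set distance 10
        set priority 20
    next
end

# Policy route: only the selected host is steered into the tunnel.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.10.50/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.255.255.1
        set output-device "to-dc"
    next
end

config firewall address
    edit "pbr-host"
        set subnet 192.168.10.50 255.255.255.255
    next
end

# Permit policy from the host to anything via the tunnel (no NAT on the branch side).
config firewall policy
    edit 10
        set name "pbr-host-to-dc"
        set srcintf "internal"
        set dstintf "to-dc"
        set srcaddr "pbr-host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---------- DATACENTER (FG200E) ----------
# Mirror selector: 0.0.0.0/0 <-> branch LAN.
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

config firewall address
    edit "branch-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Tunnel -> internet, source-NATed to the datacenter WAN IP (the "outbound interface IP").
config firewall policy
    edit 20
        set name "branch-via-tunnel-out"
        set srcintf "to-branch"
        set dstintf "wan1"
        set srcaddr "branch-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# ---------- CHECK (run on the branch while the host generates traffic) ----------
# diagnose debug flow filter saddr 192.168.10.50
# diagnose debug flow show function-name enable
# diagnose debug flow trace start 100
# diagnose debug enable
```

    In the debug flow output you want to see the packet matched by policy route 1, egressing "to-dc", and then an "allowed by policy-10" line; if instead it reports no matching IPsec selector, the phase 2 0.0.0.0/0 entry (or its mirror on the datacenter side) is the part that is missing. Keep the distances equal on both default routes: a higher distance on the tunnel route would drop it from the active routing table, and the policy route cannot use a route that is not installed.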
    Toshi Esumi
    Expert Member
    • Total Posts : 2160
    • Scores: 208
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Policy based route for all outbound traffic 2020/07/11 19:24:07 (permalink)
    0
    I didn't know a policy route into a tunnel required a GW IP. I guess I need to test various variations.
    #9