Policy Routing on a FortiGate Firewall

Source: http://blog.webernetz.net/2015/07/20/policy-routing-on-a-fortigate-firewall/

his is a small example on how to configure policy routes (also known as policy-based forwarding or policy-based routing) on a Fortinet firewall, which is really simple at all. Only one single configuration page and you’re done. 😉

(Compared to my other PBR/PBF tutorials from Juniper ScreenOS and Palo Alto Networks, there is only one screenshot needed to explain the policy route. Ok, it is not that flexible, but easy.)

In my lab, I have a static default route to the wan1 interface. On the wan2 interface, there is a simple DSL connection to the Internet which shall be used for http/https traffic from the users. That is: Everything from the users IP segment (192.168.161.0/24) to the destination ports 80 and 443 shall be forwarded to this DSL connection. But an exemption is still needed: If the destination is on the internal LAN, the connection should not be policy routed. (Of course, appropriate policies must be in place, too.) The configuration is done under Router -> Static -> Policy Routes:

That’s it. In the Forward Traffic Log, it is easy to see which destination interface is used, dependent on the destination port:

Forward Traffic Log with Destination Interface.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s