Policy routing configuration in Fortigate

  • I have an scenario where a Fortigate firewall is used to separate internal networks from the Internet (FortiOS Version 4.0 MR3 patch 11). Right now there is a single Internet connection attached to the firewall and a default static route is used to get all Internet traffic through it. I would like to attach a second Internet connection to the firewall and then route only certain traffic through it, for example web browsing traffic.

    For this setup, I keep the current static default route through the first link and then configure policy routing options in order to route traffic with destination port TCP/80 and TCP/443 through the second Internet link. As expected, policy routing is evaluated before routing table and all traffic destined to TCP/80 and TCP/443 is sent through to second link, including traffic between subnets directly connected to the Fortigate, what breaks communication between them.

    In a Cisco environment I would adjust the ACL used to match traffic for policy routing, denying traffic between internal networks at the beginning of the ACL and adding a "permit any" statement at the end. However, I can not find the way to instruct the Fortigate to work in a similar manner.

    Do you know how to make this scenario working with Fortigate?

  • Since policy routes are evaluated top-down, you can work around this limit by placing a more specific entry matching traffic from internal subnet A to internal subnet B.

    However, this should be less than comfortable if you have many different networks attached to your internal interface.

    In this case, I would recommend you a trick I once used: since Fortigate devices ignore QoS marks, you should sign your "internet" packets on the firewall-facing port of your Cisco switch with a specific TOS and then use that mark in your policy-route.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM