Policy-based Routing on Fortigate Firewall

As a firewall, Fortigate must know which next-hop to send the traffic to. The routing information is maintained by routing tables in a Fortigate box. Basically, routing table indicates which interface and next-hop IP address to redirect the traffic to based on destination host or network. As said, routing table satisfies you in case your routing is based on destination. But how about routing is based on source host or network? The answer is to use Policy-based Routing.

This tutorial is to show you how to configure Policy-based Routing on Fortigate. I will have another article about configuring policy-based routing on a Cisco router.

To configure Policy-based Routing on Fortigate, you must know this information: source network/host (incoming interface), destination network/host (outgoing interface), and the types of traffic that will trigger the policy. For example, in the following diagram, I would like to route my Office network 192.168.2.0/24 to use the DSL line, and the rest of network to use leased-line. On Fortigate, I will have default route to point to the leased-line router, where every traffic is redirected to, including the traffic generated by Office network. Moreover, I need to configure an entry within Policy-based routing to specifically redirect Office network to use DSL line.

Policy-based Routing on Fortigate

Configuring Policy-based Routing on Fortigate

  • Login to Fortigate under an administrative account
  • Click Router on the left side menu, select Policy Routing
  • On the top of the right pane, click Create New to create a new policy
  • When the new policy configuration dialogue appears, enter the following information

Protocol – Leave it as default. This number is found in the IP packet header, or reference to RFC 5237. This number ranges from 0 to 255.

Incoming Interface – The interface where traffic is coming from. In the above diagram, the traffic comes from Port 10.

Source Address/Mask – Source network of the traffic. In this case, my source network is the Office network 192.168.2.0/24

Destination/Mask – Destination network of the traffic. Since I want all traffic from Office network (to everywhere) is routed through DSL line; therefore, I will leave Destination/Mask as default for everything.

Destination Ports – Traffic types defined by ports. I will leave it as default because I want all traffic are routed by this policy.

Type of Service – Leave it as default settings.

Outgoing Interface – Traffic will exit using which port. In this case, my outgoing interface is Port 6.

Gateway Address – Next-hop IP. In this case, my next-hop is 192.168.5.254, which is the internal IP address of the DSL router.

  • Click OK when everything is filled.

Alright, it’s done. Now, jump on any computer in the Office network and do a tracert command to 4.2.2.2, you should see the traffic is coming out using the DSL line.


C:\>tracert -d 4.2.2.2

Tracing route to 4.2.2.2 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.2.254
2 <1 ms <1 ms <1 ms 192.168.100.254
3 1 ms <1 ms <1 ms 192.168.5.254
4 1 ms 1 ms 1 ms 123.249.57.49

^C
C:\>

 

Load balancing
By using Policy-based routing, you could load balance your network traffic by spreading it to multiple connections.

About The Author

Hao Nguyen

Hao Nguyen

Hello! I'm Hao Nguyen and I'm currently working as a Network Engineer for a small firm in Houston. I enjoy writing technical documents and blog, such as PlanTutorials.com

8 Comments

  1. vinod says:

    How i access my fortigate 50b firewall via internet browser

    • Hao Nguyen says:

      Hi Vinod,

      You should reference your document for the default IP address/username/password of the box. Importantly, you must know the default IP address is set to which port for initial configuration.

  2. Ray Camo says:

    Hi Hao,

    Im new on using fortigate and i got this scenario which my knowledge cannot reach as of the moment, ill be very glad if you can give me some advice solving the issue.

    i have a network 40.0 which is routed to 10.0 using VPN and i place my fortigate on 10.0 planning to route 40.0 to 70.0 using the internet. im quite confuse how will it work.

    40.0 -> 10.0 via VPN(fortigate ip is 192.168.10.254) then to 70.0 using internet with the use of fortigate.

  3. Ferdinand MEMEVEGNY says:

    Hi Hao,
    I have the following problem and I think you can help me. I have a Fortigate 600C with the ISP1 router connected to the WAN1 interface. But I have a second ISP2 and want to connect his router to WAN2 interface, that will be dedicated to a certain type of user on a specific subnet. Could you tell me how to do this configuration please. Because on my Fortigate, I already have a default route to ISP1 router. How to have a second default route on the same firewall?
    Thank you for your help

    Regards
    Ferdinand

    • Hao Nguyen says:

      Hi Ferdinand,

      That problem is easy to solve if you have enough information of the source traffic.
      See the attached picture at this link
      Policy based routing on Fortigate

      Follow these few steps to configure your firewall to add 2nd, 3rd gateways:
      1/ Identify source network subnets or IP addresses
      2/ Create Router –> Static –> Policy Routing, and enter the appropriate information as in the picture above.
      3/ Do tracert command to test from a computer within the source networks, you will see which gateway it comes out.

      If you are still not clear, let me know.
      Hao

  4. john says:

    Hello,
    I have a Fortigate 60C, with 2 Wan’s connected.
    all internet traffic is routed to WAN1.
    I wanted to know if it possible to force specific URL’s to go out from WAN2?
    for example, when a user types in his browser facebook.com it will go out from WAN2.

    Cheers,
    John

Trackbacks / Pingbacks

  1. Policy-based Routing in Cisco Routers | Plain Tutorials

Leave a Reply