Skip to main content

POLICY ROUTES FORTIGATE

 Policy routes also referred to as policy based routing is a very popular technique that routes the incoming packets based on the set of policy defined. The policy usually defines that the packet from particular source are routed to particular gateway. 

Simply not trying to make it theoretically lengthy lets try this feature out in Fortigate.



In our particular scenario there are 2 fortigate boxes residing in HA (Active/Passive) mode. There are two upstream ISP connected with the fortigate box one named after port 1 SUBISU and the other being port 2  WEBSURFER. We have two internal gateways which contains subnet of 172.16.0.0/28 and the other one being 172.16.0.16/28. We will be leveraging the privilege of policy route and send the packet incoming from 172.16.0.0/28 subnet towards Websurfer upstream and the packet coming from 172.16.0.16/28 subnet towards SUBISU upstream which will help us on utilizing both the links making it more efficient usage of bandwidth.

We will need to create two default routes towards our upstream ISP's .For the redundant Internet connections, both the default static routes have to be active in the routing table.So, in order to achieve it, set the distance of both the routes the same and also be aware that priority must be equal.

Example : 

wan1 has a distance of 10 and a priority of 0.

wan2 has a distance of 10 and a priority of 0.

This is very important in our scenario as we are going to utilize both the links which will provide us maximum utilization of both the ISP's bandwidth rather than setting up making the other link idle waiting for the primary link to fail.

In case of active failover scenario, if wan1 is to be the primary link [active link], then set the lowest priority to that link.And highest priority to the other wan interface. When there are multiple routes to the same destination with the same distance then the priority will be checked. And the route with the least priority will be given the preference.

Example:

wan1 has a distance of 10 and a priority of 0.

wan2 has a distance of 10 and a priority of 10.

Here wan1 will be a selected route, as it has the least priority compared to wan2.

So, all the traffic will be handled by wan1. If wan1 goes down then the traffic will be shifted to wan2.

Let's now begin our configuration for policy route.

1. Creating a static route ( Active/ Active) 

The image above displays a default route towards 103.232.152.81 being the gateway of the upstream ISP SUBISU with an administrative distance value of 10 and priority being 0.

The image above displays a default route towards 118.91.170.241 being the gateway of the upstream ISP WEBSURFER with an administrative distance value of 10 and priority being 0.

We will now need to verify whether both the routes exists in the routing table or not. We can simply check using get router info routing-table all command in the cli of the firewall.

We can see that both the route does exists on the routing table of the firewall.

2. Creating a policy route 

We will need to create a policy route for the subnet 172.16.0.0/28 IP being 172.16.0.2. The end host from 172.16.0.2 will simply go towards the websurfer ISP by checking the policy routes made on the firewall. Under Network tab click on Policy Routes.


We can match the incoming traffic based on protocol, incoming interface, source address, destination address etc. Finally, we will need to create a policy for the those two subnet.

3. Creating a Policy

Policy for SSF subnet (172.16.0.0/28) needs  to be created where my outgoing interface should be port2 WEBSURFER. Services and NAT has been allowed accordingly.


The other policy would be for SSF subnet and its outgoing interface being port 1 SUBISU upstream.


4. Verification
We can simply verify this going under Fortiview > Policies. As you can see in the below image that SOSYS is routing packets from WAN-SUBISU (port1) and SSF Subnet is routing packets from WAN-WEBSURFER (port2)


Relentless growth of cloud computing, mobility, and Web-based applications requires that the network know each application traffic type traversing the network. Policy route can also handles each application type separately to effectively prioritize, segregate, and route traffic without compromising performance or availability.













Labels:

Comments

Post a Comment

Popular posts from this blog

High Availability Palo Alto (Active/Standby)

 High Availability is usually performed in most of the data centers networks today which ensures application availability . High Availability is usually achieved in case one of the appliance goes down or have some physical or logical connectivity issues.  Achieving high availability in Palo Alto firewall is relatively very easy. Palo Alto firewall can work in both Active/Standby mode or in Active/Active. We will basically be talking about Active/Standby mode in this article. There are basically two links that needs to be configure in Palo Alto for HA. 1. Control Links Control Links are associated with control plane traffic which is mainly used for heartbeat exchanged, configuration synchronization. Dedicate HA ports are available in higher series of Palo Alto or even a HA interface can be created for some inband ports.   2. Data Links Data Links are mainly used for session synchronization, forwarding table synchronization. Dedicated HSCI Ports are available for highe...
Post a Comment
Read more

SSL Decryption FortiGate

  We have pretty much heard about SSL decryption and of malware hiding inside an encrypted traffic. A large amount of traffic in the internet is pretty much encrypted which basically means that bad things like malware, virus, ransomware can hide inside this encrypted traffic. If majority of these traffic are encrypted our Firewalls are not able to analyze these traffic which can easily infect our organization and the investment which we have done in these firewalls are wasted. There does come around a solution for this and as my topic suggest SSL Decryption also know as Deep Packet Inspection as by some IT folks. The image that I have attached down below clearly suggest about what I am trying to explain. Using deep packet inspection, the firewall simply decrypts the encrypted traffic happening  between client and server, inspects the content to find the threats and block them , then forwards it to the destination re-encrypting it . We will need to first setup the SSL/SSH in...
Post a Comment
Read more

Virtual Chassis Juniper EX 3400 (PREPROVISONED)

Juniper has always been an technology that I have always liked right from the beginning of my career when I was working as an Jr Network Administrator. The logical command as well as the hierarchy based Juniper devices has always made me love the device. Let me today talk about a very useful and an interesting topic which we usually called stack in the world of Cisco and virtual chassis in the world of Juniper, both of them mean the same thing logically make two or more than two switch as a one and configure and manage the device as a single unity. High Availability, managed configuration and maintenance are few of the benefits that a virtual chassis can provide. The configuration for virtual chassis can be found easily in the juniper sites but my objective about writing this is making it more simpler in context to Juniper's document. There are basically two ways of configuring virtual chassis in Juniper. 1.   Nonprovisioned configuration  :  The master switch assig...
Post a Comment
Read more