
Policy-based Routing on Fortigate Firewall | Plain Tutorials


http://www.plaintutorials.com/policy-based-routing-on-fortigate-firewall/


October 24, 2012 | Posted by Hao Nguyen



Like any router, a Fortigate must know the next hop to which each packet should be forwarded. That information
lives in the routing table, which maps a destination host or network to an outgoing interface and a next-hop IP
address. A routing table is all you need as long as the forwarding decision depends only on the destination. When
the decision has to depend on the source host or network instead, the answer is Policy-based Routing.

This tutorial shows how to configure Policy-based Routing on a Fortigate. I will have another article about
configuring policy-based routing on a Cisco router.
To configure Policy-based Routing on a Fortigate you need three pieces of information: the source network/host
and the interface it arrives on, the destination network/host and the interface it should leave on, and the type
of traffic that should trigger the policy. In the following diagram, for example, I want my Office network
192.168.2.0/24 to use the DSL line and the rest of the network to use the leased line. The Fortigate has a default
route pointing to the leased-line router, so by default every packet, including traffic generated by the Office
network, goes that way. On top of that I add one Policy-based Routing entry that specifically steers the Office
network out through the DSL line. Policy routes are consulted before the routing table and the first matching entry
wins, so traffic that matches no policy route simply falls through to the default route.

Log in to the Fortigate with an administrative account.

Click Router in the left-hand menu, then select Policy Routing (Router > Static > Policy Routing).
At the top of the right pane, click Create New to create a new policy.
When the new policy configuration dialogue appears, fill in the following fields:

Protocol Leave it at the default (0, which matches any protocol). This is the IP protocol number carried in the
IP header (for example 6 for TCP, 17 for UDP, 1 for ICMP); the field is 8 bits wide, so values range from 0 to
255, and the registry is described in RFC 5237.

Incoming Interface The interface the traffic arrives on. In the diagram above, the traffic comes in on Port 10.
Source Address/Mask The source network of the traffic. In this case the source is the Office network,
192.168.2.0/24.
Destination/Mask The destination network of the traffic. Because I want all traffic from the Office network, to
any destination, routed through the DSL line, I leave Destination/Mask at its default, which matches everything.
Destination Ports Traffic types defined by destination port. I leave this at the default as well, because I want
all traffic from the Office network routed by this policy.


Type of Service Leave it at the default settings.
Outgoing Interface The interface the traffic will exit on. In this case the outgoing interface is Port 6.
Gateway Address The next-hop IP address. In this case the next hop is 192.168.5.254, the internal IP address of
the DSL router.
Click OK when every field is filled in.

That is it. Now jump on any computer in the Office network and run a tracert to 4.2.2.2; the first hops should
show the traffic leaving through the DSL line rather than the leased line. Keep in mind that a policy route only
changes the forwarding decision: the traffic still has to be allowed by a firewall policy from the incoming
interface (Port 10) to the new outgoing interface (Port 6), otherwise the Fortigate drops it.
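The same configuration entered from the FortiOS CLI, as an added example that is not part of the original tutorial. The interface names port10 and port6, the FortiOS 5.x-style quoted address syntax in `set src`, the leased-line default route (gateway 192.168.1.254 on port1), the firewall policy ID and the address object name are assumptions, because the tutorial only gives the Office subnet, the DSL router address 192.168.5.254 and the port numbers; adjust them to your own box. The diagnose commands at the end are the CLI counterpart of the tracert check.

```fortios
# Default route toward the leased-line router. The tutorial only says such a
# route exists; gateway 192.168.1.254 and port1 are assumed values.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.1.254
        set device "port1"
    next
end

# Policy route: traffic arriving on port10 from 192.168.2.0/24 leaves via port6
# toward the DSL router. dst, protocol, ports and ToS are left at their
# defaults (match anything), exactly as in the GUI steps above. Policy routes
# are evaluated in order before the routing table; the first match wins, and
# traffic matching no entry falls through to the default route.
config router policy
    edit 1
        set input-device "port10"
        set src "192.168.2.0/255.255.255.0"
        set output-device "port6"
        set gateway 192.168.5.254
    next
end

# The policy route only changes the egress interface. Firewall policy lookup
# uses that new egress interface, so a port10 -> port6 policy is required or
# the redirected packets are dropped. Object name and policy ID are assumed.
config firewall address
    edit "Office_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set srcintf "port10"
        set dstintf "port6"
        set srcaddr "Office_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verification from the CLI
diagnose firewall proute list                    # policy routes as actually loaded
get router info routing-table all                # default route still points at the leased line
diagnose sniffer packet port6 'host 4.2.2.2' 4   # run tracert 4.2.2.2 from an Office PC;
                                                 # the probes should show up on port6
```

If the sniffer on port6 stays silent while the tracert from the Office PC gets replies, the packets are still leaving through the leased line: check that the policy route's input-device and source really match the traffic, and that no earlier policy route entry catches it first.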


Tags: fortigate firewall, fortigate routing, policy routing, policy-based routing

Hao Nguyen
Hello! I'm Hao Nguyen and I'm currently working as a Network Engineer for a small firm in
Houston. I enjoy writing technical documents and blogs, such as PlainTutorials.com. Contact me
on Google+


vinod says:
November 28, 2012 at 1:34 am

How do I access my Fortigate 50B firewall via an internet browser?

Hao Nguyen says:
January 31, 2013 at 10:40 am

Hi Vinod,
You should refer to your documentation for the default IP address/username/password of the box.
Importantly, you must know which port the default IP address is assigned to for the initial configuration.

Ray Camo says:
February 25, 2013 at 8:30 pm

Hi Hao,
I'm new to using Fortigate and I have this scenario which my knowledge cannot reach at the moment; I'll
be very glad if you can give me some advice on solving the issue.
I have a network 40.0 which is routed to 10.0 using VPN, and I placed my Fortigate on 10.0, planning to route
40.0 to 70.0 using the internet. I'm quite confused about how it will work.
40.0 -> 10.0 via VPN (Fortigate IP is 192.168.10.254), then to 70.0 using the internet with the use of the Fortigate.

Ferdinand MEMEVEGNY says:
March 26, 2013 at 8:03 am

Hi Hao,
I have the following problem and I think you can help me. I have a Fortigate 600C with the ISP1 router
connected to the WAN1 interface. But I have a second ISP2 and want to connect its router to the WAN2
interface, which will be dedicated to a certain type of user on a specific subnet. Could you tell me how to do
this configuration, please? Because on my Fortigate I already have a default route to the ISP1 router. How can I
have a second default route on the same firewall?
Thank you for your help
Regards
Ferdinand

Hao Nguyen says:
March 26, 2013 at 8:19 am

Hi Ferdinand,
That problem is easy to solve if you have enough information about the source traffic.
See the attached picture at this link

Follow these few steps to configure your firewall to add 2nd and 3rd gateways:
1/ Identify the source network subnets or IP addresses
2/ Go to Router > Static > Policy Routing, and enter the appropriate information as in the picture
above.
3/ Run a tracert command from a computer within the source networks; you will see which gateway
it comes out of.
If you are still not clear, let me know.
Hao

john says:
July 7, 2013 at 8:46 am

Hello,
I have a Fortigate 60C with 2 WANs connected.
All internet traffic is routed to WAN1.
I wanted to know if it is possible to force specific URLs to go out from WAN2?
For example, when a user types facebook.com in his browser it will go out from WAN2.
Cheers,
John

Hao Nguyen says:
August 9, 2013 at 3:15 pm

Hi John,
If you want to force traffic to and from specific subnets, you can use a ROUTING POLICY. Please see this
article for more information:
http://www.plaintutorials.com/policy-based-routing-on-fortigate-firewall/
Thanks,
Hao Nguyen

Policy-based Routing in Cisco Routers | Plain Tutorials




2012 Plain Tutorials - Free resources and tips for Networking and Computing
