Articles from Plain Tutorials

Policy-based Routing on Fortigate Firewall


2012-10-24 11:10:32 Hao Nguyen

As a firewall, Fortigate must know which next-hop to send the traffic to. The routing information is maintained by routing tables in a Fortigate box. Basically, the routing table indicates which interface and next-hop IP address to redirect the traffic to, based on the destination host or network. As said, the routing table is sufficient when your routing decision is based on destination. But what if the routing decision has to be based on the source host or network? The answer is to use Policy-based Routing. This tutorial shows you how to configure Policy-based Routing on Fortigate. I will have another article about configuring policy-based routing on a Cisco router.

To configure Policy-based Routing on Fortigate, you must know this information: source network/host (incoming interface), destination network/host (outgoing interface), and the types of traffic that will trigger the policy. For example, in the following diagram, I would like to route my Office network 192.168.2.0/24 to use the DSL line, and the rest of the network to use the leased line. On Fortigate, I will have a default route pointing to the leased-line router, where all traffic is redirected to, including the traffic generated by the Office network. Moreover, I need to configure an entry within Policy-based Routing to specifically redirect the Office network to use the DSL line.

Configuring Policy-based Routing on Fortigate

1. Log in to Fortigate under an administrative account.
2. Click Router on the left side menu, then select Policy Routing.
3. On the top of the right pane, click Create New to create a new policy.
4. When the new policy configuration dialogue appears, enter the following information:

Protocol - Leave it as default. This number is found in the IP packet header; refer to RFC 5237. It ranges from 0 to 255.
Incoming Interface - The interface where the traffic is coming from. In the above diagram, the traffic comes from Port 10.
Source Address/Mask - Source network of the traffic. In this case, my source network is the Office network 192.168.2.0/24.
Destination/Mask - Destination network of the traffic. Since I want all traffic from the Office network (to everywhere) to be routed through the DSL line, I will leave Destination/Mask at its default, which matches everything.
Destination Ports - Traffic types defined by ports. I will leave it as default because I want all traffic to be routed by this policy.
Type of Service - Leave it at the default settings.
Outgoing Interface - The port the traffic will exit through. In this case, my outgoing interface is Port 6.
Gateway Address - Next-hop IP. In this case, my next-hop is 192.168.5.254, which is the internal IP address of the DSL router.

5. Click OK when everything is filled in.
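The same policy route, entered from the FortiOS CLI instead of the GUI, is shown below as an added example (it is not configuration from the original article). The interface names port10 and port6 are assumed from the "Port 10" and "Port 6" labels in the text, and the exact keyword syntax varies a little between FortiOS releases, so check it against your own firmware's `config router policy` reference.

```fortios
config router policy
    edit 1
        # match only packets arriving on port10 from the Office network
        set input-device "port10"
        set src "192.168.2.0/255.255.255.0"
        # dst, protocol, ports and tos are left at their defaults, so every
        # destination and traffic type from that source is matched
        set output-device "port6"
        set gateway 192.168.5.254
    next
end
```

Policy routes are evaluated before the regular routing table, so a packet from 192.168.2.0/24 on port10 leaves via port6 toward 192.168.5.254 (the DSL router), while everything else falls through to the default route toward the leased-line router. Two checks are worth doing after saving: first, a policy route only chooses the egress interface, it does not permit anything, so a firewall policy from port10 to port6 must still allow the Office traffic or it will be dropped; second, on releases that include it, `diagnose firewall proute list` prints the active policy routes, which is a quick way to confirm the entry was installed with the interfaces and gateway you intended.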

Alright, it's done. Now, jump on any computer in the Office network and run a tracert command to 4.2.2.2; you should see the traffic going out through the DSL line.

    C:\>tracert -d 4.2.2.2
    Tracing route to 4.2.2.2 over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  192.168.2.254
      2    <1 ms    <1 ms    <1 ms  192.168.100.254
      3     1 ms    <1 ms    <1 ms  192.168.5.254
      4     1 ms     1 ms     1 ms  123.249.57.49
    ^C
    C:\>

Load balancing: by using Policy-based Routing, you could load balance your network traffic by spreading it across multiple connections.