
Friday, December 23, 2016

FortiGate - How to configure Policy Routing for HO to Branch communication

Policy routing enables you to redirect traffic away from a static route. This can be useful if you want to route certain types of network traffic differently. You can use incoming traffic’s protocol, source address or interface, destination address, or port number to determine where to send the traffic. For example, generally network traffic would go to the router of a subnet, but you might want to direct SMTP or POP3 traffic directly to the mail server on that subnet.

If you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (at a minimum the outgoing FortiGate interface, plus the IP address of the next-hop router when the outgoing interface is not point-to-point), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table. Note that a policy route only decides where a packet is sent; a matching firewall policy between the two interfaces is still required for the traffic to be allowed.


Step 1 - To create a new policy route, go to Network > Policy Routes and click "Create New".
Step 2 - Configure the policy route as in the example below, from Port1 (Internal) to h2 (VPN).

        Protocol => The protocol to match (leave as "any" unless you want only specific traffic, such as TCP or UDP, to use this route).
        Incoming Interface => Local / internal network port (Port1).
        Source Address => Local / internal network subnet.
        Destination Address => Remote subnet, i.e. the branch network we want to reach.
        Outgoing Interface => The interface through which the remote network is reached (the VPN interface h2).
        Gateway Address => Next-hop gateway on the outgoing interface. For a point-to-point VPN tunnel interface it can be left empty (0.0.0.0); for an Ethernet interface with an upstream router it must be set.
Step 3 - Configure a second policy route for the return traffic, from h2 (VPN) to Port1 (Internal), with the source and destination subnets and the interfaces swapped.


Step 4 - After creating both policy routes, verify that they work by pinging a host on the branch network from the internal network (and back), and check that a firewall policy permits the traffic in both directions.
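The same two policy routes and the verification, entered from the FortiOS CLI instead of the GUI. This is an added example and not part of the original post; the interface names Port1 and h2 come from the post, while the subnets 192.168.1.0/24 (HO LAN) and 10.10.20.0/24 (branch LAN) and the Port1 address 192.168.1.1 are assumed for illustration.

```text
# Assumed addressing (constructed for this example, not from the original post):
#   port1  Internal (HO LAN)         192.168.1.0/24, FortiGate address 192.168.1.1
#   h2     IPsec VPN tunnel interface to the branch
#   Branch LAN behind the tunnel     10.10.20.0/24

config router policy
    # Policy route 1: HO LAN -> branch LAN, forced out the VPN interface.
    # Keep src/dst as narrow as possible: policy routes are checked before
    # the routing table, so an over-broad entry overrides your static routes.
    edit 1
        set input-device "port1"
        set src "192.168.1.0/255.255.255.0"
        set dst "10.10.20.0/255.255.255.0"
        set output-device "h2"
        # h2 is a point-to-point tunnel interface, so no next-hop gateway
        # is needed; for an Ethernet uplink you would set "set gateway x.x.x.x".
        set gateway 0.0.0.0
        set action permit
        set status enable
    next
    # Policy route 2: return traffic from the branch LAN back into port1.
    edit 2
        set input-device "h2"
        set src "10.10.20.0/255.255.255.0"
        set dst "192.168.1.0/255.255.255.0"
        set output-device "port1"
        set gateway 0.0.0.0
        set action permit
        set status enable
    next
end

# Verification: list the installed policy routes and their match criteria.
diagnose firewall proute list

# Verification: ping a branch host from the FortiGate itself, sourcing the
# probe from the port1 address so it matches policy route 1.
execute ping-options source 192.168.1.1
execute ping 10.10.20.1
execute ping-options reset
```

On older FortiOS releases the subnet is given as address and mask separated by a space (`set src 192.168.1.0 255.255.255.0`) rather than the quoted `address/mask` form. If the ping fails even though `diagnose firewall proute list` shows the routes, check the firewall policies between port1 and h2 first, since a policy route cannot make traffic pass that a firewall policy does not allow.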

That's it...