Policy Routing on a FortiGate Firewall

This is a small example of how to configure policy routes (also known as policy-based forwarding or policy-based routing) on a Fortinet firewall, which is really simple. Only one single configuration page and you’re done. 😉

(Compared to my other PBR/PBF tutorials for Juniper ScreenOS and Palo Alto Networks, only one screenshot is needed to explain the policy route. OK, it is not that flexible, but it is easy.)

In my lab, I have a static default route via the wan1 interface. On the wan2 interface, there is a simple DSL connection to the Internet which shall be used for http/https traffic from the users. That is: everything from the users’ IP segment (192.168.161.0/24) to the destination ports 80 and 443 shall be forwarded to this DSL connection. One exemption is needed, though: if the destination is on the internal LAN, the connection must not be policy routed, otherwise internal web traffic would be sent out of the DSL line. (Of course, appropriate security policies must be in place, too.) Policy routes are evaluated top-down and the first match wins, so the exemption has to sit above the forwarding entries. The configuration is done under Router -> Static -> Policy Routes:
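The same policy routes in CLI form, as an added example that is not taken from the original post: the interface name "internal", the aggregate 192.168.0.0/16 standing in for "the internal LAN", the DSL gateway 203.0.113.1 and the FortiOS 5.4-style syntax (`set action deny` is the CLI equivalent of the GUI option "Stop Policy Routing") are assumptions. Lines starting with `#` are explanatory comments and are ignored when pasted into the CLI.

```fortios
# Added example (not from the original post). Entry 1 is the exemption and
# must come first: policy routes are matched top-down, first match wins.
config router policy
    edit 1
        set comments "Exemption: internal destinations use the normal routing table"
        set input-device "internal"
        set src "192.168.161.0/255.255.255.0"
        set dst "192.168.0.0/255.255.0.0"
        set action deny
    next
    edit 2
        set comments "Users HTTP via DSL"
        set input-device "internal"
        set src "192.168.161.0/255.255.255.0"
        set protocol 6
        set start-port 80
        set end-port 80
        set gateway 203.0.113.1
        set output-device "wan2"
    next
    edit 3
        set comments "Users HTTPS via DSL"
        set input-device "internal"
        set src "192.168.161.0/255.255.255.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end

# Checks: list the active policy routes with their hit counters, confirm that a
# route via wan2 exists in the routing table, and watch HTTP leave on wan2.
diagnose firewall proute list
get router info routing-table all
diagnose sniffer packet wan2 'port 80' 4
```

Two entries are needed for the ports because start-port/end-port is a contiguous range and 80-443 would also catch everything in between. A policy route only takes effect if a route to the destination via the output device exists in the routing table, so the `get router info routing-table all` check is worth doing before blaming the policy route.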

That’s it. In the Forward Traffic Log, it is easy to see which destination interface is used, depending on the destination port:

Forward Traffic Log with Destination Interface.

5 thoughts on “Policy Routing on a FortiGate Firewall”

  1. Hello,
    Thanks a lot for your tutorial, but where is this option in V5.4?
    Router doesn’t exist …

    1. Hi Nicit,
      you probably have not enabled the feature under System -> Config -> Features -> Advanced Routing. Note that these settings only enable/disable the GUI sections, while the actual features are enabled every time.
      After that your “Router” sections should be present again.

  2. If I use switch mode for internal / LAN and then create a VLAN on that, how do I create routing from the VLAN to internal?

    1. Hi djoun,
      I can’t see what you mean. If you have locally configured networks (regardless of which kind: VLAN, LAN, internal, whatever), NO additional routing must be created, since all networks are in the routing table automatically. You should see all the attached networks in the routing table.
      (Don’t forget the security policies before sending traffic.)

      1. Hi,

        Can I use policy routes to “override” the internal routing table?

        I’ve got a server that needs to talk to a network (over vpn)

        The ip-space on that network overlaps with that of a local vlan (not the one that the server is on)

        The server does not need to talk to the local vlan, so I figured I could just use a policy that looks like this:

        x.x.x.10 (server) -> y.y.y.0 (remote network) via vpn-interface.

        Flow Trace shows that it is still trying the local vlan interface for traffic destined to the ipsec interface.

        Any thoughts?
