Policy routing examples, Routing a service to an external network – Fortinet FortiGate-800 User Manual
FortiGate-800 Installation and Configuration Guide, page 55
NAT/Route mode installation
Configuration example: Multiple connections to the Internet
Policy routing examples
Adding policy routing increases your control over how packets are routed. Policy routing works on top of destination-based routing. To increase the control provided by destination-based routing, configure destination-based routing first and then build policy routing on top.
For example, if you use destination-based routing to configure routing for dual Internet connections, you can use policy routing to better control which traffic is sent to which destination route. This section describes the following policy routing examples, based on a topology similar to that shown in Figure 9 on page 51. Differences are noted in each example.
The policy routes described in these examples work only if you have already defined destination routes similar to those described in the previous section.
• Routing traffic from internal subnets to different external networks
• Routing a service to an external network
For more information about policy routing, see
Routing traffic from internal subnets to different external networks
If the FortiGate unit provides Internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and 192.168.20.0, you can enter the following policy routes:
1 Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0 external network:
    set system route policy 1 src 192.168.10.0 255.255.255.0 dst 100.100.100.0 255.255.255.0 gw 1.1.1.1
2 Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 external network:
    set system route policy 2 src 192.168.20.0 255.255.255.0 dst 200.200.200.0 255.255.255.0 gw 2.2.2.1
Routing a service to an external network
You can use the following policy routes to direct all HTTP traffic (using port 80) to one external network and all other traffic to the other external network.
1 Enter the following command to route all HTTP traffic using port 80 to the next hop gateway with IP address 1.1.1.1:
    set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 protocol 6 port 80 80 gw 1.1.1.1
2 Enter the following command to route all other traffic to the next hop gateway with IP address 2.2.2.1:
    set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1
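As an added illustration (not FortiOS code and not from the manual), the following Python model evaluates both examples above as data: policy routes are checked in sequence order, the first match selects the gateway, and a packet that matches no policy falls through to the destination-based route table. The first-match ordering, the packet field names (src, dst, protocol, dport) and the sample packets are assumptions of the model; the networks and gateways are the manual's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def parse_net(net_mask: str) -> ipaddress.IPv4Network:
    """'192.168.10.0 255.255.255.0' -> IPv4Network; '0.0.0.0 0.0.0.0' means any."""
    net, mask = net_mask.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

@dataclass
class PolicyRoute:
    """Model of one 'set system route policy <n>' entry (constructed, not FortiOS code)."""
    seq: int
    src: str
    dst: str
    gw: str
    protocol: Optional[int] = None            # IP protocol number, e.g. 6 = TCP
    ports: Optional[Tuple[int, int]] = None   # inclusive destination port range

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in parse_net(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in parse_net(self.dst):
            return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.ports is not None:
            lo, hi = self.ports
            if not lo <= pkt.get("dport", -1) <= hi:
                return False
        return True

def next_hop(policies, pkt: dict) -> Optional[str]:
    """First matching policy (by sequence number) decides the gateway.
    None means no policy matched, so the destination-based route table applies."""
    for pol in sorted(policies, key=lambda p: p.seq):
        if pol.matches(pkt):
            return pol.gw
    return None

# 'Routing a service to an external network': HTTP first, then a catch-all.
SERVICE_POLICIES = [
    PolicyRoute(1, "0.0.0.0 0.0.0.0", "0.0.0.0 0.0.0.0", "1.1.1.1", protocol=6, ports=(80, 80)),
    PolicyRoute(2, "0.0.0.0 0.0.0.0", "0.0.0.0 0.0.0.0", "2.2.2.1"),
]
# 'Routing traffic from internal subnets': no catch-all, so other subnets fall through.
SUBNET_POLICIES = [
    PolicyRoute(1, "192.168.10.0 255.255.255.0", "100.100.100.0 255.255.255.0", "1.1.1.1"),
    PolicyRoute(2, "192.168.20.0 255.255.255.0", "200.200.200.0 255.255.255.0", "2.2.2.1"),
]
```

Swapping the two service policies so the catch-all is policy 1 sends HTTP to 2.2.2.1 as well, which is why the order of the entries, not just their contents, must be checked when reviewing a configuration.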