chall_FTNT
Staff
Article Id 189686

Description
FortiOS 5.2 adds a new type of interface called a virtual WAN link. 

A virtual WAN link consists of two or more physical interfaces that are connected to two or more ISPs.  The FortiGate unit sees the virtual WAN link as a single interface when applying security policies.

Virtual WAN service:
An optional step is to configure a service in the Virtual WAN Load Balancing menu. 

  • It is not necessary to define ANY virtual WAN service in order to send traffic out a virtual WAN link.
  • This is intended to allow specific outbound traffic to be routed out a specific member of the virtual WAN link.

How it works: The Virtual WAN service definition causes a policy route to be added.

Care should be taken when defining a Virtual WAN service, particularly if you have any inbound traffic from the Internet.  The resulting policy route is evaluated before the routing table and applies to ALL matching traffic regardless of which interface it arrives on.  A service that matches only on protocol and port, with no source address, will therefore also catch inbound sessions on that port (for example SMTP arriving from the Internet for a server published with a Virtual IP) and send them out the selected virtual WAN member instead of forwarding them normally.

Suggested practice:

  • A safe practice is to specify a source address when defining the service. 
  • This is particularly important if you have inbound traffic (for example, using a Virtual IP).


Solution
Example: Virtual WAN service to route SMTP traffic out the dmz interface

In the following example, SMTP traffic will be sent out the dmz interface but ONLY if originating from the subnet "3net" which is defined as 3.0.0.0/24.  SMTP traffic from any other subnet will be routed normally.

[Image: chall_FD36030_vwl-config.PNG, the Virtual WAN Load Balancing service configured in the GUI]

The resulting configuration in the CLI is as follows:

config system virtual-wan-link
        config members
            edit 1
                set interface "dmz"
                set gateway 1.1.1.1
            next
            edit 2
                set interface "wan2"
                set gateway 2.2.2.2
            next
        end
        config service
            edit "smtp-outbound"
                set member 1
                set protocol 6
                set start-port 25
                set end-port 25
                set dst "all"
                set src "3net"
            next
        end
end

This assumes that the source address had previously been defined:

config firewall address
    edit "3net"
        set subnet 3.0.0.0 255.255.255.0
    next
end

Once a static route pointing out the virtual WAN link has been added, the following policy route appears, reflecting the virtual WAN service configured above:

FGT# diagnose firewall proute list
list route policy info(vf=root):
id=4281649408 flags=0x0 tos=0x00 tos_mask=0x00 protocol=6 dport=25:25 sport=1:65535
        iif=0 src=3.0.0.0/255.255.255.0
        dst=0.0.0.0/0.0.0.0 oif=6 gwy=1.1.1.1

Note: iif=0 means that the incoming interface is unspecified, so this policy route is matched against traffic from every interface; only the src=3.0.0.0/255.255.255.0 restriction keeps it from catching inbound SMTP.
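The policy-route behaviour described above (any ingress interface, match on protocol, port, source and destination) can be checked offline against the text that "diagnose firewall proute list" prints. The following Python script is an added example and is not part of the original article or of FortiOS: it parses that output format, reports routes that combine iif=0 with an unrestricted source (the pattern a service defined without a source address produces), and simulates whether a given packet would be selected. The sample output is constructed from the article's route plus a hypothetical second route id (4281649409) with src=0.0.0.0/0.0.0.0 for comparison; treating protocol=0 as "any protocol" is an assumption.

```python
"""
Audit FortiGate policy routes from 'diagnose firewall proute list' output.

Added example, not code from the original article or from FortiOS.
"""
import ipaddress
import re

# Constructed sample: route 4281649408 is the article's; 4281649409 is a
# hypothetical service defined without 'set src', added to show what gets flagged.
SAMPLE = """\
list route policy info(vf=root):
id=4281649408 flags=0x0 tos=0x00 tos_mask=0x00 protocol=6 dport=25:25 sport=1:65535
        iif=0 src=3.0.0.0/255.255.255.0
        dst=0.0.0.0/0.0.0.0 oif=6 gwy=1.1.1.1
id=4281649409 flags=0x0 tos=0x00 tos_mask=0x00 protocol=6 dport=25:25 sport=1:65535
        iif=0 src=0.0.0.0/0.0.0.0
        dst=0.0.0.0/0.0.0.0 oif=6 gwy=1.1.1.1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_proute(text):
    """Return one dict per policy route, keyed by the field names in the output."""
    routes = []
    for line in text.splitlines():
        pairs = dict(KV_RE.findall(line))
        if "id" in pairs:
            routes.append(pairs)          # a line starting with id= opens a new route
        elif routes and pairs:
            routes[-1].update(pairs)      # indented lines continue the current route
    return routes


def to_network(addr_mask):
    """Convert the 'address/netmask' form printed by FortiOS into an ip_network."""
    addr, mask = addr_mask.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def port_range(spec):
    lo, hi = spec.split(":")
    return int(lo), int(hi)


def route_matches(route, src_ip, dst_ip, protocol, dport, sport=40000):
    """True if a packet with these attributes would be selected by this policy route.

    Only iif=0 (any incoming interface) is modelled; a non-zero iif would have to be
    compared with the real ingress interface index, which this script does not know.
    """
    if route["iif"] != "0":
        return False
    if route["protocol"] not in ("0", str(protocol)):   # assumption: 0 means any protocol
        return False
    lo, hi = port_range(route["dport"])
    if not lo <= dport <= hi:
        return False
    lo, hi = port_range(route["sport"])
    if not lo <= sport <= hi:
        return False
    return (ipaddress.ip_address(src_ip) in to_network(route["src"])
            and ipaddress.ip_address(dst_ip) in to_network(route["dst"]))


def unrestricted_routes(routes):
    """IDs of routes that match any incoming interface and any source address."""
    return [r["id"] for r in routes
            if r["iif"] == "0" and to_network(r["src"]).prefixlen == 0]


if __name__ == "__main__":
    parsed = parse_proute(SAMPLE)
    print("unrestricted policy routes:", unrestricted_routes(parsed))
    for r in parsed:
        inbound = route_matches(r, "198.51.100.7", "10.0.0.25", 6, 25)
        print(f"route {r['id']}: catches inbound SMTP from the Internet -> {inbound}")
```

Run it against a pasted copy of your own "diagnose firewall proute list" output: any route id reported by unrestricted_routes is a service that should be given a source address.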
