Created on 01-14-2015 04:28 PM Edited on 01-04-2022 01:35 PM By Anonymous
Description
FortiOS 5.2 adds a new type of interface called a virtual WAN link.
A virtual WAN link consists of two or more physical interfaces that are connected to two or more ISPs. The FortiGate unit sees the virtual WAN link as a single interface when applying security policies.
Virtual WAN service:
An optional step is to configure a service in the Virtual WAN Load Balancing menu.
How it works: The Virtual WAN service definition causes a policy route to be added.
Care should be taken in defining a Virtual WAN service, particularly if you have any inbound traffic from the Internet. The resulting policy route will apply to ALL matching traffic regardless of which interface it arrives on.
Suggested practice:
Solution
Example: Virtual WAN service to route SMTP traffic out the dmz interface
In the following example, SMTP traffic is sent out the dmz interface, but ONLY if it originates from the subnet "3net", which is defined as 3.0.0.0/24. SMTP traffic from any other subnet is routed normally.
The resulting configuration in the CLI is as follows:
config system virtual-wan-link
    config members
        edit 1
            set interface "dmz"
            set gateway 1.1.1.1
        next
        edit 2
            set interface "wan2"
            set gateway 2.2.2.2
        next
    end
    config service
        edit "smtp-outbound"
            set member 1
            set protocol 6
            set start-port 25
            set end-port 25
            set dst "all"
            set src "3net"
        next
    end
end
This assumes that the source address had previously been defined:
config firewall address
    edit "3net"
        set subnet 3.0.0.0 255.255.255.0
    next
end
And after a static route is added pointing out the virtual WAN link, the following policy route shows up, reflecting the above virtual WAN service config:
FGT# diagnose firewall proute list
list route policy info(vf=root):
id=4281649408 flags=0x0 tos=0x00 tos_mask=0x00 protocol=6 dport=25:25 sport=1:65535
iif=0 src=3.0.0.0/255.255.255.0
dst=0.0.0.0/0.0.0.0 oif=6 gwy=1.1.1.1
Note: iif=0 means that the incoming interface is unspecified, so this policy route is evaluated for matching traffic no matter which interface it arrives on. Restricting the source (here "3net") is what keeps it from catching inbound traffic from the Internet.
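The caveat above is easy to verify after the fact by reading the policy route table back. The following script is an added example (not part of the article or of FortiOS) that parses the text of `diagnose firewall proute list`, as shown above, and flags every policy route whose incoming interface is unspecified (iif=0); it rates the finding high when the source is also any (0.0.0.0/0.0.0.0), because such a route would redirect matching traffic from every interface, including inbound Internet traffic. The sample input embeds the article's own record plus a second, constructed record for contrast; the `audit_proute` and `parse_proute` names and the severity scheme are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample input. The first record is the output shown in the
# article; the second is a made-up record with an any-source match so the
# audit has something to rate as high.
SAMPLE_PROUTE_OUTPUT = """\
list route policy info(vf=root):
id=4281649408 flags=0x0 tos=0x00 tos_mask=0x00 protocol=6 dport=25:25 sport=1:65535
iif=0 src=3.0.0.0/255.255.255.0
dst=0.0.0.0/0.0.0.0 oif=6 gwy=1.1.1.1
id=4281649409 flags=0x0 tos=0x00 tos_mask=0x00 protocol=6 dport=25:25 sport=1:65535
iif=0 src=0.0.0.0/0.0.0.0
dst=0.0.0.0/0.0.0.0 oif=6 gwy=1.1.1.1
"""

# Each field in the output has the form key=value; values never contain spaces.
KV_RE = re.compile(r"(\w+)=(\S+)")

# IANA protocol numbers for the two values most commonly seen in these routes.
PROTO_NAMES = {"6": "tcp", "17": "udp"}

ANY_PREFIX = "0.0.0.0/0.0.0.0"


def parse_proute(text: str) -> List[Dict[str, str]]:
    """Split 'diagnose firewall proute list' output into one dict per policy route.

    A new record begins at every line that starts with 'id='; the continuation
    lines that follow (iif/src, dst/oif/gwy) are merged into the same record.
    The header line before the first record is ignored.
    """
    routes: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("id="):
            routes.append({})
        if not routes:
            continue  # still in the header, before any record
        routes[-1].update(KV_RE.findall(line))
    return routes


def audit_proute(routes: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag policy routes that apply regardless of incoming interface (iif=0).

    Severity is 'high' when the source is also any, since the route then
    redirects all matching traffic from every interface; otherwise 'info',
    because a specific source subnet limits the blast radius.
    """
    findings: List[Dict[str, str]] = []
    for route in routes:
        if route.get("iif") != "0":
            continue
        src = route.get("src", "?")
        proto = PROTO_NAMES.get(route.get("protocol", ""), route.get("protocol", "?"))
        severity = "high" if src == ANY_PREFIX else "info"
        findings.append({
            "id": route.get("id", "?"),
            "severity": severity,
            "reason": (
                f"iif=0: {proto} dport {route.get('dport', '?')} from {src} "
                f"is policy-routed via {route.get('gwy', '?')} on any incoming interface"
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_proute(parse_proute(SAMPLE_PROUTE_OUTPUT)):
        print(f"[{finding['severity']}] id={finding['id']}: {finding['reason']}")
```

Run it against a saved copy of the real command output to review every Virtual WAN service's policy route in one pass; any entry rated high is a service whose source should be narrowed to a specific address object, as the article's "3net" example does.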