Configuration example:
HQ
1. Configure IPsec VPN (Interface mode) Phase1 and Phase2 settings on FortiGate at HQ
config vpn ipsec phase1-interface
edit "vpn"
set interface "wan1"
set peertype any
set remote-gw 10.47.0.109
set psksecret ENC wZsGLei0…………………
next
end
config vpn ipsec phase2-interface
edit "vpn"
set phase1name "vpn"
set dst-subnet 10.128.0.0 255.255.254.0
next
end
2. Configure IPsec security policy on FortiGate at HQ (the example uses srcaddr/dstaddr "all" and service "ALL" for brevity; in production narrow these to the actual local and remote segments and required services, here and in step 6)
config firewall policy
edit 1
set name "to remote vpn" < ------- to allow local segment to access remote vpn segment
set srcintf "port1"
set dstintf "vpn"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "vpn to internet" < ------- to allow remote vpn segment to access internet
set srcintf "vpn"
set dstintf "wan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
3. Configure routing table for FortiGate at HQ
config router static
edit 1 < ------- route for internet access via wan2
set gateway x.x.x.x
set device "wan2"
next
edit 2 < ------- route to remote vpn segment
set dst 10.128.0.0 255.255.254.0
set device "vpn"
next
end
Branch
4. Configure IPsec VPN (Policy-Based) Phase1 and Phase2 settings on FortiGate at Branch
config vpn ipsec phase1
edit "PolicyVPn"
set interface "wan1"
set peertype any
set remote-gw 10.47.0.2
set psksecret ENC A3Aeo6SH+UF………..
next
end
config vpn ipsec phase2
edit "PolicyVPn"
set phase1name "PolicyVPn"
set src-subnet 10.128.0.0 255.255.254.0
next
end
5. Create Schedule on FortiGate at Branch
config firewall schedule recurring
edit "Working hours"
set start 09:00
set end 18:00
set day sunday monday tuesday wednesday thursday friday saturday
next
end
6. Configure IPsec security policy on FortiGate at Branch
config firewall policy
edit 1
set name "vpnpolicy" < --- to allow & forward Branch local segment to access internet via HQ
set srcintf "port25"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action ipsec
set schedule "Working hours" < ------- effective only during “Working hours”
set schedule-timeout enable < ------- to enable schedule expiration
set service "ALL"
set logtraffic all
set inbound enable
set vpntunnel "PolicyVPn" < ------- must match the phase1 name configured in step 4
next
edit 2
set name "to_internet" < -- to allow Branch local segment to access internet via default route
set srcintf "port25"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
7. To further fine tune “Schedule expiration”
config firewall policy
edit 1
set firewall-session-dirty check-new
end
config system settings
set firewall-session-dirty check-policy-option
end
Verification:
# diag sys session list
session info: proto=1 proto_state=00 duration=4 expire=59 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 < ------- not via VPN Tunnel
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=300/5/1 reply=300/5/1 tuples=2
tx speed(Bps/kbps): 71/0 rx speed(Bps/kbps): 71/0
orgin->sink: org pre->post, reply pre->post dev=39->3/3->39 gwy=10.47.3.254/10.128.0.111
hook=post dir=org act=snat 10.128.0.111:1->8.8.8.8:8(10.47.0.109:62464)
hook=pre dir=reply act=dnat 8.8.8.8:62464->10.47.0.109:0(10.128.0.111:1)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=000050b1 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason: non-npu-intf
# diag sys session list
session info: proto=1 proto_state=00 duration=4 expire=59 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=PolicyVPn/ vlan_cos=0/255 < ------- via VPN Tunnel
state=log oe f00 hlife persistent
statistic(bytes/packets/allow_err): org=300/5/1 reply=300/5/1 tuples=2
tx speed(Bps/kbps): 68/0 rx speed(Bps/kbps): 68/0
orgin->sink: org pre->post, reply pre->post dev=39->3/3->39 gwy=10.47.3.254/10.128.0.111
hook=pre dir=org act=noop 10.128.0.111:1->8.8.8.8:8(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.8.8:1->10.128.0.111:0(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00005151 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x1040000
no_ofld_reason: non-npu-intf