FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
snowman_FTNT
Staff
Article Id 194455

Description

This article describes the steps to configure a FortiGate to perform routing based on specific URLs.

As an example, general internet traffic should use port1, but the specific site www.fortinet.com should be reached only over port2. The benefit of this setup is that the URL is resolved dynamically, so it can be used for cloud-based applications whose addresses change, where standard policy-based routing on fixed destination addresses is not efficient.


To achieve this, dual internet line connectivity needs to be in place already. Instructions and steps can be found in the related KB article "Technical Note: Configuring link redundancy - Traffic load-balancing / load-sharing - ECMP (Equal Cost Multiple Path) - Dual Internet or WAN scenario".


Solution

Configuration

1. Configure the DNS servers to be used for IPS URL filter resolution.
config system ips-urlfilter-dns
    edit 208.91.112.53
    next
    edit 208.91.112.52
    next
end
2. Configure how often the DNS resolution is retried and for how long the resolved addresses are remembered by the FortiGate.
config webfilter ips-urlfilter-cache-setting
    set dns-retry-interval 1800
    set extended-ttl 432000
end
3. Specify the outgoing interface, gateway address and administrative distance to be used in the static route entries that are populated automatically for the matched URLs.
config webfilter ips-urlfilter-setting
    set device "port2"
    set gateway 192.168.1.2
    set distance 1
end
4. Create a URL filter list containing all URLs that need to be sent over port2. To activate this feature the action must be set to block. Each defined URL must be unique and must not exist on the real server; otherwise users requesting it would be served the replacement block message.
config webfilter urlfilter
    edit 1
        set name "UrlList"
        set one-arm-ips-urlfilter enable
        config entries
            edit 1
                set url "fortinet.com/FakeURLforWebfilter"
                set action block
            next
            edit 2
                set url "forti.net/FakeURLforWebfilter"
                set action block
            next
        end
    next
end
5. Create a web filter profile that uses the URL filter created above.
config webfilter profile
    edit "URLsOverPort2"
        config web
            set urlfilter-table 1
        end
    next
end
6. Create a firewall policy that applies this web filter profile.
config firewall policy
    edit 10
        set srcintf "internal1"
        set dstintf "port1" "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set webfilter-profile "URLsOverPort2"
        set profile-protocol-options "default"
        set nat enable
    next
end
Verification of configuration and troubleshooting

1. Check DNS resolution for www.fortinet.com
$ nslookup fortinet.com
Non-authoritative answer:
Server:  UnKnown
Address:  192.168.198.65
Name:    www.fortinet.com
Addresses:  2620:101:9005:100::80
            66.171.121.44
2. Check that the automatically generated static route for 66.171.121.44 was added to the firewall routing table.
FGT60D (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
              * - candidate default

S*      0.0.0.0/0 [10/0] via 10.108.19.254, port1
                  [10/0] via 192.168.1.2, port2
C       10.108.16.0/22 is directly connected, port1
C       192.168.1.0/24 is directly connected, port2
C       10.158.0.0/22 is directly connected, internal1
S       66.171.121.44/32 [1/0] via 192.168.1.2, port2, [254/0]
3. Use the sniffer to check that traffic to destination 66.171.121.44 leaves over port2.
FGT60D (root) # diagnose sniffer packet any "host 66.171.121.44" 4 10
interfaces=[any]
filters=[host 66.171.121.44]
4.621420 internal1 in 10.158.2.66.50405 -> 66.171.121.44.80: syn 3734828542
4.621724 internal1 out 66.171.121.44.80 -> 10.158.2.66.50405: syn 4262438317 ack 3734828543
4.622091 internal1 in 10.158.2.66.50405 -> 66.171.121.44.80: ack 4262438318
4.622681 internal1 in 10.158.2.66.50405 -> 66.171.121.44.80: psh 3734828543 ack
4.622824 internal1 out 66.171.121.44.80 -> 10.158.2.66.50405: ack 3734829576
4.625467 port2 out 10.108.18.9.50405 -> 66.171.121.44.80: syn 28282687
4.817876 port2 in 66.171.121.44.80 -> 10.108.18.9.50405: syn 3871582676 ack
4.818094 port2 out 10.108.18.9.50405 -> 66.171.121.44.80: ack 3871582677
4.819637 port2 out 10.108.18.9.50405 -> 66.171.121.44.80: psh 28282688 ack
5.014052 port2 in 66.171.121.44.80 -> 10.108.18.9.50405: ack 28283721

10 packets received by filter
0 packets dropped by kernel
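The three verification steps above can be automated. The following Python script is an added example (it is not part of this article and not Fortinet code): it parses the routing table and sniffer output exactly as printed by the FortiGate CLI, finds the best route for the resolved address by longest prefix match, and confirms that a /32 host route points at the expected gateway and interface and that every outbound packet to that address was captured leaving on that interface. The routing table and sniffer lines embedded below are constructed from the output shown above, so the check runs offline; on a live unit the same functions would be fed the output of "get router info routing-table all" and "diagnose sniffer packet".

```python
import ipaddress
import re

# Constructed sample input: the routing table printed in step 2 above.
ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 10.108.19.254, port1
                  [10/0] via 192.168.1.2, port2
C       10.108.16.0/22 is directly connected, port1
C       192.168.1.0/24 is directly connected, port2
C       10.158.0.0/22 is directly connected, internal1
S       66.171.121.44/32 [1/0] via 192.168.1.2, port2, [254/0]
"""

# Constructed sample input: a subset of the sniffer lines printed in step 3 above.
SNIFFER_OUTPUT = """\
4.621420 internal1 in 10.158.2.66.50405 -> 66.171.121.44.80: syn 3734828542
4.621724 internal1 out 66.171.121.44.80 -> 10.158.2.66.50405: syn 4262438317 ack 3734828543
4.625467 port2 out 10.108.18.9.50405 -> 66.171.121.44.80: syn 28282687
4.817876 port2 in 66.171.121.44.80 -> 10.108.18.9.50405: syn 3871582676 ack
4.819637 port2 out 10.108.18.9.50405 -> 66.171.121.44.80: psh 28282688 ack
"""

PREFIX_RE = re.compile(r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")
NEXTHOP_RE = re.compile(r"\[(?P<dist>\d+)/\d+\]\s+via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),\s+(?P<intf>[\w.-]+)")
SNIFF_RE = re.compile(
    r"^\S+\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def parse_routes(text):
    """Return (network, distance, gateway, interface) tuples from routing-table output.

    ECMP continuation lines (indented, no prefix) inherit the prefix of the line above.
    Directly connected routes carry no gateway and are skipped.
    """
    routes = []
    current_prefix = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current_prefix = ipaddress.ip_network(m.group("prefix"))
            rest = m.group("rest")
        else:
            rest = line.strip()
        if current_prefix is None:
            continue
        nh = NEXTHOP_RE.search(rest)
        if nh:
            routes.append((current_prefix, int(nh.group("dist")), nh.group("gw"), nh.group("intf")))
    return routes


def best_route(routes, dst):
    """Longest-prefix match for dst; ties broken by lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[1]))


def egress_interfaces(text, dst):
    """Set of interfaces on which sniffer lines show packets to dst leaving ('out')."""
    seen = set()
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if m and m.group("dir") == "out" and m.group("dst") == dst:
            seen.add(m.group("intf"))
    return seen


def verify_url_routing(routing_table, sniffer_output, resolved_ip, expected_intf, expected_gw):
    """Run the article's checks for one resolved address and return each result by name."""
    route = best_route(parse_routes(routing_table), resolved_ip)
    egress = egress_interfaces(sniffer_output, resolved_ip)
    return {
        # Step 2: a /32 host route was injected for the resolved address.
        "host_route_present": route is not None and route[0].prefixlen == 32,
        # Step 3 (routing): it points at the gateway and device from ips-urlfilter-setting.
        "route_via_expected": route is not None and (route[2], route[3]) == (expected_gw, expected_intf),
        # Step 3 (sniffer): all outbound packets to the address left on that device only.
        "traffic_egress_ok": egress == {expected_intf},
    }


if __name__ == "__main__":
    result = verify_url_routing(ROUTING_TABLE, SNIFFER_OUTPUT, "66.171.121.44", "port2", "192.168.1.2")
    for check, ok in result.items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

If "host_route_present" fails, the URL was not matched by the filter (check that the fake path is unique and the action is block); if the route exists but "traffic_egress_ok" fails, look at the firewall policy, which must list port2 as a destination interface.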

Related Articles

Technical Note: Configuring link redundancy - Traffic load-balancing / load-sharing - ECMP (Equal Co...
