Advice on Fortigate firewall

ch@rge

Hi All,

Just a query: can anyone point me in the right direction to correctly configure a FortiGate firewall? I've used it for 3 years now and it runs beautifully. However, we've had a new ADSL line installed and want to route traffic per Active Directory group (e.g. one group of users runs on one line (WAN1), the other on the next line (WAN2)).

We've had authentication on the firewall since implementation; however, I've tried (and failed) to get the two lines to run at the same time without hassles (I can route all traffic on one line, or the other, but not split concurrently). We make use of the DMZ for our servers and it is running without any issues after I reconfigured the firewall.

Any assistance/advice would immensely help :-)
 
Just a question about the Active Directory groups: do they have their own subnet?
Also, do WAN1/2 have their own gateway addresses you could supply to the different subnets?

Surely with a route between the two subnets they can then communicate and also find their way through the individual gateways.
Or, if the FortiGate has the ability to mark packets, connections and routing, then define WAN1/2 with their routing marks. I know this works with MikroTik; can't be sure for FortiGate. Hope any of this helps.
 
(I'm assuming the FortiGate dials the ADSL connections with dynamic IPs; if not, then the policy route screenshots below might be giving you the wrong info... if you have static business ADSL accounts with static IPs you need to specify the next-hop gateway IP in the policy routing rules.)

I'm not sure you can route traffic per group, or username, or anything but from an IP or subnet, i.e. route traffic from IP range 192.168.2.0/24 over WAN2.

Once you add a 2nd (or 3rd, 4th, etc.) WAN link to your FortiGate you will have to start using Policy Routes (as far as I'm aware).

I was told years ago that you need to set the "Distance" and "Priority" correctly under the routes. Priority should stay 0, and then just change the Distance of the second line to anything higher than 10, i.e. 40 like below.

[screenshot: routes.jpg]
Then create a default Policy Route rule to route ALL traffic over the default line to start with:

[screenshot: policyroute1.jpg]


After that default rule you can then add more ABOVE it (always move it above the default rule; rules are processed from top to bottom). Let's say you have a few people on a range of 192.168.1.0/24 and some on 192.168.2.0/24, and you want to route 192.168.2.0/24 over the new ADSL on WAN2.

Add a policy route:
[screenshot: policyroute2.jpg]
 
You will have to add a policy route for your DMZ network as well if that network is on one of the FortiGate ports...

Let's say port 3 here is the DMZ network. That will also have to be in there, and if you want VPN users to be able to access it, also add that route.

[screenshot: policyroute111.jpg]

You could also just route HTTP or HTTPS traffic, or whatever...

[screenshot: routehttp.jpg]
 
Just one thing I'll throw in here, because it's easy to miss, especially if you have inbound services: the asymmetrical routing setting. It makes sure that if traffic comes in over WAN1 the response is sent back out over WAN1.

Your outbound routing based on AD is an interesting one. Perhaps try it with just the correct static routes set up as per irBosOtter and no policy routes, along with the firewall policies.
 
Thanks irBosOtter & Clarotech for the assistance. It seems I'm struggling here with the Policy Routing.

Basically, our servers on static IPs are set to route on the DMZ, and all other authenticated users run to either WAN1 or WAN2, based upon their AD organisational group. I've got the servers running nicely (in the screenshot below, I've only added a static route for our mail server to test the environment), and can choose ALL traffic to go to either WAN1 or WAN2 (depending on the order of the policy rule; thanks irBosOtter, you reminded me of that one)...

[screenshot: Fortigate Policy.jpg]

If I remove the policy rules for WAN1 & 2, then traffic will only go to WAN1 (irrespective of whether the firewall policy is active on WAN2).
Any further help will be appreciated :-)

P.S. We make use of FSSO to apply our firewall policies for filtering, etc.
 

Each AD group is on the same subnet & server. Our network is connected to the firewall which, in turn, has the 3 WANs connected to it.
 

The firewall policies themselves do not tell the firewall to route users over different WAN interfaces. They just allow the access out if the traffic is told to route out over that interface.
So back to policy routing it is :)

The bottom two rules look the same (or are you routing different protocols with those two?). Also, I don't see a default policy route to route all traffic out, the one that should be at the bottom, i.e. incoming internal, source 0.0.0.0/0.0.0.0, destination 0.0.0.0/0.0.0.0, outgoing interface WAN1 or WAN2, depending on which link you want as your main link.
So the rules are processed from the top; the WAN1 rule gets hit before the WAN2 rule, so ALL traffic is routed over WAN1.
Both sources are the same (10.3.11.0/24), so the first rule matches and it will not even bother to look at your last one (again, unless you route different protocols, which the default screen does not show).

What you need to do is either place users on a different subnet, i.e. 10.3.12.0/24, and route them over WAN2

Or, lots of work:

Reserve the users' IPs in DHCP so that they will always get the same IP.
Then you can create policy routes per IP.

So if you want the user with IP 10.3.11.120 to route over WAN2, you will specify the source as 10.3.11.120/32 and outgoing WAN2.

Look at no. 21 in this screenshot. It's routing all traffic from that one PC, IP 10.1.5.64, over WAN2 (port 7 in this case).

[screenshot: policyroute111.jpg]

[screenshot: Capture12.JPG]


I suppose your default policy route can be one of those you have, just decide which you want your main link to be.

Then add policy routes per IP ABOVE it, so when traffic comes from those PCs their rules get hit first and they get routed out over WAN2. If there is no rule then it will take the last default rule to route all traffic over WAN1.
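As an added example (not from this thread, and not the poster's configuration), here is a FortiOS CLI rendering of the layout irBosOtter describes above: two static default routes with the second line at distance 40, a LAN-to-DMZ exception first, a per-IP /32 rule above a catch-all default rule last. Interface names (internal, port3, wan1, wan2), both next-hop gateways and the DMZ subnet are placeholders, the `#` lines are annotations to strip before pasting, and exact keywords vary slightly by FortiOS version.

```text
# Placeholders: interface names (internal, port3, wan1, wan2), the two
# next-hop gateways and the DMZ subnet. Keywords vary slightly by FortiOS version.

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 40
    next
end

# Policy routes: evaluated top down, first match wins, so order matters.
config router policy
    # 1. LAN to DMZ stays on the DMZ port (otherwise rule 3 would push it out WAN1)
    edit 1
        set input-device "internal"
        set src "10.3.11.0/255.255.255.0"
        set dst "192.168.50.0/255.255.255.0"
        set output-device "port3"
    next
    # 2. one DHCP-reserved PC routed over WAN2 (gateway only needed for static ADSL)
    edit 2
        set input-device "internal"
        set src "10.3.11.120/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
    # 3. catch-all default for everything else, must remain last
    edit 3
        set input-device "internal"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 192.0.2.1
        set output-device "wan1"
    next
end
```

Two rules with the same source and destination (the situation in the screenshot) would both be matched by rule 3 here; only the one listed first is ever used, which is why the per-IP rules must sit above it.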
 
Was worried that I needed to do this. I figured that I'll be able to reserve the commonly used devices to use WAN2 and then the rest on WAN1 (it's a bit messy, but I can't seem to find any alternatives at this point).

Only problem will arise when someone brings their own device onto the network - can't guarantee which WAN they will use...

I set the bottom two rules to try and allow access from the LAN over both WANs, hoping that I'd then be able to set the AD groups to use the specific WAN in the firewall policies. (Our network stays in the same subnet at this point.)
 
What do your static routes look like?

[screenshot: Static Routing.jpg]

IP blacked out due to it being a static IP. I could, in theory, assign my server range exclusively to the DMZ. However, during this initial setup, I wanted to get the system working ASAP.
 
Do you just want to spread the load or are you trying to give some people better contention? If you just want to split the load there is load balancing as well.
 

Basically, I want to have more relaxed rules for the one group of users (WAN1) and assign them to one line exclusively. The rest will be shunted to the other line (WAN2). It will also mean that I can use WAN1 for updates (WSUS) when that small group is not using the line (e.g. evenings).
 

Well, if all IPs are reserved and you created a few policy routes for some PCs/devices (or all of them) and the guy brings in a new device, it will use the last default policy route rule, as you will not have set up a policy route rule for that device. So it will use whatever the default rule is, say over WAN1.
 
Sorry, or maybe create policy route rules for 5 devices at a time, i.e.
10.3.11.10-10.3.11.15 route over WAN2
10.3.11.20-10.3.11.25 route over WAN2

So the IPs before (10.3.11.1-9), between (10.3.11.16-10.3.11.19) and after (10.3.11.26-254) will go over the default WAN1.

Just a suggestion; it will be fewer policy route rules to create.
 
I also thought of splitting the subnet 'in half'. Set all IPs from 10.3.11.15-140 on WAN1 and then 10.3.11.141-250 on WAN2.

Then statically assign the allocations on our DHCP server. It will mean constantly performing admin for new devices, etc. :o
Alternatively, I could use the load balancing feature of the firewall, and then just shape the groups accordingly.
 

Jip, you can also do that, up to you.
 
I've done some fiddling and I can't see a way to do this other than with policy routes, as irBosOtter has suggested. I have, however, fired a mail at another FG techie to see if he has any other thoughts.
 