How to set up routing rules for Tunnel Routing
To perform Tunnel Routing, symmetric FortiWAN deployment is a basic requirement. Therefore, symmetric routing rules are also required for two-way data transmission. A routing rule here contains three basic elements that are
What is the traffic to be transferred by Tunnel Routing? Tunnel Routing filter traffic by Source, Destination and Service.
Which Tunnel Group is employed to transfer the traffic? Apply a predefined tunnel group to the specified traffic, then it will be transferred according to the how the tunnel group is defined; the balancing algorithm, the tunnels, the weight, the encryption and DSCP.
What to do if the Tunnel Group fails? A failed tunnel group means all the tunnels defined in the tunnel group are disconnected (detected by Tunnel Routing’s tunnel healthy detection mechanism). Therefore, it is necessary to specify another way for the traffic. Note that as long as one tunnel in a tunnel group remains connected, Tunnel Routing keeps employing the tunnel group for transmission.
Next we introduce the two ways, Routing Rule and Default Rule, to establish the routing rules for Tunnel Routing.
This is the general way to set routing rules for Tunnel Routing. A routing rule contains the three basic elements above, which evaluates traffic by Source, Destination, Service, (Tunnel) Group and Fail-Over. Note that a routing rule sat on a FortiWAN site is required symmetrically for the opposite FortiWAN site, so that the bidirectional transmission is achieved.
|Add||Click the Add button to add a new rule.|
|Source||The source of the connection (See “Using the web UI”).
IPv4 Address, IPv4 Range and IPv4 Subnet: To filter out the traffic coming from the specified IPv4 Address, IPv4 Range or IPv4 Subnet. LAN: To filter out the traffic coming from LAN area.
DMZ: To filter out the traffic coming from DMZ area.
Any Address: To filter out the traffic coming from any IP address
|Destination||The destination of the connection (See “Using the web UI”).
IPv4 Address, IPv4 Range and IPv4 Subnet: To filter out the traffic going to the specified IPv4 Address, IPv4 Range or IPv4 Subnet.
WAN: To filter out the traffic going to WAN area.
|Service||The TCP/UDP service type to be matched. The default is “Any”. Administrators can select from the publicly known service types (e.g. FTP), or can choose the port number in TCP/UDP packet. To specify a range of port numbers, type starting port number plus hyphen “-” and then end port number. e.g. “TCP@123-234” (See “Using the web UI”).|
|Group||The tunnel group used to transfer the specified traffic (filtered by Source, Destination and Service). The balancing algorithm and tunnels for distributing the traffic are defined in the tunnel group.|
|Fail-Over||This field defines the fail-over policy for situation that all the WAN links (tunnels) of the specified tunnel group in the routing rule fail. Possible options are:
NO-ACTION: Traffic will not be diverted when the tunnel group get failed, and transmission will get failed.
Auto Routing: Traffic will be re-evaluated against Auto Routing’s rules and transferred according to the Auto Routing policies. Transmission gets failed if there is no rule matches.
Tunnel: [Group Name]: All the defined tunnel groups are listed for options. Traffic will be diverted to the specified tunnel group here, however, the diverted traffic will not be diverted again if the beck-up tunnel group is also failed. Note: it takes the same action as “NO-ACTION” if a tunnel group that is the same as what specified in field “Group” is selected as back-up for fail-over here.
If your TR network deployment requires more than 100 TR routing rules, replacing the TR routing rules with TR default rules will be suggested for better performance.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!