FortiWAN How to set up routing rules for Tunnel Routing

Tunnel Routing requires a symmetric FortiWAN deployment: a FortiWAN unit at each end of the tunnels. Symmetric routing rules are therefore also required, so that traffic in both directions is carried through the tunnels. A routing rule is made of three basic elements:

What traffic is to be carried by Tunnel Routing? Tunnel Routing filters traffic by Source, Destination and Service.

Which tunnel group carries that traffic? A predefined tunnel group is applied to the matched traffic, which is then transmitted according to how the tunnel group is defined: the balancing algorithm, the tunnels, their weights, the encryption and the DSCP marking.

What happens if the tunnel group fails? A tunnel group is considered failed only when every tunnel defined in it is disconnected, as detected by Tunnel Routing's tunnel health detection mechanism, so another path for the traffic must be specified. As long as at least one tunnel in the group remains connected, Tunnel Routing keeps using the group for transmission.

Next we introduce the two ways, Routing Rule and Default Rule, to establish the routing rules for Tunnel Routing.

Routing Rules

This is the general way to set routing rules for Tunnel Routing. A routing rule contains the three basic elements above; it matches traffic by Source, Destination and Service and assigns it a (Tunnel) Group and a Fail-Over action. A routing rule set on one FortiWAN site requires a symmetric counterpart on the opposite FortiWAN site, otherwise only one direction of the connection is carried by the tunnels.

Add: Click the Add button to add a new rule.

Source: The source of the connection (see "Using the web UI"). Options:

IPv4 Address, IPv4 Range and IPv4 Subnet: match traffic coming from the specified IPv4 address, range or subnet.

LAN: match traffic coming from the LAN area.

DMZ: match traffic coming from the DMZ area.

Any Address: match traffic coming from any IP address.

Destination: The destination of the connection (see "Using the web UI"). Options:

IPv4 Address, IPv4 Range and IPv4 Subnet: match traffic going to the specified IPv4 address, range or subnet.

WAN: match traffic going to the WAN area.

Service: The TCP/UDP service to be matched. The default is "Any". Administrators can select one of the well-known service types (e.g. FTP) or specify the TCP/UDP port number. To specify a range of ports, type the starting port number, a hyphen "-" and the ending port number, e.g. "TCP@123-234" (see "Using the web UI").

Group: The tunnel group used to carry the traffic matched by Source, Destination and Service. The balancing algorithm and the tunnels over which the traffic is distributed are defined in the tunnel group.

Fail-Over: The fail-over policy for the situation in which all the WAN links (tunnels) of the tunnel group selected in this rule have failed. Possible options are:

NO-ACTION: Traffic is not diverted when the tunnel group fails, and transmission fails.

Auto Routing: Traffic is re-evaluated against the Auto Routing rules and transmitted according to the Auto Routing policies. Transmission fails if no Auto Routing rule matches.

Tunnel: [Group Name]: All defined tunnel groups are listed as options. Traffic is diverted to the selected back-up tunnel group; however, diverted traffic is not diverted a second time if the back-up tunnel group has also failed. Note: selecting the same tunnel group as specified in the Group field as the back-up has the same effect as NO-ACTION.

If your Tunnel Routing deployment requires more than 100 TR routing rules, it is recommended to replace the TR routing rules with TR default rules for better performance.
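The following is an added example, written for this page and not FortiWAN code, that models how the rule elements above are evaluated: Source/Destination/Service matching (including the "TCP@123-234" range syntax), the rule that a tunnel group has failed only when every one of its tunnels is down, the three Fail-Over actions with their two edge cases (a back-up group that has also failed is not diverted again; a back-up equal to the Group field behaves like NO-ACTION), and a check that every rule on one site has its symmetric counterpart on the opposite site. The zone subnets, tunnel-group names and health states, the rule sets and the first-match ordering are all constructed assumptions for the example; the real unit's Auto Routing is stood in for by a caller-supplied function.

```python
"""Toy model of FortiWAN Tunnel Routing rule evaluation (added example, not FortiWAN code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data (assumptions for this example only).
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "LAN": [ipaddress.ip_network("192.168.1.0/24")],
    "DMZ": [ipaddress.ip_network("10.10.10.0/24")],
}
# Tunnel groups: name -> per-tunnel health as tunnel health detection would report it.
TUNNEL_GROUPS: Dict[str, List[bool]] = {
    "TG-Primary": [False, False],   # every tunnel down -> the group has failed
    "TG-Backup": [True, False],     # one tunnel still up -> the group is still used
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    source: str       # "Any Address", "LAN", "DMZ", IPv4 address, "lo-hi" range or CIDR
    destination: str  # as above, or "WAN"
    service: str      # "Any", "TCP@80" or "TCP@123-234"
    group: str        # tunnel group
    failover: str     # "NO-ACTION", "Auto Routing" or "Tunnel: <group>"

def parse_service(spec: str) -> Tuple[str, int, int]:
    """Service field: 'Any' matches everything, otherwise PROTO@port or PROTO@lo-hi."""
    if spec.strip().lower() == "any":
        return ("any", 0, 65535)
    proto, sep, ports = spec.partition("@")
    if not sep:
        raise ValueError(f"service {spec!r} must be 'Any' or PROTO@port[-port]")
    lo_s, _, hi_s = ports.partition("-")
    lo, hi = int(lo_s), int(hi_s) if hi_s else int(lo_s)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    return (proto.strip().lower(), lo, hi)

def match_addr(selector: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if selector == "Any Address":
        return True
    if selector in ZONES:
        return any(ip in net for net in ZONES[selector])
    if selector == "WAN":   # assumption: WAN means "not in any local zone"
        return not any(ip in net for nets in ZONES.values() for net in nets)
    if "-" in selector:     # IPv4 range "a.b.c.d-e.f.g.h"
        lo, hi = (ipaddress.ip_address(p.strip()) for p in selector.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(selector, strict=False)

def match_service(spec: str, flow: Flow) -> bool:
    proto, lo, hi = parse_service(spec)
    return proto == "any" or (proto == flow.proto.lower() and lo <= flow.dport <= hi)

def group_alive(name: str) -> bool:
    """A tunnel group fails only when every tunnel in it is disconnected."""
    return any(TUNNEL_GROUPS[name])

def route(flow: Flow, rules: List[Rule],
          auto_routing: Optional[Callable[[Flow], Optional[str]]] = None) -> Tuple[str, Optional[str]]:
    """First matching rule wins (assumed ordering). Returns (action, detail):
    ('tunnel', group), ('wan', link) via Auto Routing, ('fail', reason) or ('no-match', None)."""
    for r in rules:
        if not (match_addr(r.source, flow.src) and match_addr(r.destination, flow.dst)
                and match_service(r.service, flow)):
            continue
        if group_alive(r.group):
            return ("tunnel", r.group)
        # Group failed: the fail-over action is applied once and never chained.
        if r.failover == "NO-ACTION":
            return ("fail", f"{r.group} down, NO-ACTION")
        if r.failover == "Auto Routing":
            link = auto_routing(flow) if auto_routing else None
            return ("wan", link) if link else ("fail", "no Auto Routing rule matched")
        if not r.failover.startswith("Tunnel: "):
            raise ValueError(f"unknown fail-over {r.failover!r}")
        backup = r.failover[len("Tunnel: "):]
        if backup == r.group:          # same group as back-up behaves like NO-ACTION
            return ("fail", f"{r.group} down, back-up is the same group")
        if not group_alive(backup):    # diverted traffic is not diverted again
            return ("fail", f"{r.group} and back-up {backup} both down")
        return ("tunnel", backup)
    return ("no-match", None)

def mirror(rule: Rule) -> Rule:
    """Counterpart the opposite site needs: source and destination swapped
    (assumes address selectors and identical group names on both sites)."""
    return Rule(rule.destination, rule.source, rule.service, rule.group, rule.failover)

def missing_counterparts(site_a: List[Rule], site_b: List[Rule]) -> List[Rule]:
    """Rules on site A for which site B has no symmetric rule."""
    keys_b = {(r.source, r.destination, r.service) for r in site_b}
    return [r for r in site_a if (r.destination, r.source, r.service) not in keys_b]

# Constructed two-site rule sets; site B is missing the mirror of the DMZ rule.
SITE_A_RULES = [
    Rule("LAN", "172.16.0.0/16", "TCP@443", "TG-Primary", "Tunnel: TG-Backup"),
    Rule("DMZ", "172.16.0.0/16", "TCP@123-234", "TG-Primary", "NO-ACTION"),
    Rule("LAN", "172.16.0.0/16", "Any", "TG-Primary", "Auto Routing"),
]
SITE_B_RULES = [mirror(SITE_A_RULES[0]), mirror(SITE_A_RULES[2])]

if __name__ == "__main__":
    print(route(Flow("192.168.1.10", "172.16.5.5", "tcp", 443), SITE_A_RULES))
    print(route(Flow("10.10.10.5", "172.16.5.5", "tcp", 200), SITE_A_RULES))
    print(route(Flow("192.168.1.10", "172.16.5.5", "udp", 53), SITE_A_RULES, lambda f: "WAN1"))
    print([r.service for r in missing_counterparts(SITE_A_RULES, SITE_B_RULES)])
```

With TG-Primary fully down, the HTTPS flow is diverted once to TG-Backup, the DMZ flow fails because its rule says NO-ACTION, and the catch-all LAN rule hands the flow to the Auto Routing stand-in; the counterpart check reports the DMZ rule that site B lacks, which is exactly the asymmetry that breaks the return direction.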



This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
