Policy Based Routing (PBR) in Fortigate Firewall [Explained]

Captions
Thank you for tuning in, guys. In this tutorial I'm going to demonstrate how you can use policy-based routing on the FortiGate firewall in different scenarios. On the screen, as you can see, I have a situation where the traffic from most of my clients, PC 1, PC 2, PC 3, PC 5, all the traffic for the DNS 8.8.8.8, is actually diverted towards an external DNS proxy, where I have a lot of restrictions on the DNS traffic and I do the DNS structuring on the DNS traffic. Well, as of now, the traffic from the administrative device is also going the same way, as in the entire traffic from all the network below is forwarded to the DNS proxy device or the DNS proxy server, and I just have a static route configured on the FortiGate firewall which states that any traffic towards the DNS IP is forwarded to the DNS proxy server. Well, in my situation, in my network, I don't want the administrative traffic, or the DNS traffic from the administrator device, to go to the DNS proxy server. I want the traffic to go directly to the internet. So that is the condition here: the traffic from the administrative devices should go to the FortiGate firewall, and from there it should go directly to the internet, and I can achieve that using policy-based routing, which I'm going to demonstrate in the next step.

So the network topology is pretty simple. Port 1 connects to the internet; port 2 again connects to the internet, but it goes through a series of devices, one among them is the DNS proxy; and port 3 connects my internal network. So this is the FortiGate firewall. I have port 1, 2, 3. Port 3 is connecting my internal network and it is in the network 10.10.10.0, and .2 is the IP address configured on port 3, and the network is wide open, 10.0.0.0/8. Port 1 connects to the internet, port 2 goes through the proxy devices, and the static route, as you can see, the default route pointing to 192.168.0.1, and the traffic for 8.8.8.8 is diverted towards the DNS proxy for all the devices, and I have to override this particular situation here.

So if you click on Policy Route, which is policy-based route, and if you try to create an entry, that will take preference over the conventional static routing table. So anything that you define here will take priority over your static routing table. Let me delete and create a new one. Okay, so let's create an entry. So my incoming interface is port 3, as per our situation, as per our network topology; port 3 is the incoming interface, port 1 is the outgoing interface, and the source IP is this particular machine's IP, which is 10.10.10.1, let's take it /32, and the destination is going to be 8.8.8.8. And if you have multiple addresses you can specify them here by clicking on the plus sign. And I am not selecting any internet service. I'm selecting the protocol as any, which means I want to forward all the traffic, any kind of traffic, for the destination 8.8.8.8 towards the internet. So in this scenario I am forwarding the traffic: you can click on outgoing interface, enable this button, click on port 2, I'm sorry, click on port 1. Port 1 is the outgoing interface with the IP 192.168.0.108 as per our network topology, and our gateway is, okay, this is my external firewall which allows the internet access. And you can enable and disable this particular policy-based routing entry. So once again: incoming interface is port 3, outgoing interface is port 1, I can define the gateway, and it can be different from what you have in your conventional routing table, which is again an advantage while fine-tuning the routing. I have the source as my administrative device IP 10.10.10.1, protocol is any. If you want you can click UDP, but then I do a lot of testing with the DNS traffic with all kinds of protocols like TCP, UDP; I'm not checking those options, I'm going with any. Let's try to click OK.

So now that I have entry 1, whenever the traffic from the source 10.10.10.1 towards the IP 8.8.8.8 comes into the FortiGate firewall, instead of taking the route, this one, it is going to check this entry first and forward the traffic. As you can see, I already have an entry; the hit count is increasing by one. Let's try to see. You can see here pinging 8.8.8.8 is successful through the FortiGate firewall. So these are the entries for the sessions that were created when the traffic was actually hitting the firewall, and you can see the source as 10.10.10.1 going towards 8.8.8.8, and this might be the entry from the last session. Okay, you can see here previously it was going towards the 14.140.40.190 gateway, which is my DNS proxy server, and now the latest session entry, as you can see, 10.10.10.1 is actually going to my external perimeter firewall interface 192.168.0.108. Let's try to clear the session and recheck this. Now you can see clearly that the traffic is going from port 3 to port 1, where our gateway is 192.168.0.1, and we can check this as well with the help of this command. You can see here there's nothing going on on port 1 and the traffic...

Well, to confirm that the policy-based routing is working fine, now what I'm going to do is disable this entry. Okay, now it is greying out, which means that the entry is disabled, and the traffic should take the static routing table entry. Now that I have that in the configuration, the traffic should fail to the destination 8.8.8.8 from this particular machine. Before that, let's try to clear the session; as you can see we already have the session, so the traffic might take the existing session and go out as per the session entry. Okay, so now let's try to initiate a ping. You can see here it is failing because I have disabled the policy-based routing entry. You can see here the traffic from the source for the destination 8.8.8.8 is going towards the DNS proxy. So, well, if I go to this entry and enable this, first of all I have to remove this session entry, and let's try to do it again. Boom! So that is actually a confirmation that whatever configuration we have on the FortiGate firewall is working fine and our policy-based routing is kicking in. You can see the in interface and out interface as well, along with the gateway information and the session details. So that's all in this video, friends. If you have any questions, do leave them in the comment section, I'll try to answer them, and please do subscribe to my channel, hit the like button if you really enjoyed this video. See you in the next video. Bye.
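The policy route built in the GUI above, written out as FortiOS CLI, together with the session checks used in the demo. This is an added example, not configuration from the video; interface names, the 10.10.10.1/32 source, the 8.8.8.8 destination and the 192.168.0.1 gateway follow the topology described, and the `#` lines are annotations, not CLI input. Keeping the source a single /32 matters here: every host matched by this entry bypasses the DNS proxy and its restrictions.

```text
# FortiOS CLI equivalent of policy route entry 1.
# Policy routes are evaluated before the static routing table; first match wins.
config router policy
    edit 1
        set input-device "port3"
        set src "10.10.10.1/255.255.255.255"
        set dst "8.8.8.8/255.255.255.255"
        set protocol 0
        set gateway 192.168.0.1
        set output-device "port1"
        set status enable
    next
end
# protocol 0 = any; the gateway may differ from the routing-table next hop.

# Verify which path the test traffic takes (field names vary by FortiOS version).
diagnose firewall proute list
diagnose sys session filter dst 8.8.8.8
diagnose sys session list

# Existing sessions keep their old path, so clear them before re-testing.
# With the filter above set, clear only drops the filtered sessions; without
# a filter it drops every session on the unit.
diagnose sys session clear

# Fall-back test: disable the entry and the 8.8.8.8 traffic should follow the
# static route towards the DNS proxy again.
config router policy
    edit 1
        set status disable
    next
end
```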
Info
Channel: TechTalkSecurity
Views: 11,072
Keywords: firewall, fortigate, Fortigate, fortinet, Fortinet, how, to, configure, policy, based, routing, route, policy-based, table, override, preference, tutorial, in, configuration, explained, complete, guide, cmd, cmds, cli, GUI, scenario, security, ngfw, steps, 7.0.0, 6.4.0, vm, networking, network, pbr, PBR, firmware, version
Id: 9SFVXYa4iCM
Length: 13min 15sec (795 seconds)
Published: Sat Jan 15 2022