Fortinet Documentation


Re-route traffic via secondary static route

  • 1.  Re-route traffic via secondary static route

    Posted Nov 12, 2019 03:29 AM

    Hello,
    I have a situation where I have one primary static route for subnet X via interface A.

    And I created a secondary static route with a worse priority for the same subnet X via interface B.


    My goal is to use only interface B for traffic, and that change has to be done with the smallest possible impact on current production.
    Can you advise me the best way to do it?

    I was thinking mainly about the session table on the firewall. Disabling the primary static route, forcing the routing engine to choose the secondary static route, will also change the outgoing interface. Will it clear the session table?

    Thanks a lot for answers & ideas.

    Br
    Pavel Ficek



  • 2.  RE: Re-route traffic via secondary static route

    2
    Posted Nov 12, 2019 04:43 AM
    Hello Pavel,

    Please either contact Fortinet Support at https://support.fortinet.com about this question or post it on a technical forum.

    Bill


  • 3.  RE: Re-route traffic via secondary static route

    Posted Nov 15, 2019 05:55 AM
    Hi Pavel,

    The way I would do this is create a policy route to force new traffic out the Interface B route.  It should only impact newly established sessions through the firewall meaning that any previous sessions established with the old Interface A routes will continue to work.

    Does this make sense?


  • 4.  RE: Re-route traffic via secondary static route

    Posted Nov 15, 2019 06:08 AM
    Hi Johnatan,
    Those interfaces lead to router.
    That would make sense if we look only at outgoing traffic. But for reply traffic, I can choose only one interface (on the router).
    I suppose antispoofing would be dropping backward traffic coming to a different interface?


  • 5.  RE: Re-route traffic via secondary static route

    Posted Nov 15, 2019 06:35 AM
    Hi Pavel,

    I do think I am clear on what exactly you are asking then.  Can you provide a network diagram of what you are referring to for clarification?

    Antispoofing/Reverse Path Forwarding does not drop traffic on the FortiGate when there is a valid route going out of the interface the traffic is received on.
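The approach in replies 3 and 5, sketched as an added FortiOS CLI example that was not posted by anyone in the thread; interface names, the subnet and the gateway addresses are placeholder assumptions:

```text
# Added example, not from the thread. Assumed placeholders:
# subnet X = 192.168.10.0/24, interface A = port2 (gateway 10.1.2.1),
# interface B = port3 (gateway 10.1.3.1), LAN side = port1.

# Starting point as described in the question: same distance, B has the
# worse (higher) priority, so both routes stay in the routing table.
config router static
    edit 1
        set dst 192.168.10.0 255.255.255.0
        set gateway 10.1.2.1
        set device "port2"
        set priority 10
    next
    edit 2
        set dst 192.168.10.0 255.255.255.0
        set gateway 10.1.3.1
        set device "port3"
        set priority 20
    next
end

# Step 1 (reply 3): policy route steering NEW sessions for subnet X out
# port3. Policy routes are consulted before the static table, and sessions
# already bound to port2 keep their existing path until they expire.
config router policy
    edit 1
        set input-device "port1"
        set dst "192.168.10.0/255.255.255.0"
        set gateway 10.1.3.1
        set output-device "port3"
    next
end

# Step 2 (reply 5): confirm both routes are still present. Reverse path
# forwarding accepts replies on port2 or port3 as long as a valid route to
# the source exists via the receiving interface, so keep route 1 until the
# old sessions have drained.
get router info routing-table all
diagnose firewall proute list

# Step 3: watch remaining port2-bound sessions for a host in subnet X
# (placeholder 192.168.10.5) before deleting static route 1.
diagnose sys session filter dst 192.168.10.5
diagnose sys session list
```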