9.4.0

Policy Based Routing

Why it is Needed

Because a VPN client keeps the same IP address when its network access changes (for example, when it is moved between the isolation network and production), traffic between the agent and FortiNAC can be dropped because of asymmetric routing: the request arrives on one FortiNAC interface and the reply would leave through another. By default, CentOS 7 enables strict reverse path filtering, which drops a packet that arrives on an interface other than the one the kernel would use to reach its source. Even if FortiNAC were allowed to transmit the asymmetric reply, it would most likely be dropped elsewhere in the network, for example by a stateful firewall that sees only one direction of the flow.

Example 1:

Default route = eth0

Resulting behavior:

  • Restricted (isolated) host communication over VPN would ingress eth1 and egress eth0, resulting in an asymmetric route.

  • Non-restricted (production) host communication over VPN would ingress eth0 and egress eth0.

Example 2:

Default route = eth0

Static route = eth1 for VPN network

Resulting behavior:

  • Restricted (isolated) host communication over VPN would ingress eth1 and egress eth1.

  • Non-restricted (production) host communication over VPN would ingress eth0 and egress eth1, resulting in an asymmetric route.

Policy Based Routing is used to ensure FortiNAC responds to inbound traffic using the interface from which it was received.

How it Does it

The setupAdvancedRoute script builds a separate route table for each FortiNAC interface (eth0, eth1, eth1:1, eth1:2, and so on). Each table contains routes for the various networks, all of them leaving through that interface. A reply to a packet received on an interface is sourced from that interface's address, and an ip rule matching that source address sends the route lookup to the interface's own table first. If that table holds no route for the destination, the lookup falls through to the main route table. The ip rules, in priority order, determine which tables are consulted and in what sequence.

Example:

Main Route Table

Destination    Gateway          Mask             Interface
0.0.0.0        10.10.200.1      0.0.0.0          eth0
10.10.18.0     10.10.201.129    255.255.255.0    eth1
10.10.19.0     10.10.201.129    255.255.255.0    eth1:1

Eth0 Route Table

Destination    Gateway          Mask             Interface
0.0.0.0        10.10.200.1      0.0.0.0          eth0
10.10.18.0     10.10.200.1      255.255.255.0    eth0
10.10.19.0     10.10.200.1      255.255.255.0    eth0

Eth1 Route Table

Destination    Gateway          Mask             Interface
0.0.0.0        10.10.201.129    0.0.0.0          eth1
10.10.18.0     10.10.201.129    255.255.255.0    eth1
10.10.19.0     10.10.201.129    255.255.255.0    eth1

Eth1:1 Route Table

Destination    Gateway          Mask             Interface
0.0.0.0        10.10.201.129    0.0.0.0          eth1:1
10.10.18.0     10.10.201.129    255.255.255.0    eth1:1
10.10.19.0     10.10.201.129    255.255.255.0    eth1:1
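To make the lookup order concrete, the following shell script (an added example, not FortiNAC's setupAdvancedRoute script or any other FortiNAC code) simulates the rule-then-table lookup the kernel performs for a reply packet, using the route tables above. It assumes an eth0 address of 10.10.200.147 on 10.10.200.0/24 (from the route-eth0 example on this page) and an eth1 address of 10.10.201.130 on 10.10.201.0/24; the page gives only the eth1 gateway. Labels such as eth1:1 are not separate devices in Linux, so their routes are listed on eth1 here.

```shell
#!/bin/sh
# Added example, not FortiNAC's setupAdvancedRoute script: simulates the
# rule-then-table lookup the kernel performs for a FortiNAC reply packet,
# using the route tables on this page. Assumptions (the page gives only the
# eth1 gateway): eth0 address 10.10.200.147 on 10.10.200.0/24 and eth1
# address 10.10.201.130 on 10.10.201.0/24. Labels such as eth1:1 are not
# devices, so their routes are shown on eth1.

# Routes as "<table> <prefix> <gateway or - for on-link> <device>".
ROUTES='main 0.0.0.0/0 10.10.200.1 eth0
main 10.10.200.0/24 - eth0
main 10.10.201.0/24 - eth1
main 10.10.18.0/24 10.10.201.129 eth1
main 10.10.19.0/24 10.10.201.129 eth1
eth0 0.0.0.0/0 10.10.200.1 eth0
eth0 10.10.200.0/24 - eth0
eth0 10.10.18.0/24 10.10.200.1 eth0
eth0 10.10.19.0/24 10.10.200.1 eth0
eth1 0.0.0.0/0 10.10.201.129 eth1
eth1 10.10.201.0/24 - eth1
eth1 10.10.18.0/24 10.10.201.129 eth1
eth1 10.10.19.0/24 10.10.201.129 eth1'

# Rule sets as "<prio> <from> <table>": the stock rules, and the rules the
# script adds (one per interface address, below the main table at 32766).
RULES_DEFAULT='0 all local
32766 all main'
RULES_PBR='0 all local
10 10.10.200.147 eth0
20 10.10.201.130 eth1
32766 all main'

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside prefix $2 (for example 10.10.18.0/24).
in_prefix() {
    ip_net=${2%/*}; ip_plen=${2#*/}
    ip_mask=$(( (4294967295 << (32 - ip_plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & ip_mask )) -eq $(( $(ip2int "$ip_net") & ip_mask )) ]
}

# Longest-prefix match for destination $2 in table $1.
# Prints "dev <device> via <gateway>" or "dev <device> onlink"; nothing if no route.
lookup_table() {
    lt_tbl=$1; lt_dst=$2; lt_best=-1; lt_hit=""
    oifs=$IFS; IFS='
'
    for line in $ROUTES; do
        IFS=$oifs
        set -- $line
        [ "$1" = "$lt_tbl" ] || continue
        lt_plen=${2#*/}
        if in_prefix "$lt_dst" "$2" && [ "$lt_plen" -gt "$lt_best" ]; then
            lt_best=$lt_plen
            if [ "$3" = "-" ]; then lt_hit="dev $4 onlink"; else lt_hit="dev $4 via $3"; fi
        fi
    done
    IFS=$oifs
    printf '%s\n' "$lt_hit"
}

# Walk rules $1 in priority order for a reply sourced from $2 to $3; the first
# table that holds a route wins, which is what "ip rule" ordering means.
resolve() {
    rs_rules=$1; rs_src=$2; rs_dst=$3
    oifs=$IFS; IFS='
'
    for rule in $(printf '%s\n' "$rs_rules" | sort -n); do
        IFS=$oifs
        set -- $rule
        [ "$2" = all ] || [ "$2" = "$rs_src" ] || continue
        rs_hit=$(lookup_table "$3" "$rs_dst")
        if [ -n "$rs_hit" ]; then printf 'table %s: %s\n' "$3" "$rs_hit"; return 0; fi
    done
    IFS=$oifs
    printf 'no route\n'; return 1
}

# Example 2 above: a reply from the eth0 address to an isolated VPN client.
resolve "$RULES_DEFAULT" 10.10.200.147 10.10.18.5   # main table: leaves via eth1 (asymmetric)
resolve "$RULES_PBR"     10.10.200.147 10.10.18.5   # eth0 table: stays on eth0
resolve "$RULES_PBR"     10.10.201.130 10.10.18.5   # eth1-sourced reply: eth1
```

Run it with sh. The three calls at the end reproduce Example 2: with only the main table, a reply sourced from the eth0 address to an isolated client in 10.10.18.0/24 leaves via eth1, while the eth0 rule and its table keep the reply on eth0. A reply sourced from an address that matches no rule still falls through to the main table, which is the behaviour the per-interface rules are there to avoid.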

The route tables and ip rules for each configured interface are written as per-interface files in /etc/sysconfig/network-scripts/, where the network scripts apply them each time the interface is brought up.

Route files:

route-eth0

route-eth1

route-eth1:1

Example

> cat route-eth0

default via 10.10.200.1 dev eth0 src 10.10.200.147 table eth0

10.10.200.0/24 dev eth0 proto kernel scope link src 10.10.200.147 table eth0

Rule files:

rule-eth0

rule-eth1

rule-eth1:1

Example

> cat rule-eth0

from 10.10.200.147 lookup eth0 prio 10

Other Commands

Display the IP rules in effect and the order in which the route tables are consulted:

ip rule show

Display the routing table for a specific interface (the table name is the interface name):

ip route show table <table name>

Example: ip route show table eth1

Table names such as eth1 are resolved through /etc/iproute2/rt_tables. If ip reports that a table name is invalid, that name has no entry in that file, and the route and rule files that reference it cannot be applied.

Modifying or Adding Interfaces After Script Has Run

  1. Run the script. Type

    setupAdvancedRoute

  2. Type U to uninstall

  3. Once uninstalled, re-run the script. Type

    setupAdvancedRoute

  4. Type I to install

  5. Once script completes, verify configuration. Type

    ip rule show

    There should now be a rule listed for each interface and sub-interface configured, each with a priority below the main table rule (32766) so that it is consulted first:

    0: from all lookup local

    10: from <eth0 IP address> lookup eth0

    20: from <eth1 IP address> lookup eth1

    30: from <eth1:1 IP address> lookup eth1:1

    40: from <eth1:2 IP address> lookup eth1:2

    32766: from all lookup main

    32767: from all lookup default

    Example:

    >ip rule show

    0: from all lookup local

    10: from 10.200.20.20 lookup eth0

    20: from 10.200.5.20 lookup eth1

    30: from 10.200.5.21 lookup eth1:1

    40: from 10.200.5.22 lookup eth1:2

    32766: from all lookup main

    32767: from all lookup default

    If an interface or sub-interface is missing from this list, replies sourced from its address fall through to the main table and the asymmetric routing described above returns; repeat steps 1 through 4.

  6. Reboot appliance. Type

    shutdownNAC

    <wait 30 seconds>

    shutdownNAC -kill

    reboot

  7. Proceed to Authentication Server Settings.
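The following shell functions (an added example, not FortiNAC code) automate the check in step 5 and add one the procedure does not spell out: that each per-interface table actually carries a default route with the interface's address as its src. The ip rule show and ip route show table outputs are constructed to match the example above, with eth1:2 deliberately left without a rule to show the case the uninstall/reinstall cycle fixes; the eth1:1 gateway 10.200.5.1 and the eth1:2 address are assumptions.

```shell
#!/bin/sh
# Added example, not FortiNAC code: checks the result of step 5 and one thing
# the procedure does not spell out, that each per-interface table carries a
# default route sourced from that interface's address. The command output
# below is constructed; on an appliance, pass "$(ip rule show)" and
# "$(ip route show table <name>)" instead.

# Configured "<interface> <address>" pairs (addresses from the example above).
EXPECTED='eth0 10.200.20.20
eth1 10.200.5.20
eth1:1 10.200.5.21
eth1:2 10.200.5.22'

# Constructed "ip rule show" output from an appliance where eth1:2 was added
# after the script had run, so it has no rule yet.
RULE_OUTPUT='0: from all lookup local
10: from 10.200.20.20 lookup eth0
20: from 10.200.5.20 lookup eth1
30: from 10.200.5.21 lookup eth1:1
32766: from all lookup main
32767: from all lookup default'

# Constructed "ip route show table eth1:1" output; the gateway 10.200.5.1 is
# an assumption, and the label eth1:1 is carried by device eth1.
TABLE_ETH1_1='default via 10.200.5.1 dev eth1 src 10.200.5.21
10.200.5.0/24 dev eth1 proto kernel scope link src 10.200.5.21'

# Print each interface in $1 that has no "from <address> lookup <interface>"
# rule in $2 with a priority below the main table rule (32766).
missing_rules() {
    mr_expected=$1; mr_rules=$2
    oifs=$IFS
    IFS='
'
    for pair in $mr_expected; do
        IFS=$oifs
        set -- $pair
        mr_iface=$1; mr_addr=$2; mr_found=0
        IFS='
'
        for rule in $mr_rules; do
            IFS=$oifs
            set -- $rule   # "<prio>:" from <address> lookup <table>
            if [ "$3" = "$mr_addr" ] && [ "$5" = "$mr_iface" ] && [ "${1%:}" -lt 32766 ]; then
                mr_found=1
            fi
        done
        IFS=$oifs
        [ "$mr_found" -eq 1 ] || printf '%s\n' "$mr_iface"
    done
    IFS=$oifs
}

# Succeed only if table dump $2 has a default route whose src is address $1,
# the route a reply sourced from that address needs for off-subnet clients.
has_default_for() {
    hd_addr=$1; hd_dump=$2
    oifs=$IFS
    IFS='
'
    for route in $hd_dump; do
        IFS=$oifs
        set -- $route
        [ "$1" = default ] || continue
        while [ $# -gt 0 ]; do
            if [ "$1" = src ] && [ "$2" = "$hd_addr" ]; then return 0; fi
            shift
        done
    done
    IFS=$oifs
    return 1
}

for iface in $(missing_rules "$EXPECTED" "$RULE_OUTPUT"); do
    echo "no ip rule for $iface: run setupAdvancedRoute again (U to uninstall, then I to install)"
done
if has_default_for 10.200.5.21 "$TABLE_ETH1_1"; then
    echo "table eth1:1 has a default route sourced from 10.200.5.21"
fi
```

A rule that exists but sits above 32766 is reported as missing on purpose: the main table would be consulted before it, so it would never take effect for replies.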
