Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Palo Alto Networks Integration

    Home FortiNAC-F 7.2.0 Palo Alto Networks Integration
    7.2.0
    7.4.0
    7.2.0

    Policy Based Routing

    Policy Based Routing

    Why it is Needed

    Because VPN client IP addresses do not change when the network access changes, it is possible for traffic between agent and FortiNAC to drop due to asymmetric routes. By default, CentOS 7 drops asymmetrically routed packets before they leave the interface. If asymmetric traffic were to be allowed to transmit, the packet would most likely be dropped within the network.

    Example 1:

    Default route = eth0

    Resulting behavior:

    • Restricted (isolated) host communication over VPN would ingress eth1 and egress eth0, resulting in an asymmetric route.

    • Non-restricted (production) host communication over VPN would ingress eth0 and egress eth0.

    Example 2:

    Default route = eth0

    Static route = eth1 for VPN network

    Resulting behavior:

    • Restricted (isolated) host communication over VPN would ingress eth1 and egress eth1

    • Non-restricted (production) host communication over VPN would ingress eth0 and egress eth1, resulting in an asymmetric route.

    Policy Based Routing is used to ensure FortiNAC responds to inbound traffic using the interface from which it was received.

    How it Does it

    Using a script, individual route tables are built for each FortiNAC interface (eth0, eth1. eth1:1, eth1:2, etc.). Each table contains routes for various networks to be used by the eth interface. If a packet is received on an interface, FortiNAC first looks for a route containing the source IP’s network in the individual table. If no route for that network is found, FortiNAC looks at the main route table. IP rules determine the order used to lookup the tables.

    Example:

    Main Route Table

    Destination

    Gateway

    Mask

    Interface

    0.0.0.0

    10.10.200.1

    0.0.0.0

    Eth0

    10.10.18.0

    10.10.201.129

    255.255.255.0

    Eth1

    10.10.19.0

    10.10.201.129

    255.255.255.0

    Eth1:1

    Eth0 Route Table

    Destination

    Gateway

    Mask

    Interface

    0.0.0.0

    10.10.200.1

    0.0.0.0

    Eth0

    10.10.18.0

    10.10.200.1

    255.255.255.0

    Eth0

    10.10.19.0

    10.10.200.1

    255.255.255.0

    Eth0

    Eth1 Route Table

    Destination

    Gateway

    Mask

    Interface

    0.0.0.0

    10.10.201.129

    0.0.0.0

    Eth1

    10.10.18.0

    10.10.201.129

    255.255.255.0

    Eth1

    10.10.19.0

    10.10.201.129

    255.255.255.0

    Eth1

    Eth1:1 Route Table

    Destination

    Gateway

    Mask

    Interface

    0.0.0.0

    10.10.201.129

    0.0.0.0

    Eth1:1

    10.10.18.0

    10.10.201.129

    255.255.255.0

    Eth1:1

    10.10.19.0

    10.10.201.129

    255.255.255.0

    Eth1:1

    The files containing the route tables and ip rules for each configured interface are written to /etc/sysconfig/network-scripts/

    Route files:

    route-eth0

    route-eth1

    route-eth1:1

    Example

    > cat route-eth0

    default via 10.10.200.1 dev eth0 src 10.10.200.147 table eth0

    10.10.200.0/24 dev eth0 proto kernel scope link src 10.10.200.147 table eth0

    Rule files:

    rule-eth0

    rule-eth1

    rule-eth1:1

    Example

    > cat rule-eth0

    from 10.10.200.147 lookup eth0 prio 10

    Other Commands

    Display IP rules in effect and the order in which route tables will be read

    ip rule show

    Display routing table for a specific interface (table name = interface name)

    ip route show table <table name>

    Example: ip route show table eth1

    Modifying or Adding Interfaces After Script Has Run

    1. Run the script. Type

      setupAdvancedRoute

    2. Type U to uninstall

    3. Once uninstalled, re-run the script. Type

      setupAdvancedRoute

    4. Type I to install

    5. Once script completes, verify configuration. Type

      ip rule show

      There should now be a rule listed for each interface and sub-interface configured:

      0: from all lookup local

      10: from <eth0 IP address> lookup eth0

      20: from <eth1 IP address> lookup eth1

      30: from <eth1:1 IP address> lookup eth1:1

      40: from <eth1:2 IP address> lookup eth1:2

      32766: from all main

      32767: from all default

      Example:

      >ip rule show

      0: from all lookup local

      10: from 10.200.20.20 lookup eth0

      20: from 10.200.5.20 lookup eth1

      30: from 10.200.5.21 lookup eth1:1

      40: from 10.200.5.22 lookup eth1:2

      32766: from all main

      32767: from all default

    6. Reboot appliance. Type

      shutdownNAC

      <wait 30 seconds>

      shutdownNAC –kill

      reboot

    7. Proceed to Authentication Server Settings.

    Previous
    Next

    Policy Based Routing

    Policy Based Routing

    Why it is Needed

    Because VPN client IP addresses do not change when the network access changes, it is possible for traffic between agent and FortiNAC to drop due to asymmetric routes. By default, CentOS 7 drops asymmetrically routed packets before they leave the interface. If asymmetric traffic were to be allowed to transmit, the packet would most likely be dropped within the network.

    Example 1:

    Default route = eth0

    Resulting behavior:

    • Restricted (isolated) host communication over VPN would ingress eth1 and egress eth0, resulting in an asymmetric route.

    • Non-restricted (production) host communication over VPN would ingress eth0 and egress eth0.

    Example 2:

    Default route = eth0

    Static route = eth1 for VPN network

    Resulting behavior:

    • Restricted (isolated) host communication over VPN would ingress eth1 and egress eth1

    • Non-restricted (production) host communication over VPN would ingress eth0 and egress eth1, resulting in an asymmetric route.

    Policy Based Routing is used to ensure FortiNAC responds to inbound traffic using the interface from which it was received.

    How it Does it

    Using a script, individual route tables are built for each FortiNAC interface (eth0, eth1. eth1:1, eth1:2, etc.). Each table contains routes for various networks to be used by the eth interface. If a packet is received on an interface, FortiNAC first looks for a route containing the source IP’s network in the individual table. If no route for that network is found, FortiNAC looks at the main route table. IP rules determine the order used to lookup the tables.

    Example:

    Main Route Table

    Destination

    Gateway

    Mask

    Interface

    0.0.0.0

    10.10.200.1

    0.0.0.0

    Eth0

    10.10.18.0

    10.10.201.129

    255.255.255.0

    Eth1

    10.10.19.0

    10.10.201.129

    255.255.255.0

    Eth1:1

    Eth0 Route Table

    Destination

    Gateway

    Mask

    Interface

    0.0.0.0

    10.10.200.1

    0.0.0.0

    Eth0

    10.10.18.0

    10.10.200.1

    255.255.255.0

    Eth0

    10.10.19.0

    10.10.200.1

    255.255.255.0

    Eth0

    Eth1 Route Table

    Destination

    Gateway

    Mask

    Interface

    0.0.0.0

    10.10.201.129

    0.0.0.0

    Eth1

    10.10.18.0

    10.10.201.129

    255.255.255.0

    Eth1

    10.10.19.0

    10.10.201.129

    255.255.255.0

    Eth1

    Eth1:1 Route Table

    Destination

    Gateway

    Mask

    Interface

    0.0.0.0

    10.10.201.129

    0.0.0.0

    Eth1:1

    10.10.18.0

    10.10.201.129

    255.255.255.0

    Eth1:1

    10.10.19.0

    10.10.201.129

    255.255.255.0

    Eth1:1

    The files containing the route tables and ip rules for each configured interface are written to /etc/sysconfig/network-scripts/

    Route files:

    route-eth0

    route-eth1

    route-eth1:1

    Example

    > cat route-eth0

    default via 10.10.200.1 dev eth0 src 10.10.200.147 table eth0

    10.10.200.0/24 dev eth0 proto kernel scope link src 10.10.200.147 table eth0

    Rule files:

    rule-eth0

    rule-eth1

    rule-eth1:1

    Example

    > cat rule-eth0

    from 10.10.200.147 lookup eth0 prio 10

    Other Commands

    Display IP rules in effect and the order in which route tables will be read

    ip rule show

    Display routing table for a specific interface (table name = interface name)

    ip route show table <table name>

    Example: ip route show table eth1

    Modifying or Adding Interfaces After Script Has Run

    1. Run the script. Type

      setupAdvancedRoute

    2. Type U to uninstall

    3. Once uninstalled, re-run the script. Type

      setupAdvancedRoute

    4. Type I to install

    5. Once script completes, verify configuration. Type

      ip rule show

      There should now be a rule listed for each interface and sub-interface configured:

      0: from all lookup local

      10: from <eth0 IP address> lookup eth0

      20: from <eth1 IP address> lookup eth1

      30: from <eth1:1 IP address> lookup eth1:1

      40: from <eth1:2 IP address> lookup eth1:2

      32766: from all main

      32767: from all default

      Example:

      >ip rule show

      0: from all lookup local

      10: from 10.200.20.20 lookup eth0

      20: from 10.200.5.20 lookup eth1

      30: from 10.200.5.21 lookup eth1:1

      40: from 10.200.5.22 lookup eth1:2

      32766: from all main

      32767: from all default

    6. Reboot appliance. Type

      shutdownNAC

      <wait 30 seconds>

      shutdownNAC –kill

      reboot

    7. Proceed to Authentication Server Settings.

    Previous
    Next