stylus asked

Is it possible to do policy-based routing based on other attributes of the session, such as FQDN destination or application control?

As of FortiOS 5.x, our policy-based routing supports matching the following attributes to determine which output-device to use when starting a session and routing packets:

  • input-device
  • src ip and mask
  • dst ip and mask
  • protocol, and if set, src and dst port ranges
  • tos bit and mask

However, in practical situations, it seems that it would be very valuable to be able to do policy-based routing based on other attributes of the session, such as FQDN destination (exch-cas.fortinet.com) or Application Control (Dropbox, Netflix, Skype).

For example, in many newer types of topologies, businesses have an unmetered connection such as T1, MPLS, DSL or cable modem coupled with a metered mobile connection such as 3G, 4G/LTE or another metro wireless connection. In these topologies, users may want to prefer that certain types of traffic go over the unmetered connection when possible, and then, when that is not possible, optionally go over the metered connection. One example: large retail chains that offer guest Wi-Fi and want certain bandwidth-excessive applications to go over unmetered links rather than incur extra costs on metered links.

Is there a technology reason why policy-based routing with FQDN or app control isn't supported? For example, I can guess that it takes a few packets to determine what the application is, and some applications might break if the connection gets established and starts off on the dmz port and then policy routing somehow takes over and says it needs to go over wan1.
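The five attributes listed in the post, shown together in one policy route as an added example (this is not configuration from the original post or from Fortinet documentation). It steers TCP/443 from a guest Wi-Fi subnet out the unmetered link. The interface names `guest`, `wan1` and `wan2`, the subnet 10.20.0.0/16 and the gateway 203.0.113.1 are assumptions chosen for illustration.

```fortios
# Added example, not from the post. Assumed names: guest Wi-Fi VLAN "guest",
# unmetered link "wan1" with next hop 203.0.113.1, metered link "wan2".
config router policy
    edit 1
        # input-device: only sessions arriving on the guest VLAN match
        set input-device "guest"
        # src ip and mask: the guest subnet
        set src "10.20.0.0/255.255.0.0"
        # dst ip and mask: any destination (this is where an FQDN or
        # app-control match would have to go, and there is no such attribute)
        set dst "0.0.0.0/0.0.0.0"
        # protocol 6 = TCP, with a single-port range for HTTPS
        set protocol 6
        set start-port 443
        set end-port 443
        # tos bit and mask: a 0x00 mask means ToS is not consulted
        set tos 0x00
        set tos-mask 0x00
        # where matching packets go
        set gateway 203.0.113.1
        set output-device "wan1"
    next
end
```

Two things this entry makes visible. First, the only way to approximate "Netflix" or "Dropbox" here is to replace the catch-all `dst` with the service's published address ranges, which is brittle for CDN-hosted services and is exactly the gap the question describes. Second, nothing in the entry names `wan2`: the metered fallback the post describes would have to come from the routing table and link-state tracking when `wan1` is unavailable, not from the policy route itself.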


0 Answers
