FortiWAN Persistent Routing

Persistent Routing

Persistent routing (PR) secures subsequent connections of source and destination pairs whose WAN link is first determined by Auto-Routing in FortiWAN. It is useful for applications that require a secure connection between server and client, where the server drops the client connection if it detects different source IP addresses for the same client during an authenticated and certified session. PR ensures that the source IP address remains unchanged within the same session.

Timeout: For every session (pair of source and destination), if no packets occur during the timeout period, the persistent route record of the session is cleared. The next connection of that pair is then routed by the auto-routing rules first.

FortiWAN provides mechanisms to record, notify and analyze events related to the Persistent Routing service; see “Log” and “Statistics: Persistent Routing”.

IPv4/IPv6 Web Service Rules

Sets persistent routing rules for Web services. Enable this function, and all HTTP and HTTPS connections established from the source IP specified below to destination ports 80 and 443 are governed by Web Service Rules.

E : Check the box to enable the rule.
When : Options: Busy hour, Idle hour, and All-Time (See “Busyhour Settings”).
Source : Established connections from the specified source will be matched (See “Using the web UI”).
Action : Do PR: the matched connections will be routed persistently. No PR: the matched connections will NOT be routed persistently. (The default)
L : Check to enable logging: whenever the rule is matched, the system records the event to the log file.

IPv4/IPv6 IP Pair Rules

Sets persistent routing rules on IPv4/IPv6 addresses. Enable this function, and all connections established from the source IPv4/IPv6 address to the destination IPv4/IPv6 address specified below are governed by IPv4/IPv6 IP Pair Rules.

E : Check the box to enable the rule.
When : Options: Busy hour, Idle hour, and All-Time (See “Busyhour Settings”).
Source : Established connections from the specified source will be matched (See “Using the web UI”).
Destination : Connections to the specified destination will be matched. This field is the same as the “Source” field, except that it matches packets with the specified destination (See “Using the web UI”).
Action : Do PR: the matched connections will be routed persistently. (The default) No PR: the matched connections will NOT be routed persistently.
L : Check to enable logging: whenever the rule is matched, the system records the event to the log file.

Persistent routing is often used when destination servers check the source IP. This is done by most secure protocols (e.g. HTTPS and SSH). To prevent such connections from being dispatched over a diverse range of WAN links, persistent routing is the best way to keep them on a fixed WAN link.

See below for how auto-routing is related to persistent routing:

Once a connection is established, auto-routing rules are applied to determine the WAN link to be used.

Subsequent connections with the same source and destination pair obey the rules in the persistent routing table. Note that the device consults the rule table whenever established connections are to be sent to new destinations.

Auto-routing is reactivated when, under persistent routing, the interval between two successive connections exceeds the timeout period. The second connection is then considered a “new” one, and auto-routing will choose its WAN link again, which may be a different one.
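The session-table behaviour described above (reuse the recorded WAN link while the pair stays active, fall back to Auto-Routing once the idle gap exceeds the timeout), as an added model that is not FortiWAN's own code. The `auto_route` callable, the clock and the 300-second timeout are assumptions for the walk-through.

```python
import time

class PersistentRoutingTable:
    """Constructed model of FortiWAN's persistent route records (not vendor code)."""

    def __init__(self, timeout_s, auto_route, clock=time.monotonic):
        self.timeout_s = timeout_s
        self.auto_route = auto_route   # assumed stand-in: callable(src, dst) -> WAN link
        self.clock = clock             # injectable so the timeout can be exercised offline
        self.entries = {}              # (src, dst) -> (wan_link, last_seen)

    def route(self, src, dst):
        """Return (wan_link, reused) for a new connection of the (src, dst) pair."""
        now = self.clock()
        entry = self.entries.get((src, dst))
        if entry is not None and now - entry[1] <= self.timeout_s:
            # Pair seen within the timeout: keep the recorded link (persistent routing).
            link, reused = entry[0], True
        else:
            # No record, or idle longer than the timeout: the record counts as cleared,
            # so Auto-Routing decides the WAN link again and a fresh record is written.
            link, reused = self.auto_route(src, dst), False
        self.entries[(src, dst)] = (link, now)
        return link, reused


def demo():
    """Constructed walk-through: a stand-in Auto-Routing that picks links round-robin."""
    clock = [0.0]
    picks = [0]
    links = ["WAN1", "WAN2"]

    def auto_route(src, dst):
        picks[0] += 1
        return links[(picks[0] - 1) % len(links)]

    table = PersistentRoutingTable(timeout_s=300, auto_route=auto_route,
                                   clock=lambda: clock[0])
    results = []
    for t in (0, 100, 250, 700):   # seconds; the gap before t=700 exceeds the timeout
        clock[0] = t
        results.append(table.route("192.168.0.100", "10.10.1.1"))
    return results


if __name__ == "__main__":
    for link, reused in demo():
        print(link, "reused" if reused else "auto-routed")
```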

Example 1

The persistent routing policies to be established accordingly:

  • In LAN, established connections from IP address 192.168.0.100 to 192.168.10.100 are NOT to be routed persistently.
  • Established connections from DMZ to LAN are NOT to be routed persistently.
  • Established connections from LAN to the host IP range 10.10.1.1 ~ 10.10.1.10 are NOT to be routed persistently.
  • Since the default action of IP Pair Rules is Do PR, if no rule is added, all connections will use persistent routing.

Then the persistent routing table will look like:

Source           Destination             Action
192.168.0.100    192.192.10.100          No PR
DMZ              WAN                     No PR
LAN              10.10.1.1-10.10.1.10    No PR

Example 2

The persistent routing policies to be established accordingly:

HTTP and HTTPS connections from the subnet 192.168.0.0/24 in LAN use persistent routing.

HTTP and HTTPS connections from WAN use persistent routing.


As Web Service Rules have no default action, if no Web Service Rule is added, IP Pair Rules alone determine whether a connection uses persistent routing.

The persistent routing table should look like:

Source                        Action
192.168.0.0/255.255.255.0     Do PR
WAN                           Do PR

Example 3

The persistent routing policies to be established accordingly:

HTTP and HTTPS connections from LAN hosts in the IP range 192.168.0.10~192.168.0.20 use persistent routing, but other services from these hosts do not, except for IP address 192.168.0.15.

HTTP and HTTPS connections from subnet 192.168.10.0/24 to 192.192.10.100 use persistent routing, but other connections from this subnet do not.

Connections from IP address 211.21.48.196 in DMZ to the subnet 10.10.1.0/24 in WAN do NOT use persistent routing.

Since the default action of IP Pair Rules is Do PR, if no rule is added, all connections will use persistent routing.

Then the persistent routing table will look like:

Web Service Rules:

Source                        Action
192.168.0.10-192.168.0.20     Do PR
192.168.10.0/255.255.255.0    Do PR

IP Pair Rules:

Source                        Destination                 Action
192.168.0.15                  WAN                         Do PR
192.168.0.10-192.168.0.20     WAN                         No PR
192.168.10.0/255.255.255.0    ANY                         No PR
211.21.48.196                 10.10.1.0/255.255.255.0     No PR

Note: Rules are matched top down. Once a rule is matched, the rest are ignored. In this case, connections from 192.168.0.15 meet the criteria of both the first and the second IP Pair rule, but only the first rule is applied, so the rules will not perform No PR on 192.168.0.15 even though it also matches the second rule. It shall also be noted that Web Service Rules are prioritized over IP Pair Rules. Although 192.168.10.0/255.255.255.0 is configured as No PR in the IP Pair Rules, it is Do PR in the Web Service Rules, so its HTTP connections will still use persistent routing.
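The lookup order the note describes (Web Service Rules first for ports 80/443, then IP Pair Rules top down, then the IP Pair default of Do PR), applied to the Example 3 tables as an added Python model; this is not FortiWAN's code. The zone membership of "WAN" and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumed zone definition; FortiWAN derives it from interface configuration.
ZONES = {"WAN": ["10.10.0.0/16"]}

# Example 3 tables, copied from the guide.
WEB_SERVICE_RULES = [("192.168.0.10-192.168.0.20", "Do PR"),
                     ("192.168.10.0/255.255.255.0", "Do PR")]
IP_PAIR_RULES = [("192.168.0.15", "WAN", "Do PR"),
                 ("192.168.0.10-192.168.0.20", "WAN", "No PR"),
                 ("192.168.10.0/255.255.255.0", "ANY", "No PR"),
                 ("211.21.48.196", "10.10.1.0/255.255.255.0", "No PR")]

def matches(field, ip):
    """Match one rule field: ANY, a zone name, an 'a-b' range, a 'net/mask' subnet or a host."""
    addr = ipaddress.ip_address(ip)
    if field == "ANY":
        return True
    if field in ZONES:
        return any(addr in ipaddress.ip_network(n) for n in ZONES[field])
    if "-" in field:
        lo, hi = (ipaddress.ip_address(x) for x in field.split("-"))
        return lo <= addr <= hi
    if "/" in field:   # ipaddress accepts dotted netmasks such as /255.255.255.0
        return addr in ipaddress.ip_network(field, strict=False)
    return addr == ipaddress.ip_address(field)

def pr_action(src, dst, dport):
    """Return (action, deciding table) for a new connection."""
    # Web Service Rules govern only HTTP/HTTPS and take precedence over IP Pair Rules.
    if dport in (80, 443):
        for field, action in WEB_SERVICE_RULES:
            if matches(field, src):
                return action, "web"
    # Web Service Rules have no default, so fall through; first matching IP Pair rule wins.
    for sfield, dfield, action in IP_PAIR_RULES:
        if matches(sfield, src) and matches(dfield, dst):
            return action, "ippair"
    return "Do PR", "default"   # IP Pair Rules default

if __name__ == "__main__":
    # Constructed sample flows (src, dst, dport)
    for flow in [("192.168.0.15", "10.10.5.5", 22), ("192.168.0.12", "10.10.5.5", 22),
                 ("192.168.10.7", "192.192.10.100", 80), ("192.168.10.7", "192.192.10.100", 22),
                 ("211.21.48.196", "10.10.1.5", 22), ("211.21.48.196", "10.10.2.5", 22)]:
        print(flow, "->", pr_action(*flow))
```

The third and fourth flows show the note's point: the same 192.168.10.0/24 source gets Do PR on port 80 from the Web Service Rule but No PR on SSH from the IP Pair Rule.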

 


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
