FortiWeb's Static Routes configuration directs outgoing traffic based on packet destination. However, some environments require you to also use the Policy Route settings to route outgoing traffic based on source IP address, the incoming interface, or both.
For example, if your FortiWeb receives traffic from more than one gateway, it is possible for request and reply packets in the same TCP connection to use different gateways (asymmetric routing), which can break the connection. Policy-based routing can correct this problem by ensuring that replies to clients use the same interface as the original request.
For example, a FortiWeb has a default static route that forwards traffic for any destination to 1.1.1.254, which is the gateway for ISP1. However, the appliance also has a virtual server with the address 2.2.2.2 that receives traffic from the ISP2 gateway, which has an IP address of 2.2.2.254.
A client request destined for the virtual server 2.2.2.2 arrives from the client with the IP address 4.4.4.4. In reverse proxy mode, FortiWeb opens a connection to the server pool member on behalf of the client. The pool member’s reply contains the destination provided by FortiWeb (4.4.4.4) but not the interface associated with the request. Using the Static Route settings only, FortiWeb routes the reply to gateway 1.1.1.254 for all destinations, which does not have the correct state information for the TCP connection.
The following Policy Route settings fix this asymmetric routing issue by directing outgoing traffic based on the source IP. Because all incoming traffic for virtual server 2.2.2.2 arrives on the IP2 gateway 2.2.2.254, you configure FortiWeb to route all replies from 2.2.2.2 to that gateway. In addition, the configuration directs any outgoing traffic from the virtual server with an IP address 1.1.1.1 (which receives traffic over the default gateway) to the default gateway:
config router policy
edit 1
set src 1.1.1.1/24
set gateway 1.1.1.254
set oif port1
next
edit 2
set src 2.2.2.2/24
set gateway 2.2.2.254
set oif port2
next
end