Blackhole Routing

OK, so you’ve created your ipsec vpn tunnels and added the corresponding static routes, but which path does the VPN traffic take if your tunnel is down ?

Right, it uses the next best route in the routing table and chances are this is your default route pointing to your internet router…

But luckily you did add a blackhole route for this traffic, preventing this:

 

 

 

 

 

So next time your VPN tunnel is down, traffic will be dropped by the Fortigate and not use your default route again.

Or you can use the CLI for this:

config router static
edit 0
set blackhole enable
set dst 172.16.0.0/12
next
end

Hits: 6

Fortigate Tips & Tricks

Switch to VDOMs:

GUI:

Dashboard>System>VirtualDomain

CLI:

config system global
  set vdom-admin enable
end

Select Global from GUI and create VDOMS from there,

Set dedicated mgmt port in ROOT vdom via Network>Interfaces

Create VDOMS as needed, add interfaces, configure administrators

Check Cookbook for more info

Hits: 149