This article describes how to forward traffic going to a particular website to Secure Private Access in FortiSASE.
Scope
FortiSASE.
Solution
Secure Private Access must already be set up in FortiSASE. If it is not set up, refer to this document: Secure private access
Find the IP address of the website to forward to Secure Private Access (SPA). For this, refer to this article: Troubleshooting Tip: Search logs for who accessed a website
Once the IP address of the website is obtained, go to the FortiGate which is connected to FortiSASE where the SPA is configured, and forward the traffic going to the website.
To forward the traffic from FortiSASE to FortiGate through SPA, advertise the IP of the website from FortiGate to FortiSASE over BGP. For this, go to Network > BGP on the FortiGate.
Under Networks, add the IP of the website. In this example, 93.184.215.14 is used.
After that, create a static route on the FortiGate for this IP to go out via the WAN interface if it is a public website. If it is an internal website, route it according to the network layout by going to Network > Static Route.
Select ‘Create New’, add the website IP as the destination, and choose the WAN interface as the Interface.
Run this command to check the advertised route:
get router info bgp neighbors <neighbor IP> advertise
If the route is being advertised, then the configuration is working.
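The GUI steps above can also be entered from the FortiGate CLI. The following is an added example, not part of the original article; the /32 host mask, the entry IDs, the interface name wan1, and the gateway 203.0.113.1 are assumptions to replace with the values of the actual deployment.

```text
# Advertise the website IP to FortiSASE over BGP
# (equivalent to Network > BGP > Networks in the GUI)
config router bgp
    config network
        # Entry ID 1 is an assumption; use an unused ID
        edit 1
            # Example IP from this article, entered as a /32 host prefix (assumption)
            set prefix 93.184.215.14 255.255.255.255
        next
    end
end

# Static route so the FortiGate sends traffic for that IP out the WAN interface
# (equivalent to Network > Static Route > Create New in the GUI)
config router static
    # "edit 0" lets FortiOS assign the next free route ID
    edit 0
        set dst 93.184.215.14 255.255.255.255
        # Constructed placeholder gateway; use the real WAN next hop
        set gateway 203.0.113.1
        # Assumed WAN interface name
        set device "wan1"
    next
end

# Verification command from this article
get router info bgp neighbors <neighbor IP> advertise
```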
For more advanced BGP advertisement configuration, use a route map, prefix list, or access list:
Technical Tip: How to control BGP route advertisement with prefix-list
Once the BGP advertisement is configured, the traffic destined for the website coming to FortiSASE will be redirected to SPA and go through FortiGate.