FortiGate
ddsouza_FTNT
Staff
Article Id 190646
Description
Policy routing lets you redirect traffic away from a static route, which is useful when certain types of network traffic should be routed differently. In the following network diagram a device has two WAN connections, with port1 as the primary, and two LAN subnets. To route traffic from the 192.168.80.0/24 network out of port3, except for the host 192.168.80.30, use the new "Stop Policy Routing" option that was added in FortiOS 5.2.
[Image: network diagram, ddsouza_FD35136_FD-35136-1.jpg]

Scope
FortiGate or VDOM in NAT mode.

Solution
When the FortiGate unit has routing policies configured and a packet arrives, it starts at the top of the Policy Route list and attempts to match the packet against each policy in turn. If a match is found and the policy contains enough information to route the packet (at a minimum the IP address of the next-hop router and the FortiGate interface used to reach it), the packet is routed using the information in the policy. If no policy route matches the packet, the FortiGate unit routes it using the routing table.

In this scenario the "Stop Policy Routing" feature tells the FortiGate to forward the traffic using the route in the routing table instead of attempting to match the policy routes listed in the Policy Route table.

Configuration:

1) Assume that the device already has static default routes on port1 and port3, with the port1 route having the better metric.

[Image: ddsouza_FD35136_FD-35136-2.jpg]

[Image: ddsouza_FD35136_FD-35136-3.jpg]

2) Create a policy route to force the traffic from 192.168.80.0/24 out of the secondary WAN interface, port3.

[Image: ddsouza_FD35136_FD-35136-4.jpg]

CLI configuration:

config router policy
    edit 3
        set input-device "port2"
        set src "192.168.80.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 192.168.50.1
        set output-device "port3"
    next
end

3) Create a policy route to stop the FortiGate from looking up the Policy Route table for the source 192.168.80.30.

[Image: ddsouza_FD35136_FD-35136-5.jpg]

CLI configuration:

config router policy
    edit 2
        set input-device "port2"
        set src "192.168.80.30/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set action deny
        set comments "Stop Policy based"
    next
end

In the CLI the "Stop Policy Routing" action is named "deny".

Make sure that the policy route configured for the source 192.168.80.30 is placed at the top of the table. Policy routes are evaluated top-down and the first match wins, so if the deny entry sits below the 192.168.80.0/24 entry (seq 3), the /24 entry matches 192.168.80.30 first and that host is sent out port3 as well.
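The complete configuration from the steps above entered in one CLI session, as an added example that is not part of the original article. Because seq 2 is created after seq 3 it would normally land below it in the table, so the example uses the CLI "move" command to put the stop entry first rather than relying on the GUI drag-and-drop. It assumes, as the article's screenshots do, that port2 is the LAN interface for 192.168.80.0/24 and that 192.168.50.1 is the next hop on port3.

```text
# Added example (not the article's own configuration).
# Assumptions: port2 = LAN side of 192.168.80.0/24, 192.168.50.1 = next hop on port3.
config router policy
    # seq 3: send the whole /24 out the secondary WAN (port3)
    edit 3
        set input-device "port2"
        set src "192.168.80.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 192.168.50.1
        set output-device "port3"
    next
    # seq 2: stop policy routing for the single host, so it falls back to the
    # routing table (port1 default route). "deny" is the CLI name for
    # "Stop Policy Routing".
    edit 2
        set input-device "port2"
        set src "192.168.80.30/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set action deny
        set comments "Stop Policy based"
    next
    # Evaluation follows table order, not sequence number: put the /32 deny
    # entry above the /24 entry so it is matched first.
    move 2 before 3
end

# Confirm the resulting order before testing traffic.
show router policy
```

After "move 2 before 3", "show router policy" should list edit 2 before edit 3; if the /24 entry still appears first, the host 192.168.80.30 will keep matching seq 3 and leave via port3.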

[Image: ddsouza_FD35136_FD-35136-6.jpg]

Verification:

Run debug flow commands to trace traffic from 192.168.80.30. The trace shows the traffic leaving through port1, using the static route in the routing table instead of a lookup in the Policy Route table.
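The debug flow session behind the verification step, as an added example that is not part of the original article. It traces a flow from 192.168.80.30 and then a flow from another host in the subnet; the addresses are the article's, while 192.168.80.50 and the destination 8.8.8.8 are constructed test values.

```text
# Added example (not the article's own commands). Constructed values:
# 192.168.80.50 as a second LAN host, 8.8.8.8 as the test destination.

# Static routes: the port1 default route should be the active one.
get router info routing-table all

# Trace the excluded host. Expected: the route lookup in the trace names port1,
# i.e. the routing table was used and no policy route was applied.
diagnose debug reset
diagnose debug flow filter addr 192.168.80.30
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
# ...from 192.168.80.30: ping 8.8.8.8, then read the trace...
diagnose debug flow trace stop
diagnose debug disable

# Trace any other host in the /24. Expected: the trace shows the packet
# forwarded out port3 (policy route seq 3, gateway 192.168.50.1).
diagnose debug reset
diagnose debug flow filter addr 192.168.80.50
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
# ...from 192.168.80.50: ping 8.8.8.8, then read the trace...
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```

If the 192.168.80.30 trace shows port3 instead of port1, re-check the table order with "show router policy": the deny entry must sit above seq 3.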

[Image: ddsouza_FD35136_tn_FD-35136-7a.jpg]

Other machines in the 192.168.80.0/24 subnet go out through port3 to the internet, matched by the policy route with sequence number 3.

[Image: ddsouza_FD35136_tn_FD-35136-8a.jpg]
