FortiGate
carabhavi
Staff
Article Id 192493
Description
This article describes the steps to create a 'stop policy route', i.e. a policy route with action deny that ends the policy-route lookup for selected traffic and lets the routing table decide instead.

Solution
When a FortiGate unit is configured with policy routes and a packet arrives, the FortiGate starts at the top of the Policy Route list and tries to match the packet against each policy route in order.
- If a match is found, the FortiGate routes the packet using the information in that policy route, i.e. the IP address of the next-hop router and the FortiGate interface used to forward the packet.
- If no policy route matches the packet, the FortiGate routes the packet using the static routing table.


In this scenario, use the 'Stop Policy Routing' feature (a policy route with action deny) to tell the FortiGate to forward the traffic using the routing table instead of continuing to match the remaining entries in the Policy Route table. Note that a stop policy route only ends the policy-route lookup: it does not drop the traffic, and the traffic still has to be allowed by a matching firewall policy.

Configuration:

1) Assume that the device already has static default routes via port1 and port2 (the two equal-cost 0.0.0.0/0 entries below; x.x.x.x is the respective next-hop gateway).

# get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info
 
S    *> 0.0.0.0/0 [10/0] via x.x.x.x, port1
     *>           [10/0] via x.x.x.x, port2
C    *> 10.5.16.0/20 is directly connected, port1
C    *> 10.5.48.0/20 is directly connected, port2
C    *> 172.31.128.0/20 is directly connected, port3
2) Create a policy route to force the traffic from the 192.168.1.0/24 subnet out of the secondary WAN interface, port2.



CLI Configuration as follows:
#config router policy
    edit 1
        set input-device "port3"
        set input-device-negate disable
        set src "192.168.1.0/255.255.255.0"
        set src-negate disable
        set dst "0.0.0.0/0.0.0.0"
        set dst-negate disable
        set action permit
        set protocol 0
        set gateway x.x.x.x
        set output-device "port2"
    end

3) Create a policy route with action deny for the single source 192.168.1.30/32. A deny action stops the policy-route lookup for matching packets, so traffic from this host is no longer caught by policy route 1 and is instead forwarded according to the static routing table.


CLI configuration as follows:
#config router policy
    edit 2
        set input-device "port3"
        set input-device-negate disable
        set src "192.168.1.30/255.255.255.255"
        set src-negate disable
        set dst "0.0.0.0/0.0.0.0"
        set dst-negate disable
        set action deny
        set protocol 0
        set tos 0x00
        set tos-mask 0x00
        set status enable
        set comments "STOP POLICY ROUTE"
    end
4) Make sure that the policy route for the source 192.168.1.30 (sequence 2) is placed above the 192.168.1.0/24 policy route (sequence 1) in the Policy Route table. Policy routes are evaluated in table order, not by ID: if the /24 permit route is matched first, 192.168.1.30 is sent out port2 and the stop policy route is never reached.
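To make the ordering rule in step 4 concrete, here is an added Python simulation of the lookup described in this article. It is not FortiOS code and is not from the original article; it only models the documented behaviour: walk the Policy Route table top to bottom, a permit match forwards via that entry's gateway and output device, a deny match stops policy routing and the packet is routed from the routing table. It uses the routing table from step 1 and the two policy routes from steps 2 and 3, and shows that with policy route 1 (the /24 permit) above policy route 2 (the /32 stop route) a packet from 192.168.1.30 still leaves via port2, while with the stop route on top it falls through to the routing table. The gateway addresses 203.0.113.1 and 198.51.100.1 stand in for the article's x.x.x.x, and the destination 192.0.2.10 is a constructed Internet address.

```python
# Added simulation of the FortiGate policy-route lookup order described in
# this article. NOT FortiOS code: it models only the documented behaviour.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PolicyRoute:
    seq: int
    input_device: str
    src: str                       # address/netmask, as written in 'config router policy'
    dst: str
    action: str                    # "permit" or "deny" (deny = stop policy routing)
    output_device: Optional[str] = None
    gateway: Optional[str] = None
    status: str = "enable"


@dataclass
class Route:
    prefix: str                    # routing-table entry in CIDR form
    device: str
    gateway: Optional[str] = None  # None for connected routes


def lookup_routing_table(table: List[Route], dst_ip) -> Optional[Route]:
    """Longest-prefix match; on a tie the first entry wins (the selected '>' route)."""
    best = None
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if dst_ip in net and (best is None
                              or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


def route_packet(policy_routes: List[PolicyRoute], table: List[Route],
                 in_dev: str, src: str, dst: str) -> Tuple[str, Optional[int], str, Optional[str]]:
    """Return (decision, matched policy-route seq or None, egress device, gateway)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for pr in policy_routes:                      # list order == Policy Route table order
        if pr.status != "enable" or pr.input_device != in_dev:
            continue
        if src_ip not in ipaddress.ip_network(pr.src) or dst_ip not in ipaddress.ip_network(pr.dst):
            continue
        if pr.action == "permit":
            return ("policy-route", pr.seq, pr.output_device, pr.gateway)
        break                                     # deny: stop policy routing, use routing table
    r = lookup_routing_table(table, dst_ip)
    if r is None:
        return ("no-route", None, "", None)
    return ("routing-table", None, r.device, r.gateway)


# Routing table from step 1. Gateways are constructed stand-ins for x.x.x.x.
ROUTING_TABLE = [
    Route("0.0.0.0/0", "port1", "203.0.113.1"),   # first (selected) default route
    Route("0.0.0.0/0", "port2", "198.51.100.1"),  # equal-cost second default route
    Route("10.5.16.0/20", "port1"),
    Route("10.5.48.0/20", "port2"),
    Route("172.31.128.0/20", "port3"),
]

# Policy routes from steps 2 and 3, using the article's address/netmask notation.
PERMIT_LAN = PolicyRoute(1, "port3", "192.168.1.0/255.255.255.0", "0.0.0.0/0.0.0.0",
                         "permit", output_device="port2", gateway="198.51.100.1")
STOP_HOST = PolicyRoute(2, "port3", "192.168.1.30/255.255.255.255", "0.0.0.0/0.0.0.0", "deny")


def egress(policy_routes: List[PolicyRoute], src: str, dst: str = "192.0.2.10") -> str:
    """Egress interface for a packet from src arriving on port3 (dst is a constructed address)."""
    return route_packet(policy_routes, ROUTING_TABLE, "port3", src, dst)[2]


if __name__ == "__main__":
    # Wrong order: the /24 permit route matches first, stop route never reached.
    print("seq 1 above seq 2:", egress([PERMIT_LAN, STOP_HOST], "192.168.1.30"))   # port2
    # Correct order (step 4): stop route matches, routing table is used.
    print("seq 2 above seq 1:", egress([STOP_HOST, PERMIT_LAN], "192.168.1.30"))   # port1
    # Any other LAN host is still policy-routed out port2.
    print("other LAN host   :", egress([STOP_HOST, PERMIT_LAN], "192.168.1.50"))   # port2
```

On the FortiGate itself, if sequence 2 was created below sequence 1, reorder it with `move 2 before 1` under `config router policy`, then confirm the effective order with `diagnose firewall proute list`; the routing-table fallback can be checked with `get router info routing-table all`.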

