FortiGate
nithincs
Staff
Article Id 190640
Description
This article describes the CLI command used to verify which policy route a given flow matches.

Solution
The FortiGate CLI can report the policy route that a flow from a specific source to a specific destination will match, which confirms that the traffic is being steered by the intended policy route rather than by the regular routing table.

Syntax:
# diagnose ip proute match <destination ip> <source ip> <incoming interface> <protocol number> <destination port>
The usual CLI abbreviations apply, so `dia ip proute match ...` is equivalent. The protocol is given as the IP protocol number (for example 6 for TCP, 17 for UDP) and the incoming interface by its name.
For example:

The FortiGate is configured with two policy routes: traffic from 172.31.135.0/29 is forwarded via port1, and traffic from 172.31.134.0/29 via port2. First list the policy routes to confirm their IDs, input interface and output interface:
fermion-kvm42 # diagnose firewall proute list
list route policy info(vf=root):

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=3(port1) gwy=10.5.31.254
source wildcard(1): 172.31.135.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=1 last_used=2020-10-22 08:00:45

id=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=4(port2) gwy=10.5.63.254
source wildcard(1): 172.31.134.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2020-10-22 09:00:50
To check which policy route is matched for TCP traffic from source 172.31.134.1 (arriving on port3) to a public IP on port 443, run the match command with the destination first, then the source, incoming interface, protocol number and destination port:
fermion-kvm42 # dia ip proute match 208.91.114.181 172.31.134.1 port3 6 443
Output:
dst=208.91.114.181 src=172.31.134.1 smac=00:00:00:00:00:00 iif=5 protocol=6 dport=443
id=00000002 type=Policy Route
seq-num=2                            <---- Matching the ID=2 policy route.
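The listing and match output above can be checked offline as well. The following script is an added example and is not part of the Fortinet article: it parses `diagnose firewall proute list` output, predicts the matching route for a flow using the fields the listing exposes (input interface index, protocol, destination port range, source and destination address/mask), and compares that prediction with the `seq-num` reported by `diagnose ip proute match`. The sample texts are copies of the article's output; the interface-name-to-index map (port3 = 5, taken from the match output, which reports iif=5 for port3), the treatment of `protocol=0` and `iif=0` as "any", and the "first route in list order wins" rule are assumptions made for the example, and the FortiGate itself remains the authority.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copy of the article's `diagnose firewall proute list` output (sample input).
PROUTE_LIST = """\
list route policy info(vf=root):

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=3(port1) gwy=10.5.31.254
source wildcard(1): 172.31.135.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=1 last_used=2020-10-22 08:00:45

id=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=4(port2) gwy=10.5.63.254
source wildcard(1): 172.31.134.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2020-10-22 09:00:50
"""

# Copy of the article's `diagnose ip proute match 208.91.114.181 172.31.134.1 port3 6 443` output.
MATCH_OUTPUT = """\
dst=208.91.114.181 src=172.31.134.1 smac=00:00:00:00:00:00 iif=5 protocol=6 dport=443
id=00000002 type=Policy Route
seq-num=2
"""

# Interface name -> kernel interface index. port3 = 5 is inferred from the
# article's match output (iif=5); any other entry would be an assumption.
IFINDEX = {"port3": 5}


@dataclass
class PolicyRoute:
    id: int
    protocol: int                       # 0 is treated as "any" (assumption)
    iif: int                            # 0 is treated as "any" (assumption)
    dport: Tuple[int, int]              # inclusive destination port range
    oif: str
    gwy: str
    sources: List[Tuple[int, int]]      # (network, mask) pairs as integers
    destinations: List[Tuple[int, int]]


def _addr_mask(spec: str) -> Tuple[int, int]:
    """'172.31.135.0/255.255.255.248' -> (network, mask) as integers."""
    net, mask = spec.split("/")
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(mask))


ROUTE_RE = re.compile(
    r"id=(\d+) .*protocol=(\d+) .*iif=(\d+) dport=(\d+)-(\d+) oif=\d+\((\w+)\) gwy=(\S+)"
)


def parse_proute_list(text: str) -> List[PolicyRoute]:
    """Parse the proute listing into PolicyRoute objects, preserving list order."""
    routes: List[PolicyRoute] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            routes.append(PolicyRoute(int(m[1]), int(m[2]), int(m[3]),
                                      (int(m[4]), int(m[5])), m[6], m[7], [], []))
        elif line.startswith("source wildcard"):
            routes[-1].sources.append(_addr_mask(line.split(":", 1)[1].strip()))
        elif line.startswith("destination wildcard"):
            routes[-1].destinations.append(_addr_mask(line.split(":", 1)[1].strip()))
    return routes


def _covered(ip: int, nets: List[Tuple[int, int]]) -> bool:
    # The listing shows a subnet mask (255.255.255.248 for /29), so compare masked bits.
    return any(ip & mask == net & mask for net, mask in nets)


def match_flow(routes: List[PolicyRoute], dst: str, src: str,
               iif: str, proto: int, dport: int) -> Optional[PolicyRoute]:
    """Return the first route (list order) whose iif, protocol, dport, source and
    destination all cover the flow, or None if the flow falls through to the FIB."""
    d, s = int(ipaddress.IPv4Address(dst)), int(ipaddress.IPv4Address(src))
    for r in routes:
        if r.iif not in (0, IFINDEX[iif]) or r.protocol not in (0, proto):
            continue
        if not (r.dport[0] <= dport <= r.dport[1]):
            continue
        if _covered(s, r.sources) and _covered(d, r.destinations):
            return r
    return None


def parse_match_output(text: str) -> Optional[int]:
    """Extract seq-num from `diagnose ip proute match` output (None if no route matched)."""
    m = re.search(r"^seq-num=(\d+)", text, re.M)
    return int(m[1]) if m else None


def verify(routes: List[PolicyRoute], match_text: str, dst: str, src: str,
           iif: str, proto: int, dport: int) -> bool:
    """True when the offline prediction agrees with what the FortiGate reported."""
    predicted = match_flow(routes, dst, src, iif, proto, dport)
    return (predicted.id if predicted else None) == parse_match_output(match_text)


if __name__ == "__main__":
    rts = parse_proute_list(PROUTE_LIST)
    hit = match_flow(rts, "208.91.114.181", "172.31.134.1", "port3", 6, 443)
    print("predicted:", hit.id if hit else None, "via", hit.oif if hit else "FIB")
    print("agrees with device:", verify(rts, MATCH_OUTPUT, "208.91.114.181",
                                        "172.31.134.1", "port3", 6, 443))
```

A disagreement between the prediction and the device output is the interesting case: it usually means a field the script does not model (TOS/DSCP, source port, an interface index other than the one assumed) is influencing the decision, and the `diagnose ip proute match` output is the value to trust.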
Note:
SD-WAN rules (SD-WAN services) are also implemented as policy routes, so the same two commands can be used to list them and to verify which SD-WAN rule a given flow matches.
