Article Id 196031

Description

Policy Based Routing (Router > Policy) is used to 'bend' traffic away from a default route. You can define the routing so that only certain services, such as HTTP, SMTP, and so on, are affected.
Components

All FortiGate units running FortiOS v2.80 MR7 (build 318) and v2.8 MR8 (build 359). Previous versions may behave differently.
Details

The following are the conditions and caveats to be aware of, when configuring Policy Based Routing:

  • You must configure an additional default route (Router > Static) on the FortiGate unit for the interface that will receive the 'bent' traffic. You must configure this redundant default route with the same "Distance" value as the original (main) default route. If you are using a PPPoE enabled interface on the FortiGate unit, go to System > Network > Interface and select "Retrieve default gateway from server". Note that a DHCP or PPPoE enabled interface has a default Distance of "1", whereas the static default is "10". If a mixture of static and dynamic interfaces is configured, the dynamic Distance should be changed to "10".

  • A minimum of two Policy Routes (Router > Policy) are required. For example, one Policy Route could force all HTTP (TCP port 80) traffic out of the DMZ interface, and the other Policy Route is required to send the rest of the traffic out of the WAN1 interface. This ensures that the configured traffic flows are always respected, regardless of which of the two Default Routes takes precedence. The example below forces HTTP, HTTPS and DNS from Port 4 to Port 2, and the last policy forces the rest of the traffic to Port 1.

        config router policy
            edit 1
                set end_port 80
                set input_device "port4"
                set output_device "port2"
                set protocol 6
                set start_port 80
            next
            edit 2
                set end_port 443
                set input_device "port4"
                set output_device "port2"
                set protocol 6
                set start_port 443
            next
            edit 4
                set end_port 53
                set input_device "port4"
                set output_device "port2"
                set protocol 17
                set start_port 53
            next
            edit 5
                set input_device "port4"
                set output_device "port1"
            next
        end

  • You should not use the "Gateway Address" field in Router > Policy. Only use the "Force traffic to: Outgoing interface" field.

  • You cannot statically define a default gateway for a PPPoE enabled interface via the GUI (this is only necessary if you are not using the "Retrieve default gateway from server" option). It is possible to do so via the CLI using the "conf router static" command. When configuring this type of route, do not specify the "device" (the 'Gateway out interface' in the GUI). Only configure the "dst" and "gateway" fields (the 'Destination IP' and 'Gateway IP').

  • Configure a Ping Server for each interface that will be used for Policy based routing. This is configured in System > Network > Interface > Ping Server. The IP should be a device that is at least a couple of hops away from the FortiGate unit's interface. Avoid configuring the next hop router’s interface.

  • Firewall Policies are required for each respective Policy Route, in order to allow the required traffic from egressing the FortiGate unit.

  • Additional Firewall Policies may be required if Policy Route fail-over conditions are required. For example, if all HTTP traffic was configured to egress from the DMZ port and this link goes down due to Ping Server failure detection, a Firewall Policy may be required to allow this traffic to divert and egress out of WAN1 instead.

  • Internally generated traffic (for example, FortiGate DNS queries, SMTP Alert emails, Anti-Virus update requests and NTP synchronization) will not follow Policy Based Routing rules. This also applies to VPN tunnels. These requests and traffic will be sent out of the unit using one of the two Default Routes (and hence one of two possible interfaces). Which interface is chosen can be confusing and slightly unpredictable:
    • With two statically configured interfaces, it is the last route which is manually configured (Router > Static) on the unit. Changing the sort/display order of the two default routes (Router > Static) has no impact on route preference.
    • With two PPPoE configured interfaces, it is the last PPPoE connection which gets established which becomes the "true" default route. In the Route Monitor (Router > Monitor), this will be the ppp route, which is lowest (closer to the bottom of the list).
    • With one static interface, and one PPPoE interface, it’s a toss-up at boot time. Should the PPPoE interface eventually bounce, it will become the preferential default route.
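As an added example that is not part of the original article, the following Python check parses a "config router policy" block and flags two of the caveats above: a policy route that sets a gateway address (use "Force traffic to: Outgoing interface" only), and an input interface that either has no catch-all route for the rest of the traffic or has its catch-all sequenced before a selective route it would shadow (FortiOS matches policy routes in the order listed, so the catch-all must be last). The sample configuration is constructed for this example.

```python
import re
# Constructed sample (not from the article): a catch-all route placed first,
# followed by a DNS route that wrongly sets a gateway address.
SAMPLE = """\
config router policy
    edit 1
        set input_device "port4"
        set output_device "port1"
    next
    edit 2
        set input_device "port4"
        set output_device "port2"
        set protocol 17
        set start_port 53
        set end_port 53
        set gateway 10.0.0.1
    next
end
"""

def parse_policy(text):
    """Return {seq: {key: value}} for each 'edit N ... next' entry in the block."""
    entries, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            cur = int(m.group(1))
            entries[cur] = {}
        elif line == "next":
            cur = None
        elif cur is not None and line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            entries[cur][key] = val.strip().strip('"')
    return entries

def lint_policy(entries):
    """Check the article's caveats in sequence order; return readable findings."""
    findings, catch_all, last_selective = [], {}, {}
    for seq, e in sorted(entries.items()):
        dev = e.get("input_device", "?")
        if "gateway" in e:  # caveat: force by output_device only, never Gateway Address
            findings.append(f"policy {seq}: sets gateway; use output_device only")
        if any(k in e for k in ("protocol", "start_port", "end_port", "src", "dst")):
            last_selective[dev] = seq  # ascending order, so this is the highest seq seen
        else:  # no match criteria: this is the catch-all for the rest of the traffic
            catch_all[dev] = seq
    for dev in sorted(set(catch_all) | set(last_selective)):
        if dev not in catch_all:
            findings.append(f"{dev}: no catch-all policy route for remaining traffic")
        elif catch_all[dev] < last_selective.get(dev, 0):  # earlier seq wins, shadows the rest
            findings.append(f"{dev}: catch-all policy {catch_all[dev]} shadows policy {last_selective[dev]}")
    return findings
```

Run it over the output of "show router policy" from the unit to check a real configuration; on the sample it reports the gateway on policy 2 and the misplaced catch-all.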

The CLI command "get router info routing_table" will display the "true" preferential default route.

Fortigate # get router info routing_table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1      <<< Default route 1
                  [10/0] via 172.31.224.254, wan2       <<< Default route 2 & the "True" default route
C       10.100.1.0/24 is directly connected, dmz
C       10.103.1.0/24 is directly connected, internal
C       172.31.224.0/24 is directly connected, wan2
C       192.168.182.0/23 is directly connected, wan1

A basic method to test and determine which interface has the preferred route is to enable the FortiGate unit's NTP synchronization feature (System > Config > Time) and set the interval to 1 minute. Then activate the built-in sniffer on each interface to determine which one is used for this egressing traffic.

For example:
diag sniff pack wan1 'udp port 123'
diag sniff pack wan2 'udp port 123'