pgautam (Staff)
Article Id 270783
Description This article describes how FortiGate keeps regular policy routes, ISDB routes, and SD-WAN rules in a single policy route table, and how to tell the three entry types apart in that table's output.
Scope FortiOS, SD-WAN, policy route table, ISDB route.
Solution

FortiOS has three types of policy routes displayed in the policy route table:

  1. Regular policy routes.
  2. ISDB routes (Internet Service Database).
  3. SD-WAN rules.

 

To display the policy route table, use the command below (dia is the short form of diagnose):

dia firewall proute list

list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=6(port4) dport=0-65535 path(1) oif=8(port6)
source wildcard(1): 10.201.0.0/255.255.255.0
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2023-08-28 19:04:17

 

id=2113929220(0x7e000004) static_route=4 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1) oif=3(port1)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Google-DNS(65539,0,0,0,0)
hit_count=109 last_used=2023-08-28 19:05:51

 

id=2131886081(0x7f120001) vwl_service=1(test123) vwl_mbr_seq=1 5 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(2) oif=3(port1) oif=8(port6)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=197 last_used=2023-08-28 19:05:57


The above output includes a regular policy route, an ISDB route, and an SD-WAN rule.

  1. Regular policy routes are assigned an ID no higher than 65535. In this example the ID is 1, so this entry is a regular policy route:

    id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=6(port4) dport=0-65535 path(1) oif=8(port6)
    source wildcard(1): 10.201.0.0/255.255.255.0
    destination wildcard(1): 0.0.0.0/0.0.0.0
    hit_count=0 last_used=2023-08-28 19:04:17

    (Screenshot: regular policy route)

 

  2. ISDB routes and SD-WAN rules are both assigned IDs higher than 65535. To differentiate between them, look for the vwl_service field: it is present only on SD-WAN rules and carries the SD-WAN rule name (test123 in this example), whereas the ISDB entry instead lists the matched internet service (Google-DNS below).

     

    ISDB route:

    id=2113929220(0x7e000004) static_route=4 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1) oif=3(port1)
    source wildcard(1): 0.0.0.0/0.0.0.0
    destination wildcard(1): 0.0.0.0/0.0.0.0
    Internet service(1): Google-DNS(65539,0,0,0,0)
    hit_count=109 last_used=2023-08-28 19:05:51

    (Screenshot: ISDB route)

     

    SD-WAN route:

    id=2131886081(0x7f120001) vwl_service=1(test123) vwl_mbr_seq=1 5 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(2) oif=3(port1) oif=8(port6)
    source(1): 0.0.0.0-255.255.255.255
    destination(1): 0.0.0.0-255.255.255.255
    hit_count=197 last_used=2023-08-28 19:05:57

     

    (Screenshot: SD-WAN policy)

     

    Note: Although IDs for regular policy routes fall in the 1 to 65535 range, the maximum number of policy routes that can be configured on a FortiGate is much lower and varies by model.

    For example, a FortiGate 200F supports 512 regular policy routes.
    The policy route limit is listed under the router.policy object in the maximum values table.
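As an added example (not part of the article), a small Python parser that applies the classification rules above to the output of dia firewall proute list: IDs up to 65535 are regular policy routes, and higher IDs are SD-WAN rules when a vwl_service field is present and ISDB routes otherwise. The sample output is the article's own three entries embedded as a constructed string; the function names are assumptions of this example.

```python
import re

# Constructed sample: the three entries from the article's "diagnose firewall proute list" output.
SAMPLE_OUTPUT = """\
id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=6(port4) dport=0-65535 path(1) oif=8(port6)
source wildcard(1): 10.201.0.0/255.255.255.0
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2023-08-28 19:04:17
id=2113929220(0x7e000004) static_route=4 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1) oif=3(port1)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Google-DNS(65539,0,0,0,0)
hit_count=109 last_used=2023-08-28 19:05:51
id=2131886081(0x7f120001) vwl_service=1(test123) vwl_mbr_seq=1 5 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(2) oif=3(port1) oif=8(port6)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=197 last_used=2023-08-28 19:05:57
"""

REGULAR_MAX_ID = 65535  # regular policy routes are numbered 1..65535

def classify(entry):
    """ID <= 65535 is regular; above that, vwl_service marks SD-WAN, else ISDB."""
    if entry["id"] <= REGULAR_MAX_ID:
        return "regular"
    return "sdwan" if entry["vwl_service"] else "isdb"

def parse_proute(text):
    """Parse proute output into dicts with id, type, oifs, names and hit_count."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"id=(\d+)\(0x[0-9a-f]+\)\s*(.*)", line)
        if m:  # header line of a new entry
            svc = re.search(r"vwl_service=\d+\(([^)]*)\)", m.group(2))
            cur = {"id": int(m.group(1)), "hit_count": None, "internet_service": None,
                   "oifs": re.findall(r"oif=\d+\(([^)]+)\)", m.group(2)),
                   "vwl_service": svc.group(1) if svc else None}
            cur["type"] = classify(cur)
            entries.append(cur)
        elif cur is not None and line.lower().startswith("internet service"):
            cur["internet_service"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("hit_count="):
            cur["hit_count"] = int(re.search(r"hit_count=(\d+)", line).group(1))
    return entries

def unused_entries(entries):
    """IDs with zero hits: candidates to review in a policy-route audit."""
    return [e["id"] for e in entries if e["hit_count"] == 0]
```

Running parse_proute on live output collected from the CLI gives the same per-entry dicts, so the hit counts can be compared across collections to spot policy routes that never match traffic.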

    The limit for each model can be checked in the following document:

     

    Technical Note: FortiGate maximum values table.

     

    Refer to the links below for the route lookup process and for SD-WAN, policy route, and ISDB configuration examples:

     

    Technical Tip: Routing in FortiGate (route-lookup-process).

     

    Technical Tip: Configuring the firewall Policy Routes.

     

    Technical Tip: Creating a static route for Predefined Internet Services (ISDB).

     

    Administration guide SD-WAN.