ronmar
Staff
January 26, 2024

Technical Tip: ISDB on Policy route

Description

This article discusses inconsistent behavior of Policy routing when ISDB and Subnet addresses are in use.

Scope

FortiGate v6.4 and v7.0.

Solution

If a user needs to reach an ISDB object from a specific source address over a specific outgoing interface, a Policy route can be created with the ISDB object as the Destination Address. Sometimes multiple destination addresses are configured on a single Policy route, mixing ISDB objects and Network addresses.


Here are the steps to create a policy route with an ISDB object as the destination:

  • Go to Network -> Policy Routes -> Create New and fill in the required details. (Under Destination Address there is the option to enter either Addresses or an Internet service.)


If an ISDB object and a Network address are configured within the same Policy route, the policy route either does not work or produces inconsistent results.


To resolve the issue and obtain consistent policy-route behavior with an ISDB object and a Network address, separate policy routes must be created: one for the Network address and one for the ISDB object.
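As an added illustration that is not part of the original article, the same workaround expressed in the FortiOS CLI under config router policy: two entries that share the source and egress settings and differ only in the destination criterion. The interface names, address object names, gateway and the Internet Service ID are placeholders and must be replaced with values from the actual FortiGate.

```fortios
config router policy
    edit 1
        set comments "Placeholder example: Network address destination only"
        set input-device "port2"
        set srcaddr "Branch_LAN"
        set dstaddr "Partner_Subnet"
        set output-device "port1"
        set gateway 203.0.113.1
    next
    edit 2
        set comments "Placeholder example: ISDB destination only, same source and egress"
        set input-device "port2"
        set srcaddr "Branch_LAN"
        set internet-service-id <ISDB_ID>
        set output-device "port1"
        set gateway 203.0.113.1
    next
end
```

Because the ISDB object and the Network address never appear in the same entry, each policy route is evaluated on a single destination type, which is the condition the article identifies for consistent matching.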


In v7.2 and v7.4, it is no longer possible to create a policy route with both a Network address and an ISDB object. When an ISDB object is added to the Destination Address of the Policy route, the Network address is automatically deleted and the address field becomes greyed out.


Note: As of v7.6.3, FortiOS has added support for configuring users and groups in policy routes, allowing administrators to use users and user groups as source filters. For more information, see Users/Groups on Policy Routes.


Related documents:

Policy routes | FortiGate / FortiOS 7.4.2 | Fortinet Document Library

Technical Tip: Creating a static route for Predefined Internet Services (ISDB)

Technical Tip: Configuring the firewall Policy Routes

Technical Tip: How to get an updated list of IP addresses of all FortiGuard servers via CLI