ss198939
New Member
March 17, 2018
Question

Static route or policy route

  • March 17, 2018
  • 3 replies
  • 4090 views
Hi All, I know a policy route has preference over static and all other routes, but does anyone know a command to make sure that traffic is going only via the policy route and not via the static route? I am asking this question in case someone has misconfigured the policy route.

    3 replies

    subramanis
    Staff
    July 10, 2022

    Hi ss198939,

    You can check the hit counts by using the command below:

    #diag firewall proute list

    You have to run the debug flow to check the exact policy route which matches the traffic:
    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Diagnostic-commands-to-check-the-status-of-the-SD/ta-p/194246

    Thanks
    Sasikumar.S

    Yurisk
    SuperUser
    July 11, 2022

    FortiGate checks the PBR table first, in order, then the regular FIB (static/dynamic) table. You could, for example, prevent going to the regular FIB by creating 2 PBR rules: the 1st via the actual interface you want it to be routed to, and the 2nd, after this, a PBR rule with the same match but routing traffic to a Loopback interface, which is always on, this way black holing such traffic when the regular interface is down. Not something I did, but thinking out loud.


    EDIT: only after the publishing noticed the post is from 2018, but will leave it for future readers anyway.
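    Yurisk's two-rule idea written out as FortiOS CLI, added here as an illustration and not something either poster configured. The interface names port1 and port2, the loopback name lo-blackhole, the 10.0.0.0/24 source and the next hop 203.0.113.1 are assumed placeholders, and the fragment relies on FortiOS skipping a policy route whose output interface is down so that the second rule takes over.

```fortios
# Added example, not from the thread. Assumed names: port1 (LAN side),
# port2 (WAN side), lo-blackhole (loopback), source 10.0.0.0/24,
# next hop 203.0.113.1. Adjust to the real topology before use.
config system interface
    edit "lo-blackhole"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
end
config router policy
    # Rule 1: the intended path. FortiOS skips it while port2 is down.
    edit 1
        set input-device "port1"
        set src "10.0.0.0/255.255.255.0"
        set gateway 203.0.113.1
        set output-device "port2"
    next
    # Rule 2: same match, but the output is the always-up loopback, so the
    # traffic never falls through to the static/dynamic FIB when port2 fails.
    edit 2
        set input-device "port1"
        set src "10.0.0.0/255.255.255.0"
        set output-device "lo-blackhole"
    next
end
# Check which rule the traffic is hitting (command from the reply above):
# diagnose firewall proute list
```

    With no firewall policy from port1 to lo-blackhole, the implicit deny drops whatever reaches rule 2, which is the fail-closed black hole the reply describes; the hit counters on the two rules show whether traffic is still following the intended path.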

    AEK
    SuperUser
    July 12, 2022

    I think a policy route is not good practice. Avoid using it unless it is "really really really" necessary. Use static routes, routing protocols, or SD-WAN rules instead.

    AEK