Description
Policy routing lets you redirect traffic away from a static route, which is useful when certain types of network traffic need to be routed differently. In the following network diagram a device has two WAN connections, with port1 as the primary, and two LAN subnets. If you want to route the traffic from the 192.168.80.0/24 network out of port3, except for 192.168.80.30, this can be achieved with the "Stop Policy Routing" option that was added in 5.2.

Scope
FortiGate or VDOM in NAT mode.
Solution
When you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for forwarding packets to it), then the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table.
In this scenario you can use the "Stop Policy Routing" feature to tell the FortiGate to forward the traffic using the route in the routing table instead of attempting to match the policy routes listed in the Policy Route table.
Configuration:
1) Assume that the device already has static default routes on port1 and port3, with the port1 route having the better metric.


2) Create a policy route to force the traffic from 192.168.80.0/24 out of the secondary WAN interface, port3.

CLI configuration as follows:
config router policy
    edit 3
        set input-device "port2"
        set src "192.168.80.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 192.168.50.1
        set output-device "port3"
    next
end
3) Create a policy route that stops the FortiGate from doing a lookup in the Policy Route table for the source 192.168.80.30.

CLI configuration as follows:
config router policy
    edit 2
        set input-device "port2"
        set src "192.168.80.30/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set action deny
        set comments "Stop Policy based"
    next
end
Note: in the command line the Stop Policy Routing action is named "deny".
Make sure that the policy route configured for the source 192.168.80.30 (seq 2) is placed at the top of the table, above the 192.168.80.0/24 entry. Policy routes are matched top-down, so if the broader seq 3 entry came first it would match the host and send it out port3.

Verification:
Run the debug flow commands for traffic from 192.168.80.30. The output shows the traffic leaving port1 via the static route in the routing table, without a lookup in the Policy Route table.

Other machines in the 192.168.80.0/24 subnet reach the internet out of port3 via the policy route with Seq#3.
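To make the lookup order described above concrete, the following is an added example (not FortiOS code and not from the original article): a simplified Python model of the policy-route evaluation, with the seq 2 "deny" entry, the seq 3 port3 entry and two default routes constructed to mirror the article's configuration. The port1 gateway (203.0.113.1) and the internet destination (198.51.100.7) are placeholder addresses; real FortiOS routing considers further inputs (distance, priority, protocol and port matches) that this model omits. It also shows the ordering mistake the note above warns about: with seq 3 evaluated first, 192.168.80.30 is sent out port3.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRoute:
    """One entry of 'config router policy'. action 'deny' is the CLI name of
    Stop Policy Routing: a match ends the policy lookup and hands the packet
    to the routing table."""
    seq: int
    input_device: str
    src: IPv4Network
    dst: IPv4Network
    action: str = "permit"
    gateway: Optional[str] = None
    output_device: Optional[str] = None

    def __post_init__(self):
        # A permit entry can only forward if it names a next hop and an egress interface.
        if self.action == "permit" and not (self.gateway and self.output_device):
            raise ValueError(f"seq {self.seq}: permit entry needs gateway and output-device")


@dataclass(frozen=True)
class StaticRoute:
    dst: IPv4Network
    gateway: str
    device: str
    metric: int  # lower is preferred among routes with the same prefix length


def routing_table_lookup(dst: IPv4Address, routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Longest-prefix match, ties broken by the lowest metric."""
    matches = [r for r in routes if dst in r.dst]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.dst.prefixlen, -r.metric))


def select_egress(in_dev: str, src: str, dst: str, policies: List[PolicyRoute],
                  routes: List[StaticRoute]) -> Tuple[str, Optional[int], str, str]:
    """Returns (decided_by, policy_seq, egress_interface, next_hop).

    Policies are evaluated in list order, which stands in for the position in
    the FortiGate Policy Route table; the first matching entry decides."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for p in policies:
        if p.input_device != in_dev or s not in p.src or d not in p.dst:
            continue
        if p.action == "deny":
            break  # Stop Policy Routing: ignore the remaining policy entries
        return ("policy", p.seq, p.output_device, p.gateway)
    r = routing_table_lookup(d, routes)
    if r is None:
        raise LookupError(f"no route to {dst}")
    return ("routing-table", None, r.device, r.gateway)


# Constructed data mirroring the article: LAN on port2, primary WAN on port1,
# secondary WAN on port3 via 192.168.50.1. The port1 gateway is a placeholder
# from the documentation address range (assumption, not from the article).
POLICIES = [
    PolicyRoute(2, "port2", IPv4Network("192.168.80.30/32"), IPv4Network("0.0.0.0/0"), action="deny"),
    PolicyRoute(3, "port2", IPv4Network("192.168.80.0/24"), IPv4Network("0.0.0.0/0"),
                gateway="192.168.50.1", output_device="port3"),
]
ROUTES = [
    StaticRoute(IPv4Network("0.0.0.0/0"), "203.0.113.1", "port1", metric=10),
    StaticRoute(IPv4Network("0.0.0.0/0"), "192.168.50.1", "port3", metric=20),
]


def egress_for(src: str, dst: str = "198.51.100.7", in_dev: str = "port2",
               policies: List[PolicyRoute] = POLICIES) -> Tuple[str, Optional[int], str, str]:
    """Convenience wrapper using the constructed tables above."""
    return select_egress(in_dev, src, dst, policies, ROUTES)


if __name__ == "__main__":
    for host in ("192.168.80.30", "192.168.80.50"):
        print(host, "->", egress_for(host))
    # Ordering mistake: with seq 3 evaluated first the /24 entry captures the host too.
    print("192.168.80.30 (seq 3 first) ->", egress_for("192.168.80.30", policies=list(reversed(POLICIES))))
```

Running the block prints the excepted host leaving port1 by the routing table, any other 192.168.80.0/24 host leaving port3 by policy seq 3, and the excepted host leaving port3 once the two entries are swapped, which is the case the placement note above guards against.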
