FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the process of configuring Policy Routes when it is necessary to route a certain type or source of traffic to another interface. In other words, a specific protocol or IP will sometimes need to be sent to a destination other than the default gateway or route. For instance, a host's outbound FTP traffic may need to egress through WAN2, while internet traffic on all other ports and protocols continues to egress through WAN1.
The following example shows how to configure a policy route for TCP port 80 traffic arriving on port1 from subnet 192.168.1.0/24 and send it out port6 to gateway 10.10.10.1.
Scope
FortiGate.
Solution
The Policy Routes feature is not visible by default. To enable it, navigate to Firewall GUI -> System -> Feature Visibility, then enable Advanced Routing and select 'Apply'.
To enable Policy Routes in the CLI:
config system setting
set gui-dynamic-routing enable
end
Once Advanced Routing has been enabled under Feature Visibility, the Policy Routes page is available at the following path:
FortiGate GUI -> Network -> Policy Routes.
Configure it by following the steps below to forward the traffic over a specific port by overriding the routing table.
Select 'Create New'.
Protocol – Select from existing options or specify the protocol number to match.
The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers and a list of the assigned protocol numbers is available here. The range is from 0 to 255. A value of 0 disables the feature. (Commonly used Protocol numbers include 6 for TCP sessions, 17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions.)
Source Address / Mask – To perform policy routing based on the IP source address, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Address / Mask – To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Internet Service – To perform policy routing based on the Internet Service of the packet for the destination, add the internet service from the list of ISDB available. Example of Internet services: Fortinet-FTP, Adobe-DNS, Amazon-AWS, etc.
Type of Service – Use a two-digit hexadecimal bit pattern to match the service, or use a two-digit hexadecimal bit mask to mask out. For more information, see Type of Service.
Action – select 'Forward' or 'Stop Policy Routing' as required. If 'Stop Policy Routing' is selected, the policy route is not applied and the routing table of the FortiGate device is consulted instead.
Outgoing Interface - Select the name of the interface through which packets affected by the policy will be routed.
Gateway Address - Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. If the outgoing interface is an IPsec tunnel, make sure the interface IP is configured on it. The gateway address will be the interface IP of the remote side.
Note: If the Gateway IP address is not specified and is left blank, a valid route for the outgoing interface must exist in the routing table. Otherwise, the traffic will not follow the policy route.
Select 'Status' – Enabled.
Then select 'OK' to save and apply the configuration.
In versions before and including 6.0, policy routing does not have 'Internet Service' as an option in the GUI.
In version 6.2 and later, policy routing has 'Internet Service' as an option in the GUI.
CLI Configuration.
To configure policy routes using the CLI:
FGT # config router policy
FGT (policy) # edit 1
    set input-device <- Incoming interface name.
    set input-device-negate <- Enable/disable negation of input device match.
    set src <- Source IP and mask (x.x.x.x/x).
    set srcaddr <- Source address name.
    set src-negate <- Enable/disable negating source address match.
    set dst <- Destination IP and mask (x.x.x.x/x).
    set dstaddr <- Destination address name.
    set dst-negate <- Enable/disable negating destination address match.
    set action <- Action of the policy route.
    set protocol <- Protocol number (0 - 255).
    set gateway <- IP address of the gateway.
    set output-device <- Outgoing interface name.
    set tos <- Type of service bit pattern.
    set tos-mask <- Type of service evaluated bits.
    set status <- Enable/disable this policy route.
    set comments <- Optional comments.
    set internet-service-id <- Destination Internet Service ID.
    set internet-service-custom <- Custom Destination Internet Service name.
next
end
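The example scenario from the introduction (TCP port 80 from 192.168.1.0/24 arriving on port1, egress via port6 to gateway 10.10.10.1) written out as a complete FortiOS CLI policy route. This is an added illustration, not configuration from the original article; it assumes the interfaces are named port1 and port6 and uses the start-port/end-port options, which the template above does not list, to restrict the match to destination port 80.

```fortios
config router policy
    edit 1
        # match only traffic entering on port1
        set input-device "port1"
        # source subnet from the example; any destination
        set src "192.168.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        # protocol 6 = TCP, destination port 80 only
        set protocol 6
        set start-port 80
        set end-port 80
        # override the routing table: send out port6 via the specified next hop
        set action permit
        set output-device "port6"
        set gateway 10.10.10.1
        set status enable
        set comments "HTTP from LAN via port6 (added example)"
    next
end
```

Because the gateway is given explicitly, no route for port6 is required in the routing table; if the gateway were omitted, the note above about needing a valid route for the outgoing interface would apply.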
Policy routes are executed in order (similar to firewall policies) so more specific policies should be placed on top and more general ones near the bottom.
Note: An SD-WAN zone cannot be chosen in the interface section of the policy-route, as explained in this document.
However, SD-WAN zones can be used in firewall policies for more granular control. To work around this limitation, steer traffic for SD-WAN zone members indirectly through SD-WAN rules that reference the zones, which provides traffic steering and control based on the defined SD-WAN zones.
Policy routes will take precedence over any other routes in the routing table. FortiGate will first check regular policy routes before coming to SD-WAN policy routes (if any) and then the routing table.
Verification of Configuration and troubleshooting.
For example, generate some test traffic from the configured source IP / subnet and check the traffic logs for the outgoing interface. The configured policy routes can be listed from the CLI with:
diagnose firewall proute list