FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 189996


This article explains how to configure the Policy Routes.

In some FortiGate deployments, it may be necessary to have a certain type or source of traffic filtered through a different network connection. In other words, a specific protocol or IP will sometimes need to be sent to a destination other than the default gateway or route. 

Steps that follow show how this is done using the GUI with a basic example.

The example that follows shows how TCP port 80 traffic arriving on port 1, and from subnet, will be sent to port 6 and gateway






In order to get the Policy Routes option on GUI, first enable the Advanced Routing in the feature visibility following the steps below:

Go to: Firewall GUI -> System -> Feature Visibility
Enable Advanced Routing, then click on 'Apply'.


Once the policy route is enabled on the feature visibility, it should be possible to get it on the below path.

Go to: Firewall GUI -> Network -> Policy Routes -> New Routing Policy.
Configure it by following the steps below to forward the traffic over a specific port by overriding the routing table.
  1. Select 'Create New'.
  1. Protocol – Select from existing options or specify the protocol number to match.

    The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers and a list of the assigned protocol numbers is available here. The range is from 0 to 255. A value of 0 disables the feature.
    (Commonly used Protocol numbers include 6 for TCP sessions, 17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions.)

  2. Source Address / Mask – To perform policy routing based on the IP source address, type the source address and network mask to match. A value of disables the feature.

  3. Destination Address / Mask – To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of disables the feature.

  4. Type of Service – Use a two-digit hexadecimal bit pattern to match the service, or use a two-digit hexadecimal bit mask to mask out. For more information, see Type of Service.

  5. Set action – select the Action of the policy route whether to 'Forward' or 'Stop Policy Routing' based on the requirement. If 'Stop Policy Routing' is selected, the routing table of the FortiGate device will be checked.

  6. Outgoing Interface - Select the name of the interface through which packets affected by the policy will be routed.

  7. Gateway Address - Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. If the outgoing interface is an IPsec tunnel, make sure the interface IP is configured on it. The gateway address will be the interface IP of the remote side. 
    Note: If the Gateway IP address is not specified and is left it blank, it will be necessary to have a valid route in the routing-table for the outgoing interface. Otherwise, the traffic will not follow the policy route. 

  8. Select 'Status' – Enabled.

  9. Then select 'OK' to save and apply the configuration.
    CLI Configuration.

    To configure policy routes using the CLI:

        FGT # config router policy
        FGT (policy) # edit 1

            set input-device   <----- Incoming interface name.
            set input-device-negate <----- Enable/disable negation of input device match.
            set src    <----- Source IP and mask (x.x.x.x/x).
            set srcaddr   <----- Source address name.
            set src-negate <----- Enable/disable negating source address match.
            set dst   <----- Destination IP and mask (x.x.x.x/x).
            set dstaddr <----- Destination address name.
            set dst-negate <----- Enable/disable negating destination address match.
            set action <----- Action of the policy route.
            set protocol <----- Protocol number (0 - 255).
            set gateway <----- IP address of the gateway.
            set output-device <----- Outgoing interface name.
            set tos <----- Type of service bit pattern.
            set tos-mask <----- Type of service evaluated bits.
            set status <----- Enable/disable this policy route.
            set comments <----- Optional comments.
            set internet-service-id <----- Destination Internet Service ID.
            set internet-service-custom <----- Custom Destination Internet Service name.

    Policy routes are executed in order (similar to firewall policies) so more specific policies should be placed on top and more general ones near the bottom.

    Policy routes will take precedence over any other routes in the routing table. FortiGate will first check regular policy routes before coming to SD-WAN policy routes (if any) and then the routing table.

    Verification of Configuration and troubleshooting.
    For example, generate some test traffic from the configured source IP / subnet and check on the traffic logs for the outgoing interface.
    diagnose firewall proute list

Related documents:

Technical Tip: How to create 'Stop Policy Route'

Related video: