Description
This article describes the steps to create a 'stop policy route'.
Scope
FortiGate.
Solution
When the FortiGate unit is configured with routing policies and the packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy route.
- If a match is found, then the FortiGate unit routes the packet using this information i.e. the IP address of the next-hop router and the FortiGate interface for forwarding packets.
- If no policy route matches the packet, then the FortiGate unit routes the packet using the static routing table.
To exempt specific traffic from this behaviour, use the 'Stop Policy Routing' feature: a policy route with action 'deny' tells the FortiGate to stop evaluating the Policy Routing Table for the matching traffic and to forward it using the static routing table instead.
Configuration:
- Assume that the device already has static default routes associated with port1 and port2.
get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [10/0] via x.x.x.x, port1
*> [10/0] via x.x.x.x, port2
C *> 10.5.16.0/20 is directly connected, port1
C *> 10.5.48.0/20 is directly connected, port2
C *> 172.31.128.0/20 is directly connected, port3
Create a policy route to force the traffic from the 192.168.1.0/24 subnet out of the secondary WAN interface, port2.
CLI Configuration as follows:
config router policy
edit 1
set input-device "port3"
set input-device-negate disable
set src "192.168.1.0/255.255.255.0"
set src-negate disable
set dst "0.0.0.0/0.0.0.0"
set dst-negate disable
set action permit
set protocol 0
set gateway x.x.x.x
set output-device "port2"
end
Create a policy route (action 'deny') to stop the FortiGate from doing a lookup in the Policy Route Table for the source 192.168.1.30/32.
CLI configuration is as follows:
config router policy
edit 2
set input-device "port3"
set input-device-negate disable
set src "192.168.1.30/255.255.255.255"
set src-negate disable
set dst "0.0.0.0/0.0.0.0"
set dst-negate disable
set action deny
set protocol 0
set tos 0x00
set tos-mask 0x00
set status enable
set comments "STOP POLICY ROUTE"
end
Make sure that the policy route configured for the source 192.168.80.30 is placed at the top of the table, so that it is evaluated before policy route 1; policy routes are matched top-down and the first match wins.
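The following Python model is an added example, not part of the original article and not FortiOS code; it reproduces the lookup order described above (top-down policy route match, 'permit' forwards via the policy's gateway and output device, 'deny' stops policy routing and falls back to the static table) and shows why the stop policy route must sit above policy route 1. The gateway addresses 10.5.16.1 and 10.5.48.1 are constructed stand-ins for the x.x.x.x values on the page, and the policy and packet objects are simplified illustrations of the CLI objects.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PolicyRoute:
    seq: int
    input_device: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                       # "permit" or "deny" (deny = stop policy route)
    output_device: Optional[str] = None
    gateway: Optional[str] = None
    protocol: int = 0                 # 0 = any protocol, as in the CLI


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    gateway: str
    device: str


@dataclass
class Packet:
    ingress: str
    src: str
    dst: str
    protocol: int = 6


# Constructed static table: two default routes (ECMP) as in the 'get router info' output above.
STATIC_TABLE = [
    StaticRoute(ipaddress.ip_network("0.0.0.0/0"), "10.5.16.1", "port1"),  # constructed gateway
    StaticRoute(ipaddress.ip_network("0.0.0.0/0"), "10.5.48.1", "port2"),  # constructed gateway
]

# Policy route 1 from the article: send 192.168.1.0/24 out of port2.
POLICY_ROUTE_1 = PolicyRoute(
    1, "port3", ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("0.0.0.0/0"), "permit", "port2", "10.5.48.1",
)

# Policy route 2 from the article: stop policy routing for host 192.168.1.30.
STOP_POLICY_ROUTE = PolicyRoute(
    2, "port3", ipaddress.ip_network("192.168.1.30/32"),
    ipaddress.ip_network("0.0.0.0/0"), "deny",
)


def static_lookup(pkt: Packet, table: List[StaticRoute]) -> StaticRoute:
    """Longest-prefix match; equal-length (ECMP) candidates resolve to the first
    entry in table order in this simplified model."""
    dst = ipaddress.ip_address(pkt.dst)
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError("no static route for %s" % pkt.dst)
    return best


def policy_matches(pkt: Packet, p: PolicyRoute) -> bool:
    if p.input_device != pkt.ingress:
        return False
    if p.protocol not in (0, pkt.protocol):
        return False
    return (ipaddress.ip_address(pkt.src) in p.src
            and ipaddress.ip_address(pkt.dst) in p.dst)


def route(pkt: Packet, policies: List[PolicyRoute],
          table: List[StaticRoute]) -> Tuple[str, str, str]:
    """Return (egress device, gateway, reason) using FortiGate-style lookup order:
    walk the policy table top-down; first match wins; deny means stop policy
    routing and use the static table."""
    for p in policies:
        if policy_matches(pkt, p):
            if p.action == "permit":
                return (p.output_device, p.gateway, "policy route %d" % p.seq)
            s = static_lookup(pkt, table)
            return (s.device, s.gateway, "static (stopped by policy route %d)" % p.seq)
    s = static_lookup(pkt, table)
    return (s.device, s.gateway, "static (no policy route matched)")


if __name__ == "__main__":
    host = Packet("port3", "192.168.1.30", "203.0.113.10")
    other = Packet("port3", "192.168.1.31", "203.0.113.10")
    correct_order = [STOP_POLICY_ROUTE, POLICY_ROUTE_1]   # stop route at the top
    wrong_order = [POLICY_ROUTE_1, STOP_POLICY_ROUTE]     # stop route below policy 1
    print("correct order, 192.168.1.30:", route(host, correct_order, STATIC_TABLE))
    print("correct order, 192.168.1.31:", route(other, correct_order, STATIC_TABLE))
    print("wrong order,   192.168.1.30:", route(host, wrong_order, STATIC_TABLE))
```

With the stop route at the top, 192.168.1.30 is forwarded by the static table (port1 here, the first default route), while the rest of 192.168.1.0/24 still follows policy route 1 out of port2. With the order reversed, policy route 1 matches 192.168.1.30 first and the stop route is never reached, which is the misconfiguration the ordering instruction above prevents.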
Note:
- If the interfaces are SD-WAN members and the requirement is that traffic from a given source is forwarded only to a specific member, with no failover to another member when that member goes down, this cannot be achieved with an SD-WAN rule: when a member goes down, the traffic is routed according to the next SD-WAN rule or the default SD-WAN rule.
- To meet this requirement, configure a stop policy route as described above; an SD-WAN rule alone cannot achieve it.