Created on 03-02-2022 11:38 PM Edited on 03-13-2022 11:16 PM
Description
This article describes how to define a policy route based on a source MAC address.
Scope
The FortiGate must be able to see the source MAC address of the host directly. If an L3 device is connected downstream of the FortiGate, this is not applicable, because the source MAC address seen by the FortiGate would be that of the L3 device rather than that of the host.
Solution
Below is the CLI configuration for the same:

# config router policy

# config firewall address
    edit "PC1"
        set type mac
        set associated-interface "port10"
        set macaddr "00:78:65:6e:25:01"
    next
end
Validation |
Use the command '# diag firewall proute list' to check the policy route.
Below is a sample entry:
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=12 dport=0-65535 path(1) oif=5(port3) gwy=10.5.63.254
The flow trace can be checked to see the traffic processing:
2022-01-31 06:47:23 id=20085 trace_id=9 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->8.8.8.8:2048) from port10. type=8, code=0, id=1, seq=13."
The routing table entry is as shown below:
Routing table for VRF=0
The packet is routed out of the port3 interface even though the default route points to port1, because the policy route matched on the source MAC address is evaluated before the routing table.
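The full configuration sequence, as an added example that is not the article's own listing: the MAC-based address object from above, followed by the policy route that references it. The policy-route values (entry id 1, input-device port10, output-device port3, gateway 10.5.63.254) are assumptions taken from the sample 'diag firewall proute list' and flow-trace output on this page, not from a listing the article itself provides.

```fortios
# Step 1: MAC-based address object (same object as shown in the article).
# The FortiGate must see this MAC directly on port10; if an L3 device sits
# between the host and the FortiGate, the matched MAC would be that device's.
config firewall address
    edit "PC1"
        set type mac
        set associated-interface "port10"
        set macaddr "00:78:65:6e:25:01"
    next
end

# Step 2: policy route that matches on the MAC address object as its source.
# Assumed values: id, input-device, output-device and gateway are inferred
# from the validation output in this article (iif=port10, oif=port3,
# gwy=10.5.63.254); adjust them to the local topology.
config router policy
    edit 1
        set input-device "port10"
        set srcaddr "PC1"
        set gateway 10.5.63.254
        set output-device "port3"
    next
end

# Verify the entry with: diag firewall proute list
```

Traffic from PC1 arriving on port10 then matches this entry and is sent via port3, while hosts with any other source MAC fall through to the regular routing table and the default route via port1.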
Copyright 2024 Fortinet, Inc. All Rights Reserved.