vsahu
Staff
Article Id 245696
Description

This article describes the policy route behavior with link monitoring.

 

Scope

FortiGate 7.0.1 and later.

 

Solution

Policy routing allows a specific outgoing interface to be chosen for traffic. This is useful when certain types of network traffic need to be routed differently from what the routing table would choose.

In earlier versions (before 7.0.1), when a link monitor is configured and goes down, the policy route (PBR) is also disabled, and there is no option to control whether a failing link monitor should disable the policy route.

Also, when the action in a PBR is 'Forward traffic', the destination address, outgoing interface and gateway address settings must match a route in the FIB; otherwise the policy route is considered invalid and is skipped. A PBR can also become invalid/inactive if its configured link monitor fails or if the PBR is manually disabled.

The following scenarios illustrate this behavior:

 

Scenario 1:

wan 1 -> Having default route 0.0.0.0 (static or dynamic).
wan 2 -> no route.
Pbr -> configured for wan 2.
link-monitor for wan 2 -> disabled/not configured.

PBR works fine: when an interface IP is configured on WAN2, the FortiGate creates a connected route in the FIB, even though no route is explicitly configured for WAN2.


iron-kvm45 # get router info kernel | grep port1
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.5.16.0/32 pref=10.5.29.74 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.5.29.74/32 pref=10.5.29.74 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.5.31.255/32 pref=10.5.29.74 gwy=0.0.0.0 dev=3(port1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.5.16.0/20 pref=10.5.29.74 gwy=0.0.0.0 dev=3(port1)


Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.63.254, port2, [1/0]  <----- Wan1.
C 10.5.16.0/20 is directly connected, port1 <-----  WAN2.

 

[Screenshot: 6.PNG]

Scenario 2:

wan 1 -> Having default route 0.0.0.0 (static or dynamic).
wan 2 -> no route.
Pbr -> configured for wan 2.
link-monitor for wan 2 -> configured with update-static-route disable and no gateway (the link monitor fails).

[Screenshot: 2.PNG]

[Screenshot: 1.PNG]

[Screenshot: 3.PNG]

PBR got disabled because of the link monitor: its state is dead, even though the FIB route is still present.

Scenario 3:

wan 1 -> Having default route 0.0.0.0 (static or dynamic).
wan 2 -> no route.
Pbr -> configured for wan 2.
link-monitor for wan 2 -> configured (with gateway).

[Screenshot: 4.PNG]

[Screenshot: 5.PNG]

PBR works because of the link monitor: its status is alive.

Note: the link monitor only comes up once a gateway is added because WAN2 has no route, so the FortiGate does not know which path or next hop to use for the probe traffic.

Once the gateway is added, the next hop is known, the probe is sent via that gateway and the link monitor comes up.


Link monitor config (versions older than 7.0.1):

# config system link-monitor
    edit "PBR_Link_Monitor"
        set srcintf "Wan1"
        set server "8.8.8.8"
        set gateway-ip x.x.x.x
        set update-cascade-interface disable
        set update-static-route disable
    next
end

 

From 7.0.1 onwards, the update-policy-route setting is available, giving control over whether the link monitor influences the policy route.

# config system link-monitor
    edit "PBR_Link_Monitor"
        set srcintf "Wan1"
        set server "8.8.8.8"
        set gateway-ip x.x.x.x
        set update-cascade-interface disable
        set update-policy-route enable    <----- Default is enable; set to disable to stop a failing link monitor from disabling the policy route.
        set update-static-route disable
    next
end
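As an added example (not part of the original article or of FortiOS), the following Python script models the rules described above: it parses the kernel route output from Scenario 1 and decides whether a policy route is active given the FIB, the link monitor state and the update-policy-route setting. Treating table 254 as the main FIB table is an assumption taken from the Linux routing table convention.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the "get router info kernel | grep port1" output shown in Scenario 1.
KERNEL_ROUTES = """\
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.5.16.0/32 pref=10.5.29.74 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.5.29.74/32 pref=10.5.29.74 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.5.31.255/32 pref=10.5.29.74 gwy=0.0.0.0 dev=3(port1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.5.16.0/20 pref=10.5.29.74 gwy=0.0.0.0 dev=3(port1)
"""

ROUTE_RE = re.compile(r"tab=(\d+) .*?->(\S+) pref=\S+ gwy=(\S+) dev=\d+\((\w+)\)")

def parse_kernel_routes(text):
    """Return (table, destination network, gateway, device) tuples from kernel route lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            tab, dst, gwy, dev = m.groups()
            routes.append((int(tab), ip_network(dst, strict=False), gwy, dev))
    return routes

def fib_has_route(routes, outgoing_if, gateway="0.0.0.0"):
    """A 'Forward traffic' PBR is valid only if the main table (254 by Linux convention,
    an assumption here) holds a route on the outgoing interface that can reach the
    configured gateway, or any route on that interface when no gateway is set."""
    for tab, dst, gwy, dev in routes:
        if tab != 254 or dev != outgoing_if:
            continue
        if gateway == "0.0.0.0" or gwy == gateway or ip_address(gateway) in dst:
            return True
    return False

def pbr_is_active(routes, outgoing_if, gateway="0.0.0.0", pbr_enabled=True,
                  link_monitor_state=None, update_policy_route=True):
    """Model of the article's rules: the PBR is skipped if manually disabled, if it has no
    matching FIB route, or if its link monitor is dead while update-policy-route is enabled
    (the only behaviour before 7.0.1). link_monitor_state: None, 'alive' or 'dead'."""
    if not pbr_enabled:
        return False
    if not fib_has_route(routes, outgoing_if, gateway):
        return False
    if link_monitor_state == "dead" and update_policy_route:
        return False
    return True
```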

 

Related documents:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/81096/enable-or-disable-updating-pol...