FortiGate
subramanis, Staff
Article Id 384126
Description
This article describes the configuration behavior when both the source and destination networks are directly connected, and there is a requirement to influence traffic flow using a policy route.
Scope
FortiGate.
Solution

The source network 192.168.1.0/24 is directly connected to VLAN10.

The destination network 192.168.2.0/24 is directly connected to mgmt1.

By default, traffic between these networks follows the directly connected route.

However, consider a requirement to route traffic from a specific source IP 192.168.1.10 (VLAN10) to a specific destination 192.168.2.30 (mgmt1) via port11 using a policy route.

Source interface configuration:

config system interface
    edit "VLAN10"
        set vdom "root"
        set ip 192.168.1.0 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 68
        set color 28
        set interface "fortilink"
        set vlanid 100
    next
end

Routing table entry for the source network:

C 192.168.1.0/24 is directly connected, VLAN10

Destination interface configuration:

config system interface
    edit "mgmt1"
        set vdom "root"
        set management-ip 192.168.2.2 255.255.255.0
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set role lan
        set snmp-index 1
    next
end


A specific static route has been added to reach the destination via port11:

S 192.168.2.30/32 [10/0] via 192.168.2.254, port11, [1/0]


Policy route configuration:

config router policy
    edit 1
        set input-device "VLAN10"
        set srcaddr "192.168.1.0/24"
        set dstaddr "192.168.2.0/24"
        set gateway 192.168.2.254
        set output-device "port11"
    next
end


The firewall policy allows the specific traffic from the source to the destination over port11:

config firewall policy
    edit 122
        set name "Test"
        set uuid 1d3615bc-d983-51ef-e1ad-9282698740da
        set srcintf "VLAN10"
        set dstintf "port11"
        set action accept
        set srcaddr "192.168.1.10/32"
        set dstaddr "192.168.2.30/32"
        set schedule "always"
        set service "ALL"
    next
end

The debug flow output for an ICMP echo request (ping) from 192.168.1.10 to 192.168.2.30 shows the packet being dropped:

2025-01-23 13:13:16 id=65308 trace_id=10 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.30:2048) tun_id=0.0.0.0 from VLAN10. type=8, code=0, id=1, seq=13."
2025-01-23 13:13:16 id=65308 trace_id=10 func=init_ip_session_common line=6043 msg="allocate a new session-0d065999, tun_id=0.0.0.0"
2025-01-23 13:13:16 id=65308 trace_id=10 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
2025-01-23 13:13:16 id=65308 trace_id=10 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=22, len=9"
2025-01-23 13:13:16 id=65308 trace_id=10 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop"

The directly connected route always takes precedence over the static route. As a result, the policy route is never applied, and this configuration does not work as intended.
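The following CLI sequence is an added verification example, not part of the original article, showing how to confirm on the FortiGate which route is selected for 192.168.2.30, whether the policy route is being evaluated, and how to reproduce the debug flow trace shown above. It assumes the addresses from this article and the VDOM "root".

```fortios
# Show the full routing table and the specific lookup result for the
# destination host (the connected 192.168.2.0/24 entry on mgmt1 and the
# static 192.168.2.30/32 entry via port11 should both be visible).
get router info routing-table all
get router info routing-table details 192.168.2.30

# List the policy routes known to the kernel, including hit counters, to
# see whether policy route 1 is ever matched for this traffic.
diagnose firewall proute list

# Trace a ping (proto 1 = ICMP) from 192.168.1.10 to 192.168.2.30 through
# the packet flow; this produces output like the debug flow shown above.
diagnose debug reset
diagnose debug flow filter saddr 192.168.1.10
diagnose debug flow filter daddr 192.168.2.30
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# Send the ping from 192.168.1.10 now, then stop tracing and disable debug.
diagnose debug flow trace stop
diagnose debug disable
```

If the trace still reports the packet dropped after "find a route" without any policy route match, the connected route on mgmt1 is being selected and the policy route is not influencing the path.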
