FortiGate
subramanis
Staff
Article Id 332273
Description This article describes how the FortiGate performs the route lookup for a policy route when no gateway has been defined, on v7.0.1 and above.
Scope FortiGate.
Solution


 

Depending on what is configured in the policy route, the firewall either forwards the packet to the interface and gateway defined in the policy route, bypassing the routing table, or it stops evaluating the policy route and forwards the packet according to the routing table. The four cases below show which behavior applies.

 

  1. The interface and the gateway are configured:


config router policy
    edit 1
        set input-device "port2"
        set srcaddr "all"
        set dst "200.0.0.0/255.255.255.0"
        set gateway 14.0.0.2
        set output-device "vw2"
    next
end


FGT1 # get router info routing-table details 200.0.0.1
% Network not in table

 

id=20085 trace_id=4 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=16."
id=20085 trace_id=4 func=init_ip_session_common line=6046 msg="allocate a new session-0000ceaa, tun_id=0.0.0.0"
id=20085 trace_id=4 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=4 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"

 

The packet is forwarded to the configured interface and gateway, bypassing the routing table.

 

  2. The interface is configured but no gateway is configured:

 

FGT1 # show router policy
    config router policy
        edit 1
            set input-device "port2"
            set srcaddr "all"
            set dst "200.0.0.0/255.255.255.0"
            set output-device "vw2"
        next
    end


FGT1 # get router info routing-table details | grep 200.0.0
S 200.0.0.0/25 [10/0] via 14.0.0.2, vw2, [1/0] < - - - - - - route selected (best match via vw2)
S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]


id=20085 trace_id=40 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=21."
id=20085 trace_id=40 func=init_ip_session_common line=6046 msg="allocate a new session-0000d00b, tun_id=0.0.0.0"
id=20085 trace_id=40 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 200.0.0.1 via ifindex-24"
id=20085 trace_id=40 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=40 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"


FGT1 # get router info routing-table details | grep 200.0.0
S 200.0.0.0/25 [10/0] via 14.0.0.2, vw2, [1/0]
S 200.0.0.0/26 [10/0] via 14.0.0.3, vw2, [1/0] < - - - - - - route selected (best match via vw2)
S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]


id=20085 trace_id=169 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=32."
id=20085 trace_id=169 func=init_ip_session_common line=6046 msg="allocate a new session-000246f4, tun_id=0.0.0.0"
id=20085 trace_id=169 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 200.0.0.1 via ifindex-24"
id=20085 trace_id=169 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.3 via vw2"
id=20085 trace_id=169 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
id=20085 trace_id=169 func=ids_receive line=418 msg="send to ips"


When only the output interface is configured, the firewall restricts the route lookup to routes that exit via vw2 and uses the most specific of them (200.0.0.0/25 via 14.0.0.2 at first, then 200.0.0.0/26 via 14.0.0.3 once that route is added). The more specific 200.0.0.1/32 route via vw1 is never considered, even though it would be the best match in the routing table.

 

  3. The interface is configured but no gateway is configured (active route in a different interface):

 

FGT1 # show router policy
    config router policy
        edit 1
            set input-device "port2"
            set srcaddr "all"
            set dst "200.0.0.0/255.255.255.0"
            set output-device "vw2"
        next
    end

 

FGT1 # get router info routing-table details | grep 200.0.
S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]


id=20085 trace_id=65 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=23."
id=20085 trace_id=65 func=init_ip_session_common line=6046 msg="allocate a new session-0000d123, tun_id=0.0.0.0"
id=20085 trace_id=65 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-12.0.0.2 via vw1"
id=20085 trace_id=65 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"

 

Because there is no active route to the destination via vw2, the policy route is not applied (note that no "Match policy routing" line appears in the debug flow) and the packet is forwarded according to the routing table, via vw1 to 12.0.0.2.

 

  4. The gateway is configured but no interface is configured:

 

FGT1 # show router policy
    config router policy
        edit 1
            set input-device "port2"
            set srcaddr "all"
            set dst "200.0.0.0/255.255.255.0"
            set gateway 14.0.0.2
        next
    end

 

FGT1 # get router info routing-table details | grep 200.0.0
% Network not in table


id=20085 trace_id=50 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=22."
id=20085 trace_id=50 func=init_ip_session_common line=6046 msg="allocate a new session-0000d07c, tun_id=0.0.0.0"
id=20085 trace_id=50 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=20085 trace_id=50 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=50 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"

 

FGT1 # get router info routing-table details | grep 200.0.0
S 200.0.0.0/26 [10/0] via 14.0.0.3, vw2, [1/0]
S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]

 

id=65308 trace_id=6 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=42."
id=65308 trace_id=6 func=init_ip_session_common line=6009 msg="allocate a new session-0000016b, tun_id=0.0.0.0"
id=65308 trace_id=6 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=65308 trace_id=6 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=3"
id=65308 trace_id=6 func=fw_forward_handler line=979 msg="Allowed by Policy-1:"
id=65308 trace_id=6 func=ids_receive line=429 msg="send to ips"

 

The packet is forwarded to the configured gateway 14.0.0.2, and the output interface (vw2, ifindex-24 in the debug flow) is derived from the gateway address. The routing table entries for the destination are bypassed in both runs: neither the 200.0.0.0/26 route via 14.0.0.3 nor the 200.0.0.1/32 route via vw1 influences the result.
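The four cases above can be summarized as one lookup procedure. The following Python model is an added example (not Fortinet code and not taken from this article) that parses the routing-table lines shown on this page and applies the decision logic described above to the destination 200.0.0.1. The connected routes for 12.0.0.0/24 (vw1) and 14.0.0.0/24 (vw2) are constructed, since the grep output on the page does not show them, and the way the output interface is derived from a gateway-only policy route (from the connected route that covers the gateway) is an assumption of the model. Source address and input device matching are not modeled.

```python
"""Model of FortiGate policy-route next-hop selection (added example, not Fortinet code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of "get router info routing-table details" output, for example
#   S 200.0.0.0/25 [10/0] via 14.0.0.2, vw2, [1/0]
#   C 14.0.0.0/24 is directly connected, vw2
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z]\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)"
    r"(?:\s+\[\d+/\d+\])?\s+"
    r"(?:via\s+(?P<gw>\d+(?:\.\d+){3}),|is directly connected,)\s+(?P<iface>[^,\s]+)"
)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for a connected route
    iface: str


@dataclass(frozen=True)
class PolicyRoute:
    dst: ipaddress.IPv4Network
    output_device: Optional[str] = None
    gateway: Optional[ipaddress.IPv4Address] = None


@dataclass(frozen=True)
class Decision:
    via: str  # "policy-route" or "routing-table"
    iface: Optional[str]
    gateway: Optional[ipaddress.IPv4Address]


def parse_routing_table(text: str) -> List[Route]:
    """Parse routing-table lines; '% Network not in table' and annotations are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        gw = ipaddress.IPv4Address(m["gw"]) if m["gw"] else None
        routes.append(Route(ipaddress.IPv4Network(m["prefix"], strict=False), gw, m["iface"]))
    return routes


def best_route(routes: List[Route], addr: ipaddress.IPv4Address,
               iface: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match, optionally restricted to routes that exit via one interface."""
    candidates = [r for r in routes if addr in r.prefix and (iface is None or r.iface == iface)]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(policy: PolicyRoute, routes: List[Route], dst: str) -> Optional[Decision]:
    """Pick the next hop for dst following the four cases on this page."""
    addr = ipaddress.IPv4Address(dst)
    if addr in policy.dst:
        if policy.gateway is not None:
            # Cases 1 and 4: a configured gateway is used regardless of the routing table.
            # Without an output-device the interface is taken from the connected route
            # that covers the gateway (assumption of this model).
            iface = policy.output_device
            if iface is None:
                conn = best_route(routes, policy.gateway)
                iface = conn.iface if conn else None
            return Decision("policy-route", iface, policy.gateway)
        if policy.output_device is not None:
            # Case 2: lookup restricted to routes via the output device; a more specific
            # route on another interface is ignored.
            r = best_route(routes, addr, iface=policy.output_device)
            if r is not None:
                return Decision("policy-route", r.iface, r.gateway)
            # Case 3: no active route via the output device, fall through to the table.
    r = best_route(routes, addr)
    return None if r is None else Decision("routing-table", r.iface, r.gateway)


# Constructed: connected routes are not visible in the grep output on the page.
CONNECTED = "C 12.0.0.0/24 is directly connected, vw1\nC 14.0.0.0/24 is directly connected, vw2\n"
TABLE_2A = CONNECTED + ("S 200.0.0.0/25 [10/0] via 14.0.0.2, vw2, [1/0]\n"
                        "S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]\n")
TABLE_2B = TABLE_2A + "S 200.0.0.0/26 [10/0] via 14.0.0.3, vw2, [1/0]\n"
TABLE_3 = CONNECTED + "S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]\n"
PBR_DST = ipaddress.IPv4Network("200.0.0.0/24")
GW = ipaddress.IPv4Address("14.0.0.2")


def run_cases() -> dict:
    """Reproduce the article's scenarios for 200.0.0.1; returns (via, iface, gateway) per case."""
    cases = {
        "1 iface+gw": (PolicyRoute(PBR_DST, "vw2", GW), CONNECTED),
        "2a iface only": (PolicyRoute(PBR_DST, "vw2"), TABLE_2A),
        "2b iface only, /26 added": (PolicyRoute(PBR_DST, "vw2"), TABLE_2B),
        "3 no route via vw2": (PolicyRoute(PBR_DST, "vw2"), TABLE_3),
        "4 gw only": (PolicyRoute(PBR_DST, gateway=GW), TABLE_2B),
    }
    results = {}
    for name, (pbr, table) in cases.items():
        d = resolve(pbr, parse_routing_table(table), "200.0.0.1")
        results[name] = (d.via, d.iface, str(d.gateway))
    return results


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:26s} -> {result}")
```

Running the block prints one line per case; case 2b selects 14.0.0.3 via vw2 although 200.0.0.1/32 via vw1 is the most specific route in the table, and case 3 is the only one that ends up in the routing table.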

 

Note:
The same logic also applies to SD-WAN rules, which are policy routes themselves. PBR and SD-WAN rules can be told apart in the debug flow by the ID shown in the "Match policy routing" message.


For a PBR, the ID shown is the ID of the policy route entry that was created, for example:


msg="Match policy routing id=1"

For SD-WAN rules the ID is always a much larger number, as in the message below:

 

msg="Match policy routing id=2131493263"