
When a packet matches a policy route, the FortiGate either forwards it to the interface and gateway defined in that policy route, bypassing the routing table, or it stops evaluating policy routes and forwards the packet according to the routing table. How the next hop is derived depends on whether the gateway, the outgoing interface, or both are configured in the policy route, as the following cases show.
- The interface and the gateway are configured:
config router policy
    edit 1
        set input-device "port2"
        set srcaddr "all"
        set dst "200.0.0.0/255.255.255.0"
        set gateway 14.0.0.2
        set output-device "vw2"
    next
end

FGT1 # get router info routing-table details 200.0.0.1
% Network not in table

id=20085 trace_id=4 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=16."
id=20085 trace_id=4 func=init_ip_session_common line=6046 msg="allocate a new session-0000ceaa, tun_id=0.0.0.0"
id=20085 trace_id=4 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=4 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
The packet is forwarded to the configured interface and gateway, bypassing the routing table: the debug flow reports "find a route ... gw-14.0.0.2 via vw2" even though the routing table has no entry for 200.0.0.1.
- The interface is configured but no gateway is configured:
FGT1 # show router policy
config router policy
    edit 1
        set input-device "port2"
        set srcaddr "all"
        set dst "200.0.0.0/255.255.255.0"
        set output-device "vw2"
    next
end

FGT1 # get router info routing-table details | grep 200.0.0
S       200.0.0.0/25 [10/0] via 14.0.0.2, vw2, [1/0]   < - - - - - -
S       200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]

id=20085 trace_id=40 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=21."
id=20085 trace_id=40 func=init_ip_session_common line=6046 msg="allocate a new session-0000d00b, tun_id=0.0.0.0"
id=20085 trace_id=40 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 200.0.0.1 via ifindex-24"
id=20085 trace_id=40 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=40 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"

FGT1 # get router info routing-table details | grep 200.0.0
S       200.0.0.0/25 [10/0] via 14.0.0.2, vw2, [1/0]
S       200.0.0.0/26 [10/0] via 14.0.0.3, vw2, [1/0]   < - - - - - -
S       200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]

id=20085 trace_id=169 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=32."
id=20085 trace_id=169 func=init_ip_session_common line=6046 msg="allocate a new session-000246f4, tun_id=0.0.0.0"
id=20085 trace_id=169 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 200.0.0.1 via ifindex-24"
id=20085 trace_id=169 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.3 via vw2"
id=20085 trace_id=169 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
id=20085 trace_id=169 func=ids_receive line=418 msg="send to ips"
Because only the outgoing interface is configured, the FortiGate looks up the destination in the routing table to find the gateway, but it only considers routes that exit via vw2. The most specific of those routes wins: 200.0.0.0/25 via 14.0.0.2 in the first output, and 200.0.0.0/26 via 14.0.0.3 once that route is added. The more specific 200.0.0.1/32 route via vw1 is ignored because its interface does not match the policy route.
- The interface is configured but no gateway is configured (active route in diff. interface):
FGT1 # show router policy
config router policy
    edit 1
        set input-device "port2"
        set srcaddr "all"
        set dst "200.0.0.0/255.255.255.0"
        set output-device "vw2"
    next
end

FGT1 # get router info routing-table details | grep 200.0.
S       200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]

FGT1 #
id=20085 trace_id=65 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=23."
id=20085 trace_id=65 func=init_ip_session_common line=6046 msg="allocate a new session-0000d123, tun_id=0.0.0.0"
id=20085 trace_id=65 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-12.0.0.2 via vw1"
id=20085 trace_id=65 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
The FortiGate does a route lookup in the routing table to determine the gateway, but there is no active route to 200.0.0.1 via vw2.
Therefore no usable next hop is found and the policy route is treated as invalid: it is not matched (note that the debug flow contains no "Match policy routing" line), and the traffic is forwarded according to a later policy route that matches or, if none does, the routing table, here via vw1.
This restriction applies even if the outgoing interface is point-to-point, such as an IPsec site-to-site tunnel. If an IPsec tunnel has a remote IP defined under Network -> Interfaces, this value can be used as a gateway for the policy route.
- The gateway is configured, but no Interface is configured:
FGT1 # show router policy
config router policy
    edit 1
        set input-device "port2"
        set srcaddr "all"
        set dst "200.0.0.0/255.255.255.0"
        set gateway 14.0.0.2
    next
end

FGT1 # get router info routing-table details | grep 200.0.0
% Network not in table

id=20085 trace_id=50 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=22."
id=20085 trace_id=50 func=init_ip_session_common line=6046 msg="allocate a new session-0000d07c, tun_id=0.0.0.0"
id=20085 trace_id=50 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=20085 trace_id=50 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=50 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"

FGT1 # get router info routing-table details | grep 200.0.0
S       200.0.0.0/26 [10/0] via 14.0.0.3, vw2, [1/0]
S       200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]

FGT1 #
id=65308 trace_id=6 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=42."
id=65308 trace_id=6 func=init_ip_session_common line=6009 msg="allocate a new session-0000016b, tun_id=0.0.0.0"
id=65308 trace_id=6 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=65308 trace_id=6 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=3"
id=65308 trace_id=6 func=fw_forward_handler line=979 msg="Allowed by Policy-1:"
id=65308 trace_id=6 func=ids_receive line=429 msg="send to ips
With only the gateway configured, the FortiGate does a recursive route lookup for the gateway address 14.0.0.2 itself, finds it reachable via vw2, and forwards out that interface to 14.0.0.2. The routes to the destination (200.0.0.0/26 via 14.0.0.3 and 200.0.0.1/32 via vw1) play no part in this decision, as the second output shows.
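The next-hop selection described in the four cases above, as an added Python model for this page (it is not FortiOS code and not from Fortinet). The routing tables are constructed from the outputs above; the connected routes 12.0.0.0/24 on vw1 and 14.0.0.0/24 on vw2 are assumed because the page does not show them, and treating a gateway-only policy route whose gateway has no route as invalid (like case 3) is also an assumption.

```python
"""Model of how a FortiGate picks the next hop for a matching policy route.

Added illustration for this page, not FortiOS code. It encodes the four cases
shown above: gateway+interface, interface only (with / without a route via
that interface), and gateway only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for a connected route
    device: str


@dataclass(frozen=True)
class PolicyRoute:
    id: int
    input_device: str
    dst: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address] = None
    output_device: Optional[str] = None


def route(prefix: str, gw: Optional[str], dev: str) -> Route:
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(gw) if gw else None, dev)


def best_route(table: List[Route], addr: ipaddress.IPv4Address,
               device: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match; when `device` is given, only routes via that interface count."""
    cands = [r for r in table if addr in r.prefix and (device is None or r.device == device)]
    return max(cands, key=lambda r: r.prefix.prefixlen, default=None)


def gw_str(r: Route) -> str:
    return str(r.gateway) if r.gateway is not None else "connected"


def next_hop(policies: List[PolicyRoute], table: List[Route],
             in_dev: str, dst: str) -> Tuple[str, Optional[int], str, str]:
    """Return (decision, policy_route_id, gateway, egress_interface)."""
    dst_ip = ipaddress.ip_address(dst)
    for p in policies:  # policy routes are evaluated in order; the first valid match wins
        if in_dev != p.input_device or dst_ip not in p.dst:
            continue
        if p.gateway is not None and p.output_device is not None:
            # Case 1: both configured, the routing table is bypassed entirely.
            return ("policy-route", p.id, str(p.gateway), p.output_device)
        if p.output_device is not None:
            # Cases 2/3: gateway comes from the best destination route *via output_device* only.
            r = best_route(table, dst_ip, device=p.output_device)
            if r is None:
                continue  # Case 3: no active route via that interface -> policy route invalid
            return ("policy-route", p.id, gw_str(r), p.output_device)
        if p.gateway is not None:
            # Case 4: recursive lookup for the gateway address itself picks the egress interface.
            r = best_route(table, p.gateway)
            if r is None:
                continue  # assumption: unreachable gateway treated like case 3
            return ("policy-route", p.id, str(p.gateway), r.device)
    r = best_route(table, dst_ip)  # no valid policy route: plain routing-table lookup
    if r is None:
        return ("no-route", None, "", "")
    return ("routing-table", None, gw_str(r), r.device)


# Constructed data after the outputs on this page. The connected routes for the
# vw1/vw2 subnets are an assumption; the page only shows the 200.0.0.x routes.
CONNECTED = [route("12.0.0.0/24", None, "vw1"), route("14.0.0.0/24", None, "vw2")]
R_25_VW2 = route("200.0.0.0/25", "14.0.0.2", "vw2")
R_26_VW2 = route("200.0.0.0/26", "14.0.0.3", "vw2")
R_32_VW1 = route("200.0.0.1/32", "12.0.0.2", "vw1")
DST_NET = ipaddress.ip_network("200.0.0.0/24")


def run_cases() -> Dict[str, Tuple[str, Optional[int], str, str]]:
    """Reproduce the page's scenarios for a packet arriving on port2 for 200.0.0.1."""
    both = PolicyRoute(1, "port2", DST_NET, ipaddress.ip_address("14.0.0.2"), "vw2")
    if_only = PolicyRoute(1, "port2", DST_NET, None, "vw2")
    gw_only = PolicyRoute(1, "port2", DST_NET, ipaddress.ip_address("14.0.0.2"), None)
    return {
        "gateway+interface": next_hop([both], CONNECTED, "port2", "200.0.0.1"),
        "interface-only": next_hop([if_only], CONNECTED + [R_25_VW2, R_32_VW1], "port2", "200.0.0.1"),
        "interface-only-more-specific": next_hop([if_only], CONNECTED + [R_25_VW2, R_26_VW2, R_32_VW1], "port2", "200.0.0.1"),
        "interface-only-no-route-via-vw2": next_hop([if_only], CONNECTED + [R_32_VW1], "port2", "200.0.0.1"),
        "gateway-only": next_hop([gw_only], CONNECTED + [R_26_VW2, R_32_VW1], "port2", "200.0.0.1"),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:32s} -> {result}")
```

The model makes the difference between the interface-only and gateway-only forms explicit: the former filters the destination lookup by egress interface and silently falls through when nothing matches, the latter never consults the destination routes at all.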
Note: The same logic also applies to SD-WAN rules, which are policy routes themselves. To differentiate between PBR and SD-WAN rules in the debug flow, they are assigned different IDs.
For PBRs, the ID of the particular rule created is shown, e.g.:
msg="Match policy routing id=1"
For SD-WAN rules the ID always has a much higher value, as in the message below:
msg="Match policy routing id=2131493263"
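A triage helper for the debug flow output shown throughout this page, added here as an example (it is not a Fortinet tool): it groups `diagnose debug flow` records by trace_id and reports whether a policy route matched, which gateway and interface the route lookup returned, and which firewall policy allowed the session. The two traces in the sample are copied from the outputs above (the matched case with trace_id=4 and the invalid-policy-route case with trace_id=65). The numeric boundary used to flag an id as an SD-WAN rule is an assumption; the page only says those ids are much larger than configured policy route ids.

```python
"""Summarise `diagnose debug flow` output per trace_id.

Added example for this page, not a Fortinet tool. The regexes cover only the
message formats visible on this page; the SD-WAN id threshold is an assumption.
"""
import re
from typing import Dict

RECORD = re.compile(
    r'id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=(?P<line>\d+)\s+'
    r'msg="(?P<msg>.*?)"(?=\s+id=\d+\s+trace_id=|\s*$)'
)
PBR_MATCH = re.compile(r'Match policy routing id=(\d+): to (\S+) via ifindex-(\d+)')
ROUTE_FOUND = re.compile(r'find a route: flag=(\S+) gw-(\S+) via (\S+)')
FW_POLICY = re.compile(r'Allowed by Policy-(\d+)')

# Assumption for illustration only: the page states that SD-WAN rule ids are much
# larger than configured policy route ids (e.g. 2131493263) but gives no boundary.
SDWAN_ID_FLOOR = 1 << 30


def looks_like_sdwan(policy_route_id: int) -> bool:
    return policy_route_id >= SDWAN_ID_FLOOR


def summarize(debug_flow: str) -> Dict[int, dict]:
    """One summary dict per trace_id; a missing 'policy_route' means no PBR matched."""
    traces: Dict[int, dict] = {}
    for m in RECORD.finditer(debug_flow):
        tid = int(m["trace"])
        t = traces.setdefault(tid, {"policy_route": None, "pbr_kind": None, "gateway": None,
                                    "interface": None, "fw_policy": None, "records": 0})
        t["records"] += 1
        msg = m["msg"]
        pm = PBR_MATCH.search(msg)
        if pm:
            t["policy_route"] = int(pm.group(1))
            t["pbr_kind"] = "sd-wan rule" if looks_like_sdwan(t["policy_route"]) else "policy route"
        rm = ROUTE_FOUND.search(msg)
        if rm:
            t["gateway"], t["interface"] = rm.group(2), rm.group(3)
        fm = FW_POLICY.search(msg)
        if fm:
            t["fw_policy"] = int(fm.group(1))
    return traces


# Sample records copied from the debug flow outputs on this page.
SAMPLE = """\
id=20085 trace_id=4 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=16."
id=20085 trace_id=4 func=init_ip_session_common line=6046 msg="allocate a new session-0000ceaa, tun_id=0.0.0.0"
id=20085 trace_id=4 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=4 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
id=20085 trace_id=65 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=23."
id=20085 trace_id=65 func=init_ip_session_common line=6046 msg="allocate a new session-0000d123, tun_id=0.0.0.0"
id=20085 trace_id=65 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-12.0.0.2 via vw1"
id=20085 trace_id=65 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
"""

if __name__ == "__main__":
    for tid, t in summarize(SAMPLE).items():
        pbr = f"{t['pbr_kind']} id={t['policy_route']}" if t["policy_route"] else "no policy route matched"
        print(f"trace_id={tid}: {pbr}; next hop {t['gateway']} via {t['interface']}; fw policy {t['fw_policy']}")
```

Feed it the raw console capture (records run together on one line, as on this page, or one per line); the lookahead in RECORD splits adjacent records without relying on line breaks. The absence of a "Match policy routing" line for a trace is the quickest sign that a policy route was considered invalid and the routing table was used instead.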