FortiGate
subramanis
Staff
Article Id 332273
Description This article describes how FortiGate performs the route lookup for a policy route when the gateway, the output interface, or both are defined, and what happens when the gateway is not defined.
Scope FortiGate.
Solution

[Image: Captureospf1.png]


When a packet matches a policy route, the firewall either forwards it to the interface and gateway defined in that policy route, bypassing the routing table, or it stops evaluating policy routes and forwards the packet according to the routing table. Which of the two happens depends on whether the gateway and the output interface are configured, as the four cases below show.


  1. Both the output interface and the gateway are configured:


config router policy
edit 1
set input-device "port2"
set srcaddr "all"
set dst "200.0.0.0/255.255.255.0"
set gateway 14.0.0.2
set output-device "vw2"
next
end


FGT1 # get router info routing-table details 200.0.0.1
% Network not in table


id=20085 trace_id=4 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=16."
id=20085 trace_id=4 func=init_ip_session_common line=6046 msg="allocate a new session-0000ceaa, tun_id=0.0.0.0"
id=20085 trace_id=4 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=4 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"


The packet is forwarded to the configured interface (vw2) and gateway (14.0.0.2), bypassing the routing table: the trace shows the policy route match even though the routing table has no entry for 200.0.0.1.


  2. The output interface is configured but no gateway is configured:


FGT1 # show router policy
    config router policy
        edit 1
            set input-device "port2"
            set srcaddr "all"
            set dst "200.0.0.0/255.255.255.0"
            set output-device "vw2"
        next
    end


FGT1 # get router info routing-table details | grep 200.0.0
S 200.0.0.0/25 [10/0] via 14.0.0.2, vw2, [1/0] < - - - - - -
S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]


id=20085 trace_id=40 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=21."
id=20085 trace_id=40 func=init_ip_session_common line=6046 msg="allocate a new session-0000d00b, tun_id=0.0.0.0"
id=20085 trace_id=40 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 200.0.0.1 via ifindex-24"
id=20085 trace_id=40 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=40 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"


FGT1 # get router info routing-table details | grep 200.0.0
S 200.0.0.0/25 [10/0] via 14.0.0.2, vw2, [1/0]
S 200.0.0.0/26 [10/0] via 14.0.0.3, vw2, [1/0] < - - - - - -
S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]


id=20085 trace_id=169 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=32."
id=20085 trace_id=169 func=init_ip_session_common line=6046 msg="allocate a new session-000246f4, tun_id=0.0.0.0"
id=20085 trace_id=169 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 200.0.0.1 via ifindex-24"
id=20085 trace_id=169 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.3 via vw2"
id=20085 trace_id=169 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
id=20085 trace_id=169 func=ids_receive line=418 msg="send to ips"


The firewall only evaluates the best route that egresses via the configured output interface vw2 (200.0.0.0/25 via 14.0.0.2 first, then the more specific 200.0.0.0/26 via 14.0.0.3 once it is added). The more specific 200.0.0.1/32 route via vw1 is ignored because it does not use the policy route's output interface.


  3. The output interface is configured but no gateway is configured, and the only active route is on a different interface:


FGT1 # show router policy
    config router policy
        edit 1
            set input-device "port2"
            set srcaddr "all"
            set dst "200.0.0.0/255.255.255.0"
            set output-device "vw2"
        next
    end


FGT1 # get router info routing-table details | grep 200.0.
S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]


FGT1 # id=20085 trace_id=65 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=23."
id=20085 trace_id=65 func=init_ip_session_common line=6046 msg="allocate a new session-0000d123, tun_id=0.0.0.0"
id=20085 trace_id=65 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-12.0.0.2 via vw1"
id=20085 trace_id=65 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"


Because there is no active route over vw2, the policy route is skipped (note that the trace contains no "Match policy routing" line), and the traffic is forwarded according to the routing table via 12.0.0.2 on vw1.


  4. The gateway is configured but no output interface is configured:


FGT1 # show router policy
    config router policy
        edit 1
            set input-device "port2"
            set srcaddr "all"
            set dst "200.0.0.0/255.255.255.0"
            set gateway 14.0.0.2
        next
    end


FGT1 # get router info routing-table details | grep 200.0.0
% Network not in table


id=20085 trace_id=50 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=22."
id=20085 trace_id=50 func=init_ip_session_common line=6046 msg="allocate a new session-0000d07c, tun_id=0.0.0.0"
id=20085 trace_id=50 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=20085 trace_id=50 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=20085 trace_id=50 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"


FGT1 # get router info routing-table details | grep 200.0.0
S 200.0.0.0/26 [10/0] via 14.0.0.3, vw2, [1/0]
S 200.0.0.1/32 [10/0] via 12.0.0.2, vw1, [1/0]


FGT1 # id=65308 trace_id=6 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.100.10:1->200.0.0.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=42."
id=65308 trace_id=6 func=init_ip_session_common line=6009 msg="allocate a new session-0000016b, tun_id=0.0.0.0"
id=65308 trace_id=6 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=1: to 14.0.0.2 via ifindex-24"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-14.0.0.2 via vw2"
id=65308 trace_id=6 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=3"
id=65308 trace_id=6 func=fw_forward_handler line=979 msg="Allowed by Policy-1:"
id=65308 trace_id=6 func=ids_receive line=429 msg="send to ips"


In both routing-table states, the packet is forwarded to the configured gateway 14.0.0.2 via vw2, bypassing the routing table; the 200.0.0.1/32 route via vw1 is not considered.
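The following is an added example, not code from the Fortinet article or from FortiOS: a small Python model of the four lookup cases described above, checked against the routing tables shown on the page. The connected routes for 14.0.0.0/24 on vw2 and 12.0.0.0/24 on vw1, and the resolution of the egress interface from the gateway's own route in case 4, are assumptions of the model.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):          # one routing-table entry, e.g. "S 200.0.0.0/25 via 14.0.0.2, vw2"
    prefix: str
    gateway: str
    interface: str

class PolicyRoute(NamedTuple):    # the relevant fields of "config router policy"
    dst: str
    gateway: Optional[str] = None
    output_device: Optional[str] = None

def best_route(rib, dst, interface=None):
    """Longest-prefix match for dst, optionally restricted to one egress interface."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in rib if ip in ipaddress.ip_network(r.prefix)
            and (interface is None or r.interface == interface)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

def lookup(policy, rib, dst):
    """Return (gateway, interface, source) where source is 'policy' or 'rib'."""
    matched = ipaddress.ip_address(dst) in ipaddress.ip_network(policy.dst)
    if matched and policy.gateway and policy.output_device:
        # case 1: both set -> routing table bypassed entirely
        return policy.gateway, policy.output_device, "policy"
    if matched and policy.gateway:
        # case 4: gateway only -> egress interface taken from the route reaching the gateway (assumed)
        via = best_route(rib, policy.gateway)
        if via:
            return policy.gateway, via.interface, "policy"
    if matched and policy.output_device:
        # case 2: output-device only -> best route *via that interface*, even if a more
        # specific route exists elsewhere; case 3: no route there -> policy route is skipped
        r = best_route(rib, dst, interface=policy.output_device)
        if r:
            return r.gateway, r.interface, "policy"
    r = best_route(rib, dst)
    return (r.gateway, r.interface, "rib") if r else (None, None, "none")

# Constructed sample data mirroring the article's tables (connected routes are assumed).
DST = "200.0.0.1"
CONNECTED = [Route("14.0.0.0/24", "0.0.0.0", "vw2"), Route("12.0.0.0/24", "0.0.0.0", "vw1")]
VIA_VW1 = Route("200.0.0.1/32", "12.0.0.2", "vw1")
def case1(): return lookup(PolicyRoute("200.0.0.0/24", "14.0.0.2", "vw2"), CONNECTED, DST)
def case2(): return lookup(PolicyRoute("200.0.0.0/24", output_device="vw2"),
                           CONNECTED + [Route("200.0.0.0/25", "14.0.0.2", "vw2"),
                                        Route("200.0.0.0/26", "14.0.0.3", "vw2"), VIA_VW1], DST)
def case3(): return lookup(PolicyRoute("200.0.0.0/24", output_device="vw2"), CONNECTED + [VIA_VW1], DST)
def case4(): return lookup(PolicyRoute("200.0.0.0/24", gateway="14.0.0.2"), CONNECTED, DST)
```

Each case function returns the next hop the article's trace shows for that scenario, so the model can be extended with additional routes to predict the behaviour before changing a production policy route.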
