FortiGate
Kush_Patel
Staff
Article Id 268514
Description
This article clarifies the distinctions between policy routes, SD-WAN rules, and ISDB routes while troubleshooting on FortiGate.
Scope
FortiGate.
Solution

When collecting flow debug output on a FortiGate, the routing match line reports an ID value.

This ID shows which kind of routing element (policy route, ISDB route, or SD-WAN rule) handled the packet. For instance:

id=20085 trace_id=505 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.177.70.4:8->172.17.1.36:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=8, seq=0."
id=20085 trace_id=505 func=init_ip_session_common line=6023 msg="allocate a new session-000176c6, tun_id=0.0.0.0"
id=20085 trace_id=505 func=rpdb_srv_match_input line=1036 msg="Match policy routing id=2134114318: to 172.17.1.36 via ifindex-6"
id=20085 trace_id=505 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-104.28.95.52 via wan2"

Here, the ID 2134114318 in the 'Match policy routing' line indicates that the traffic was processed by an SD-WAN rule. The flow debug line alone does not show which rule matched; that is found by looking the ID up in the policy route list, as shown next.

The IDs of all configured policy routes, SD-WAN rules, and ISDB routes can be listed with the following CLI command:

diagnose firewall proute list

list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=7(port5) dport=0-65535 path(1) oif=8(port6) gwy=10.20.30.4
source(1): 0.0.0.0-255.255.255.255
destination fqdn(1):
        gmail.com ID(218) ADDR(172.217.18.197)
hit_count=0 last_used=2023-08-10 16:13:31

id=2113929219(0x7e000003) static_route=3 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1) oif=4(port2) gwy=10.9.14.22
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Fortinet-FortiCloud(1245326,0,0,0,0)
hit_count=5 last_used=2023-08-10 16:13:33

id=2132541443(0x7f1c0003) vwl_service=3(Failover) vwl_mbr_seq=1 2 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(2) oif=11(port9) oif=12(port10)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=0 last_used=2023-07-28 11:39:03

To clarify further, the three entry types in this output are distinguished as follows:

  1. A regular policy route always has an ID of 65535 or less (ID <= 65535). In the output above, id=1 is a policy route.
  2. An ISDB route has an ID greater than 65535; its entry carries the 'static_route' field but no 'vwl_service' field. In the output above, id=2113929219 (static_route=3) is an ISDB route.
  3. An SD-WAN rule also has an ID greater than 65535; its entry carries the 'vwl_service' field. In the output above, id=2132541443 (vwl_service=3(Failover)) is an SD-WAN rule.
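The following Python script is an added example (not part of this article or of FortiOS) that applies the three rules above mechanically: it parses `diagnose firewall proute list` output into entries, classifies each entry by its ID range and by whether the `vwl_service` or `static_route` field is present, and then resolves the ID from a `rpdb_srv_match_input` flow debug line against that list. The sample output and the flow debug line embedded in the script are constructed copies of the ones shown in this article; the function names and the "unknown"/"not in list" fallback wording are the example's own.

```python
import re

# Constructed sample: the three entries from the article's
# `diagnose firewall proute list` output (policy route, ISDB route, SD-WAN rule).
SAMPLE_PROUTE_LIST = """\
list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=7(port5) dport=0-65535 path(1) oif=8(port6) gwy=10.20.30.4
source(1): 0.0.0.0-255.255.255.255
destination fqdn(1):
        gmail.com ID(218) ADDR(172.217.18.197)
hit_count=0 last_used=2023-08-10 16:13:31

id=2113929219(0x7e000003) static_route=3 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=0(any) dport=1-65535 path(1) oif=4(port2) gwy=10.9.14.22
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Fortinet-FortiCloud(1245326,0,0,0,0)
hit_count=5 last_used=2023-08-10 16:13:33

id=2132541443(0x7f1c0003) vwl_service=3(Failover) vwl_mbr_seq=1 2 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(2) oif=11(port9) oif=12(port10)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=0 last_used=2023-07-28 11:39:03
"""

# Constructed sample: the policy-routing match line from the article's flow debug output.
SAMPLE_FLOW_LINE = ('id=20085 trace_id=505 func=rpdb_srv_match_input line=1036 '
                    'msg="Match policy routing id=2134114318: to 172.17.1.36 via ifindex-6"')

POLICY_ROUTE_MAX_ID = 65535  # rule 1: regular policy routes have ID <= 65535

# An entry starts with `id=<decimal>(0x<hex>) key=value ...`; flow debug lines
# (`id=20085 trace_id=...`) have no "(0x" part and therefore never match.
ENTRY_RE = re.compile(r"^id=(\d+)\((0x[0-9a-fA-F]+)\)(.*)$")
FLOW_MATCH_RE = re.compile(r"Match policy routing id=(\d+)")


def classify(route_id, fields):
    """Apply the article's three rules to one entry's ID and its id-line fields."""
    if route_id <= POLICY_ROUTE_MAX_ID:
        return "policy route"
    if "vwl_service" in fields:          # rule 3
        return "SD-WAN rule"
    if "static_route" in fields:         # rule 2
        return "ISDB route"
    return "unknown (ID > 65535 but neither vwl_service nor static_route present)"


def parse_proute_list(text):
    """Parse `diagnose firewall proute list` output into a list of entry dicts.

    Only key=value tokens on the id line are collected (tokens without '=',
    such as the second value of `dscp_tag=0xfc 0xfc`, are ignored); the
    source/destination/hit_count lines are kept raw under 'details'.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            route_id = int(m.group(1))
            fields = {}
            for tok in m.group(3).split():
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    fields[key] = value
            current = {"id": route_id, "hex": m.group(2), "fields": fields,
                       "kind": classify(route_id, fields), "details": []}
            entries.append(current)
        elif current is not None and line.strip():
            current["details"].append(line.strip())
        elif not line.strip():
            current = None           # blank line ends the entry
    return entries


def flow_match_id(flow_line):
    """Return the ID from a `Match policy routing id=...` flow debug line, or None."""
    m = FLOW_MATCH_RE.search(flow_line)
    return int(m.group(1)) if m else None


def describe_flow_id(route_id, entries):
    """Resolve a flow debug ID against the parsed list; fall back to the ID-range rule."""
    for entry in entries:
        if entry["id"] == route_id:
            return entry["kind"]
    if route_id <= POLICY_ROUTE_MAX_ID:
        return "policy route (not in list)"
    # Above 65535 the field check decides, and that needs the list entry.
    return "SD-WAN rule or ISDB route (ID > 65535; not in list, field check not possible)"


if __name__ == "__main__":
    parsed = parse_proute_list(SAMPLE_PROUTE_LIST)
    for entry in parsed:
        print(f"id={entry['id']} ({entry['hex']}): {entry['kind']}")
    matched = flow_match_id(SAMPLE_FLOW_LINE)
    print(f"flow debug id={matched}: {describe_flow_id(matched, parsed)}")
```

The flow debug ID from the article (2134114318) is not among the three listed entries, so the script can only say it is above 65535; on a real unit the full `diagnose firewall proute list` output would contain that entry, and the presence of `vwl_service` on its id line is what confirms it as an SD-WAN rule.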