Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nithincs
Staff
Staff

Created on ‎10-22-2020 03:10 AM Edited on ‎05-02-2025 07:24 AM By Moderator

Article Id 190640

Technical Tip: Verify the matching policy route

Description

 

This article describes the CLI command to verify the matching policy route.

 

Scope

 

FortiGate.

Solution

 

FortiGate CLI allows the verification of the matching policy route to make sure traffic from a specific source to a destination is triggering the correct policy route.

Syntax.

 

diagnose ip proute match <destination ip> <source ip> <incoming interface> <proto> <destination port number>

 

For example.

FortiGate is configured with policy routes to forward the traffic from 172.31.135.0/29 via PORT1 and traffic from 172.31.134.0/29 from PORT2.

 

fermion-kvm42 # diagnose  firewall  proute list
list route policy info(vf=root):

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=3(port1) gwy=10.5.31.254
source wildcard(1): 172.31.135.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=1 last_used=2020-10-22 08:00:45

id=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=4(port2) gwy=10.5.63.254
source wildcard(1): 172.31.134.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2020-10-22 09:00:50

 

To check the matching policy route for TCP traffic generated from source 172.31.134.1 to the public IP, need to use the debug command as shown below.

 

fermion-kvm42 # diagnose ip proute match 208.91.114.181 172.31.134.1 port3 6 443

 

Output.

 

dst=208.91.114.181 src=172.31.134.1 smac=00:00:00:00:00:00 iif=5 protocol=6 dport=443
id=00000002 type=Policy Route
seq-num=2                            <---- Matching the ID=2 policy route.

 

In case, policy route are set to stop the policy route: Technical Tip: How to create a 'Stop Policy Route', it will not come in when a policy route lookup is performed, reason being, firewall will stop looking up the policy route as soon as it hits the 'stop policy route' and will fallback to static route.

 

Note:
SD-WAN rule/services will also act as a proute, and the above commands can be used to verify the matching SD-WAN rule.

ISDB policy routes will also be visible in the proute commands above. SD-WAN Rules and ISDB policy routes will have an ID above 65535, whereas regular policy routes have an ID between 1-65535. 

24502
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.