FortiGate
nithincs
Staff & Editor
Article Id 190640

Description

 

This article describes the CLI command to verify the matching policy route.

 

Scope

 

FortiGate.

Solution

 

The FortiGate CLI can show which policy route a given flow will match, which confirms that traffic from a specific source to a destination is hitting the intended policy route rather than falling through to the routing table.

Syntax.

 

diagnose ip proute match <destination ip> <source ip> <incoming interface> <proto> <destination port number>

 

For example.

FortiGate is configured with policy routes to forward the traffic from 172.31.135.0/29 via PORT1 and traffic from 172.31.134.0/29 via PORT2.

 

fermion-kvm42 # diagnose firewall proute list
list route policy info(vf=root):

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=3(port1) gwy=10.5.31.254
source wildcard(1): 172.31.135.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=1 last_used=2020-10-22 08:00:45

id=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=4(port2) gwy=10.5.63.254
source wildcard(1): 172.31.134.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2020-10-22 09:00:50

 

To check which policy route matches TCP traffic from source 172.31.134.1, arriving on port3, towards a public IP on port 443, use the diagnose command below (protocol 6 is TCP).

 

fermion-kvm42 # diagnose ip proute match 208.91.114.181 172.31.134.1 port3 6 443

 

Output.

 

dst=208.91.114.181 src=172.31.134.1 smac=00:00:00:00:00:00 iif=5 protocol=6 dport=443
id=00000002 type=Policy Route
seq-num=2                            <---- Matching the ID=2 policy route.

 

If a policy route is configured as a 'Stop Policy Route' (see Technical Tip: How to create a 'Stop Policy Route'), traffic matching it is not forwarded by any policy route: the firewall stops the policy route lookup as soon as it hits the 'stop policy route' and falls back to the routing table (static routes).

 

Note:
SD-WAN rule/services will also act as a proute, and the above commands can be used to verify the matching SD-WAN rule.

ISDB policy routes will also be visible in the proute commands above. SD-WAN Rules and ISDB policy routes will have an ID above 65535, whereas regular policy routes have an ID between 1 and 65535. 
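As an added example (not part of this article and not Fortinet code), the following Python script parses the 'diagnose firewall proute list' output shown above and applies the same first-match lookup that 'diagnose ip proute match <dst> <src> <iif> <proto> <dport>' reports, so the expected answer can be predicted or checked from a saved listing. Assumptions: the interface name-to-index map is taken from the output above (port1=3 and port2=4 from oif=, port3=5 from iif=5 in the match output); the regular expressions are tied to the listing format shown here; 'Stop Policy Route' entries are not modelled because the listing above does not contain one.

```python
"""Offline model of the FortiGate policy-route lookup.

Added example, not Fortinet code. It parses the `diagnose firewall proute list`
output from this article and applies first-match semantics over the same
5-tuple that `diagnose ip proute match` takes, so the CLI result can be
predicted from a saved listing.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the `diagnose firewall proute list` output on this page.
PROUTE_LIST = """\
list route policy info(vf=root):

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=3(port1) gwy=10.5.31.254
source wildcard(1): 172.31.135.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=1 last_used=2020-10-22 08:00:45

id=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=4(port2) gwy=10.5.63.254
source wildcard(1): 172.31.134.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2020-10-22 09:00:50
"""

# Assumed name->index map, inferred from the article's output (port1=3, port2=4
# in oif=, port3=5 from iif=5 in the match output). On a real unit, take it from
# the interface listing of the device rather than hard-coding it.
IFINDEX = {"port1": 3, "port2": 4, "port3": 5}


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


@dataclass
class PolicyRoute:
    id: int
    protocol: int           # protocol=; 0 means any protocol
    iif: int                # iif=; incoming interface index
    dport: tuple            # (low, high) from dport=low-high
    oif: str                # outgoing interface name from oif=N(name)
    gwy: str                # gateway from gwy=
    sources: list = field(default_factory=list)       # (network, mask) as ints
    destinations: list = field(default_factory=list)

    @staticmethod
    def _in_wildcards(addr, entries):
        # FortiOS "wildcard" masks may be non-contiguous, so compare bitwise
        # instead of converting to a prefix length.
        return any((addr & mask) == (net & mask) for net, mask in entries)

    def matches(self, dst, src, iif, proto, dport):
        return (self.iif == iif
                and self.protocol in (0, proto)
                and self.dport[0] <= dport <= self.dport[1]
                and self._in_wildcards(src, self.sources)
                and self._in_wildcards(dst, self.destinations))

    @property
    def kind(self):
        # Per the note above: IDs above 65535 are SD-WAN rules or ISDB routes.
        return "SD-WAN rule or ISDB policy route" if self.id > 65535 else "Policy Route"


HEADER_RE = re.compile(
    r"id=(\d+) .*?protocol=(\d+) .*?iif=(\d+) dport=(\d+)-(\d+) oif=\d+\((\w+)\) gwy=(\S+)")
WILDCARD_RE = re.compile(r"(source|destination) wildcard\(\d+\): (\S+)/(\S+)")


def parse_proute_list(text):
    """Turn the proute listing into PolicyRoute objects, in listing order."""
    routes, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = PolicyRoute(int(m[1]), int(m[2]), int(m[3]),
                                  (int(m[4]), int(m[5])), m[6], m[7])
            routes.append(current)
            continue
        m = WILDCARD_RE.match(line)
        if m and current is not None:
            entry = (ip_int(m[2]), ip_int(m[3]))
            (current.sources if m[1] == "source" else current.destinations).append(entry)
    return routes


def proute_match(routes, dst, src, iif_name, proto, dport):
    """Return the first policy route matching the flow, or None when the
    lookup falls through to the regular routing table."""
    iif = IFINDEX[iif_name]
    d, s = ip_int(dst), ip_int(src)
    for route in routes:  # listing order is lookup order; first match wins
        if route.matches(d, s, iif, proto, dport):
            return route
    return None


if __name__ == "__main__":
    table = parse_proute_list(PROUTE_LIST)
    hit = proute_match(table, "208.91.114.181", "172.31.134.1", "port3", 6, 443)
    print(f"id={hit.id:08d} type={hit.kind} oif={hit.oif} gwy={hit.gwy}")
```

Because the source subnets are disjoint, swapping the source to 172.31.135.1 selects id=1 (port1), and a source outside both /29s, or the same flow arriving on port1 instead of port3, returns None, which is the case where the firewall uses the routing table instead.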

 

Additional CLI Syntax (FortiOS v7.2.x and above).

FortiOS v7.2.x and above add a command that shows which kernel route (the routing table of static and dynamic routes) the specified parameters match. This is a separate lookup from the policy route match above: a flow that matches no policy route is forwarded by the route this command returns.

 

IPv4 Syntax:


diagnose ip route match <dst-ip> <src-ip> <outgoing-intf> <incoming-intf> <vrf>

 

For 'src-ip', '0.0.0.0' means unset.
For 'outgoing-intf' or 'incoming-intf', '-' means unset.
The command will return the details of at most one route, or none if no match is found.

 

Example:

 

diagnose ip route match 172.16.171.172 0.0.0.0 port1 - 0
dst=172.16.171.172 src=0.0.0.0 psrc=172.16.171.6 gwy=0.0.0.0 oif=port1(3) iif=-(0) vrf=0 local=0

 

IPv6 Syntax:


diagnose ipv6 route match <dst-ip> <interface-name>

 

For 'interface-name', '-' means unset.
The command will return the details of at most one route, or none if no match is found.

 

Example:

 

diagnose ipv6 route match 2001::1 port1
dst=2001::1 src=::1 gwy=:: oif=port1(3) local=0