Description
This article describes the CLI command to verify the matching policy route.
Scope
FortiGate.
Solution
FortiGate CLI allows the verification of the matching policy route to make sure traffic from a specific source to a destination is triggering the correct policy route.
Syntax.
dia ip proute match <destination ip> <source ip> <incoming interface> <proto> <destination port number>
For example.
FortiGate is configured with policy routes to forward the traffic from 172.31.135.0/29 via PORT1 and traffic from 172.31.134.0/29 from PORT2.
fermion-kvm42 # dia firewall proute list
list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=3(port1) gwy=10.5.31.254
source wildcard(1): 172.31.135.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=1 last_used=2020-10-22 08:00:45
id=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=5 dport=0-65535 oif=4(port2) gwy=10.5.63.254
source wildcard(1): 172.31.134.0/255.255.255.248
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2020-10-22 09:00:50
To check the matching policy route for TCP traffic generated from source 172.31.134.1 to public IP, need to use the debug command as shown below.
fermion-kvm42 # dia ip proute match 208.91.114.181 172.31.134.1 port3 6 443
Output.
dst=208.91.114.181 src=172.31.134.1 smac=00:00:00:00:00:00 iif=5 protocol=6 dport=443
id=00000002 type=Policy Route
seq-num=2 <---- Matching the ID=2 policy route.
Note:
SD-WAN rule/services will also act as proute and the above commands can be used to verify the matching SD-WAN rule.
ISDB policy routes will also be visible in the proute commands above. SD-WAN Rules and ISDB policy routes will have an ID above 65535 whereas regular policy routes have an ID between 1-65535.
