Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ss198939
New Contributor

Static route or policy route

Hi All I knw policy route having preference over Static and all other route But do anyone knw a command to make sure that traffic is going only via policy route not via static route. I am asking this question in case someone has misconfigured policy route.
3 REPLIES 3
subramanis
Staff
Staff

Hi ss198939,

you can check the hit counts by using the below commands 

#diag firewall proute list

you have to run the debug flow to check the exact policy route which matches the traffic
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Diagnostic-commands-to-check-the-status-of...

Thanks
Sasikumar.S

Yurisk
Valued Contributor

Fortigate checks first PBR table, in order,  then regular FIB (static/dynamic) table. You could, for example, prevent going to the regular FIB by creating 2 PBR rules - 1st via the actual interface you want it to be routed to, 2nd, after this, PBR rule with the same match but routing traffic to a Loopback interface, which is always on, and this way black holing such traffic when regular interface is down.  Not something I did, but thinking out loud.

 

EDIT: only after the publishing noticed the post is from 2018, but will leave it for future readers anyway.

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
AEK
Honored Contributor

I think policy route is not good practice. Avoid using it unless it is "really really really" necessary. Use instead static routes, routing protocols, SD-WAN rules.

AEK
AEK
Top Kudoed Authors