Article Id 190646
Policy routing enables you to redirect traffic away from a static route. This is useful when certain types of network traffic need to be routed differently. In the following network diagram a device has two WAN connections, with port1 as the primary, and two LAN subnets. If you want to route the traffic from the network out of port3, except for one source, this can be achieved with the new "Stop Policy Routing" option that was added in FortiOS 5.2.

FortiGate or VDOM in NAT mode.

When the FortiGate unit has been configured with routing policies and a packet arrives, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet against each policy in order. If a match is found and the policy contains enough information to route the packet (at a minimum the IP address of the next-hop router and the FortiGate interface used to forward packets to it), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table.

In this scenario you can use the "Stop Policy Routing" feature to tell the FortiGate to forward the traffic using the route in the routing table instead of attempting to match the policy routes listed in the Policy Route table.


1) Assume that the device already has static default routes associated with port1 and port3, with the port1 route having the better metric.



2) Create a policy route to force the traffic from the network out of the secondary WAN interface, port3.


CLI configuration as follows:

config router policy
    edit 3
        set input-device "port2"
        set src ""
        set dst ""
        set gateway
        set output-device "port3"
    next
end

3) Create a policy route to stop the FortiGate from doing a lookup in the Policy Route table for the excepted source.

CLI configuration as follows:

config router policy
    edit 2
        set input-device "port2"
        set src ""
        set dst ""
        set action deny
        set comments "Stop Policy based"
    next
end

Note: in the CLI the "Stop Policy Routing" action is named "deny".

Make sure that the policy route configured for the excepted source (seq 2, action deny) is placed at the top of the table, above the policy route for the subnet (seq 3), because policy routes are matched top-down and the first match decides.



Run the debug flow commands to trace the traffic. You will see that traffic from the excepted source leaves through port1, using the static route listed in the routing table, instead of being matched against the Policy Route table.


Other machines in the subnet go out through port3 to the internet, using the policy route with seq 3.
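To make the lookup order concrete, here is an added Python simulation of the matching described above (it is not Fortinet code): policy routes are walked by seq number, a "deny" entry stops policy routing and hands the packet to the routing table, and the routing table picks the default route with the better metric. The interface names follow the article; the addresses and metrics are constructed, and treating a matched policy that lacks a gateway or output device as unusable is a simplification of this simulation.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PolicyRoute:
    seq: int
    input_device: str
    src: str                  # source network, CIDR
    dst: str                  # destination network, CIDR
    action: str = "permit"    # "deny" is what the GUI calls "Stop Policy Routing"
    gateway: str = ""
    output_device: str = ""
    def matches(self, in_dev, src_ip, dst_ip):
        return (self.input_device == in_dev
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

@dataclass
class StaticRoute:
    network: str
    device: str
    gateway: str
    metric: int = 0           # lower wins (distance/priority in FortiOS terms)

def routing_table_lookup(table, dst_ip):
    # Longest prefix match; ties broken by metric (lower wins). None if no route covers dst.
    ip = ipaddress.ip_address(dst_ip)
    best = min((r for r in table if ip in ipaddress.ip_network(r.network)), default=None,
               key=lambda r: (-ipaddress.ip_network(r.network).prefixlen, r.metric))
    return best and (best.device, best.gateway, "routing table")

def route_packet(policy_routes, table, in_dev, src_ip, dst_ip):
    # Walk the policy route list top-down (lowest seq first); the first match decides.
    for pr in sorted(policy_routes, key=lambda p: p.seq):
        if not pr.matches(in_dev, src_ip, dst_ip):
            continue
        if pr.action == "deny":               # Stop Policy Routing: use the routing table
            break
        if pr.gateway and pr.output_device:   # enough information to route by policy
            return (pr.output_device, pr.gateway, f"policy seq {pr.seq}")
        # matched but incomplete: treated as unusable, keep walking (simulation assumption)
    return routing_table_lookup(table, dst_ip)

POLICY_ROUTES = [  # constructed sample values; the article does not give its own addresses
    PolicyRoute(3, "port2", "192.168.1.0/24", "0.0.0.0/0", "permit", "203.0.113.1", "port3"),
    PolicyRoute(2, "port2", "192.168.1.50/32", "0.0.0.0/0", "deny"),  # the excepted source host
]
ROUTING_TABLE = [
    StaticRoute("0.0.0.0/0", "port1", "198.51.100.1", metric=0),   # primary WAN, better metric
    StaticRoute("0.0.0.0/0", "port3", "203.0.113.1", metric=10),   # secondary WAN
]
```

Moving the deny entry below seq 3 (for example, giving it seq 4) makes the excepted host match the subnet policy first and leave via port3, which is why the article insists on placing it at the top.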