As per documentation in order to Policy Route work we need to provide at least two parameters:
-Outbound interface

-Gateway

On WAN2 interface we have Starlink aerial. When it is offline it has Gateway 192.168.100.1 and when is online 65.181.7.1 in current region, but I assume this gateway will change based on location. 

If this GW 65.181.7.1 would be permanent then I can create two policy routes one for 192.168.100.1 gateway and another one for 65.181.7.1 and that would be enough. 

But in my case once Gateway changes it will break above policy routes and Fortigate will start looking to Routing Table which will have below route via WAN1:

S*      0.0.0.0/0 [1/0] via x.x.x.x, wan1, [10/0]

I tried to provide 0.0.0.0 Gateway but Fortigate is ignoring such Policy Route and look directly to Routing table. 

I can't apply Policy with restriction for traffic originated from Interface "3" to use "WAN1" connection because both WANs are in SD-WAN. 

What option do I have here? If I exclude WAN1 and WAN2 from SD-WAN then will I be able to achive below via Static Routes and Policies?:
- default route for all internal interfaces via WAN2 (Starlink)
- in case WAN2 is down, failover to WAN1 for all internal interfaces except "3"
- policy restriction for traffic originated from interface "3" to "WAN1"

tried this and it still looking to Routing table and use WAN1 interface when WAN2 is down. 

Hi Vurdalag,

There should be a policy route to route traffic through WAN2 and another policy route to stop policy routing for that source subnet.

Regards,

Vimala

Hi, 

that won't work for my case. "Stop Policy Routing" only tells if there is a traffic match then exit from Policy Route and look at Routing Table. 
So in my case if WAN2 is down then routing table will have default route via WAN1 interface. 
If I configure "Stop Policy Routing" for traffic from interface "B" to WAN1 then it won't restrict from forwarding traffic via WAN1. Instead, it will stop looking at Policy Routing and will switch to Routing Table where will be default route via WAN1 and pass this traffic further. 

FortiOS always looks up policy routes first before looks up routing table. Even if route doesn't exist or interface is down, it follows what policy routes instruct.

Only way to stop one policy route pushes traffic toward the direction is to have another policy route(s), more specific one, overrides it. That's what @kvimaladevi is saying.

<edit>In other words, once you start using policy routes, any redirection based on routing table changes won't work any more.

</edit>

Toshi

Hello,

Made numerous tests. 

1) When both links are UP with connectivity -OK, then routing table is below:

Current Routing Table

2) Configured two Route Policies. First to redirected traffic from Subnet_B via WAN2 only, and second policy to stop Policy Routing for traffic originated from Subnet_B. I made very specific rules for the 192.168.0.101 PC which resides in Subnet_B:

Policy Route Nr. 1

This is Stop Policy Routing:

Policy Route Stop Routing

As you can see traffic is hitting policies:

Running tracert and continious ping from 192.168.0.101 IP on Port3, traffic is forwarding via WAN2 (Nex hop 65.181.6.1):

Traffic Routes via WAN2

Now I simulate connectivity lost on WAN2 (interface itself is UP, LAN cable connected). As you see traffic do not route anymore via WAN2 and also do not failover to WAN1. Once WAN2 connectivity restore, then traffic continue to route via WAN2. So at this step Policy Routing rule is wokring as expected:

Traffic Routes via WAN2

Here I did another test. Before test, traffic is routing via WAN2 interface. Both WAN2 and WAN1 are UP with connectivity OK, so both routes in routing table. Now I unplug cable physically from WAN2 interface. Pinging stopped for a few pings and then resumed pinging. Traffic failvored to WAN1. Policy Routing rules are still in place and are intact. 

Traffci Routes via WAN1

I connected WAN2 cable back but traffic was still routed via WAN1 interface:

Still Routes via WAN1

As per Fortigate manual for policy routes at minimum are required outgoing interface and gateway. Assume that after cable disconnection Fortgiate skip Policy route for this specific intereface. 

This approach with Policy Routes doesn't look reliable as any activities with Starlink equipment power (e.g. lost power, unit reboot, cable disconnection etc. ) will start to failover traffic from Subnet_B via WAN1. 

I checked several articles and as per them Stop Policy Forwarding do not stop traffic mentioned in this rule from routing but just informes Fortigate to stop looking further in other Policy Routing rules and jump to Routing Table:

https://community.fortinet.com/t5/FortiGate/Technical-Note-When-and-how-to-use-the-option-quot-Stop-...