CLI Reference

config router policy

Network systems maintain route tables to determine where to forward TCP/IP packets. Use this command to configure system policy routes. Policy routes are based on IP layer values, specifically the source and/or destination fields.

Routes for outbound traffic are chosen according to the following priorities:

  1. Link local routes—Self-traffic uses link local routes.
  2. LLB policy route—Configured policy routes have priority over default routes.
  3. System policy route—Configured policy routes have priority over default routes.
  4. Static route / ISP route / OSPF route—Priority is based on the distance metric. By default, distance for static routes is 10, for ISP routes is 20, and for OSPF routes is 110. The distance metric is configurable for static routes and OSPF routes, but not ISP routes.
  5. Default LLB route—Default routes have lower priority than configured routes.
  6. Default static route / OSPF route—Default routes have lower priority than configured routes.

The system evaluates policy routes, then static routes. The packets are routed to the first route that matches. The policy route table, therefore, need not include a “default route” for packets that do not match your policy because those packets can be forwarded to the default route set in the static route table.

Most policy route settings are optional, so a matching route might not provide enough information to forward the packet. In that case, the FortiADC appliance may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the destination address is the only match criterion in the policy route, the FortiADC appliance looks up the IP address of the next-hop router in its routing table. This situation could occur when interfaces are dynamic (such as DHCP or PPPoE) and you do not want or are unable to specify a static IP address of the next-hop router.

Before you begin:

  • You must have read-write permission for system settings.

Syntax

config router policy
    edit <No.>
        set destination <ip&netmask>
        set gateway <class_ip>
        set source <ip&netmask>
    next
end

destination

Address/mask notation to match the destination IP in the packet header.

To match any value, leave it blank or enter 0.0.0.0/32.

gateway

IP address of the gateway router that can route packets to the destination IP address that you have specified.

source

Address/mask notation to match the source IP in the packet header.

To match any value, either leave it blank or enter 0.0.0.0/32.
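The lookup order described above (system policy routes in sequence order, first match wins, a gateway-less match falling back to the routing table, and blank or 0.0.0.0/32 meaning "any"), as an added Python model that is not Fortinet code. It assumes only system policy routes and the static table (LLB, ISP and OSPF routes are not modelled) and assumes longest-prefix match with lowest distance as tie-breaker for the static table; the `catch_all_policies` check flags entries that match any source and any destination, since such an entry shadows every policy route after it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/32"  # per the reference: blank or 0.0.0.0/32 means "match any value"


def _matches(spec: str, addr: str) -> bool:
    """Blank or 0.0.0.0/32 matches everything; otherwise plain subnet membership."""
    if spec in ("", ANY):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class PolicyRoute:
    seq: int                       # the <No.> given to "edit"; entries are tried in this order
    source: str = ""               # set source <ip&netmask>
    destination: str = ""          # set destination <ip&netmask>
    gateway: Optional[str] = None  # set gateway <class_ip>; optional like the other settings


@dataclass
class StaticRoute:
    prefix: str         # "0.0.0.0/0" is the default route of the static table
    gateway: str
    distance: int = 10  # default distance for static routes, as stated on this page


def lookup_static(table, dst):
    """Routing-table lookup: longest prefix wins, lowest distance breaks ties (assumed rule)."""
    hits = [r for r in table
            if ipaddress.ip_address(dst) in ipaddress.ip_network(r.prefix, strict=False)]
    if not hits:
        return None
    best = max(hits, key=lambda r: (ipaddress.ip_network(r.prefix, strict=False).prefixlen, -r.distance))
    return best.gateway


def next_hop(policies, static, src, dst):
    """Policy routes first (first match wins), then the static routing table."""
    for p in sorted(policies, key=lambda p: p.seq):
        if _matches(p.source, src) and _matches(p.destination, dst):
            # a match with no gateway cannot forward on its own: consult the routing table
            return p.gateway if p.gateway else lookup_static(static, dst)
    return lookup_static(static, dst)


def catch_all_policies(policies):
    """Entries matching any source AND any destination shadow every later policy route."""
    return [p.seq for p in sorted(policies, key=lambda p: p.seq)
            if p.source in ("", ANY) and p.destination in ("", ANY)]
```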
