Policy routes
Policy routing lets you send traffic out a specific interface, or to a specific gateway, based on attributes of the packet rather than only its destination. This is useful when you need to route certain types of network traffic differently than the routing table alone would. You can use the incoming traffic's protocol, source or destination address, source interface, or port number to determine where to send the traffic.
When a packet arrives, the FortiGate starts at the top of the policy route list and attempts to match the packet with a policy. For a match to be found, the policy must contain enough information to route the packet. At a minimum, this requires either the outgoing interface to forward the traffic, or the gateway to route the traffic to, or both.
If one or both of these are not specified in the policy route, the FortiGate searches the routing table for the best active route that corresponds to the policy route:
- If only the outgoing interface is specified, the FortiGate looks up the routing table to find the gateway, filtered by the outgoing interface.
- If only the gateway is specified, the FortiGate looks up the routing table to find the outgoing interface, filtered by the gateway.
If either of these cannot be found, the policy route does not match the packet.
When both the outgoing interface and gateway are specified, the FortiGate must still find a route in the routing table ensuring that the gateway is routable over the outgoing interface. If a route cannot be found, then the policy route again does not match the packet.
In any of these scenarios, the FortiGate continues down the policy route list until it reaches the end. If no matches are found, then the FortiGate does a route lookup using the routing table.
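The matching rules above, as an added worked example (illustrative Python written for this page, not FortiOS code). `evaluate()` walks a list of policy routes top-down, applies the packet filters, then resolves the outgoing interface and gateway from a routing table using the three cases described (interface only, gateway only, both), and falls back to an ordinary route lookup when no policy can route the packet. The interface names, addresses, routing table and policies are constructed for the demonstration; the routing table is simplified to longest-prefix match with no distance or priority, and reading "filtered by the gateway" as a route lookup of the gateway address is this example's assumption.

```python
# Simulation of the policy-route evaluation described above. This is an added
# illustrative example, not FortiOS code; the routing table, interface names
# and addresses are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:                  # routing-table entry; gateway None = connected
    prefix: str
    device: str
    gateway: str = None

@dataclass(frozen=True)
class PolicyRoute:            # the 'config router policy' fields modelled here
    id: int
    input_device: str = None  # None = any incoming interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: int = 0         # 0 = any protocol
    start_port: int = 0       # destination port range, TCP/UDP only
    end_port: int = 65535
    output_device: str = None
    gateway: str = None

@dataclass(frozen=True)
class Packet:
    iif: str
    src: str
    dst: str
    protocol: int
    dport: int = 0

def route_lookup(table, address, device=None):
    """Longest-prefix match for address, optionally restricted to one interface."""
    ip = ipaddress.ip_address(address)
    hits = [r for r in table if ip in ipaddress.ip_network(r.prefix)
            and (device is None or r.device == device)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
               default=None)

def filters_match(p, pkt):
    """Packet-selection half of a policy route: interface, addresses, L4."""
    return (p.input_device in (None, pkt.iif)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(p.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(p.dst)
            and p.protocol in (0, pkt.protocol)
            and (pkt.protocol not in (6, 17)
                 or p.start_port <= pkt.dport <= p.end_port))

def resolve_path(p, table, pkt):
    """Return (outgoing interface, gateway), or None if the policy cannot route."""
    if p.output_device and p.gateway:
        # Both given: the gateway must still be routable over that interface.
        if route_lookup(table, p.gateway, device=p.output_device) is None:
            return None
        return p.output_device, p.gateway
    if p.output_device:
        # Interface only: gateway from the best route to the destination via it.
        r = route_lookup(table, pkt.dst, device=p.output_device)
        return None if r is None else (p.output_device, r.gateway)
    if p.gateway:
        # Gateway only: the interface the gateway address is reached on
        # (this example's reading of "filtered by the gateway").
        r = route_lookup(table, p.gateway)
        return None if r is None else (r.device, p.gateway)
    return None  # neither given: not enough information to route

def evaluate(policies, table, pkt):
    """Walk the policy list top-down; fall back to the routing table."""
    for p in policies:
        if filters_match(p, pkt):
            path = resolve_path(p, table, pkt)
            if path is not None:
                return ("policy", p.id, path[0], path[1])
    r = route_lookup(table, pkt.dst)
    if r is None:
        return ("unroutable", None, None, None)
    return ("routing-table", None, r.device, r.gateway)

# Constructed routing table: LAN on port1, default via port2, connected port3/port4.
TABLE = [
    Route("0.0.0.0/0", "port2", "192.0.2.1"),
    Route("192.0.2.0/24", "port2"),
    Route("10.1.1.0/24", "port1"),
    Route("198.51.100.0/24", "port3"),
    Route("172.20.120.0/24", "port4"),
]

POLICIES = [
    # The FTP route from this page: both interface and gateway given.
    PolicyRoute(1, input_device="port1", protocol=6, start_port=21,
                end_port=21, output_device="port4", gateway="172.20.120.23"),
    # Gateway is not routable over port3, so this entry can never match.
    PolicyRoute(2, dst="203.0.113.0/24", output_device="port3",
                gateway="172.20.120.23"),
    # Gateway only: the interface is resolved from the routing table.
    PolicyRoute(3, dst="203.0.113.0/24", gateway="198.51.100.1"),
    # Interface only, but no route to 10.99.0.0/16 leaves via port4.
    PolicyRoute(4, dst="10.99.0.0/16", output_device="port4"),
]
```

Policy 2 is the case worth noticing: its filters match any traffic to 203.0.113.0/24, but because 172.20.120.23 is not reachable over port3 it never routes anything, and evaluation continues to policy 3. Policy 4 shows the interface-only case failing for the same reason (no route to the destination via port4), so that traffic ends up on the routing table's default route.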
Note: Policy routes are sometimes referred to as policy-based routes (PBR).
Configuring a policy route
In this example, a policy route is configured to send all FTP traffic received at port1 out through port4 and to a next hop router at 172.20.120.23. To match FTP traffic, the protocol is set to TCP (6) and the destination ports are set to 21 (the FTP control port). Note that this matches only the FTP control connection; FTP data connections use other ports and are routed by whatever policy route or routing-table entry matches them.
To configure a policy route in the GUI:
- Go to Network > Policy Routes.
- Click Create New > Policy Route.
- Configure the following fields:
    Incoming interface: port1
    Source Address: 0.0.0.0/0.0.0.0
    Destination Address: 0.0.0.0/0.0.0.0
    Protocol: TCP
    Destination ports: 21 - 21
    Type of service: 0x00
    Bit Mask: 0x00
    Outgoing interface: Enable and select port4
    Gateway address: 172.20.120.23
- Click OK.
To configure a policy route in the CLI:
config router policy
edit 1
set input-device "port1"
set src "0.0.0.0/0.0.0.0"
set dst "0.0.0.0/0.0.0.0"
set protocol 6
set start-port 21
set end-port 21
set gateway 172.20.120.23
set output-device "port4"
set tos 0x00
set tos-mask 0x00
next
end
Configuring users and groups in policy routes
Users and groups can be added in policy routes, allowing administrators to use users and user groups as source filters. This provides granular control over network traffic, enabling organizations to prioritize resources for specific users or groups.
To configure users and groups in policy routes:
- Configure the users:
config user local
edit "test1"
set type password
set passwd ********
next
edit "test2"
set type password
set passwd ********
next
edit "test3"
set type password
set passwd ********
next
end
- Configure the user group:
config user group
edit "group1"
set member "test1" "test2"
next
end
- Configure the IPv4 routing policy with both a user and a user group as source filters:
config router policy
edit 22
set dst "10.1.100.1/255.255.255.255"
set gateway 172.16.200.55
set output-device "port1"
set users "test3"
set groups "group1"
next
end
- Configure the IPv6 routing policy with two users as source filters:
config router policy6
edit 23
set dst "2000::55/128"
set gateway 2000:172:16:200::2
set output-device "port1"
set users "test1" "test2"
next
end
- Verify that the IPv4 routing policy is using both the user and the user group as source filters:
# diagnose firewall proute list
list route policy info(vf=root):
id=22(0x16) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
path(1): oif=7(port1) gwy=172.16.200.55
users and groups(2): test3(16777219) group1(1)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 10.1.100.1/255.255.255.255
hit_count=0 rule_last_used=2025-02-12 11:40:34
- Verify that the IPv6 routing policy is using both of the assigned users as source filters:
# diagnose firewall proute6 list
list route policy6 info(vf=root):
id=23(0x17) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
path(1): oif=7(port1) gwy=2000:172:16:200::2
users and groups(2): test1(16777217) test2(16777218)
destination(1): 2000::55/128
source wildcard(1): ADDR(::)/ADDR(::)
hit_count=0 last_used=2025-02-12 11:47:07
Moving a policy route
A routing policy is added to the bottom of the table when it is created. Routing policies can be moved to a different location in the table to change the order of preference. In this example, routing policy 3 will be moved before routing policy 2.
To move a policy route in the GUI:
- Go to Network > Policy Routes.
- In the table, select the policy route.
- Drag the selected policy route to the desired position.
To move a policy route in the CLI:
config router policy
move 3 after 1
end
ISDB route
An Internet service database (ISDB) route is a special kind of policy route that can be configured on the Static Routes page, where the destination is specifically defined as an Internet service from the ISDB.
To configure an ISDB route in the GUI:
- Go to Network > Static Routes and click Create new.
- Set Destination to Internet Service and select a custom or predefined service from the drop-down list.
- Specify the Gateway Address and Interface.
- Click OK.
To configure an ISDB route in the CLI:
config router static
edit <id>
set gateway <address of next hop>
set device <outgoing interface>
set internet-service <Internet service id>
next
end
To check the order of the route with respect to other policy routes:
# diagnose firewall proute list
list route policy info(vf=root):
id=2113929222(0x7e000006) static_route=6 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(1->65535) iif=0(any)
path(1): oif=3(port1) gwy=10.152.95.88
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): BuiltIn-Alibaba-DingTalk(4278190117,0,0,0)
hit_count=0 rule_last_used=2025-02-12 09:38:36
Policy routes order of precedence
Policy routes can take different forms, including the policy-based, ISDB, and SD-WAN routes. When these routes are evaluated, the following order of precedence is applied:
Policy-based routes > ISDB routes > SD-WAN routes