Administration Guide

Policy routes

Policy routing lets you choose the outgoing interface and next hop for traffic based on attributes of the packet rather than only on its destination address. This is useful when certain types of traffic must take a different path than the routing table would give them. The incoming interface, source and destination address, protocol, destination port range, and Type of Service bits can all be used to decide where to send the traffic. Policy routes are sometimes referred to as policy-based routing (PBR).

When a packet arrives, the FortiProxy starts at the top of the policy route list and tries to match the packet against each policy in order. For a match to be used, the policy must contain enough information to forward the packet: at a minimum, the outgoing interface and the gateway to send the packet to. If one or both are not specified in the policy route, the FortiProxy consults the routing table for the best active route that corresponds to the policy route (for example, a route to the destination through the specified outgoing interface). If no such route exists in the routing table, the policy route does not match the packet and evaluation continues down the list. If the end of the list is reached without a match, the FortiProxy falls back to a normal route lookup in the routing table. Because policy routes are consulted before the routing table, a broadly scoped policy (for example, source and destination 0.0.0.0/0.0.0.0) will divert all matching traffic, so keep match criteria as narrow as the use case allows.

Configuring a policy route

In this example, a policy route is configured to send all FTP traffic received on port1 out through port3 to a next-hop router at 10.1.1.1. To match FTP traffic, the protocol is set to TCP (6) and the destination port range is set to 21 - 21 (the FTP control port). Note that this matches only the FTP control channel; passive-mode data connections to ephemeral ports on the server are not matched by this policy and will follow the routing table unless a separate policy covers them.

To configure a policy route in the GUI:
  1. Go to Network > Policy Routes and click Create New.

  2. Configure the following fields:

    Incoming interface

    port1

    Source Address

    0.0.0.0/0.0.0.0

    Destination Address

    0.0.0.0/0.0.0.0

    Protocol

    TCP

    Destination ports

    21 - 21

    Type of service

    0x00

    Bit Mask

    0x00

    Outgoing interface

    Enable and select port3

    Gateway address

    10.1.1.1

  3. Click OK.

To configure a policy route in the CLI:
config router policy
    edit 1
        set input-device "port1"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 21
        set end-port 21
        set gateway 10.1.1.1
        set output-device "port3"
    next
end
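The lookup order described above (top-down policy match, routing-table fill-in when the outgoing interface or gateway is missing, then fallback to the routing table) is easy to get wrong when reasoning about which path a packet will take. The following Python model is an added illustration and is not Fortinet code; it reproduces the FTP policy from this page plus a second, hypothetical policy (UDP/53 via port3 with no gateway) to show the fill-in and fall-through behaviour. The routing table, packets, and the rule that ports are only compared for TCP/UDP and that a ToS mask of 0x00 matches everything are assumptions for the example, not statements from the page.

```python
"""Model of FortiProxy policy-route lookup (added example, not Fortinet code).

Assumptions made for this illustration (not stated on the page):
- destination ports are compared only for TCP (6) and UDP (17); protocol 0 = any;
- a ToS bit mask of 0x00 matches every packet;
- "best active route that corresponds to the policy route" is read as the
  longest-prefix route to the destination, restricted to the policy's
  output-device when one is set.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    in_dev: str
    src: str
    dst: str
    protocol: int
    dport: int = 0
    tos: int = 0


@dataclass
class PolicyRoute:
    seq: int
    input_device: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: int = 0            # 0 = any protocol
    start_port: int = 1
    end_port: int = 65535
    tos: int = 0x00
    tos_mask: int = 0x00
    output_device: Optional[str] = None
    gateway: Optional[str] = None


@dataclass
class Route:
    prefix: str
    device: str
    gateway: Optional[str] = None  # None = directly connected


@dataclass
class Decision:
    source: str                  # "policy" or "table"
    seq: Optional[int]           # policy sequence number, None for table lookups
    device: str
    gateway: Optional[str]


def _in(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def policy_matches(pr: PolicyRoute, pkt: Packet) -> bool:
    """Match criteria: input device, src/dst prefix, protocol, port range, ToS."""
    if pr.input_device != pkt.in_dev:
        return False
    if not (_in(pkt.src, pr.src) and _in(pkt.dst, pr.dst)):
        return False
    if pr.protocol and pr.protocol != pkt.protocol:
        return False
    if pkt.protocol in (6, 17) and not (pr.start_port <= pkt.dport <= pr.end_port):
        return False
    return (pkt.tos & pr.tos_mask) == (pr.tos & pr.tos_mask)


def best_route(table: List[Route], dst: str, device: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match, optionally restricted to one outgoing device."""
    cands = [r for r in table if _in(dst, r.prefix) and (device is None or r.device == device)]
    if not cands:
        return None
    return max(cands, key=lambda r: ipaddress.ip_network(r.prefix, strict=False).prefixlen)


def lookup(policies: List[PolicyRoute], table: List[Route], pkt: Packet) -> Optional[Decision]:
    """Top-down policy evaluation with routing-table fill-in, then table fallback."""
    for pr in sorted(policies, key=lambda p: p.seq):
        if not policy_matches(pr, pkt):
            continue
        dev, gw = pr.output_device, pr.gateway
        if dev is None or gw is None:
            r = best_route(table, pkt.dst, device=dev)
            if r is None:
                continue  # table cannot complete the policy: it does not match
            dev = dev or r.device
            gw = gw if gw is not None else r.gateway
        return Decision("policy", pr.seq, dev, gw)
    r = best_route(table, pkt.dst)
    return Decision("table", None, r.device, r.gateway) if r else None


# Constructed sample data: the page's FTP policy plus a hypothetical UDP/53 policy.
ROUTING_TABLE = [Route("0.0.0.0/0", "port2", "192.0.2.1"), Route("10.1.1.0/24", "port3")]
POLICY_ROUTES = [
    PolicyRoute(1, "port1", protocol=6, start_port=21, end_port=21,
                output_device="port3", gateway="10.1.1.1"),
    PolicyRoute(2, "port1", protocol=17, start_port=53, end_port=53, output_device="port3"),
]

if __name__ == "__main__":
    for pkt in (Packet("port1", "192.168.1.10", "203.0.113.10", 6, 21),
                Packet("port1", "192.168.1.10", "203.0.113.10", 6, 80),
                Packet("port1", "192.168.1.10", "8.8.8.8", 17, 53),
                Packet("port1", "192.168.1.10", "10.1.1.53", 17, 53)):
        print(pkt.dst, pkt.dport, "->", lookup(POLICY_ROUTES, ROUTING_TABLE, pkt))
```

The third packet shows the failure mode the page describes: policy 2 matches UDP/53 on port1 but has no gateway, and the routing table has no route to 8.8.8.8 through port3, so the policy is skipped and the packet follows the default route on port2. The fourth packet shows the same policy succeeding once the destination is in the directly connected 10.1.1.0/24 prefix on port3.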