Configuring policy routes

Network systems maintain route tables to determine where to forward TCP/IP packets. Policy routes set the gateway for traffic with a source and destination that match the policy.

Routes for outbound traffic are chosen according to the following priorities:

  1. Link local routes—Self-traffic uses link local routes.
  2. LLB Link Policy route—Configured policy routes have priority over default routes.
  3. Policy route—Configured policy routes have priority over default routes.
  4. Static route / ISP route / OSPF route—Priority is based on the distance metric. By default, distance for static routes is 10, for ISP routes is 20, and for OSPF routes is 110. The distance metric is configurable for static routes and OSPF routes, but not ISP routes.
  5. Default LLB Link Policy route—Default routes have lower priority than configured routes.
  6. Default static route / OSPF route—Default routes have lower priority than configured routes.

The system evaluates policy routes, then static routes. The packets are routed to the first route that matches. The policy route table, therefore, does not need to include a “default route” for packets that do not match your policy because those packets can be forwarded to the default route set in the static route table.

Most policy route settings are optional, so a matching route may not provide enough information to forward the packet. In that case, the FortiADC appliance may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the destination address is the only match criterion in the policy route, the FortiADC appliance will look up the IP address of the next-hop router in its routing table. This situation can occur when interfaces are dynamic (such as DHCP or PPPoE) and you do not want to, or cannot, specify a static IP address for the next-hop router.
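The selection order described above, as an added Python model (this is illustration code, not FortiADC's own implementation): policy routes are evaluated first and the first match wins; a policy route that matches but carries no gateway falls back to the routing table for the next hop; the routing table is searched with the default distances the handbook gives (static 10, ISP 20, OSPF 110), with ISP distance not configurable. Two details are assumptions for the model only: the routing table prefers the longest prefix before comparing distance, and the handbook's "blank or 0.0.0.0/32 means any" convention is applied to the Source and Destination fields. All route entries and addresses are constructed sample data.

```python
# Added example, not FortiADC code: a simplified model of FortiADC's route
# selection order. Assumptions (not stated by the handbook): longest-prefix
# match before distance in the routing table; match fields are CIDR strings.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default distances from the handbook; ISP distance is not configurable.
DEFAULT_DISTANCE = {"static": 10, "isp": 20, "ospf": 110}


def matches(field_value: str, addr: str) -> bool:
    """Handbook convention: a blank field or 0.0.0.0/32 matches any address."""
    if not field_value or field_value == "0.0.0.0/32":
        return True
    return ip_address(addr) in ip_network(field_value, strict=False)


@dataclass
class PolicyRoute:
    source: str = ""
    destination: str = ""
    gateway: Optional[str] = None  # optional: None means "resolve via routing table"


@dataclass
class TableRoute:
    prefix: str
    gateway: str
    kind: str                      # "static", "isp" or "ospf"
    distance: Optional[int] = None  # configured distance, if any

    def effective_distance(self) -> int:
        # A configured distance applies to static and OSPF routes only.
        if self.distance is not None and self.kind != "isp":
            return self.distance
        return DEFAULT_DISTANCE[self.kind]


def lookup_routing_table(routes, dst):
    """Longest prefix wins; ties go to the lowest distance. 0.0.0.0/0 is the default route."""
    candidates = [r for r in routes if ip_address(dst) in ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ip_network(r.prefix, strict=False).prefixlen,
                                          -r.effective_distance()))


def select_next_hop(policy_routes, table_routes, src, dst):
    """Return (gateway, reason): policy routes in order first, then the routing table."""
    for p in policy_routes:
        if matches(p.source, src) and matches(p.destination, dst):
            if p.gateway:
                return p.gateway, "policy"
            # Policy matched but gives no gateway: the next hop comes from the routing table.
            r = lookup_routing_table(table_routes, dst)
            if r:
                return r.gateway, "policy->" + r.kind
            return None, "policy (no route)"
    r = lookup_routing_table(table_routes, dst)
    if r:
        kind = "default" if ip_network(r.prefix, strict=False).prefixlen == 0 else r.kind
        return r.gateway, kind
    return None, "unroutable"


# Constructed sample tables (documentation address ranges, not real deployments).
POLICY = [
    PolicyRoute(source="10.1.0.0/16", destination="0.0.0.0/32", gateway="192.0.2.1"),
    PolicyRoute(source="", destination="203.0.113.0/24"),  # no gateway: falls back to the table
]
TABLE = [
    TableRoute("203.0.113.0/24", "198.51.100.1", "ospf"),
    TableRoute("203.0.113.0/24", "198.51.100.2", "static"),
    TableRoute("0.0.0.0/0", "198.51.100.254", "static"),
]

if __name__ == "__main__":
    print(select_next_hop(POLICY, TABLE, "10.1.2.3", "8.8.8.8"))      # ('192.0.2.1', 'policy')
    print(select_next_hop(POLICY, TABLE, "10.2.0.1", "203.0.113.7"))  # ('198.51.100.2', 'policy->static')
    print(select_next_hop(POLICY, TABLE, "10.2.0.1", "8.8.8.8"))      # ('198.51.100.254', 'default')
```

The second case is the one the paragraph above describes: the policy route matches on destination only, so the gateway is resolved from the routing table, where the static route (distance 10) beats the OSPF route (distance 110) to the same prefix. Note that "0.0.0.0/32 means any" is a FortiADC form convention; under standard CIDR semantics that prefix matches only the address 0.0.0.0, so rules copied from the FortiADC GUI into other tooling need that field translated, not pasted.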

Before you begin:
  • You must have Read-Write permission for System settings.

To configure a policy route:
  1. Go to Network > Routing.
  2. Click the Policy tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Policy route configuration.
  5. Save the configuration.

Policy route configuration

Settings and guidelines:

  Source: Address/mask notation to match the source IP in the packet header. To match any value, either leave it blank or enter 0.0.0.0/32.
  Destination: Address/mask notation to match the destination IP in the packet header. To match any value, leave it blank or enter 0.0.0.0/32.
  Gateway: IP address of the next-hop router where the FortiADC system will forward packets for this policy route. This router must know how to route packets to the destination subnet, or forward packets to another router with this information.
