Fortinet black logo

CLI Reference

router {policy | policy6}

router {policy | policy6}

Use this command to add, move, edit or delete a route policy. When you create a policy route, any packets that match the policy are forwarded to the IP address of the next-hop gateway through the specified outbound interface.

You can configure the FortiGate unit to route packets based on:

  • a source address
  • a protocol, service type, or port range
  • the inbound interface
  • type of service (TOS)

When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to match the packet with a policy in ascending order. If no packets match the policy route, the FortiGate unit routes the packet using the routing table. Route policies are processed before static routing. You can change the order of policy routes using the move command.

note icon For static routing, any number of static routes can be defined for the same destination. When multiple routes for the same destination exist, the FortiGate unit chooses the route having the lowest administrative distance. Route redundancy is not available for policy routing: any packets that match a route policy are forwarded according to the route specified in the policy.
config router policy
    edit {seq-num}
    # Configure IPv4 routing policies.
        set seq-num {integer}   Sequence number. range[1-65535]
        config input-device
            edit {name}
            # Incoming interface name.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name
            next
        config src
            edit {subnet}
            # Source IP and mask (x.x.x.x/x).
                set subnet {string}   IP and mask. size[64]
            next
        config srcaddr
            edit {name}
            # Source address name.
                set name {string}   Address/group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set src-negate {enable | disable}   Enable/disable negating source address match.
        config dst
            edit {subnet}
            # Destination IP and mask (x.x.x.x/x).
                set subnet {string}   IP and mask. size[64]
            next
        config dstaddr
            edit {name}
            # Destination address name.
                set name {string}   Address/group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set dst-negate {enable | disable}   Enable/disable negating destination address match.
        set action {deny | permit}   Action of the policy route.
                deny    Do not search policy route table.
                permit  Use this policy route for forwarding.
        set protocol {integer}   Protocol number (0 - 255). range[0-255]
        set start-port {integer}   Start destination port number (0 - 65535). range[0-65535]
        set end-port {integer}   End destination port number (0 - 65535). range[0-65535]
        set start-source-port {integer}   Start source port number (0 - 65535). range[0-65535]
        set end-source-port {integer}   End source port number (0 - 65535). range[0-65535]
        set gateway {ipv4 address}   IP address of the gateway.
        set output-device {string}   Outgoing interface name. size[35] - datasource(s): system.interface.name
        set tos {string}   Type of service bit pattern.
        set tos-mask {string}   Type of service evaluated bits.
        set status {enable | disable}   Enable/disable this policy route.
        set comments {string}   Optional comments. size[255]
    next
end
config router policy6
    edit {seq-num}
    # Configure IPv6 routing policies.
        set seq-num {integer}   Sequence number. range[0-4294967295]
        set input-device {string}   Incoming interface name. size[35] - datasource(s): system.interface.name
        set src {ipv6 network}   Source IPv6 prefix.
        set dst {ipv6 network}   Destination IPv6 prefix.
        set protocol {integer}   Protocol number (0 - 255). range[0-255]
        set start-port {integer}   Start destination port number (1 - 65535). range[1-65535]
        set end-port {integer}   End destination port number (1 - 65535). range[1-65535]
        set gateway {ipv6 address}   IPv6 address of the gateway.
        set output-device {string}   Outgoing interface name. size[35] - datasource(s): system.interface.name
        set tos {string}   Type of service bit pattern.
        set tos-mask {string}   Type of service evaluated bits.
        set status {enable | disable}   Enable/disable this policy route.
        set comments {string}   Optional comments. size[255]
    next
end

Additional information

The following section is for those options that require additional explanation.

end-port <port number>

Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).

Set the end destination port number (0 to 65 535, default = 65 535).

You must configure both the start-port and end-port fields for destination port range matching to take effect. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.

end-source-port <port number>

Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).

Set the port range for source IP.

protocol <protocol number>

Enter the protocol number to match (0 - 255). A value of 0 disables the feature.

RFC 5237 describes protocol numbers and you can find a list of the assigned protocol numbers here. Commonly used protocol include: 1 (ICMP), 6 (TCP), 17 (UDP), 47 (GRE), and 92 (MTP).

start-source-port <port number>

Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).

Set the start destination port number (0 to 65 535, default = 65 535).

You must configure both the start-port and end-port fields for destination port range matching to take effect. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.

tos <hex mask>

The type of service (TOS) mask to match after applying the tos-mask. This is an 8-bit hexadecimal pattern that can be from 00 to FF.

The tos mask attempts to match the quality of service for this profile. Each bit in the mask represents a different aspect of quality. A tos mask of 0010 would indicate reliability is important, but with normal delay and throughput. The hex mask for this pattern would be 04.

tos-mask <hex mask>

This value determines which bits in the IP header’s TOS field are significant. This is an 8-bit hexadecimal mask that can be from 00 to FF.

Typically, only bits 3 through 6 are used for TOS, so it is necessary to mask out the other bits. To mask out everything but bits 3 through 6, the hex mask would be 1E.

router {policy | policy6}

Use this command to add, move, edit or delete a route policy. When you create a policy route, any packets that match the policy are forwarded to the IP address of the next-hop gateway through the specified outbound interface.

You can configure the FortiGate unit to route packets based on:

  • a source address
  • a protocol, service type, or port range
  • the inbound interface
  • type of service (TOS)

When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to match the packet with a policy in ascending order. If no packets match the policy route, the FortiGate unit routes the packet using the routing table. Route policies are processed before static routing. You can change the order of policy routes using the move command.

note icon For static routing, any number of static routes can be defined for the same destination. When multiple routes for the same destination exist, the FortiGate unit chooses the route having the lowest administrative distance. Route redundancy is not available for policy routing: any packets that match a route policy are forwarded according to the route specified in the policy.
config router policy
    edit {seq-num}
    # Configure IPv4 routing policies.
        set seq-num {integer}   Sequence number. range[1-65535]
        config input-device
            edit {name}
            # Incoming interface name.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name
            next
        config src
            edit {subnet}
            # Source IP and mask (x.x.x.x/x).
                set subnet {string}   IP and mask. size[64]
            next
        config srcaddr
            edit {name}
            # Source address name.
                set name {string}   Address/group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set src-negate {enable | disable}   Enable/disable negating source address match.
        config dst
            edit {subnet}
            # Destination IP and mask (x.x.x.x/x).
                set subnet {string}   IP and mask. size[64]
            next
        config dstaddr
            edit {name}
            # Destination address name.
                set name {string}   Address/group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set dst-negate {enable | disable}   Enable/disable negating destination address match.
        set action {deny | permit}   Action of the policy route.
                deny    Do not search policy route table.
                permit  Use this policy route for forwarding.
        set protocol {integer}   Protocol number (0 - 255). range[0-255]
        set start-port {integer}   Start destination port number (0 - 65535). range[0-65535]
        set end-port {integer}   End destination port number (0 - 65535). range[0-65535]
        set start-source-port {integer}   Start source port number (0 - 65535). range[0-65535]
        set end-source-port {integer}   End source port number (0 - 65535). range[0-65535]
        set gateway {ipv4 address}   IP address of the gateway.
        set output-device {string}   Outgoing interface name. size[35] - datasource(s): system.interface.name
        set tos {string}   Type of service bit pattern.
        set tos-mask {string}   Type of service evaluated bits.
        set status {enable | disable}   Enable/disable this policy route.
        set comments {string}   Optional comments. size[255]
    next
end
config router policy6
    edit {seq-num}
    # Configure IPv6 routing policies.
        set seq-num {integer}   Sequence number. range[0-4294967295]
        set input-device {string}   Incoming interface name. size[35] - datasource(s): system.interface.name
        set src {ipv6 network}   Source IPv6 prefix.
        set dst {ipv6 network}   Destination IPv6 prefix.
        set protocol {integer}   Protocol number (0 - 255). range[0-255]
        set start-port {integer}   Start destination port number (1 - 65535). range[1-65535]
        set end-port {integer}   End destination port number (1 - 65535). range[1-65535]
        set gateway {ipv6 address}   IPv6 address of the gateway.
        set output-device {string}   Outgoing interface name. size[35] - datasource(s): system.interface.name
        set tos {string}   Type of service bit pattern.
        set tos-mask {string}   Type of service evaluated bits.
        set status {enable | disable}   Enable/disable this policy route.
        set comments {string}   Optional comments. size[255]
    next
end

Additional information

The following section is for those options that require additional explanation.

end-port <port number>

Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).

Set the end destination port number (0 to 65 535, default = 65 535).

You must configure both the start-port and end-port fields for destination port range matching to take effect. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.

end-source-port <port number>

Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).

Set the port range for source IP.

protocol <protocol number>

Enter the protocol number to match (0 - 255). A value of 0 disables the feature.

RFC 5237 describes protocol numbers and you can find a list of the assigned protocol numbers here. Commonly used protocol include: 1 (ICMP), 6 (TCP), 17 (UDP), 47 (GRE), and 92 (MTP).

start-source-port <port number>

Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).

Set the start destination port number (0 to 65 535, default = 65 535).

You must configure both the start-port and end-port fields for destination port range matching to take effect. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.

tos <hex mask>

The type of service (TOS) mask to match after applying the tos-mask. This is an 8-bit hexadecimal pattern that can be from 00 to FF.

The tos mask attempts to match the quality of service for this profile. Each bit in the mask represents a different aspect of quality. A tos mask of 0010 would indicate reliability is important, but with normal delay and throughput. The hex mask for this pattern would be 04.

tos-mask <hex mask>

This value determines which bits in the IP header’s TOS field are significant. This is an 8-bit hexadecimal mask that can be from 00 to FF.

Typically, only bits 3 through 6 are used for TOS, so it is necessary to mask out the other bits. To mask out everything but bits 3 through 6, the hex mask would be 1E.