router {policy | policy6}
Use this command to add, move, edit or delete a route policy. When you create a policy route, any packets that match the policy are forwarded to the IP address of the next-hop gateway through the specified outbound interface.
You can configure the FortiGate unit to route packets based on:
- a source address
- a protocol, service type, or port range
- the inbound interface
- type of service (TOS)
When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to match the packet against each policy in ascending order of sequence number. The first matching policy is used. If the packet matches no policy route, the FortiGate unit routes the packet using the routing table. Route policies are processed before static routing. You can change the order of policy routes using the move command.
For static routing, any number of static routes can be defined for the same destination. When multiple routes for the same destination exist, the FortiGate unit chooses the route having the lowest administrative distance. Route redundancy is not available for policy routing: any packets that match a route policy are forwarded according to the gateway and outbound interface specified in that policy.
config router policy
    edit {seq-num}
    # Configure IPv4 routing policies.
        set seq-num {integer}   Sequence number. range[1-65535]
        config input-device
            edit {name}
            # Incoming interface name.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name
            next
        end
        config src
            edit {subnet}
            # Source IP and mask (x.x.x.x/x).
                set subnet {string}   IP and mask. size[64]
            next
        end
        config srcaddr
            edit {name}
            # Source address name.
                set name {string}   Address/group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        end
        set src-negate {enable | disable}   Enable/disable negating source address match.
        config dst
            edit {subnet}
            # Destination IP and mask (x.x.x.x/x).
                set subnet {string}   IP and mask. size[64]
            next
        end
        config dstaddr
            edit {name}
            # Destination address name.
                set name {string}   Address/group name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        end
        set dst-negate {enable | disable}   Enable/disable negating destination address match.
        set action {deny | permit}   Action of the policy route.
                deny     Do not search policy route table.
                permit   Use this policy route for forwarding.
        set protocol {integer}   Protocol number (0 - 255). range[0-255]
        set start-port {integer}   Start destination port number (0 - 65535). range[0-65535]
        set end-port {integer}   End destination port number (0 - 65535). range[0-65535]
        set start-source-port {integer}   Start source port number (0 - 65535). range[0-65535]
        set end-source-port {integer}   End source port number (0 - 65535). range[0-65535]
        set gateway {ipv4 address}   IP address of the gateway.
        set output-device {string}   Outgoing interface name. size[35] - datasource(s): system.interface.name
        set tos {string}   Type of service bit pattern.
        set tos-mask {string}   Type of service evaluated bits.
        set status {enable | disable}   Enable/disable this policy route.
        set comments {string}   Optional comments. size[255]
    next
end
config router policy6
    edit {seq-num}
    # Configure IPv6 routing policies.
        set seq-num {integer}   Sequence number. range[0-4294967295]
        set input-device {string}   Incoming interface name. size[35] - datasource(s): system.interface.name
        set src {ipv6 network}   Source IPv6 prefix.
        set dst {ipv6 network}   Destination IPv6 prefix.
        set protocol {integer}   Protocol number (0 - 255). range[0-255]
        set start-port {integer}   Start destination port number (1 - 65535). range[1-65535]
        set end-port {integer}   End destination port number (1 - 65535). range[1-65535]
        set gateway {ipv6 address}   IPv6 address of the gateway.
        set output-device {string}   Outgoing interface name. size[35] - datasource(s): system.interface.name
        set tos {string}   Type of service bit pattern.
        set tos-mask {string}   Type of service evaluated bits.
        set status {enable | disable}   Enable/disable this policy route.
        set comments {string}   Optional comments. size[255]
    next
end
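The lookup order described above (top-down walk in sequence-number order, first match wins, a deny match or no match falls back to the routing table) is easy to misjudge when several policies overlap, so here is an added simulation of it. This is example code written for this page, not Fortinet's implementation; the field names mirror the config router policy syntax, the matching rules are an assumption drawn from the reference text, and all addresses, interface names and gateways are constructed.

```python
# Added example (not Fortinet's code): a model of the policy-route walk that
# the reference text describes.  Field names follow "config router policy";
# the matching logic itself is an assumption based on that text.
import ipaddress
from dataclasses import dataclass, field

# Protocols for which the port-range fields are documented as available.
PORT_PROTOCOLS = {6, 17, 132}   # TCP, UDP, SCTP


@dataclass
class PolicyRoute:
    seq_num: int
    input_device: set = field(default_factory=set)   # empty = any interface
    src: list = field(default_factory=list)           # ip_network list, empty = any
    dst: list = field(default_factory=list)
    src_negate: bool = False
    dst_negate: bool = False
    action: str = "permit"                            # "permit" | "deny"
    protocol: int = 0                                 # 0 = do not match on protocol
    start_port: int = 0
    end_port: int = 65535
    tos: int = 0x00
    tos_mask: int = 0x00                              # 0x00 = TOS not evaluated
    gateway: str = ""
    output_device: str = ""
    status: bool = True

    def validate(self) -> bool:
        # Reference text: start-port must be lower than (or, for a single
        # port, equal to) end-port, and both must lie in 0..65535.
        if not 0 <= self.start_port <= self.end_port <= 65535:
            raise ValueError(f"policy {self.seq_num}: bad port range "
                             f"{self.start_port}-{self.end_port}")
        if self.action not in ("permit", "deny"):
            raise ValueError(f"policy {self.seq_num}: bad action {self.action}")
        return True


@dataclass
class Packet:
    in_dev: str
    src: str
    dst: str
    protocol: int
    dport: int = 0
    tos: int = 0


def _addr_match(nets, addr, negate):
    if not nets:                      # nothing configured: matches anything
        return True
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return (not hit) if negate else hit


def matches(p: PolicyRoute, pkt: Packet) -> bool:
    if not p.status:
        return False
    if p.input_device and pkt.in_dev not in p.input_device:
        return False
    if not _addr_match(p.src, pkt.src, p.src_negate):
        return False
    if not _addr_match(p.dst, pkt.dst, p.dst_negate):
        return False
    if p.protocol and pkt.protocol != p.protocol:
        return False
    # Port range is only evaluated for TCP/UDP/SCTP policies.
    if p.protocol in PORT_PROTOCOLS and not (p.start_port <= pkt.dport <= p.end_port):
        return False
    # tos-mask selects the significant bits; tos is the pattern they must equal.
    if (pkt.tos & p.tos_mask) != (p.tos & p.tos_mask):
        return False
    return True


def lookup(policies, pkt):
    """Walk policies by ascending seq-num; the first match decides.

    Returns ("policy", gateway, output_device) for a permit match, or
    ("routing-table", None, None) when a deny matches or nothing matches.
    """
    for p in sorted(policies, key=lambda x: x.seq_num):
        if matches(p, pkt):
            if p.action == "deny":
                return ("routing-table", None, None)   # stop searching policy routes
            return ("policy", p.gateway, p.output_device)
    return ("routing-table", None, None)


# Constructed sample policy list (all values made up for this example).
POLICIES = [
    PolicyRoute(seq_num=1, input_device={"port1"}, src=[ipaddress.ip_network("10.1.0.0/16")],
                protocol=6, start_port=443, end_port=443,
                gateway="192.0.2.1", output_device="wan1"),
    PolicyRoute(seq_num=2, input_device={"port1"}, src=[ipaddress.ip_network("10.1.99.0/24")],
                action="deny"),
    PolicyRoute(seq_num=3, src=[ipaddress.ip_network("10.1.0.0/16")],
                tos=0x04, tos_mask=0x1E, gateway="198.51.100.1", output_device="wan2"),
]

if __name__ == "__main__":
    for p in POLICIES:
        p.validate()
    print(lookup(POLICIES, Packet("port1", "10.1.5.5", "203.0.113.9", 6, dport=443)))
    print(lookup(POLICIES, Packet("port1", "10.1.99.5", "203.0.113.9", 6, dport=80)))
```

Note how the second packet (TCP/80 from 10.1.99.0/24) skips policy 1 because of the port range and then hits the deny in policy 2, which ends the policy-route search and hands the packet to the routing table; a permit in policy 3 further down is never consulted. That is the ordering behaviour the move command exists to control.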
Additional information
The following section is for those options that require additional explanation.
end-port <port number>
Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).
Set the end destination port number (0 to 65535, default = 65535).
You must configure both the start-port and end-port fields for destination port range matching to take effect. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.
end-source-port <port number>
Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).
Set the end of the source port range to match.
protocol <protocol number>
Enter the protocol number to match (0 - 255). A value of 0 disables protocol matching.
RFC 5237 describes the allocation of protocol numbers, and the list of assigned protocol numbers is maintained by IANA. Commonly used protocols include: 1 (ICMP), 6 (TCP), 17 (UDP), 47 (GRE), and 92 (MTP).
start-source-port <port number>
Note: This field is available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).
Set the start source port number (0 to 65535, default = 65535).
You must configure both the start-source-port and end-source-port fields for source port range matching to take effect. To specify a range, the start-source-port value must be lower than the end-source-port value. To specify a single port, the start-source-port value must be identical to the end-source-port value.
tos <hex mask>
The type of service (TOS) bit pattern to match after applying the tos-mask. This is an 8-bit hexadecimal pattern that can be from 00 to FF.
The tos value attempts to match the quality of service for this profile. Each bit in the pattern represents a different aspect of quality. A tos pattern of 0010 (delay, throughput, reliability, cost) would indicate reliability is important, but with normal delay and throughput. The hex value for this pattern would be 04.
tos-mask <hex mask>
This value determines which bits in the IP header's TOS field are significant. This is an 8-bit hexadecimal mask that can be from 00 to FF.
Typically, only bits 3 through 6 are used for TOS, so it is necessary to mask out the other bits. To mask out everything but bits 3 through 6, the hex mask would be 1E.
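The two hex values in the tos and tos-mask entries above (04 for the reliability bit, 1E for bits 3 through 6) are easy to get wrong because the bits are numbered from the most significant end. The following added example derives both from the bit layout and lists which packet TOS bytes a given tos/tos-mask pair would match. It is illustrative code written for this page, not Fortinet's; the bit positions it uses (bit 3 = delay, 4 = throughput, 5 = reliability, 6 = cost) are the classic TOS layout and the function names are my own.

```python
# Added example (not Fortinet's code): derive "set tos" / "set tos-mask" hex
# values from the TOS bit layout and check which packet TOS bytes they match.
# Bit numbering follows the reference text: bit 0 is the most significant bit.
TOS_BITS = {"D": 3, "T": 4, "R": 5, "C": 6}   # delay, throughput, reliability, cost


def bit_value(bit_from_msb: int) -> int:
    """Value of a single bit when bits are counted from the MSB (0..7)."""
    if not 0 <= bit_from_msb <= 7:
        raise ValueError("bit index must be 0..7")
    return 1 << (7 - bit_from_msb)


def mask_for_bits(first: int, last: int) -> int:
    """Mask covering bits first..last inclusive, e.g. 3..6 -> 0x1E."""
    return sum(bit_value(b) for b in range(first, last + 1))


def tos_from_dtrc(pattern: str) -> int:
    """Four binary digits in D T R C order -> tos byte, e.g. '0010' -> 0x04."""
    if len(pattern) != 4 or set(pattern) - {"0", "1"}:
        raise ValueError("pattern must be four binary digits in D T R C order")
    return sum(bit_value(TOS_BITS[name])
               for name, ch in zip("DTRC", pattern) if ch == "1")


def cli_hex(value: int) -> str:
    """Format a byte the way the CLI shows it (two uppercase hex digits)."""
    return f"{value:02X}"


def tos_matches(packet_tos: int, tos: int, tos_mask: int) -> bool:
    """Only the bits selected by tos-mask are compared against tos."""
    return (packet_tos & tos_mask) == (tos & tos_mask)


def matching_tos_bytes(tos: int, tos_mask: int) -> list:
    """Every packet TOS byte (0..255) the policy would accept."""
    return [b for b in range(256) if tos_matches(b, tos, tos_mask)]


if __name__ == "__main__":
    mask = mask_for_bits(3, 6)            # the page's "1E"
    tos = tos_from_dtrc("0010")           # the page's "04"
    print("set tos", cli_hex(tos), "tos-mask", cli_hex(mask))
    # A packet carrying a precedence bit as well (0x24) still matches,
    # because precedence bits are outside the mask; 0x08 (throughput) does not.
    print(tos_matches(0x24, tos, mask), tos_matches(0x08, tos, mask))
    print(len(matching_tos_bytes(tos, mask)), "of 256 TOS bytes match")
```

With tos-mask 1E and tos 04, exactly the 16 bytes whose reliability bit is set and whose delay, throughput and cost bits are clear match, regardless of the three precedence bits and the final bit; with tos-mask 00 every packet matches, which is why leaving the mask at its default makes the tos value irrelevant.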