Fortinet black logo

Handbook

Policy routing

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:34912
Download PDF

Policy routing allows you to specify an interface to route your traffic. This is useful when you need to route certain types of network traffic differently than you would if you were using the routing table. For example, you can use the incoming traffic's protocol, source or destination address, source interface, or port number to determine where to send the traffic.

After you configure the FortiGate with policy routes, when a packet arrives the FortiGate starts at the top of the policy route list and attempts to match the packet with a policy. For a match to be found, the policy must contain enough information to route the packet. At a minimum, this requires the outgoing interface to forward the traffic, and the gateway to route the traffic to. If one or both of these are not specified in the policy route itself, then the FortiGate will look at the routing table to find the best active route that corresponds to the policy route. If no routes can be found on the routing table, then the policy route does not match the packet. FortiGate will continue down the policy route list until it reaches the end. If no matches are found, then the FortiGate does a route lookup using the routing table.

Policy route options define what attributes of an incoming packet cause policy routing to occur. If the packet's attributes match all of the specified conditions, then the FortiGate routes the packet through the specified interface to the specified gateway.

To view policy routes go to Network > Policy Routes.

Field

Description

Create New

Add a policy route. See Adding a policy route.

Edit

Edit the selected policy route.

Delete

Delete the selected policy route.

Move To

Move the selected policy route. Enter the new position and select OK.

For more information, see Moving a policy route.

Seq.#

The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.

Incoming Interface

The interfaces on which packets subjected to route policies are received.

Outgoing Interface

The interfaces through which policy routed packets are routed.

Source

The IP source addresses and network masks that cause policy routing to occur.

Destination

The IP destination addresses and network masks that cause policy routing to occur.

Adding a policy route

To add a policy route, go to Network > Policy Routes and select Create New.

Field Description

Protocol

Select from existing or specify the protocol number to match. The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers and you can find a list of the assigned protocol numbers here. The range is from 0 to 255. A value of 0 disables the feature.

Commonly used Protocol settings include 6 for TCP sessions, 17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions.

Incoming Interface

Select the name of the interface through which incoming packets subjected to the policy are received.

Source Address

To perform policy routing based on IP source address, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.

Destination Address

To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.

Destination Ports

To perform policy routing based on the port on which the packet is received, type the same port number in the From and To fields. To apply policy routing to a range of ports, type the starting port number in the From field and the ending port number in the To field. A value of 0 disables this feature.

The Destination Ports fields are only used for TCP and UDP protocols. The ports are skipped over for all other protocols.

Type of Service

Use a two digit hexadecimal bit pattern to match the service, or use a two digit hexadecimal bit mask to mask out. For more information, see Type of service.

Outgoing Interface

Select the name of the interface through which packets affected by the policy will be routed.

Gateway Address

Type the IP address of the next-hop router that the FortiGate can access through the specified interface.

Example policy route

Configure the following policy route to send all FTP traffic received at port1 out the port10 interface and to a next hop router at IP address 172.20.120.23. To route FTP traffic, set protocol to 6 (for TCP) and set both of the destination ports to 21 (the FTP port).

Field

Value

Protocol

6

Incoming interface

port1

Source Address

0.0.0.0/0.0.0.0

Destination Address

0.0.0.0/0.0.0.0

Destination Ports

From 21 to 21

Type of Service

bit pattern: 00 (hex) bit mask: 00 (hex)

Outgoing Interface

port10

Gateway Address

172.20.120.23

Enabling or disabling individual policy routes

You can enable or disable individual policy routes.

To configure IPv4 policy routes - CLI:

config router policy

edit <sequence number>

set status {enable | disable}

next

end

To configure IPv6 policy routes - CLI:

config router policy6

edit <sequence number>

set status {enable | disable}

next

end

Type of service

Type of service (TOS) is an 8-bit field in the IP header that allows you to determine how the IP datagram should be delivered, with qualities, such as delay, priority, reliability, and minimum cost.

Each quality helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority TOS is 0, the highest is 7 - when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to the TOS on one of the possible routes to the destination. If there's no match, the datagram is sent over a zero TOS route.

Using increased quality may increase the cost of delivery because better performance may consume limited network resources. For more information, see RFC 791 and RFC 1349.

The role of each bit in the IP header TOS 8-bit field

Bit

Quality

Description

bits 0, 1, 2

Precedence

Some networks treat high precedence traffic as more important traffic. Precedence should only be used within a network, and can be used differently in each network. Typically, you don't care about these bits.

bit 3

Delay

When set to 1, this bit indicates low delay is a priority. This is useful for such services as VoIP where delays degrade the quality of the sound.

bit 4

Throughput

When set to 1, this bit indicates high throughput is a priority. This is useful for services that require lots of bandwidth, such as video conferencing.

bit 5

Reliability

When set to 1, this bit indicates high reliability is a priority. This is useful when a service must always be available, such as with DNS servers.

bit 6

Cost

When set to 1, this bit indicates low cost is a priority. Generally there is a higher delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest cost route.

bit 7

Reserved for

future use

Not used at this time.

For example, if you want to assign low delay and high reliability for a VoIP application, where delays are unacceptable, you would use a bit pattern of xxx1x1xx where ‘x’ indicates that bit can be any value. Since all bits aren't set, this is a good use for the bit mask. If the mask is set to 0x14, it will match any TOS packets that are set to low delay and high reliability.

Moving a policy route

A routing policy is added to the bottom of the routing table when it's created. If you prefer to use one policy over another, you may want to move it to a different location in the routing policy table.

The option to use one of two routes happens when both routes are a match, for example 172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these routes are in the policy table, both can match a route to 172.20.120.112 but you would consider the second one a better match. In this case, the best match route should be positioned before the other route in the policy table.

To change the position of a policy route in the table, go to Network > Policy Routes and select Move To for the policy route you want to move.

Field

Description

Before/After

Select Before to place the selected policy route before the indicated route. Select After to place it following the indicated route.

Policy route ID

Enter the policy route ID of the route in the policy route table to move the selected route before or after.

Use of firewall addresses for policy route destinations

When you configure a policy route, you can use firewall addresses and address groups. The only exception for the address types that can be used is the URL type of address object.

Policy routing allows you to specify an interface to route your traffic. This is useful when you need to route certain types of network traffic differently than you would if you were using the routing table. For example, you can use the incoming traffic's protocol, source or destination address, source interface, or port number to determine where to send the traffic.

After you configure the FortiGate with policy routes, when a packet arrives the FortiGate starts at the top of the policy route list and attempts to match the packet with a policy. For a match to be found, the policy must contain enough information to route the packet. At a minimum, this requires the outgoing interface to forward the traffic, and the gateway to route the traffic to. If one or both of these are not specified in the policy route itself, then the FortiGate will look at the routing table to find the best active route that corresponds to the policy route. If no routes can be found on the routing table, then the policy route does not match the packet. FortiGate will continue down the policy route list until it reaches the end. If no matches are found, then the FortiGate does a route lookup using the routing table.

Policy route options define what attributes of an incoming packet cause policy routing to occur. If the packet's attributes match all of the specified conditions, then the FortiGate routes the packet through the specified interface to the specified gateway.

To view policy routes go to Network > Policy Routes.

Field

Description

Create New

Add a policy route. See Adding a policy route.

Edit

Edit the selected policy route.

Delete

Delete the selected policy route.

Move To

Move the selected policy route. Enter the new position and select OK.

For more information, see Moving a policy route.

Seq.#

The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.

Incoming Interface

The interfaces on which packets subjected to route policies are received.

Outgoing Interface

The interfaces through which policy routed packets are routed.

Source

The IP source addresses and network masks that cause policy routing to occur.

Destination

The IP destination addresses and network masks that cause policy routing to occur.

Adding a policy route

To add a policy route, go to Network > Policy Routes and select Create New.

Field Description

Protocol

Select from existing or specify the protocol number to match. The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers and you can find a list of the assigned protocol numbers here. The range is from 0 to 255. A value of 0 disables the feature.

Commonly used Protocol settings include 6 for TCP sessions, 17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions.

Incoming Interface

Select the name of the interface through which incoming packets subjected to the policy are received.

Source Address

To perform policy routing based on IP source address, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.

Destination Address

To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.

Destination Ports

To perform policy routing based on the port on which the packet is received, type the same port number in the From and To fields. To apply policy routing to a range of ports, type the starting port number in the From field and the ending port number in the To field. A value of 0 disables this feature.

The Destination Ports fields are only used for TCP and UDP protocols. The ports are skipped over for all other protocols.

Type of Service

Use a two digit hexadecimal bit pattern to match the service, or use a two digit hexadecimal bit mask to mask out. For more information, see Type of service.

Outgoing Interface

Select the name of the interface through which packets affected by the policy will be routed.

Gateway Address

Type the IP address of the next-hop router that the FortiGate can access through the specified interface.

Example policy route

Configure the following policy route to send all FTP traffic received at port1 out the port10 interface and to a next hop router at IP address 172.20.120.23. To route FTP traffic, set protocol to 6 (for TCP) and set both of the destination ports to 21 (the FTP port).

Field

Value

Protocol

6

Incoming interface

port1

Source Address

0.0.0.0/0.0.0.0

Destination Address

0.0.0.0/0.0.0.0

Destination Ports

From 21 to 21

Type of Service

bit pattern: 00 (hex) bit mask: 00 (hex)

Outgoing Interface

port10

Gateway Address

172.20.120.23

Enabling or disabling individual policy routes

You can enable or disable individual policy routes.

To configure IPv4 policy routes - CLI:

config router policy

edit <sequence number>

set status {enable | disable}

next

end

To configure IPv6 policy routes - CLI:

config router policy6

edit <sequence number>

set status {enable | disable}

next

end

Type of service

Type of service (TOS) is an 8-bit field in the IP header that allows you to determine how the IP datagram should be delivered, with qualities, such as delay, priority, reliability, and minimum cost.

Each quality helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority TOS is 0, the highest is 7 - when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to the TOS on one of the possible routes to the destination. If there's no match, the datagram is sent over a zero TOS route.

Using increased quality may increase the cost of delivery because better performance may consume limited network resources. For more information, see RFC 791 and RFC 1349.

The role of each bit in the IP header TOS 8-bit field

Bit

Quality

Description

bits 0, 1, 2

Precedence

Some networks treat high precedence traffic as more important traffic. Precedence should only be used within a network, and can be used differently in each network. Typically, you don't care about these bits.

bit 3

Delay

When set to 1, this bit indicates low delay is a priority. This is useful for such services as VoIP where delays degrade the quality of the sound.

bit 4

Throughput

When set to 1, this bit indicates high throughput is a priority. This is useful for services that require lots of bandwidth, such as video conferencing.

bit 5

Reliability

When set to 1, this bit indicates high reliability is a priority. This is useful when a service must always be available, such as with DNS servers.

bit 6

Cost

When set to 1, this bit indicates low cost is a priority. Generally there is a higher delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest cost route.

bit 7

Reserved for

future use

Not used at this time.

For example, if you want to assign low delay and high reliability for a VoIP application, where delays are unacceptable, you would use a bit pattern of xxx1x1xx where ‘x’ indicates that bit can be any value. Since all bits aren't set, this is a good use for the bit mask. If the mask is set to 0x14, it will match any TOS packets that are set to low delay and high reliability.

Moving a policy route

A routing policy is added to the bottom of the routing table when it's created. If you prefer to use one policy over another, you may want to move it to a different location in the routing policy table.

The option to use one of two routes happens when both routes are a match, for example 172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these routes are in the policy table, both can match a route to 172.20.120.112 but you would consider the second one a better match. In this case, the best match route should be positioned before the other route in the policy table.

To change the position of a policy route in the table, go to Network > Policy Routes and select Move To for the policy route you want to move.

Field

Description

Before/After

Select Before to place the selected policy route before the indicated route. Select After to place it following the indicated route.

Policy route ID

Enter the policy route ID of the route in the policy route table to move the selected route before or after.

Use of firewall addresses for policy route destinations

When you configure a policy route, you can use firewall addresses and address groups. The only exception for the address types that can be used is the URL type of address object.