Extend Policy/Route Check to Policy Routing
The existing Policy Check and Route Check features in FortiOS 6.0 exclude checking against the Policy Routing engine. In 6.2, this is added, and new options are available in the GUI to support further testing scenarios.
This version adds policy route lookup support and prioritizes it over static/dynamic (normal) routes when doing a route lookup in the GUI.
In Monitor > Routing Monitor, click Route Lookup to look up an address. If it matches the policy route first, the policy route is highlighted.
The result of the matching policy route is highlighted in the Route Monitor page. Below is an example of IPv4 lookup.
Below is an example of IPv6 lookup.
The result of the matching IPv6 policy route is highlighted in the Route Monitor page.
IPv4 policy route match CLI command:
diag ip proute match <destination ip address> <source ip address> <interface name> <protocol> <destination port>
proute             Policy routing.
match              Match policy route.
XXX.XXX.XXX.XXX    Destination IP address.
XXX.XXX.XXX.XXX    Source IP address.
intf-name          Interface Name.
<1-255>            Protocol.
<0-65535>          Destination port.
IPv6 policy route match CLI command:
diag ipv6 proute match <IPv6 destination address> <IPv6 source address> <interface name> <protocol> <destination port>
proute                                     IPv6 policy routing.
match                                      Match IPv6 route to policy routes.
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx    IPv6 destination address.
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx    IPv6 source address.
intf-name                                  Interface Name.
<1-255>                                    Protocol.
<0-65535>                                  Destination port.
To test IP policy route matching using the CLI, example 1:
FGT (root) # diagnose ip proute match 10.100.21.44 2.2.2.2 port2 6 2
dst=10.100.21.44 src=2.2.2.2 iif=24 protocol=6 dport=2 id=7f00000c type=VWL seq-num=12
To test IP policy route matching using the CLI, example 2:
FGT (root) # diagnose ip proute match 10.100.20.44 2.2.2.2 port2 6 2
dst=10.100.20.44 src=2.2.2.2 iif=24 protocol=6 dport=2 id=00000016 type=Policy Route seq-num=22
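The match output in the two examples above can be checked automatically, for instance to confirm that a flow still lands on the intended policy route after a change. The following Python sketch is an added example, not Fortinet code; the function names are hypothetical, and it assumes the output is captured as text in the key=value form shown on this page.

```python
import re

# key=value tokens; a value runs until the next " key=" or the end of the text,
# so "type=Policy Route" keeps its embedded space.
_FIELD = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|\s*$)")
_INT_FIELDS = ("iif", "protocol", "dport", "seq-num")


def parse_proute_match(text):
    """Parse 'diagnose ip proute match' output into a dict of fields."""
    fields = {key: value.strip() for key, value in _FIELD.findall(text)}
    for key in _INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def verify_match(text, want_type, want_seq):
    """Return a list of mismatches against the expected route; empty means OK."""
    got = parse_proute_match(text)
    # Assumption: output without type/seq-num fields means nothing matched.
    if "type" not in got or "seq-num" not in got:
        return ["no policy route match fields in output"]
    problems = []
    if got["type"] != want_type:
        problems.append(f"type: expected {want_type!r}, got {got['type']!r}")
    if got["seq-num"] != want_seq:
        problems.append(f"seq-num: expected {want_seq}, got {got['seq-num']}")
    return problems


# Outputs copied from the two examples on this page.
EXAMPLE_1 = ("dst=10.100.21.44 src=2.2.2.2 iif=24 protocol=6 dport=2 "
             "id=7f00000c type=VWL seq-num=12")
EXAMPLE_2 = ("dst=10.100.20.44 src=2.2.2.2 iif=24 protocol=6 dport=2 "
             "id=00000016 type=Policy Route seq-num=22")

if __name__ == "__main__":
    print(parse_proute_match(EXAMPLE_2))
    # Example 1 matched a different entry than policy route 22, so both differ.
    for problem in verify_match(EXAMPLE_1, "Policy Route", 22):
        print("MISMATCH", problem)
```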