Extend Policy/Route Check to Policy Routing

The existing Policy Check and Route Check features in FortiOS 6.0 exclude checking against the Policy Routing engine. In 6.2, this is added, and new options are available in the GUI to support further testing scenarios.

This version adds policy route lookup support and prioritizes policy routes over static/dynamic (normal) routes when doing a route lookup in the GUI.

In Monitor > Routing Monitor, click Route Lookup to look up an address. If it matches the policy route first, the policy route is highlighted.

The result of the matching policy route is highlighted in the Route Monitor page. Below is an example of IPv4 lookup.

Below is an example of IPv6 lookup.

The result of the matching IPv6 policy route is highlighted in the Route Monitor page.

IPv4 policy route match CLI command:

diag ip proute match <destination ip address> <source ip address> <interface name> <protocol> <destination port>

proute             Policy routing.
match              Match policy route.
XXX.XXX.XXX.XXX    Destination IP address.
XXX.XXX.XXX.XXX    Source IP address.
intf-name          Interface Name.
<1-255>            Protocol.
<0-65535>          Destination port.

IPv6 policy route match CLI command:

diag ipv6 proute match <IPv6 destination address> <IPv6 source address> <interface name> <protocol> <destination port>

proute                                    IPv6 policy routing.
match                                     Match IPv6 route to policy routes.
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx   IPv6 destination address.
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx   IPv6 source address.
intf-name                                 Interface Name.
<1-255>                                   Protocol.
<0-65535>                                 Destination port.

To run an IPv4 policy route match using the CLI, example 1:

FGT (root) # diagnose ip proute match 10.100.21.44 2.2.2.2 port2 6 2
dst=10.100.21.44 src=2.2.2.2 iif=24 protocol=6 dport=2
id=7f00000c type=VWL
seq-num=12

To run an IPv4 policy route match using the CLI, example 2:

FGT (root) # diagnose ip proute match 10.100.20.44 2.2.2.2 port2 6 2
dst=10.100.20.44 src=2.2.2.2 iif=24 protocol=6 dport=2
id=00000016 type=Policy Route
seq-num=22
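
When these lookups are scripted to confirm after a change that traffic still matches the intended policy route, the output has to be parsed. The following Python parser for the output format shown in the two examples is an added example, not Fortinet code. The names parse_proute_match and check_expectation are hypothetical, and treating output without an id/type line as "no match" is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# key=value tokens; a value may contain spaces ("type=Policy Route").
_KV = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|$)")

@dataclass
class ProuteMatch:
    dst: str
    src: str
    iif: int
    protocol: int
    dport: int
    route_id: Optional[int]    # "id=" is hexadecimal in the sample output
    route_type: Optional[str]  # "VWL" or "Policy Route" in the samples
    seq_num: Optional[int]

def parse_proute_match(output: str) -> ProuteMatch:
    fields = {}
    for line in output.splitlines():
        if " # " not in line:      # skip the CLI prompt line echoing the command
            fields.update((k, v.strip()) for k, v in _KV.findall(line.strip()))
    missing = [k for k in ("dst", "src", "iif", "protocol", "dport") if k not in fields]
    if missing:
        raise ValueError(f"not proute match output, missing {missing}")
    num = lambda key, base=10: int(fields[key], base) if key in fields else None
    return ProuteMatch(fields["dst"], fields["src"], int(fields["iif"]),
                       int(fields["protocol"]), int(fields["dport"]),
                       num("id", 16), fields.get("type"), num("seq-num"))

def check_expectation(output: str, want_type: str, want_seq: int) -> list:
    """Return mismatches between the lookup result and the intended route."""
    m = parse_proute_match(output)
    if m.route_type is None:       # assumption: no id/type line means no match
        return [f"no policy route matched {m.src} -> {m.dst}"]
    checks = [("type", m.route_type, want_type), ("seq-num", m.seq_num, want_seq)]
    return [f"{n} {got!r}, expected {want!r}" for n, got, want in checks if got != want]

# Outputs copied from the page's two examples; NO_MATCH is constructed.
EXAMPLE_1 = """FGT (root) # diagnose ip proute match 10.100.21.44 2.2.2.2 port2 6 2
dst=10.100.21.44 src=2.2.2.2 iif=24 protocol=6 dport=2
id=7f00000c type=VWL
seq-num=12"""
EXAMPLE_2 = """dst=10.100.20.44 src=2.2.2.2 iif=24 protocol=6 dport=2
id=00000016 type=Policy Route
seq-num=22"""
NO_MATCH = "dst=10.100.99.1 src=2.2.2.2 iif=24 protocol=6 dport=2"
```

An empty list from check_expectation means the lookup matched the expected type and seq-num; any entry is a routing change worth reviewing before traffic is allowed to follow it.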
