Policy routing allows you to specify the outgoing interface (and, optionally, the gateway) used to route matching traffic, rather than relying only on the routing table. This is useful when you need to route certain types of network traffic differently than the routing table would. You can use the incoming traffic's protocol, source or destination address, source interface, or port number to determine where to send the traffic.
When a packet arrives, the FortiGate starts at the top of the policy route list and attempts to match the packet with a policy. For a match to be found, the policy must contain enough information to route the packet. At a minimum, this requires the outgoing interface to forward the traffic, and the gateway to route the traffic to. If one or both of these are not specified in the policy route, then the FortiGate searches the routing table to find the best active route that corresponds to the policy route. If no routes are found in the routing table, then the policy route does not match the packet. The FortiGate continues down the policy route list until it reaches the end. If no matches are found, then the FortiGate does a route lookup using the routing table.
Policy routes are sometimes referred to as Policy-based routes (PBR).
In this example, a policy route is configured to send all FTP traffic received at port1 out through port4 and to a next hop router at 172.20.120.23. To route FTP traffic, the protocol is set to TCP (6) and the destination ports are set to 21 (the FTP port).
Go to Network > Policy Routes.
Click Create New > Policy Route.
Configure the following fields (the values correspond to the CLI configuration shown after these steps):
- Incoming interface: port1
- Source address: 0.0.0.0/0.0.0.0 (any)
- Destination address: 0.0.0.0/0.0.0.0 (any)
- Protocol: TCP (6)
- Destination ports: 21 - 21
- Type of service: 0x00 with mask 0x00 (match any ToS value)
- Outgoing interface: Enable and select port4
- Gateway address: 172.20.120.23
config router policy
    edit 1
        set input-device "port1"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 21
        set end-port 21
        set gateway 172.20.120.23
        set output-device "port4"
        set tos 0x00
        set tos-mask 0x00
    next
end
A routing policy is added to the bottom of the table when it is created. Routing policies can be moved to a different location in the table to change the order of preference. In this example, routing policy 3 will be moved before routing policy 2.
- Go to Network > Policy Routes.
- In the table, select the policy route.
- Drag the selected policy route to the desired position.
config router policy
    move 3 after 1
end
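To make the lookup order described above concrete (top-down walk of the policy route list, routing-table fallback for a policy that lacks an outgoing interface or gateway, and the reordering done by the move command), here is a small Python model. It is an added example, not Fortinet code: the packet dictionary fields, the routing table as (prefix, output_device, gateway) tuples, and the rule that a routing-table entry "corresponds" to a policy when its outgoing interface equals the policy's output device (when one is set) are all assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class PolicyRoute:
    seq: int
    input_device: str
    protocol: int = 0            # 0 = any protocol; 6 = TCP
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    start_port: int = 0          # 0-65535 = any destination port
    end_port: int = 65535
    tos: int = 0
    tos_mask: int = 0            # mask 0x00 ignores the ToS byte
    output_device: str = ""      # empty = not specified in the policy
    gateway: str = ""
    def matches(self, pkt):      # incoming interface, protocol, src/dst, port, masked ToS
        return (pkt["in_dev"] == self.input_device
                and self.protocol in (0, pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.start_port <= pkt["dport"] <= self.end_port
                and (pkt["tos"] & self.tos_mask) == (self.tos & self.tos_mask))
def best_route(routing_table, dst):
    """Longest-prefix match over assumed (prefix, output_device, gateway) tuples."""
    cands = [r for r in routing_table if ipaddress.ip_address(dst) in ipaddress.ip_network(r[0])]
    return max(cands, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)
def resolve(policies, routing_table, pkt):
    """Walk the policy list top-down; fall back to the routing table at the end."""
    for pol in policies:
        if not pol.matches(pkt):
            continue
        if pol.output_device and pol.gateway:    # complete policy: route with it directly
            return ("policy", pol.seq, pol.output_device, pol.gateway)
        route = best_route(routing_table, pkt["dst"])  # fill the gap from the routing table
        if route and (not pol.output_device or route[1] == pol.output_device):
            return ("policy", pol.seq, route[1], pol.gateway or route[2])
        # no corresponding route: this policy does not match, keep walking the list
    route = best_route(routing_table, pkt["dst"])
    return ("table", None, route[1], route[2]) if route else None
def move_after(policies, seq, after_seq):
    """Reorder the table like 'config router policy / move 3 after 1 / end'."""
    pol = next(p for p in policies if p.seq == seq)
    rest = [p for p in policies if p.seq != seq]
    idx = [p.seq for p in rest].index(after_seq) + 1
    return rest[:idx] + [pol] + rest[idx:]
# Constructed sample data: the FTP policy from this page and an assumed routing table
FTP_POLICY = PolicyRoute(1, "port1", protocol=6, start_port=21, end_port=21,
                         output_device="port4", gateway="172.20.120.23")
ROUTING_TABLE = [("0.0.0.0/0", "port2", "10.0.0.1"), ("192.168.50.0/24", "port3", "10.0.50.1")]
```

Feeding an FTP packet arriving on port1 returns port4 via 172.20.120.23 from policy 1, while an HTTP packet falls through to the routing table; a matching policy with only an output device takes its gateway from the routing table, and one whose output device has no corresponding route is skipped.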
Policy routes are evaluated only for the originating direction of a session: if a policy route is configured to match return traffic, the policy route will not be checked.
For example: traffic from the client to the servers enters the FortiGate on either port1 or port2, and a policy route is defined to match traffic that is sent from the servers' subnet to port2. The return traffic will not be checked against the policy route.
If auxiliary session is enabled, the return traffic egresses from the interface selected by the best route in the routing table. If auxiliary session is disabled, the return traffic egresses on the same interface on which the incoming traffic arrived.
For more information, see Controlling return path with auxiliary session.