CLI Reference

router policy

Use this command to configure policy routes that redirect traffic away from a static route.

For example, you can divert traffic for intrusion protection scanning (IPS). It is also useful if your FortiWeb protects web servers for different customers (for example, the clients of a Managed Security Service Provider).

Policy routes can direct traffic to a specific network interface and gateway based on the packet’s source and destination IP address.

To use this command, your administrator account’s access control profile must have either w or rw permission to the netgrp area. For details, see Permissions.

Syntax

config router policy
    edit <policy_index>
        set iif "<incoming_interface_name>"
        set src "<source_ip>"
        set dst "<destination_ip>"
        set fwmark <fwmark_int>
        set action {forward-traffic | stop-policy-routing}
        set oif "<outgoing_interface_name>"
        set gateway "<router_ip>"
        set priority <priority_int>
    next
end

Variable / Description / Default

<policy_index>
    Enter the index number of the policy route. The valid range is 0–65,535.
    Default: none.

iif "<incoming_interface_name>"
    Enter the name of the interface, such as port1, on which FortiWeb receives the packets this routing policy applies to.
    Default: none.

src "<source_ip>"
    Enter the source IP address and netmask to match, separated by a space. FortiWeb routes matching traffic through the specified interface and gateway.
    Default: 0.0.0.0 0.0.0.0

dst "<destination_ip>"
    Enter the destination IP address and netmask to match, separated by a space. FortiWeb routes matching traffic through the specified interface and gateway.
    Default: 0.0.0.0 0.0.0.0

fwmark <fwmark_int>
    Enter the Fwmark value specified in the Firewall Fwmark Policy. If you do not need to match traffic against a Fwmark value, enter 0. The valid range is 0–255.

action {forward-traffic | stop-policy-routing}
    forward-traffic: FortiWeb matches traffic against the specified conditions and forwards matching traffic according to this policy route.
    stop-policy-routing: FortiWeb matches traffic against the specified conditions and forwards matching traffic according to the matched static route instead of any policy route.

oif "<outgoing_interface_name>"
    Enter the name of the interface, such as port2, through which FortiWeb routes packets that match the specified IP address information.
    Default: none.

gateway "<router_ip>"
    Enter the IP address of the next-hop router. A gateway address is not required for policy routes that act as static routes in a one-arm topology; leave it blank in that case.
    Default: 0.0.0.0

priority <priority_int>
    Enter a value between 1 and 200 that specifies the priority of the route. When packets match more than one policy route, FortiWeb directs traffic to the route with the lowest value.
    Default: 200
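The following configuration is an added example and is not taken from the Fortinet documentation. The interface names, subnets, gateway addresses, the fwmark value 5 and the assumption that a stop-policy-routing entry needs no oif or gateway are all constructed for illustration, and the lines beginning with # are explanatory comments for the reader rather than CLI input. It shows three policy routes on port1 and how the priority value decides between overlapping matches.

```text
config router policy
    # Route 1 (priority 5, lowest value, so it wins any overlap): traffic from
    # the management subnet is excluded from policy routing and keeps following
    # the static route table.
    edit 1
        set iif "port1"
        set src "10.0.99.0 255.255.255.0"
        set dst "0.0.0.0 0.0.0.0"
        set fwmark 0
        set action stop-policy-routing
        set priority 5
    next
    # Route 2 (priority 10): any other port1 traffic destined for the
    # 10.10.20.0/24 server segment leaves via port2 through gateway 10.10.20.1.
    edit 2
        set iif "port1"
        set src "0.0.0.0 0.0.0.0"
        set dst "10.10.20.0 255.255.255.0"
        set fwmark 0
        set action forward-traffic
        set oif "port2"
        set gateway "10.10.20.1"
        set priority 10
    next
    # Route 3 (priority 20): packets carrying fwmark 5 (assumed to be applied by
    # a Firewall Fwmark Policy for traffic that should go to an inspection
    # device) are diverted out port3 toward 203.0.113.1, whatever their destination.
    edit 3
        set iif "port1"
        set src "0.0.0.0 0.0.0.0"
        set dst "0.0.0.0 0.0.0.0"
        set fwmark 5
        set action forward-traffic
        set oif "port3"
        set gateway "203.0.113.1"
        set priority 20
    next
end
```

Because both src and dst in route 3 are left at the 0.0.0.0 0.0.0.0 default, the only thing that narrows it is the fwmark match; a packet with fwmark 5 bound for 10.10.20.0/24 matches routes 2 and 3, and FortiWeb picks route 2 because 10 is the lower priority value. Setting fwmark 0 on such a wildcard entry would make it claim every packet arriving on port1 that no lower-valued route handles, so it is worth checking the effective match set of any entry whose src and dst are both at their defaults before committing it.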
