Policy Route - Fortinet Fortigate-5000 series Administration Manual

Router Static

Policy Route

FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Whenever a packet arrives at a FortiGate unit interface, the FortiGate unit
determines whether the packet was received on a legitimate interface by doing a
reverse lookup using the source IP address in the packet header. If the FortiGate
unit cannot communicate with the computer at the source IP address through the
interface on which the packet was received, the FortiGate unit drops the packet.
If the destination address can be matched to a local address (and the local
configuration permits delivery), the FortiGate unit delivers the packet to the local
network. If the packet is destined for another network, the FortiGate unit forwards
the packet to a next-hop router according to a route policy and/or the information
stored in the FortiGate forwarding table (see
When routing policies exist and a packet arrives at the FortiGate unit, the
FortiGate unit starts at the top of the Policy Route list and attempts to match the
packet with a policy. If a match is found and the policy contains enough
information to route the packet (the IP address of the next-hop router must be
specified as well as the FortiGate interface for forwarding packets to the next-hop
router), the FortiGate unit routes the packet using the information in the policy. If
no route policy matches the packet, the FortiGate unit routes the packet using the
routing table.
Note: Because most policy settings are optional, a matching policy alone might not provide
enough information for the FortiGate unit to forward the packet. The FortiGate unit may
refer to the routing table in an attempt to match the information in the packet header with a
route in the routing table.
For example, if the outgoing interface is the only item given in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the FortiGate interfaces are dynamic (the interface receives an IP address
through DHCP or PPPoE) and you do not want or are unable to specify the IP address of
the next-hop router because the IP address changes dynamically.
To view the list of route policies, go to Router > Static > Policy Route. To edit an
existing route policy, go to Router > Static > Policy Route and select the Edit
icon beside the policy that you want to edit.
Figure 102 shows the policy route list belonging to a FortiGate unit that has
interfaces named "external" and "internal". The names of the interfaces on your
FortiGate unit may be different.
Figure 102:Policy Route list
Create New Add a route policy. See
# The ID numbers of configured route policies. These numbers are sequential
unless policies have been moved within the table.
Incoming The interfaces on which packets subjected to route policies are received.
Outgoing The interfaces through which policy routed packets are routed.
"Routing concepts" on page
"Adding a route policy" on page
Policy Route
177).
Delete
Edit
Move
186.
185