 
Configuring policy routes
Network systems maintain route tables to determine where to forward TCP/IP packets.
The FortiADC system route table includes up to three types of routes:
1. Content routes—Content routes are based on application layer values, specifically the URL or Host: field in the HTTP header.
2. Policy routes—Policy routes are based on IP layer values, specifically the source and/or destination fields.
3. Static routes—Static routes are based on IP layer values, specifically the destination field.
The system evaluates content route rules first, then policy routes, then static routes. The packets are routed to the first route that matches. The policy route table, therefore, need not include a “default route” for packets that do not match your policy because those packets can be forwarded to the default route set in the static route table.
A policy route is chosen when no content route applies and both the source address and destination address in the packet match the policy.
Most policy route settings are optional, so a matching route might not provide enough information to forward the packet. In that case, the FortiADC appliance may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the destination address is the only match criteria in the policy route, the FortiADC appliance looks up the IP address of the next-hop router in its routing table. This situation could occur when interfaces are dynamic (such as DHCP or PPPoE) and you do not want or are unable to specify a static IP address of the next-hop router.
Before you begin:
You must have Read-Write permission for System settings.
To configure a policy route:
1. Go to Networking > Routing.
2. Click the Policy tab.
3. Click Add to display the configuration editor.
4. Complete the configuration as described in Table 47.
5. Save the configuration.
Table 47: Policy route configuration

| Settings | Guidelines |
|---|---|
| Source | Address/mask notation to match the source IP in the packet header. To match any value, either leave it blank or enter 0.0.0.0/32. |
| Destination | Address/mask notation to match the destination IP in the packet header. To match any value, leave it blank or enter 0.0.0.0/32. |
| Gateway | IP address of the next-hop router where the FortiADC system will forward packets for this policy route. This router must know how to route packets to the destination subnet, or forward packets to another router with this information. |
 
 
To configure a policy route using the CLI:
config router policy
  edit 1
    set source <ip address/netmask>
    set destination <ip address/netmask>
    set gateway <ip address>
end
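
The evaluation order described above can be modeled to audit a policy route list before it is deployed. The following is an added example, not Fortinet code: it parses entries in the `config router policy` form, selects the first policy route whose source and destination both match, falls back to a static table, and reports entries that an earlier, broader entry makes unreachable. The sample configuration, addresses, function names and the `next` separators between entries are constructed for illustration, and the static table is assumed to be listed most specific first.

```python
import ipaddress

ANY = ("", "0.0.0.0/32")  # the page's two ways to write "match any"

def parse_policy_routes(cli_text):
    """Collect 'edit <id>' entries and their 'set <key> <value>' lines, in order."""
    routes, cur = [], None
    for tok in (line.split() for line in cli_text.splitlines()):
        if tok[:1] == ["edit"]:
            cur = {"id": tok[1], "source": "", "destination": "", "gateway": ""}
            routes.append(cur)
        elif tok[:1] == ["set"] and cur is not None and len(tok) == 3:
            cur[tok[1]] = tok[2]
    return routes

def net(field):
    """Blank or 0.0.0.0/32 means any address; otherwise parse address/mask."""
    return ipaddress.ip_network("0.0.0.0/0" if field in ANY else field, strict=False)

def select_route(routes, static_routes, src, dst):
    """First policy route whose source AND destination match; else static table."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if src in net(r["source"]) and dst in net(r["destination"]):
            return ("policy", r["id"], r["gateway"])
    for n, gw in static_routes:  # assumption: listed most specific first
        if dst in ipaddress.ip_network(n):
            return ("static", n, gw)
    return None

def shadowed(routes):
    """(id, covering id) for policy routes fully covered by an earlier entry."""
    out = []
    for i, r in enumerate(routes):
        for e in routes[:i]:
            if (net(r["source"]).subnet_of(net(e["source"]))
                    and net(r["destination"]).subnet_of(net(e["destination"]))):
                out.append((r["id"], e["id"]))
                break
    return out

# Constructed sample configuration using documentation address ranges.
SAMPLE = "\n".join(["config router policy",
    "edit 1", "set source 10.1.0.0/16", "set gateway 192.0.2.1", "next",
    "edit 2", "set source 10.1.5.0/24", "set destination 198.51.100.0/24",
    "set gateway 192.0.2.254", "next", "end"])
STATIC = [("0.0.0.0/0", "203.0.113.1")]
```

In the sample, entry 2 is reported as shadowed because entry 1 already matches every packet from 10.1.5.0/24, so traffic intended for the 192.0.2.254 gateway would leave through 192.0.2.1 instead.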