router : policy, policy6
Use this command to add, move, edit or delete a route policy. When you create a policy route, any packets that match the policy are forwarded to the IP address of the next-hop gateway through the specified outbound interface.
You can configure the FortiGate unit to route packets based on:
a source address
a protocol, service type, or port range
the inbound interface
type of service (TOS)
When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to match the packet against each policy in ascending order. If the packet matches no policy route, the FortiGate unit routes it using the routing table. Route policies are processed before static routing. You can change the order of policy routes using the move command.
 
For static routing, any number of static routes can be defined for the same destination. When multiple routes for the same destination exist, the FortiGate unit chooses the route having the lowest administrative distance. Route redundancy is not available for policy routing: any packets that match a route policy are forwarded according to the route specified in the policy.
Type of service (TOS) is an 8-bit field in the IP header that enables you to state how the IP datagram should be delivered, using such criteria as delay, priority, reliability, and minimum cost. Each quality helps gateways determine the best way to route datagrams. A router maintains a TOS value for each route in its routing table. The lowest priority TOS is 0; the highest is 7, when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to the TOS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero TOS route. Requesting increased quality may increase the cost of delivery, because better performance may consume limited network resources. For more information see RFC 791 and RFC 1349.
Table 1: The role of each bit in the IP header TOS 8-bit field

bits 0, 1, 2: Precedence
    Some networks treat high precedence traffic as more important traffic. Precedence should only be used within a network, and can be used differently in each network. Typically you do not care about these bits.
bit 3: Delay
    When set to 1, this bit indicates low delay is a priority. This is useful for such services as VoIP where delays degrade the quality of the sound.
bit 4: Throughput
    When set to 1, this bit indicates high throughput is a priority. This is useful for services that require lots of bandwidth such as video conferencing.
bit 5: Reliability
    When set to 1, this bit indicates high reliability is a priority. This is useful when a service must always be available such as with DNS servers.
bit 6: Cost
    When set to 1, this bit indicates low cost is a priority. Generally there is a higher delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest cost route.
bit 7: Reserved for future use
    Not used at this time.
The two fields tos and tos-mask enable you to configure type of service support on your FortiGate unit. tos-mask enables you to look only at selected bits of the 8-bit TOS field in the IP header. This is useful because you may only care about reliability for some traffic, and not about the other TOS criteria.
The packet's TOS field is masked with tos-mask and the result is compared with the value in tos. If it matches, the rest of the policy is applied. If it does not match, the next policy is tried if one is configured, and default routing is applied if there are no other matches.
 
You need to use tos-mask to remove bits from the pattern you don’t care about, or those bits will prevent a match with your tos pattern.
Syntax
config router policy, policy6
    move <seq-num1> {before | after} <seq-num2>
    edit <policy_integer>
        set dst <dst-address_ipv4mask> [<dst-address_ipv4mask>...]
        set end-port <port_integer>
        set end-source-port <port_integer>
        set gateway <address_ipv4>
        set input-device <interface-name_str>
        set output-device <interface-name_str>
        set protocol <protocol_integer>
        set src <src-address_ipv4mask> [<src-address_ipv4mask>...]
        set start-port <port_integer>
        set start-source-port <port_integer>
        set tos <hex_mask>
        set tos-mask <hex_mask>
    end
Use the router policy6 command for IPv6 policy routes. The input-device field is required. All other fields are optional.
Variables (each entry gives the description, then the default value):

move <seq-num1> {before | after} <seq-num2>
    Move policy <seq-num1> to before or after policy <seq-num2>.
    Default: no default.

edit <policy_integer>
    Enter an ID number for the route policy. The number must be an integer.
    Default: no default.

dst <dst-address_ipv4mask> [<dst-address_ipv4mask>...]
    Match packets that have these destination IP addresses/netmasks.
    Default: IPv4 0.0.0.0 0.0.0.0; IPv6 ::/0.

end-port <port_integer>
    The end port number of a port range for a policy route. Match packets whose destination port falls in this range. You must configure both the start-port and end-port fields for destination-port-range matching to take effect. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. The port_integer range is 0 to 65 535.
    For protocols other than 6 (TCP), 17 (UDP), and 132 (SCTP) the port number is ignored.
    Default: 65 535.

end-source-port <port_integer>
    The end of the source port range to match. Use in combination with start-source-port. Available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).
    Default: 65 535.

gateway <address_ipv4>
    Send packets that match the policy to this next-hop router.
    Default: 0.0.0.0.

input-device <interface-name_str>
    Match packets that are received on this interface.
    Default: Null.

output-device <interface-name_str>
    Send packets that match the policy out of this interface.
    Default: Null.

protocol <protocol_integer>
    To perform policy routing based on the value in the protocol field of the packet, enter the protocol number to match. The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers, and the list of assigned protocol numbers is maintained by IANA. The range is from 0 to 255. A value of 0 disables the feature.
    Commonly used protocol settings include 6 to route TCP sessions, 17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions.
    For protocols other than 6 (TCP), 17 (UDP), and 132 (SCTP) the port number is ignored.
    Default: 0.

src <src-address_ipv4mask> [<src-address_ipv4mask>...]
    Match packets that have these source IP addresses/netmasks.
    Default: IPv4 0.0.0.0 0.0.0.0; IPv6 ::/0.

start-port <port_integer>
    The start port number of a port range for a policy route. Match packets whose destination port falls in this range. You must configure both the start-port and end-port fields for destination-port-range matching to take effect. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. The port_integer range is 0 to 65 535.
    For protocols other than 6 (TCP), 17 (UDP), and 132 (SCTP) the port number is ignored.
    Default: 1.

start-source-port <port_integer>
    The start of the source port range to match. Use in combination with end-source-port. Available when protocol is 6 (TCP), 17 (UDP), or 132 (SCTP).
    Default: 1.

tos <hex_mask>
    The type of service (TOS) pattern to match after tos-mask has been applied. This is an 8-bit hexadecimal value from 00 to FF.
    The tos pattern describes the quality of service this policy is meant to match. Each bit in the pattern represents a different aspect of quality (see Table 1). For example, the bit pattern 0010 across bits 3 to 6 indicates that reliability is important, but with normal delay and throughput; the hex value for this pattern is 04.
    Default: Null.

tos-mask <hex_mask>
    This value determines which bits in the IP header's TOS field are significant. This is an 8-bit hexadecimal mask from 00 to FF.
    Typically, only bits 3 through 6 are used for TOS, so it is necessary to mask out the other bits. To mask out everything but bits 3 through 6, the hex mask is 1E.
    Default: Null.