Policy routing
Policy routing enables you to redirect traffic away from a static route. This can be useful if you want to route certain types of network traffic differently. You can use incoming traffic’s protocol, source address or interface, destination address, or port number to determine where to send the traffic. For example, generally network traffic would go to the router of a subnet, but you might want to direct SMTP or POP3 traffic directly to the mail server on that subnet.
If you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table.
Most policy settings are optional, and a matching policy alone might not provide enough information for forwarding the packet. In fact, the FortiGate almost always requires a matching route in the routing table in order to use a policy route. The FortiGate unit will refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. |
Policy route options define which attributes of a incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the FortiGate unit routes the packet through the specified interface to the specified gateway.
To view policy routes go to Network > Policy Routes.
Create New | Add a policy route. See Adding a policy route. |
Edit | Edit the selected policy route. |
Delete | Delete the selected policy route. |
Move To | Move the selected policy route. Enter the new position and select OK. For more information, see Moving a policy route. |
# | The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table. |
Incoming | The interfaces on which packets subjected to route policies are received. |
Outgoing | The interfaces through which policy routed packets are routed. |
Source | The IP source addresses and network masks that cause policy routing to occur. |
Destination | The IP destination addresses and network masks that cause policy routing to occur. |
Adding a policy route
To add a policy route, go to Network > Policy Route and select Create New.
Protocol | Select from existing or specify the protocol number to match. The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers and you can find a list of the assigned protocol numbers here. The range is from 0 to 255. A value of 0 disables the feature.Commonly used Protocol settings include 6 for TCP sessions, 17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions. |
Incoming Interface | Select the name of the interface through which incoming packets subjected to the policy are received. |
Source Address / Mask | To perform policy routing based on IP source address, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature. |
Destination Address / Mask | To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature. |
Destination Ports | To perform policy routing based on the port on which the packet is received, type the same port number in the From and To fields. To apply policy routing to a range of ports, type the starting port number in the From field and the ending port number in the To field. A value of 0 disables this feature. The Destination Ports fields are only used for TCP and UDP protocols. The ports are skipped over for all other protocols. |
Type of Service | Use a two digit hexadecimal bit pattern to match the service, or use a two digit hexadecimal bit mask to mask out. For more information, see Type of Service. |
Outgoing Interface | Select the name of the interface through which packets affected by the policy will be routed. |
Gateway Address | Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. |
Example policy route
Configure the following policy route to send all FTP traffic received at port1
out the port10
interface and to a next hop router at IP address 172.20.120.23
. To route FTP traffic set protocol to 6 (for TCP) and set both of the destination ports to 21, the FTP port.
Protocol | 6 |
Incoming interface | port1 |
Source address / mask | 0.0.0.0/0.0.0.0 |
Destination address / mask | 0.0.0.0/0.0.0.0 |
Destination Ports | From 21 to 21 |
Type of Service | bit pattern: 00 (hex) bit mask: 00 (hex) |
Outgoing interface | port10 |
Gateway Address | 172.20.120.23 |
Type of Service
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how the IP datagram should be delivered, with such qualities as delay, priority, reliability, and minimum cost.
Each quality helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority TOS is 0, the highest is 7 - when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to the TOS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero TOS route.
Using increased quality may increase the cost of delivery because better performance may consume limited network resources. For more information, see RFC 791 and RFC 1349.
The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2 | Precedence | Some networks treat high precedence traffic as more important traffic. Precedence should only be used within a network, and can be used differently in each network. Typically you do not care about these bits. |
bit 3 | Delay | When set to 1, this bit indicates low delay is a priority. This is useful for such services as VoIP where delays degrade the quality of the sound. |
bit 4 | Throughput | When set to 1, this bit indicates high throughput is a priority. This is useful for services that require lots of bandwidth such as video conferencing. |
bit 5 | Reliability | When set to 1, this bit indicates high reliability is a priority. This is useful when a service must always be available such as with DNS servers. |
bit 6 | Cost | When set to 1, this bit indicates low cost is a priority. Generally there is a higher delivery cost associated with enabling bits 3,4, or 5, and bit 6 indicates to use the lowest cost route. |
bit 7 | Reserved for future use |
Not used at this time. |
For example, if you want to assign low delay, and high reliability, say for a VoIP application where delays are unacceptable, you would use a bit pattern of xxx1x1xx where an ‘x’ indicates that bit can be any value. Since all bits are not set, this is a good use for the bit mask; if the mask is set to 0x14, it will match any TOS packets that are set to low delay and high reliability.
Moving a policy route
A routing policy is added to the bottom of the routing table when it is created. If you prefer to use one policy over another, you may want to move it to a different location in the routing policy table.
The option to use one of two routes happens when both routes are a match, for example 172.20.0.0/255.255.0.0
and 172.20.120.0/255.255.255.0
. If both of these routes are in the policy table, both can match a route to 172.20.120.112
but you consider the second one as a better match. In that case the best match route should be positioned before the other route in the policy table.
To change the position of a policy route in the table, go to Network> Policy Routes and select Move To for the policy route you want to move.
Before/After | Select Before to place the selected Policy Route before the indicated route. Select After to place it following the indicated route. |
Policy route ID | Enter the Policy route ID of the route in the Policy route table to move the selected route before or after. |