- Routing in Fortinet FortiGate
- Configuration Steps of Static Routing
- Configuration Steps of Dynamic Routing (BGP)
- Policy Base Routing
- Routing Monitor GUI
- Troubleshooting Commands for Routing in FortiGate
Routing in Fortinet FortiGate Firewall
Routing is the process of forwarding a packet from its source to its destination across a network.
To perform routing, every firewall has a routing table. A routing table contains a series of rules that specify the next hop and the active routing sessions. Each hop along the routing path requires a routing table lookup to pass the packet along until it reaches the destination.
The firewall first finds the rule in the routing table that matches the destination address in the packet. When performing this match, FortiGate evaluates the entire routing table and selects the most specific route before forwarding the packet to the next hop.
What is route lookup?
When a packet arrives on a Firewall interface, Firewall inspects the IPv4 header, detects the destination IPv4 address, and proceeds through the route lookup process.
For each session, FortiGate performs the route lookup twice.
The first lookup is performed for the first packet sent by the initiator, and the second for the first reply packet coming from the responder. After completing these two lookups, the firewall stores the routing information in the session table.
Subsequent packets are routed according to the session table. After a routing table change, route information is flushed from the sessions and must be re-learned.
Static Route: A manually configured route. When you configure a static route, you are telling the firewall to send packets for a specific destination range out of a specific interface. The example shown in this slide is a default static route, which means that traffic to any subnet (0.0.0.0/0) will go via port1 using gateway 10.0.3.1 if no more specific match is found in the routing table.
Static Route Configuration in FortiGate:
- GUI-> Network-> Static Routes
- Add New Static Route
- Gateway-> Firewall Gateway (10.0.3.1)
- AD-> 10 (value for a static route)
For a large network, manually configuring routes may not be practical. Therefore, dynamic routing is supported on the firewall to learn routes automatically.
Dynamic Routing Protocols supported by FortiGate Firewall
In dynamic routing, FortiGate communicates with nearby routers to discover their paths and to advertise routes to its directly connected subnets. Discovered paths are automatically added to the routing table, so verify that neighbour routers are trusted and secure.
Refer to the images below to configure BGP in the FortiGate Firewall.
You can verify the routes in the Routing Monitor.
Policy Based Routing
Policy-based routes can match on more than only the destination IP address. For example, you may have two ISP links, 10 Gbps and 5 Gbps: one for management, for fast internet access, and the other for users, for average internet reachability.
Policy-based routing forwards traffic on the basis of policy criteria defined in the firewall. If a packet matches a policy, the firewall bypasses the routing table. Policy-based routes are maintained in a separate routing table apart from the normal firewall routing table.
Moreover, when a packet matches a policy route, the firewall does one of the following:
- Forwards the traffic through the specified egress interface to the specified gateway
- Stops policy routing and uses the routing table instead
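The route selection described earlier on this page (most specific prefix first, then the lowest administrative distance, which is also what the Distance column discussion below describes) and the two policy-route outcomes in the list above, modelled together as an added Python example. This is illustrative code written for this page, not FortiGate's own implementation or CLI. Only the default route via port1 with gateway 10.0.3.1 comes from the article; the other routes, the interface names port2 and port3, the gateways 10.0.4.1 and 10.0.1.254, the 10.0.1.0/24 management and user subnets, and the administrative distances 0 (connected) and 20 (BGP) are constructed sample data.

```python
# Added example for this page (not FortiGate's code): a toy model of
# (1) routing-table lookup, which picks the most specific prefix and breaks
# ties on administrative distance, and (2) policy-based routing, which is
# consulted first and either forwards the packet to a chosen egress
# interface/gateway or stops policy routing and falls through to the table.
# All routes, policies and addresses are constructed sample data, except the
# default route via port1 / 10.0.3.1, which comes from the article.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    interface: str
    gateway: Optional[str]   # None for a directly connected subnet
    distance: int            # administrative distance, lower is preferred
    source: str              # "connected", "static" or "bgp"


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dst_ip):
        """Best Route for dst_ip, or None if no entry contains it.

        Longest prefix wins; among equal prefixes the lowest distance wins.
        """
        dst = ip_address(dst_ip)
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


@dataclass(frozen=True)
class PolicyRoute:
    src: IPv4Network
    dst: IPv4Network
    ingress: Optional[str]           # incoming interface, None means any
    action: str                      # "forward" or "stop"
    egress: Optional[str] = None     # used only when action == "forward"
    gateway: Optional[str] = None

    def matches(self, src_ip, dst_ip, ingress_if):
        return (ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst
                and self.ingress in (None, ingress_if))


def decide(policies, table, src_ip, dst_ip, ingress_if):
    """Policy routes are checked top-down before the routing table.

    Returns (decision, interface, gateway): "policy" when a forward policy
    matched, "route" when the routing table was used, "drop" when no route.
    """
    for p in policies:
        if p.matches(src_ip, dst_ip, ingress_if):
            if p.action == "forward":
                return ("policy", p.egress, p.gateway)
            break  # "stop": leave policy routing and use the routing table
    route = table.lookup(dst_ip)
    if route is None:
        return ("drop", None, None)
    return ("route", route.interface, route.gateway)


def build_sample_table():
    # port1 = 10 Gbps ISP (article's default route), port2 = 5 Gbps ISP
    # (assumed), port3 = LAN (assumed).
    return RoutingTable([
        Route(ip_network("0.0.0.0/0"), "port1", "10.0.3.1", 10, "static"),
        Route(ip_network("10.0.1.0/24"), "port3", None, 0, "connected"),
        # same prefix from two sources: static (10) beats BGP (20)
        Route(ip_network("192.168.10.0/24"), "port3", "10.0.1.254", 10, "static"),
        Route(ip_network("192.168.10.0/24"), "port2", "10.0.4.1", 20, "bgp"),
        # a longer prefix beats the static /24 despite its worse distance
        Route(ip_network("192.168.10.128/25"), "port2", "10.0.4.1", 20, "bgp"),
    ])


def build_sample_policies():
    lan, anywhere = ip_network("10.0.1.0/24"), ip_network("0.0.0.0/0")
    return [
        # internal destinations: stop policy routing, let the table decide
        PolicyRoute(lan, ip_network("192.168.0.0/16"), "port3", "stop"),
        # management hosts use the fast ISP, user hosts the slower one
        PolicyRoute(ip_network("10.0.1.0/26"), anywhere, "port3",
                    "forward", "port1", "10.0.3.1"),
        PolicyRoute(ip_network("10.0.1.64/26"), anywhere, "port3",
                    "forward", "port2", "10.0.4.1"),
    ]


if __name__ == "__main__":
    table, policies = build_sample_table(), build_sample_policies()
    for src, dst in [("10.0.1.10", "8.8.8.8"), ("10.0.1.70", "8.8.8.8"),
                     ("10.0.1.70", "192.168.10.200"), ("10.0.1.200", "8.8.8.8")]:
        print(src, "->", dst, decide(policies, table, src, dst, "port3"))
```

Two points the model makes visible: the policy list is ordered, so the "stop" entry for internal destinations must sit above the ISP-steering entries or internal traffic would be pushed out to an ISP; and a host that matches no policy at all (10.0.1.200 above) is routed by the table exactly as if policy routing did not exist, which is the same outcome as an explicit "stop" match.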
Routing Table Monitor
Routing Table Monitor: In the FortiGate Firewall, the GUI shows the active routes. The Routing Monitor captures static routes, directly connected subnets assigned to FortiGate interfaces, and connected routes.
If a link is not established or is down, its route will not be shown in the monitor tab.
Steps to check Route Lookup in Routing Monitor
Select Route Lookup -> Add search criteria -> Check logs
Each route listed in the routing table includes several attributes with associated values:
Network column: lists the destination IP address and subnet mask that the routing table entry matches.
Interface column: lists the interface that will be used to deliver the packet.
Distance column: the administrative distance, used to rank routes from most preferred to least preferred. If there are multiple routes to the same destination, the route with the smaller distance is used to forward the packet.
CLI Command to check active Routes in FortiGate Firewall:
Active, Standby and Inactive Routes
Common Troubleshooting Commands for FortiGate Routing
Some of the commonly used FortiGate CLI commands are:
Are you preparing for your next interview?
If you want to learn more about FortiGate, then check our e-book on FortiGate Interview Questions and Answers in an easy-to-understand PDF format, explained with relevant diagrams (where required) for better ease of understanding.