The FortiGate appliance operates as a router when it's configured in NAT mode.
It supports both IPv4 and IPv6 routing.
Within the routing table there are best routes and duplicate routes.
The best route is the most specific route to a destination.
The duplicate routes are simply multiple routes to the same destination.
It's important to configure the security profiles on FortiGate based on the routing configurations.
FortiGate contains a Routing Information Base (RIB) and a Forwarding Information Base (FIB).
The RIB is the standard routing table used by FortiGate and contains connected, static and dynamic routes.
The FIB is made up mostly of RIB entries plus additional system information.
FortiGate performs a lookup on the routing table twice: first when the initial packet is sent by the sender, and a second time when the destination replies.
All other packets that belong to the same session use the same path between the source and destination.
A route lookup will be performed when there's a change in the topology.
Static routes are manually configured by the administrator.
If a network topology is changed, the static route does not automatically update.
To create a static route, use the following instructions:
Go to Network > Static Routes
Click on New
Set the destination as Subnet and set the destination network with its subnet mask.
The default route is 0.0.0.0/0.0.0.0
Set the Gateway address.
Set the Administrative Distance.
Enable the route.
Additionally, static routes can use named addresses. To do so:
Go to Policy & Objects > Addresses > New
Create a name
Type: Subnet / IP Range / FQDN / Geography / Device MAC address
Set the IP address
Next, go to Static Routes > New
Select Named Address
Select the newly created address or group
Dynamic routing enables a router or firewall to automatically learn and share information about remote networks and populate the routing table.
If there's a change in the network topology, the routing protocol can automatically detect the change and modify the entries within the routing table.
The following are supported dynamic routing protocols on FortiGate:
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
Border Gateway Protocol (BGP)
Intermediate System to Intermediate System (IS-IS)
Policy routes enable the administrator to create static routes with more granularity, such as specifying the following matching criteria:
Source address
Destination address
Source ports
Destination ports
Protocols
Type of Service (ToS) marking
Destination internet service
Policy routes take precedence over the routes within the routing table.
They are held in a separate table, known as the policy route table.
To create a policy route, go to Network > Policy Routes, set the matching criteria and action.
Policy route actions:
Stop Policy Routing – This action skips all remaining policy routes and uses the FIB instead.
Forward Traffic – If this action is set, the matching traffic must also match a route within the FIB. If no FIB match is found, the policy route is skipped.
If you want to route specific traffic through specific interfaces, use the following guidelines:
Check whether the Internet Service Database (ISDB) contains the internet service, such as AWS or Azure. Go to Policy & Objects > Internet Service Database.
Next, go to Network > Static Routes. Make sure to set the destination as Internet Service and select the service from the drop-down menu.
Ensure IPv6 is enabled on the FortiGate: go to System > Feature Visibility and enable IPv6.
The routing table contains both dynamic and static routes of the FortiGate device.
To view the routing table using GUI:
Dashboard > Network > Routing > Static & Dynamic Routing
Dashboard > Network > Routing > Policy
To perform a route lookup to determine how the FortiGate will forward traffic to a destination:
Dashboard > Network > Routing
To view the routing table on the CLI, use the get router info routing-table all or get router info routing-table <dst address> command.
Distance – The Administrative Distance (AD) helps the router/firewall determine which route, when different routing protocols offer routes to the same destination, is installed in the routing table.
The route with the lowest AD value is preferred.
The following are the default AD values for each type of route:
0 – Connected
1 – Static SD-WAN zone
5 – Static (DHCP)
10 – Static (Manual)
15 – Static (IKE)
20 – eBGP
110 – OSPF
115 – IS-IS
120 – RIP
200 – iBGP
Metric – This attribute is used to determine which is the preferred route when there are multiple routes from the same protocol to the same destination.
Priority – This attribute is used to determine the preferred route when there are equal-distance duplicate routes. The default priority is 1 on all routes except static and BGP routes.
ECMP routes share the same destination subnet, administrative distance, metric and priority within the routing table.
View ECMP routes:
Dashboard > Network > Routing > Static & Dynamic
Use the get router info routing-table all command.
ECMP load balancing methods:
Source IP
Source-destination IP
Weighted
Usage (spillover)
Configuring ECMP:
This is possible only when SD-WAN is disabled.
SD-WAN enables administrators to direct WAN traffic based on protocol, service, and application.
SD-WAN enables you to control outbound/egress traffic.
Fortinet uses Secure SD-WAN (SD-WAN that includes security features).
The following are common benefits of using SD-WAN:
Improve WAN usage
Improve application performance over WAN
Reduce cost
SD-WAN can be used to steer traffic over one Direct Internet Access (DIA) link rather than another.
SD-WAN rules can be based on the following:
Matching traffic
Member preference (egress interfaces)
Member performance
SD-WAN rules are checked from top to bottom.
Route lookup process, in order:
FortiGate checks regular policy routes
ISDB entries
SD-WAN rules
FIB entries
To create an SD-WAN rule, use the following steps:
Go to Network > SD-WAN > SD-WAN Rules > Create New
Source – The source of the traffic
Destination – The type of traffic, such as Facebook
Criteria –
Member – Egress interfaces
Reverse Path Forwarding (RPF) is the anti-IP-spoofing check on FortiGate.
This check is performed only on the first packet within a session and not on reply messages.
RPF operates in the following modes:
Feasible path – This is the default operating mode and is used when the return path to the source does not have to be the best route; any route back to the source via the ingress interface is accepted.
Strict – This mode is used when the return path must be the best route; the best route to the source must point out the ingress interface.
To enable strict RPF mode, use the following commands (strict mode is disabled by default):
config system settings
    set strict-src-check [enable | disable]
end
To disable RPF on an interface (enabled by default):
config system interface
    edit <interface ID>
        set src-check disable
    next
end
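A small Python model, added here as an example and not FortiGate code, of the route selection described earlier (longest prefix, then lowest AD from the default table, then metric, then priority, with remaining ties forming an ECMP set) together with the two RPF modes. The routing table, interface names and addresses are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Default administrative distances as listed in the notes above.
DEFAULT_AD = {"connected": 0, "static-sdwan": 1, "static-dhcp": 5, "static": 10,
              "static-ike": 15, "ebgp": 20, "ospf": 110, "isis": 115, "rip": 120, "ibgp": 200}

class Route(NamedTuple):
    prefix: str
    interface: str
    kind: str                       # a key of DEFAULT_AD
    metric: int = 0
    priority: int = 1
    distance: Optional[int] = None  # explicit AD override, as with 'set distance'

def net(r): return ipaddress.ip_network(r.prefix, strict=False)
def ad(r): return DEFAULT_AD[r.kind] if r.distance is None else r.distance

def matching(rib, addr):
    """Every route whose prefix covers addr, best or not (what feasible-path RPF consults)."""
    ip = ipaddress.ip_address(addr)
    return [r for r in rib if ip in net(r)]

def lookup(rib, dst):
    """Best route(s) to dst: longest prefix, then lowest AD, then metric, then priority.
    Routes still tied on all four attributes are ECMP routes and are all returned."""
    cands = matching(rib, dst)
    if not cands:
        return []
    key = lambda r: (-net(r).prefixlen, ad(r), r.metric, r.priority)
    best = min(map(key, cands))
    return [r for r in cands if key(r) == best]

def rpf_check(rib, src, ingress, strict=False):
    """Strict: the best route back to src must leave via the ingress interface.
    Feasible path (the default): any route back to src via ingress is enough."""
    routes = lookup(rib, src) if strict else matching(rib, src)
    return any(r.interface == ingress for r in routes)

# Constructed routing table: two equal default routes (an ECMP set) and a subnet
# reachable both by a static route (AD 10) and by an OSPF-learned route (AD 110).
RIB = [
    Route("0.0.0.0/0", "wan1", "static"),
    Route("0.0.0.0/0", "wan2", "static"),
    Route("10.1.0.0/16", "port1", "static"),
    Route("10.1.0.0/16", "port2", "ospf"),
    Route("10.1.5.0/24", "port3", "ospf"),
]
```

With this table, a packet from 10.1.2.3 arriving on port2 passes the feasible-path check (the OSPF route back to it goes out port2) but fails the strict check (the best route back is the static one via port1).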
FortiGate uses the link health monitor to identify links that are no longer active.
The monitor sends multiple probes to up to 4 destination servers.
Link health monitor supports the following protocols:
TCP
UDP
HTTP
TWAMP
If 5 probes fail from all destination servers, the link is labelled as down.
After 5 probes successfully reach one of the destination servers, the link is considered live again.
The number of probes can be adjusted; the default is 5.
Static routes are removed from the routing table if the link is dead.
Policy routes are skipped if their link is dead.
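The following Python model, added as an example and not FortiGate code, shows the dead-link detection described above (5 consecutive all-server failures bring the link down, 5 consecutive successful rounds bring it back) and its effect on static and policy routes. The parameter names, interfaces, servers and probe results are constructed for the example.

```python
class LinkMonitor:
    """Hysteresis model of a FortiGate link health monitor for one interface.

    The link goes down after `failtime` consecutive probe rounds in which every
    server failed, and comes back up after `recoverytime` consecutive rounds in
    which at least one server answered (both default to 5, as in the notes above;
    the parameter names are the example's own, not FortiGate settings)."""

    def __init__(self, interface, servers, failtime=5, recoverytime=5):
        if not 1 <= len(servers) <= 4:
            raise ValueError("a link monitor probes between 1 and 4 servers")
        self.interface, self.servers = interface, list(servers)
        self.failtime, self.recoverytime = failtime, recoverytime
        self.up, self.fails, self.oks = True, 0, 0

    def probe_round(self, replies):
        """replies: set of servers that answered this round (constructed input).
        Returns the link state after applying the round."""
        if any(s in replies for s in self.servers):
            self.oks, self.fails = self.oks + 1, 0
            if not self.up and self.oks >= self.recoverytime:
                self.up = True
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.up and self.fails >= self.failtime:
                self.up = False
        return self.up

def active_routes(routes, monitors):
    """Drop static routes, and skip policy routes, whose egress interface is dead.
    routes: list of (kind, prefix, interface); other kinds are left untouched."""
    dead = {m.interface for m in monitors if not m.up}
    return [r for r in routes if not (r[0] in ("static", "policy") and r[2] in dead)]

def simulate():
    """Drive wan1's monitor through an outage and a recovery (constructed probe results)."""
    mon = LinkMonitor("wan1", ["8.8.8.8", "1.1.1.1"])
    routes = [("static", "0.0.0.0/0", "wan1"), ("static", "0.0.0.0/0", "wan2"),
              ("policy", "10.0.0.0/8", "wan1"), ("connected", "192.168.1.0/24", "port1")]
    history = []
    for _ in range(4):                          # 4 all-fail rounds: still up (needs 5)
        history.append(mon.probe_round(set()))
    history.append(mon.probe_round(set()))      # 5th consecutive failure: link down
    during_outage = active_routes(routes, [mon])
    for _ in range(5):                          # 5 rounds with one server answering: up
        history.append(mon.probe_round({"1.1.1.1"}))
    return history, during_outage, active_routes(routes, [mon])
```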
To view the routing table, use the get router info routing-table all command.
To view the routing table database, use the get router info routing-table database command.
To capture packets on the CLI, use the command diagnose sniffer packet <interface> <filter> <verbosity> <count> <timestamp> <frame size>
To capture packets in the GUI, go to Network > Diagnostics > Packet Capture
For timestamps:
A – prints the absolute timestamp
L – prints the local timestamp
Verbosity levels:
1 – IP headers
2 – IP headers and packet payloads
3 – IP headers, packet payloads and Ethernet headers
4 – IP headers and interface name
5 – IP headers, packet payloads and interface name
6 – IP headers, packet payloads, Ethernet headers and interface name