Professional Documents
Culture Documents
Routing
FortiOS 6.2
© Copyright Fortinet Inc. All rights reserved. Last Modified: 2 November 2022
Routing on FortiGate
Objectives
• Identify the routing capabilities on FortiGate
• Configure static routing
• Implement policy-based routes
• Control traffic for well-known Internet services
What is IP-Layer Routing?
• Routing is how packets are sent along a path—from point-to-point on the network—
from source to destination
• If the destination is on a subnet that is not directly connected to the router, the packet is relayed to
another router that is closer
• Entries in the routing table can be configured manually, dynamically, or both
• A FortiGate in NAT mode, among other things, is an OSI Layer 3 router
4
Route Lookup
• For any session, FortiGate performs a routing table lookup twice:
• For the first packet sent by the originator
• For the first reply packet coming from the responder
• Routing information is written to the session table
• All other packets for that session will use the same path
• Exception: After a routing table change, route information is flushed from the sessions and must
be relearned
5
Static Routes
• Configured manually, by an administrator
• Simple matching of packets to a route, based on the packet’s destination IP address
Network > Static Routes
Default route
6
Dynamic Routes
• Paths are automatically discovered
• FortiGate communicates with neighboring routers to find the best routes
• Paths are also based on the packet’s destination IP address
• Routing becomes somewhat self-organizing
• FortiGate supports:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
• Intermediate System to Intermediate System (IS-IS)
8
Policy-Based Routes
Network > Policy Routes
• More granular matching than static
routes:
• Protocol
• Source address
• Source ports
• Destination ports
• Type of service (ToS) bits
• Manually configured
• Have precedence over the routing
table
• Maintained in a separate routing table
9
Policy-Based Routing Actions
Network > Policy Routes
• If traffic matches a policy-based route,
FortiGate either:
• Forwards traffic using the specified
outgoing interface to the specified gateway
• Stops policy routing and uses the routing
table instead
10
Internet Services Routing
• Route well-known Internet services through specific WAN interfaces
Policy & Objects > Internet Service Database
Database containing IP
addresses, protocols, and port
numbers used by most
common Internet services
11
Knowledge Check
1. Which of the following objects can be used to create static routes?
A. ISDB objects
B. Service objects
2. What is the expected behavior when the Stop policy routing action is used in a
policy route?
A. FortiGate will skip over this policy route and try to match another in the list.
B. FortiGate will route the traffic based on the regular routing table.
13
Routing Monitor and Route Attributes
Objectives
• Interpret the routing table on FortiGate
• Identify how FortiGate decides which routes are activated in the
routing table
• Identify how FortiGate chooses the best route using route
attributes
Routing Table Monitor
• Displays only active routes
Monitor > Routing Monitor
Manually configured
Dynamic protocol
Directly connected
ISDB route
16
Routing Monitor
• Provides extended route lookup Monitor > Routing Monitor
17
Route Attributes
• Each route in the routing table has the following attributes:
• Network Monitor > Routing Monitor
• Gateway IP
• Interfaces
• Distance
• Metric
• Priority
Metric column is
FGT # get router info routing-table all hidden, and must
...omitted output... be enabled using
the right-click
S* 0.0.0.0/0 [10/0] via 10.200.1.254, port1 menu
C 10.0.1.0/24 is directly connected, port3
O E2 10.1.1.0/24 [110/10] via 10.0.1.252, port3, 00:23:06
C 10.200.1.0/24 is directly connected, port1
C 10.200.2.0/24 is directly connected, port2
O E2 192.168.3.0/24 [110/10] via 10.0.1.252, port3, 00:23:06
S 192.168.4.0/24 [10/0] via 192.168.4.1, port7
18
Distance
• Used to rank routes from most preferred (low distance value) to least preferred (high
distance value)
• If multiple routes for the same destination exist, the one with the lowest distance is
active, and the rest remain inactive
19
Metric
• Used by dynamic routing protocols to determine the best route to a destination
• If multiple dynamic routes have the same distance, then the metric is used to break
the tie
• The route with the lowest metric is chosen.
• The calculation method differs among routing protocols.
20
Priority
• Used by static routes to determine the best route to a destination, when the distance
is the same
• If multiple static routes have the same distance, they are all active; however, only
the one with the lowest priority is considered the best path
21
Knowledge Check
1. The Priority attribute applies to which type of routes?
A. Static
B. Dynamic
2. Which attribute does FortiGate use to determine the best route for a packet, if it
matches multiple dynamic routes that have the same Distance?
A. Priority
B. Metric
3. Which of the following static route attributes does not appear on the GUI routing
monitor?
A. Distance
B. Priority
22
Diagnostics
Objectives
• View active and inactive routes
• View policy routes on the CLI
• Use the built-in packet capture tools
Active Routes
# # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Distance/Metric
S* 0.0.0.0/0 [10/0] via 172.25.176.1, port1
O 10.200.2.0/24 [110/2] via 192.167.1.130, port2, 01:01:30
C 10.200.3.0/24 is directly connected, port3
B 10.250.2.0/24 [200/0] via 10.200.3.1, port3, 00:45:12
C 172.25.176.0/24 is directly connected, port1
C 192.167.1.0/24 is directly connected, port2
S 192.168.1.0/24 [10/0] via 192.167.1.130, port2, [25/0] Priority/Weight
50
Active and Inactive Routes
# # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
Active routes
51
Policy Routes and ISDB Routes
# diagnose firewall proute list
list route policy info(vf=root):
52
Packet Capture
• Can be used to verify the ingress and egress interface of packets
# diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <timestamp> <frame size>
• <interface> can be any or a specific interface (that is port1 or internal)
• <filter> follows tcpdump format
• <level> specifies how much information to capture
• <count> number of packets to capture
• <timestamp> print time stamp information
• a – prints absolute timestamp
• l – prints local timestamp
• <frame size> specify length of up to a maximum size of 65K
53
Packet Capture Verbosity Level
Level IP Headers Packet Payload Ethernet Headers Interface Name
1 •
2 • •
3 • • •
4 • •
5 • • •
6 • • • •
• The most common levels are:
• 4 – Prints the ingress and egress interfaces
• You can verify how traffic is being routed, or if FortiGate is dropping packets
• 3 or 6 – Prints the packet payload
• You can convert this output to a packet capture (pcap) file that can be opened with a packet analyzer
• If you don’t specify a level, the sniffer uses level 1 by default
54
Packet Capture Examples
# diagnose sniffer packet any 'port 443' 4 All traffic to or
5.455914 port8 in 192.168.1.254.59785 -> 192.168.1.1.443: syn 457459 from port 443
with verbosity 4
5.455930 port8 out 192.168.1.1.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: 927943 ack 725411
5.456012 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: 929403 ack 725411
5.456043 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: psh 930863 ack 725411
55
Packet Capture from the GUI
• Captures are automatically converted into Wireshark format
• Available on devices with internal storage
56
Knowledge Check
1. What is the distance value for the following route?
10.200.2.0/24 [110/2] via 10.200.2.254, [25/0]
A. 110
B. 2
2. Which of the following CLI commands can you use to view inactive routes?
A. get router info routing-table all
B. get router info routing-table database
57
Review
Configure static routing
Implement policy-based routes
Control traffic for well-known Internet services
Interpret the routing table on FortiGate
Implement ECMP routing
Block traffic from spoofed IP addresses
Apply network design and static routing best practices
Implement route failover
View active and inactive routes
Use the built-in sniffer tools