Professional Documents
Culture Documents
Routing
FortiOS 6.0.0
© Copyright Fortinet Inc. All rights reserved. Last Modified: Sunday, October 04, 2020
Lesson Overview
Routing on FortiGate
Best Practices
Diagnostics
2
Routing on FortiGate
Objectives
• Identify the routing capabilities on FortiGate
• Configure static routing
• Implement policy based routes
• Control traffic for well-known Internet services
What is IP-Layer Routing?
• Routing is how packets are sent along a path—from point-to-point on the network—
from source to destination.
o If the destination is on a subnet that is not directly connected to the router, the packet is relayed to
another router that is closer.
o Entries in the routing table can be configured manually, dynamically, or both.
• A FortiGate in NAT mode, among other things, is an OSI layer 3 router.
4
Route Lookup
• For any session, FortiGate performs a routing table lookup twice:
o For the first packet sent by the originator
o For the first reply packet coming from the responder
• Routing information is written to the session table.
• All other packets for that session will use the same path.
o Exception: After a routing table change, route information is flushed from the sessions and must
be relearned.
5
Static Routes
• Configured manually, by an administrator
• Simple matching of packets to a route, based on the packet’s destination IP
address
Network > Static Routes
Default
Default route
route
6
Static Routes with Named Addresses
• Firewall addresses set to type IP/Netmask or FQDN can be used as destinations
for static routes.
7
Dynamic Routes
• Paths are automatically discovered
o FortiGate communicates with neighboring routers to find the best routes.
o Paths are also based on the packet’s destination IP address.
o Routing becomes somewhat self-organizing.
• FortiGate supports:
o Routing Information Protocol (RIP)
o Open Shortest Path First (OSPF)
o Border Gateway Protocol (BGP)
o Intermediate System to Intermediate System (IS-IS)
System > Feature Visibility
Advanced
Advanced Routing
Routing must
must be
be
enabled
enabled to
to display
display the
the GUI
GUI
configuration
configuration menus
menus for
for RIP,
RIP,
OSPF,
OSPF, and
and BGP.
BGP. IS-IS
IS-IS can
can be
be
configured
configured onon the
the CLI
CLI
8
Policy-Based Routes
Network > Policy Routes
• More granular matching than static
routes:
o Protocol
o Source address
o Source ports
o Destination ports
o Type of service (ToS) bits
• Manually configured
• Have precedence over the routing
table
o Maintained in a separate routing table
9
Policy-Based Routing Actions
Network > Policy Routes
• If traffic matches a policy-based route,
FortiGate either:
o Forwards traffic using the specified
outgoing interface to the specified gateway
o Stops policy routing and uses the routing
table instead
10
Internet Services Routing
• Route well-known Internet services through specific WAN interfaces
Policy & Objects > Internet Service
Database
Database
Database containing
containing IP
IP
addresses,
addresses, protocols,
protocols, and
and port
port
numbers
numbers used
used by
by most
most
common
common Internet
Internet services
services
11
IPv6 Routing
• Enable the IPv6 feature to support IPv6 routing configuration using the GUI
o Allows static and policy route configuration using IPv6 addresses
o Enables GUI configuration options of IPv6 versions of dynamic routing protocols
12
Knowledge Check
1. Which of the following objects can be used to create static routes?
A. ISDB objects
B. Service objects
2. What is the expected behavior when the Stop policy routing action is used in a
policy route?
A. FortiGate will skip over this policy route and try to match another in the list.
B. FortiGate will route the traffic based on the regular routing table.
13
Lesson Progress
Routing on FortiGate
Best Practices
Diagnostics
14
Routing Monitor and Route Attributes
Objectives
• Interpret the routing table on FortiGate
• Identify how FortiGate decides which routes are activated in the routing table
• Identify how FortiGate chooses the best route using route attributes
Routing Table Monitor
• Displays only active routes
Monitor > Routing Monitor
Manually
Manually configured
configured
Dynamic
Dynamic protocol
protocol
Directly
Directly connected
connected
ISDB
ISDB route
route
16
Route Attributes
• Each route in the routing table has the following attributes:
o Network Monitor > Routing Monitor
o Gateway IP
o Interfaces
o Distance
o Metric
o Priority
Metric
Metric column
column isis
FGT # get router info routing-table all hidden,
hidden, and
and must
must
...omitted output... be
be enabled
enabled using
using
the
the right-click
right-click
S* 0.0.0.0/0 [10/0] via 172.25.176.1, port1 menu
menu
O 10.200.2.0/24 [110/2] via 192.167.1.130, port2, 01:01:30
C 10.200.3.0/24 is directly connected, port3
B 10.250.2.0/24 [200/0] via 10.200.3.1, port3, 00:45:12
C 172.25.176.0/24 is directly connected, port1
C 192.167.1.0/24 is directly connected, port2
S 192.168.1.0/24 [10/0] via 192.167.1.130, port2, [25/0]
17
Distance
• Used to rank routes from most preferred (low distance value) to least preferred
(high distance value)
• If multiple routes for the same destination exists, the one with the lowest distance is
active, and the rest remain inactive.
Monitor > Routing Monitor
18
Metric
• Used by dynamic routing protocols to determine the best route to a destination
• If multiple dynamic routes have the same distance, then metric is used to break the
tie. The route with the lowest metric is chosen.
• The calculation method differs among routing protocols.
Monitor > Routing Monitor
19
Priority
• Used by static routes to determine the best route to a destination, when the
distance is the same
• If multiple static routes have the same distance, they are all active; however, only
the one with the lowest priority is considered the best path.
Network > Static Routes
20
Knowledge Check
1. The Priority attribute applies to which type of routes?
A. Static
B. Dynamic
2. Which attribute does FortiGate use to determine the best route for a packet, if it
matches multiple dynamic routes that have the same Distance?
A. Priority
B. Metric
3. Which of the following route attributes does not appear on the GUI routing
monitor?
A. Distance
B. Priority
21
Lesson Progress
Routing on FortiGate
Best Practices
Diagnostics
22
Equal Cost Multipath (ECMP) Routing
Objectives
• Identify the requirements for equal cost multipath routing
• Implement route redundancy and load balancing
ECMP
• If multiple static, OSPF, or BGP routes have the same attributes, they are all active
and FortiGate distributes traffic across all of them.
• To be considered for ECMP, routes must have the same values for the following
attributes:
o Destination subnet
o Distance
o Metric
o Priority
FGT # get router info routing-table all
…output omitted…
24
ECMP Methods
• Source IP (default)
o Sessions from the same source IP address use the same route.
• Source-destination IP
o Sessions with the same source and destination IP use the same route.
• Weighted
o Sessions are distributed based on route, or interface weights.
• Usage (spillover)
o One route is used until the volume threshold is reached, then the next route is used.
25
Configuring ECMP
• The ECMP method is set on the CLI.
# config system settings
# set v4-ecmp-mode [ source-ip-based | weight-based | usage-based | source-dest-ip-based ]
# end
• For weight-based ECMP, weight values are configured per interface, or per route on
the CLI.
# config system interface # config router static
# edit <interface name> # edit <id>
# set weight <0 to 255> # set weight <0 to 255>
# end # end
• For spillover ECMP, spillover thresholds are configured per interface on the CLI.
# config system interface
# edit <interface name>
# set spillover-threshold <0 to 16776000>
# end
26
ECMP Example
User A
10.0.3.1/24
port1 10.0.1.0/24
10.0.4.0/24
10.0.2.0/24
10.0.3.0/24 port3
port2
User B
10.0.3.2/24 FGT # get router info routing-table all
…output omitted…
Distance Priority
27
Knowledge Check
1. What is the default ECMP method on FortiGate?
A. Weighted
B. Source IP
2. How does FortiGate load balance traffic when using the spillover method in
ECMP routing?
A. Sessions are distributed based on interface threshold.
B. Sessions are distributed based on route weight.
28
Lesson Progress
Routing on FortiGate
Best Practices
Diagnostics
29
Reverse Path Forwarding (RPF)
Objectives
• Identify how FortiGate detects IP spoofing
• Block traffic from spoofed IP addresses
• Differentiate between and implement the different RPF check methods
RPF
• Protects against IP spoofing attacks.
• The source IP address is checked against the routing table for a return path.
• RPF is only carried out on:
o The first packet in the session, not on a reply.
o The next packet in the original direction after a route change, not on a reply.
• Two methods:
o Loose
o Strict
31
RPF Checking
• RPF checks for an active route back to the source IP through the incoming
interface.
o User A traffic is accepted because there is an active route (the default route) back to the source.
o User B and C packets are denied because there are no active routes back to those sources.
User A
10.250.1.62
10.0.1.0/24
wan1
10.0.3.0/24
port1 10.0.2.0/24
wan2 User B
10.0.4.0/24 10.175.3.69
32
RPF Checking
• Solutions:
o Add a static route back to 10.0.4.0/24.
o Add a second default route, with the same distance, for wan2.
• Use different priority values if you don’t want ECMP.
User A
10.250.1.62
10.0.1.0/24
wan1
10.0.3.0/24
port1 10.0.2.0/24
wan2 User B
10.0.4.0/24 10.175.3.69
33
RPF Methods
# config system setting
# set strict-src-check [ disable | enable ]
# end
34
Loose RPF Example
• Traffic from 10.0.4.1 spoofing the source IP address 10.0.1.1 passes the loose
RPF check.
o The wan1 default route is a valid for the 10.0.1.0/24 subnet.
35
Strict RPF Example
• Traffic from 10.0.4.1 spoofing the source IP address 10.0.1.1 fails the strict
RPF check.
o The best route to 10.0.1.0/24 is not through wan1 because it has a higher distance.
SYN with
wan1 source IP 10.0.1.1
User C
10.0.1.0/24 port1 10.0.4.1
36
Knowledge Check
1. What is the default RPF check method on FortiGate?
A. Loose
B. Strict
2. Which of the following route lookup scenarios will satisfy the RPF check for a
packet?
A. Routing table has an active route for the destination IP of the packet.
B. Routing table has an active route for the source IP of the packet.
37
Lesson Progress
Routing on FortiGate
Best Practices
Diagnostics
38
Best Practices
Objectives
• Configure the link health monitor
• Implement route failover
• Apply network design best practices
• Apply static route configuration best practices
• Use the forward traffic logs
Link Health Monitor
• Mechanism for detecting when a router along the path is down.
o Periodically probes a server beyond the gateway.
• If FortiGate doesn’t receive replies within the failover threshold, all static routes
using the gateway are removed from the routing table.
• If standby routes are available, FortiGate activates and uses them instead.
40
Link Health Monitor Configuration
# config system link-monitor
# edit <name>
# set srcintf <interface>
Use a server IP located beyond
# set server <server ip> the ISP gateway
41
Route Failover Example
1.
1. Link
Link health
health monitor
monitor
probes the server
probes the server ISP1
located
located in
in the
the ISP1
ISP1
network.
network. ISP1-Server
wan1
ISP2
Internet
wan2
3.
3. FortiGate
FortiGate deactivates
deactivates the
the primary
primary 2.
2. The
The ISP1-Server
ISP1-Server
route
route and
and activates
activates the
the secondary
secondary route.
route. ISP2-Server does
does not
not respond
respond to
to
probes.
probes.
FGT # get router info routing-table all FGT # get router info routing-table all
…output omitted… …output omitted…
S 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 S 0.0.0.0/0 [20/0] via 10.0.2.254, wan2
C 10.0.1.0/24 is directly connected, wan1 C 10.0.1.0/24 is directly connected, wan1
C 10.0.2.0/24 is directly connected, wan2 C 10.0.2.0/24 is directly connected, wan2
42
Best Practices—Network Design
• Apply proper network design practices.
o Discontiguous networks are difficult to manage with static routing.
10.4.0.254/24 10.4.0.254/16
CAUTION:
o If Enabling
multiple paths existasymmetric
for the samerouting support
destination, disables
use FortiGate’s
the distance stateful
attribute inspection.
to ensure only one route
is active at a time.
o C
MPLS
Two possible paths
for the same
destination
MPLS 10.4.0.254/16
43
Best Practices—Configuration
• Try to summarize host routes (/32 subnet masks) to supernets.
o Reduces routing table size, and the time it takes to do a route lookup.
• E.g. 10.4.0.100/32, 10.4.0.201/32, 10.4.0.69/32, 10.4.0.97/32 10.4.0.0/24
• E.g. 10.4.0.29/32, 10.4.0.30/32 10.4.0.28/30
44
Best Practices—Forward Traffic Logs
• Use the Destination Interface column in the Forward Traffic logs to determine the
egress interface for all traffic.
Log & Report > Forward Traffic
45
Knowledge Check
1. What is the purpose of the link health monitor setting update-static-route?
A. It creates a new static route for the backup interface.
B. It removes all static routes associated with the link health monitor’s interface.
2. When using link health monitoring, which route attribute must also be configured
to achieve route failover protection?
A. Distance
B. Metric
46
Lesson Progress
Routing on FortiGate
Best Practices
Diagnostics
47
Diagnostics
Objectives
• View active and inactive routes
• View policy routes on the CLI
• Use the built-in packet capture tools
Active Routes
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Distance/Metric
Distance/Metric
S* 0.0.0.0/0 [10/0] via 172.25.176.1, port1
O 10.200.2.0/24 [110/2] via 192.167.1.130, port2, 01:01:30
C 10.200.3.0/24 is directly connected, port3
B 10.250.2.0/24 [200/0] via 10.200.3.1, port3, 00:45:12
C 172.25.176.0/24 is directly connected, port1
C 192.167.1.0/24 is directly connected, port2 Priority/Weight
Priority/Weight
S 192.168.1.0/24 [10/0] via 192.167.1.130, port2, [25/0]
49
Active and Inactive Routes
# get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
Inactive
Inactive route
route
S 0.0.0.0/0 [20/0] via 10.200.2.254, port2
S *> 0.0.0.0/0 [10/0] via 10.200.1.254, port1
C *> 10.0.1.0/24 is directly connected, port3
C *> 10.200.1.0/24 is directly connected, port1
C *> 10.200.2.0/24 is directly connected, port2
Active
Active routes
routes
50
Policy Routes and ISDB Routes
# diagnose firewall proute list
list route policy info(vf=root):
51
Packet Capture
• Can be used to verify the ingress and egress interface of packets
# diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <timestamp> <frame size>
o <interface> can be any or a specific interface (i.e. port1 or internal)
o <filter> follows tcpdump format
o <level> specifies how much information to capture
o <count> number of packets to capture
o <timestamp> print time stamp information
• a – prints absolute timestamp
• l – prints local timestamp
o <frame size> specify length of up to a maximum size of 65K
52
Packet Capture Verbosity Level
Level IP Headers Packet Payload Ethernet Headers Interface Name
1 •
2 • •
3 • • •
4 • •
5 • • •
6 • • • •
53
Packet Capture Examples
# diagnose sniffer packet any 'port 443' 4 All
All traffic
traffic to
to or
or
from port
from port 443443
5.455914 port8 in 192.168.1.254.59785 -> 192.168.1.1.443: syn 457459
with
with verbosity
verbosity 44
5.455930 port8 out 192.168.1.1.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: 927943 ack 725411
5.456012 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: 929403 ack 725411
5.456043 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: psh 930863 ack 725411
All
All ICMP
ICMP traffic
traffic to
to or
or
# diagnose sniffer packet any 'host 192.168.1.254 and icmp' 3 from
from
192.168.1.254
192.168.1.254
interfaces=[any] with
with verbosity
verbosity 33
filters=[host 192.168.1.254 and icmp]
7.560352 192.168.1.254 -> 192.168.1.1: icmp: echo request
0x0000 0000 0000 0001 0050 56c0 0001 0800 4500 .......PV.....E.
0x0010 003c 0e85 0000 8001 a7ec c0a8 01fe c0a8 .<..............
0x0020 0101 0800 4d58 0001 0003 6162 6364 6566 ....MX....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi
54
Packet Capture from the GUI
• Captures are automatically converted into Wireshark format.
o Available on devices with internal storage
Network > Packet
Capture
Filters
Filters should
should be
be very
very
specific
specific toto make
make sure
sure only
only
the
the relevant
relevant packets
packets are
are
being
being captured.
captured.
55
Knowledge Check
1. What is the distance value for the following route?
10.200.2.0/24 [110/2] via 10.200.2.254, [25/0]
A. 110
B. 2
2. Which of the following CLI commands can you use to view inactive routes?
A. get router info routing-table all
B. get router info routing-table database
56
Lesson Progress
Routing on FortiGate
Best Practices
Diagnostics
57
Review