Routing

Policy routes are viewed in a separate table called the policy route table.

The RIB contains active (or the best) connected, static, and dynamic routes.

Distance is the first tiebreaker that routers use to determine the best route for a particular destination, with the lowest-distance route being considered the best.

In the Destination drop-down list for static routes with named addresses.

NAT mode

Because it can lead to different results based on the timing of events.

FortiGate uses the same ECMP route to route sessions with the same source-destination IP address pair.

No, static routes are not needed for subnets to which FortiGate has direct Layer 2 connectivity.

RIP uses hop count, which is the number of routers the packet must pass through to reach the destination.

ECMP routes are routes of the same type that have the same destination, distance, metric, and priority, which FortiGate installs all of in the routing table.

The lowest-distance route is installed in the routing table, while other lower-distance routes are considered standby routes and are not installed in the routing table.

FortiGate writes the routing information to its session table, and subsequent packets are routed according to the session table, not the routing table.

If there is a change in the routing table that impacts the session, FortiGate removes the route information for the session table and performs additional route lookups to rebuild this information.

The metric, where a lower metric indicates a higher preference.

The next hop refers to the outgoing interface and gateway used for forwarding the packet, which can be the destination or another router along the path.

Static route configuration.

IP routing

The destination subnet value of 0.0.0.0/0.0.0.0 matches all addresses within any subnet.

Standby or inactive routes are not shown; they are present only in the routing table database.

FortiGate performs an RPF check only on the first packet of a new session.

FortiGate performs route lookups from the FIB, not the RIB.

RIB entries can be displayed on both the FortiGate GUI and CLI.

The Interfaces column lists the interface to use to deliver the packet.

FortiGate performs two route lookups: one for the first packet sent by the originator and another for the first reply packet from the responder.

The ISDB helps make routing easier by allowing entries to be applied to static routes, enabling selective routing of traffic through specific WAN interfaces.

A default route is used for all traffic not matching any other routes, typically configured to route traffic through the ISP internet router.

ISDB routes are added to the policy routing table and take precedence over any other routes.

It applies to static routes only and load balances sessions based on the route weight or the respective interface weight; the higher the weight, the more sessions routed through the selected route.

FortiGate sends sessions to the interface of the first ECMP route until the bandwidth of the interface reaches the configured spillover limit, then uses the interface of the next ECMP route.

FortiGate highlighted the static default route as the matching route.

The Strict mode verifies that the matching route is the best route in the routing table for the source address.

You can change the priority of BGP routes only; other dynamic routes are hardcoded to 1.

Implementing multiple paths for routing to optimize performance.

A static route is a manually configured route that directs packets with a specific destination range through a designated network interface towards a specific router.

The weight for dynamic routes is always zero.

The route with the lower distance is installed in the routing table, while the one with the higher distance is kept in the routing table database.

The RPF check protects FortiGate and the network from IP spoofing attacks by verifying a return path to the source in the routing table.

Static routes are manual routes that are configured by the administrator.

The two modes are Feasible path (loose) and Strict.

Pinging a device from FortiGate or connecting to FortiGuard to download definitions.

The default priority setting is 1.

FortiGate load balances the traffic among the ECMP routes.

The left-most column indicates the route source.

Load-balance-mode supports the volume algorithm, while v4-ecmp-mode does not.

They are defined on the SD-WAN member configuration.

The routing table includes static routes, connected routes, and dynamic routes.

They are defined on the static route and interface settings, respectively.

FortiGate automatically starts to forward traffic sourced from both users through port2.

It enables load balancing sessions across multiple links.

The more accurate term for the route lookup process is the FIB lookup process.

Subnet or FQDN.

The lesson focuses on ECMP static routes only.

It forwards packets between IP networks.

When SD-WAN is enabled, the v4-ecmp-mode setting is hidden and replaced with the load-balance-mode setting under config system sdwan.

You must configure the egress and ingress spillover thresholds, which are set to 0 by default, disabling spillover check.

FortiGate maintains the Routing Information Base (RIB) and the Forwarding Information Base (FIB).

Weights must be configured on the interface level or route level.

It verifies that the routing table contains a route that matches the source address of the packet and the incoming interface, but it doesn't have to be the best route.

If the routing table contains a matching route for the source address and incoming interface, but there is a better route through another interface, the RPF check fails.

You can view it on the routing table in the FortiGate CLI.

Connected and IS-IS routes cannot have their distance value changed as they are hardcoded.

The destination subnet, distance, metric, and priority must be the same for each ECMP group.

FortiGate installs the route that was learned last in the routing table.

The load-balance-mode setting replaces v4-ecmp-mode.

The first number is distance, and the second number is metric.

The default administrative distance for OSPF routes is 110.

It allows FortiGate to identify the best route to any destination that matches multiple routes.

ISDB routes are configured as static routes but function as policy routes, taking precedence over other routes in the routing table.

By clicking 'Route Lookup' and indicating at least the destination address, along with optional criteria like destination port, source address, source port, protocol, and source interface.

You need to know the Netflix IP addresses, configure a static route for them, and frequently check that none of the IP addresses have changed.

Source IP: FortiGate uses the same ECMP route to route sessions sourced from the same address.

A routing table contains a series of entries known as routes, each indicating the next hop for a particular destination.

Equal Cost Multipath

Both IPv4 and IPv6 routing.

FortiGate considers only the routing table entries and highlights the matching route, if any.

It installs the best route based on the lowest metric and keeps higher-metric routes in the routing table database.

FortiGate uses the default ECMP algorithm based on the source IP to select routes.

Firewall traffic and local-out traffic.

FortiGate load balances sessions based on the measured interface volume and the member weight.

FortiGate performs a route lookup to identify the best route, which is the most specific route to the destination, using various route attributes as tiebreakers if duplicate routes are found.

Connected routes are automatic routes added by FortiOS after an interface is assigned an IP address.

Inactive routes are static and connected routes whose interfaces are administratively down or whose links are down.

It selects the static route with the lowest priority among them.

The metric is used as a tiebreaker for same-protocol dynamic routes only.

The destination address was 8.8.8.8 and the protocol was TCP.

Dynamic routes are learned using a dynamic routing protocol such as BGP or OSPF.

SD-WAN offers additional benefits beyond what ECMP provides.

The Distance, Metric, and Priority attributes are used for route selection decisions.

FortiGate considers both routing table and policy table entries, and if a policy route matches, it redirects you to the policy route page and highlights the corresponding matching policy route.

Traffic generated by FortiGate, usually for management purposes.

FIB entries can only be displayed on the FortiGate CLI.

You must enable the priority column, which is disabled by default.

FortiGate routes sessions based on the weight value of each route in percentage value when v4-ecmp-mode is set to weight-based.

Routing occurs before most security features, meaning that routing precedes firewall policy evaluation, content inspection, traffic shaping, and source NAT (SNAT).

The FIB is mostly built out of RIB entries plus some system-specific entries required by FortiOS.

It displays the same route entries as the routing monitor widget on the FortiGate GUI.

OSPF uses cost, which is determined by the link bandwidth.

FortiGate installs all of them in the routing table.

The Network column lists the destination IP address and subnet mask to match.

Your security policy configuration must follow your routing configuration, not the opposite.

Standby routes are active routes that are removed from the routing table because they are duplicates and have higher distances.

Under the Advanced Options on the FortiGate GUI.

To provide high availability for mission-critical services and for bandwidth aggregation.

Routes that have the same distance and the same priority.

The command is 'get router info routing-table all'.

The key objectives include:

1. Implementing static routing
2. Understanding the routing table
3. Implementing routing load balancing

FortiGate operates in NAT mode by default, behaving as an IP router that forwards packets between IP networks. It performs IP routing to determine the next hop for packet forwarding based on the destination IP address.

FortiGate performs routing for two types of traffic:

1. Firewall traffic (user traffic) - Traffic that travels through FortiGate.
2. Local-out traffic - Traffic generated by FortiGate, typically for management purposes, such as pinging a device or connecting to FortiGuard for updates.

Local-out traffic refers to the traffic generated by FortiGate itself, usually for management purposes. Examples include:

• Pinging a device from FortiGate.
• Connecting to FortiGuard to download the latest definitions.

A routing table contains entries, known as routes, that indicate the next hop for a particular destination, guiding the forwarding of packets through the network.

The 'next hop' refers to the outgoing interface and gateway used for forwarding a packet, which can be either the destination of the packet or another router along the path to the destination.

FortiGate performs a route lookup to identify the best route, which is the most specific route to the destination. In case of duplicate routes, it uses various route attributes as tiebreakers.

Routing occurs before most security features, meaning that routing precedes firewall policy evaluation, content inspection, traffic shaping, and source NAT (SNAT).

Security policy configuration must follow routing configuration because the security actions performed by FortiGate depend on the outgoing interface determined by the routing process.

1. For the first packet sent by the originator
2. For the first reply packet coming from the responder

FortiGate writes the routing information to its session table, allowing subsequent packets to be routed according to the session table instead of the routing table.

FortiGate removes route information from the session table if there is a change in the routing table that impacts the session.

All packets that belong to the same session follow the same path as determined by the session table.

FortiGate performs additional route lookups to rebuild the routing information for the session after removing the old route information from the session table.

FortiGate maintains two tables for routing information: the Routing Information Base (RIB) and the Forwarding Information Base (FIB).

The Routing Information Base (RIB) contains active (or the best) connected, static, and dynamic routes, serving as the standard routing table.

FortiGate performs a route lookup by checking the Forwarding Information Base (FIB), which is primarily composed of entries from the Routing Information Base (RIB).

You can display the RIB entries on both the FortiGate GUI and CLI.

The FIB entries can be displayed on the FortiGate CLI only.

The RIB is the standard routing table containing active routes, while the FIB is the routing table from the kernel's perspective, built mostly from RIB entries plus system-specific entries required by FortiOS.

The route lookup process is often referred to as the routing table lookup process, but it is more accurately described as the FIB lookup process.

A static route in FortiGate is a manually configured route that directs packets with a specific destination range through a designated network interface towards a specific router. It allows the configuration of distance and priority to help FortiGate determine the best route when multiple routes match a destination.

A default route is used to route all traffic that does not match any other routes. In home networks, it is often configured automatically via DHCP, where the modem sends outgoing traffic through the ISP internet router. The destination subnet value for a default route is 0.0.0.0/0.0.0.0, which matches all addresses.

Static routes are not needed for subnets with direct Layer 2 connectivity because FortiGate can directly communicate with those subnets without needing to specify a route. The device can automatically forward packets to directly connected networks without additional configuration.

You must enable Static route configuration in the firewall address configuration.

After enabling it, the firewall address object becomes available for use in the Destination drop-down list for static routes with named addresses.

The Internet Service Database (ISDB) simplifies the routing of traffic to specific public internet services by allowing the application of ISDB entries to static routes. This enables selective routing of traffic through designated WAN interfaces, ensuring that certain services, like Netflix, can be routed through a specific ISP without needing to manually track IP address changes.

ISDB routes, while configured as static routes, function as policy routes and take precedence over other routes in the routing table. They are specifically designed to be added to the policy routing table, allowing for more flexible and dynamic traffic management based on service type.

To route Netflix traffic through a specific ISP, follow these steps:

1. Identify Netflix IP addresses: Obtain the current IP addresses used by Netflix.
2. Configure static routes: Set up static routes for the identified Netflix IP addresses to route them through the desired ISP.
3. Monitor IP addresses: Regularly check for any changes in Netflix's IP addresses to ensure continued routing effectiveness.
4. Utilize ISDB: Apply ISDB entries to the static routes to enhance routing efficiency and manage traffic effectively.

The routing table includes the following types of routes:

1. Static: Manual routes configured by the administrator.
2. Connected: Automatic routes added by FortiOS after an interface is assigned an IP address, referencing the interface IP address subnet.
3. Dynamic: Routes learned using dynamic routing protocols such as BGP or OSPF, which are installed automatically in the routing table.

The routing table does not contain the following routes:

1. Inactive routes: Static and connected routes whose interfaces are administratively down or whose links are down. Static routes are also marked inactive when their gateway is detected as dead by the link health monitor.
2. Standby routes: Active routes removed from the routing table due to being duplicates with higher distances.
3. Policy routes: These include regular policy routes, ISDB routes, and SD-WAN rules, which are viewed in a separate policy route table.

Administrative distance is the first tiebreaker that routers use to determine the best route for a particular destination. The route with the lowest administrative distance is considered the best and is installed in the routing table.

Routes with higher administrative distances are considered standby routes and are not installed in the routing table. Instead, they are kept in the routing table database.

FortiGate installs the route that was learned last in the routing table when it learns two equal-distance routes to the same destination from different protocols.

Configuring different-protocol routes with the same administrative distance can lead to unpredictable results based on the timing of events, as the route that is kept in the routing table depends on which one was learned last.

A dynamic routing protocol uses the metric as a tiebreaker to identify the best route. The lower the metric, the higher the preference. The best route is then installed in the routing table, while higher-metric routes are stored in the routing table database.

The metric serves as a tiebreaker for same-protocol dynamic routes. It helps determine the best route based on preference, with lower metrics being preferred over higher ones. However, it is not used to compare routes from different protocols.

RIP uses hop count as its metric, which counts the number of routers a packet must pass through to reach its destination. OSPF uses cost, which is determined by the link bandwidth.

FortiGate installs all of them in the routing table. If they also have the same priority, they are known as ECMP static routes.

FortiGate selects the static route with the lowest priority among all the equal-distance duplicate static routes. The lower the priority value, the higher the preference.

The default priority setting for static routes in FortiGate is 1.

You can change the priority of BGP routes only; the priority of other dynamic routes is hardcoded to 1.

The priority setting for static routes can be configured under the Advanced Options on the FortiGate GUI.

You can view the priority in the routing monitor widget by enabling the priority column, and also on the routing table in the FortiGate CLI.

The left-most column indicates the route source.

The first number is distance, which applies to both dynamic and static routes, and the second number is metric, which applies to dynamic routes only.

The static route with the lower distance is installed in the routing table, while the one with the higher distance is kept in the routing table database.

Static and dynamic routes have priority and weight attributes, with the weight for dynamic routes always being zero.

The CLI command displays all entries in the routing table, showing the best active routes to a destination, but does not show standby or inactive routes.

The routing table in FortiGate includes the following attributes:

• Network: Lists the destination IP address and subnet mask to match.
• Interfaces: Specifies the interface to use for delivering the packet.
• Distance: Used to determine the preference of a route; lower values are preferred.
• Metric: Represents the cost of using a route; lower metrics are preferred.
• Priority: Helps in making route selection decisions based on the defined priority levels.

The command to display the routing table on the FortiGate CLI is:

get router info routing-table all

The route lookup feature allows users to find matching routes based on specified criteria such as destination address, destination port, source address, source port, protocol, and source interface.

The RPF check protects FortiGate and the network from IP spoofing attacks by verifying if there is a return path to the source in the routing table. If no valid route exists for the source address through the incoming interface, the packet is dropped to prevent potential forgery or incorrect routing.

The two modes of RPF check in FortiGate are:

1. Feasible path: This is the default mode where FortiGate checks if the routing table contains a route that matches the source address and the incoming interface, without needing it to be the best route.

2. Strict: In this mode, FortiGate verifies that the matching route is the best route in the routing table. If a better route exists through another interface, the RPF check fails.

FortiGate performs an RPF check only on the first packet of a new session. Once the first packet passes the RPF check and the session is accepted, no additional RPF checks are performed on that session.

Equal cost multipath (ECMP) routes are multiple routes that have the same destination, distance, metric, and priority. FortiGate installs all of these routes in the routing table and load balances the traffic among them.

When the destination subnet, distance, metric, and priority are the same for ECMP routes in FortiGate, both routes of each ECMP group are installed in the routing table.

The default algorithm is Source IP, where FortiGate uses the same ECMP route to route sessions sourced from the same address.

The Source-destination IP algorithm routes sessions using the same ECMP route for sessions with the same source-destination IP address pair.

The Weighted algorithm applies to static routes and load balances sessions based on the route weight or the respective interface weight. A higher weight means more sessions are routed through the selected route.

The Usage (spillover) algorithm sends sessions to the interface of the first ECMP route until the bandwidth reaches the configured spillover limit. Once the limit is reached, it uses the interface of the next ECMP route.

When SD-WAN is enabled, the v4-ecmp-mode setting is hidden and replaced with the load-balance-mode setting under config system sdwan. This means that the ECMP algorithm is controlled through the load-balance-mode setting instead of v4-ecmp-mode.

To enable spillover in FortiGate's SD-WAN, you must configure the egress and ingress spillover thresholds. By default, these thresholds are set to 0, which disables the spillover check.

When using a weighted ECMP algorithm and setting v4-ecmp-mode to weight-based, FortiGate routes sessions based on the weight value of each route, which is expressed as a percentage value.

When the route over port1 is removed, FortiGate automatically starts to forward traffic sourced from both users and destined to 10.0.4.0/24 through port2.

1. High availability for mission-critical services.
2. Bandwidth aggregation by load balancing sessions across multiple links.

SD-WAN provides additional benefits such as intelligent path control, application awareness, and dynamic link management, which enhance performance and reliability beyond basic load balancing.

The setting that replaces v4-ecmp-mode is load-balance-mode.

The main difference is that load-balance-mode supports the volume algorithm, while v4-ecmp-mode does not.

When SD-WAN is enabled, weight and spillover thresholds are defined on the SD-WAN member configuration.

The volume algorithm tracks the cumulative number of bytes of each member and distributes sessions based on the member weight; higher weight results in more traffic being sent to that interface.

When SD-WAN is disabled, weight and spillover thresholds are defined on the static route and interface settings, respectively.

The key skills learned include:

1. Configuring routes on FortiGate.
2. Monitoring routes to ensure proper functionality.
3. Load balancing routes for optimal performance.