Handbook

6.0.0

Routing concepts

Many routing concepts apply to static routing. Without a grasp of these basic concepts, the more complex behaviour of dynamic routing is hard to follow.

Routing in VDOMs

Routing on FortiGate devices is configured per VDOM. This means if VDOMs are enabled, you must enter a VDOM to do any routing configuration. This allows each VDOM to operate independently, with its own default routes and routing configuration.

In this guide, the procedures assume that the FortiGate has VDOMs disabled. This is stated in the assumptions for the examples. If the FortiGate has VDOMs enabled, you'll need to perform the following steps in addition to the procedure steps.

To route in VDOMs - GUI:

Select the VDOM that you want to view or configure at the bottom of the main menu.

To route in VDOMs - CLI:

Before you follow any CLI routing procedures with VDOMs enabled, enter the following commands. For this example, it's assumed that you'll be working in the root VDOM. Change root to the name of your selected VDOM as needed.

config vdom
    edit root

Following these commands, you can enter any routing CLI commands, as normal.

Default route

The default route is used when no more specific route in the routing table matches a packet's destination. Including a gateway in the default route gives all such traffic a next-hop address to use when leaving the local network; the gateway is normally another router at the edge of the local network.

FortiGate devices, like most routers, ship with a default route in place so that a unit can be set up and become operational quickly. Beginner administrators can use the default route settings until a more advanced configuration is needed. Because the default route matches every destination, make sure a more specific route or a blackhole route exists for any prefix that must not leave through the default gateway.

Adding or editing a static route

  1. Go to Network > Static Routes and select Create New (or select an existing route and select Edit).
  2. Enter the following information and select OK.

    Destination

    Enter the destination IP address and netmask. A value of 0.0.0.0/0.0.0.0 matches every destination (a default route).

    Interface

    Select the interface through which the static route forwards traffic.

    Gateway Address

    Enter the IP address of the next-hop router. It must be reachable through the selected interface.

    Administrative Distance

    Enter the distance value. When several routes to the same destination exist, only those with the lowest distance are installed in the forwarding table. The default for static routes is 10.

    Advanced Options

    Optionally, expand Advanced Options and enter a Priority, which breaks ties between routes that have the same destination and the same distance. The lower the priority number, the more preferred the route. The default is 0.

Enabling or disabling individual static routes

You can enable or disable individual static routes.

To configure IPv4 static routes - CLI:

config router static
    edit <sequence number>
        set status {enable | disable}
    next
end

To configure IPv6 static routes - CLI:

config router static6
    edit <sequence number>
        set status {enable | disable}
    next
end

Configuring FQDNs as a destination address in static routes

You can use an FQDN firewall address as the destination of a static route, from either the GUI or the CLI. The FortiGate resolves the FQDN through its configured DNS servers and installs routes for the resolved addresses, so the route is only as reliable as that DNS resolution; if the name doesn't resolve, no route is installed for it.

In the GUI, first enable the Static Route Configuration option on the FQDN firewall address itself. Then, when you configure the static route, set Destination to Named Address and select the FQDN address.

In the CLI, use the following commands.

First, configure the firewall FQDN address and allow it to be used in routing:

config firewall address
    edit 'Fortinet-Documentation-Website'
        set type fqdn
        set fqdn docs.fortinet.com
        set allow-routing enable
    next
end

Next, reference the FQDN address as the destination of a static route (edit 0 creates a new entry with the next free sequence number):

config router static
    edit 0
        set dstaddr Fortinet-Documentation-Website
        ...
    next
end

Routing table

When two computers are directly connected, there's no need for routing because each computer knows exactly where to find the other computer, and they communicate directly.

Networking computers allows many computers to communicate with each other. This requires each computer to have an IP address to identify its location to the other computers. This is much like a mailing address, where you won't receive your postal mail at home if you don't have an address for people to send mail to. The routing table on a computer is much like an address book used to mail letters to people, where the routing table maintains a list of how to reach computers. Routing tables may also include information about the quality of service (QoS) of the route, and the interface associated with the route if the device has multiple interfaces.

The letter-delivery analogy is simpler than reality. Routers lose power or have bad cabling, equipment is moved without warning, and other such events prevent a static route from reaching its destination. When a change like this happens along a static route, traffic can no longer reach the destination and the route goes down. Dynamic routing can react to these changes so that traffic still reaches its destination. The process of detecting the problem, withdrawing the failed route, and settling on a working alternative is called convergence. With fast convergence, users won't even notice that re-routing has taken place.

The routing table on any device has a limited size. Routes that aren't used can be replaced by new routes, so the table tends to hold the most current and most used routes, which are the ones most likely to be reused. Table size is also kept down by keeping only one route per destination: when a new route to a destination already in the table arrives, the better of the two is selected and the other is discarded.

Routing tables are also used for unicast reverse path forwarding (uRPF). With uRPF, the router looks up not only the destination but also the source address of an incoming packet, to check that a route back to that source exists through the interface the packet arrived on. If no such route exists, the packet is dropped, because the router treats it as a misconfiguration or a spoofed-source attack.


Viewing the routing table

You can view the routing table in the FortiGate GUI. By default, all routes are displayed in the Routing Monitor list. The default static route is defined as 0.0.0.0/0, which matches the destination IP address of every packet that no more specific route covers.

To display the routes in the routing table, go to Monitor > Routing Monitor. Select Static & Dynamic to view the routes.

You can also monitor policy routes. Select Policy to list the active policy routes on the FortiGate and view information about them. The active policy routes include policy routes that you create, SD-WAN rules, and Internet service static routes. Downstream devices in the Security Fabric are also supported.

The following figure shows an example of the static and dynamic routes in the Routing Monitor list:

The following figure shows an example of the policy routes in the Routing Monitor list:

The fields in the Routing Monitor list are:

IP Version

    Shows whether the route is IPv4 or IPv6. IPv6 routes are displayed only if IPv6 is enabled in the FortiGate GUI.

Type

    The type assigned to the route, which identifies where it came from (Static, Connected, RIP, OSPF, or BGP, among others):

  • All: All routes recorded in the routing table
  • Connected: All routes associated with direct connections to FortiGate interfaces
  • Static: The static routes that have been added to the routing table manually
  • RIP: All routes learned through RIP. For more information, see RIP.
  • RIPNG: All routes learned through RIPng (RIP for IPv6 networks)
  • BGP: All routes learned through BGP. For more information, see BGP.
  • OSPF: All routes learned through OSPF. For more information, see OSPF.
  • OSPF6: All routes learned through OSPFv3 (OSPF for IPv6 networks)
  • IS-IS: All routes learned through IS-IS. For more information, see IS-IS.
  • HA: RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster. HA routes are maintained on subordinate units and are visible only if you're viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster.

    For more information about HA routing synchronization, see Synchronizing kernel routing tables.

Subtype

    If applicable, the subtype classification assigned to OSPF routes. An empty string implies an intra-area route: the destination is in an area that the FortiGate is connected to.

  • OSPF inter area: The destination is in the OSPF AS, but the FortiGate isn't connected to that area.
  • External 1: The destination is outside the OSPF AS (OSPF type E1). The metric of the redistributed route is the external cost plus the internal OSPF cost to reach the router that injected it.
  • External 2: The destination is outside the OSPF AS (OSPF type E2). The metric is the external cost only, expressed as an OSPF cost; the internal cost isn't added, so an E2 route looks equally good from anywhere in the AS.
  • OSPF NSSA 1: Same as External 1, but the route was received through a not-so-stubby area (NSSA)
  • OSPF NSSA 2: Same as External 2, but the route was received through a not-so-stubby area

    For more information about OSPF subtypes, see OSPF.

Network

    The IP addresses and network masks of destination networks that the FortiGate can reach.

Gateway IP

    The IP address of the next-hop router toward the destination network.

Interfaces

    The interface through which packets are forwarded to the gateway of the destination network.

Up Since

    The total accumulated time that a route learned through RIP, OSPF, or BGP has been reachable.

Distance

    The administrative distance associated with the route. Lower values are preferred: when several routes to the same destination exist, only those with the lowest distance are installed, and a value of 0 means the route is the most preferred possible route to that destination.

    The distance of a dynamic route is set in the configuration of the protocol that learned it, not on the route itself. See BGP.

Metric

    The metric associated with the route type. The metric of a route influences how the FortiGate dynamically adds it to the routing table. The following are the types of metrics and the protocols they apply to:

  • Hop count: Routes learned through RIP
  • Relative cost: Routes learned through OSPF
  • Multi-Exit Discriminator (MED): Routes learned through BGP. However, several attributes in addition to MED determine the best path to a destination network. For more information about BGP attributes, see BGP. By default, the MED value associated with a BGP route is zero. However, the MED value can be modified dynamically. If the value was changed from the default, the Metric column displays a non-zero value.

    This field isn't displayed when IP version 6 is selected.

Copying DSCP value in GRE tunnels

You can enable an option that copies the DSCP (Differentiated Services Code Point) value of a packet into the outer IP header when the packet is encapsulated for a GRE tunnel. The marking then survives the tunnel, so intermediate routers can still apply the intended QoS treatment.

To enable DSCP copying - CLI:

config system gre-tunnel
    edit <name>
        set dscp-copying enable
    next
end

Configuring the maximum number of IP route cache entries

To configure the maximum number of route cache entries - CLI:

config system global
    set max-route-cache-size <number_of_cache_entries>
end

where <number_of_cache_entries> is in the range 0 to 2147483647.

Unsetting the field returns the value to the kernel-calculated default:

config system global
    unset max-route-cache-size
end

Viewing the routing table in the CLI

You can view the routing table in the CLI, either the configured static routes alone (as in the GUI's Static Routes page) or the full routing table.

The get router static command lists the configured static routes. The get router info routing-table all command displays the entire routing table, including configured and learned routes of all types. The two commands show different information in different formats: the first is configuration, the second is what the router is actually using, so a static route that is configured but whose interface is down appears in the first and not in the second.

If VDOMs are enabled on the FortiGate, all routing-related CLI commands must be performed within a VDOM and not in the global context.

To view the routing table - CLI:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port2
S       1.0.0.0/8 [10/0] via 192.168.183.254, port2
S       2.0.0.0/8 [10/0] via 192.168.183.254, port2
C       10.142.0.0/23 is directly connected, port3
B       10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C       192.168.182.0/23 is directly connected, port2

Examining an entry:

B       10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m

B

    BGP, the routing protocol the route was learned from (see the Codes legend at the top of the output).

10.160.0.0/23

    The destination of this route, including netmask.

[20/0]

    20 is the administrative distance, out of a range of 0 to 255; 20 is the default for routes learned through EBGP.

    0 is the metric of the route. Its meaning depends on the protocol: MED for BGP, cost for OSPF, hop count for RIP.

10.142.0.74

    The gateway, or next hop.

port3

    The interface that the route uses.

2d18h02m

    The age of the route (in this example, almost three days).
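As an added example that is not part of the Handbook, the following Python script parses routing-table output in the format shown above into records and then performs the lookup a forwarding decision makes: longest-prefix match first, then lowest administrative distance, then lowest metric. The sample text is the page's own table re-typed as a string so that it runs offline; the regular expressions are this example's assumption about the line layout, not a published grammar.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Sample output, constructed from the table shown above (not a live capture).
SAMPLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port2
S       1.0.0.0/8 [10/0] via 192.168.183.254, port2
S       2.0.0.0/8 [10/0] via 192.168.183.254, port2
C       10.142.0.0/23 is directly connected, port3
B       10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C       192.168.182.0/23 is directly connected, port2
"""

@dataclass
class Route:
    proto: str                                 # code letter(s): S, C, B, O, ...
    candidate_default: bool                    # the '*' flag
    network: ipaddress.IPv4Network
    distance: int                              # first number in [d/m]
    metric: int                                # second number in [d/m]
    gateway: Optional[ipaddress.IPv4Address]   # None for connected routes
    interface: str
    age: Optional[str]                         # only dynamic routes print an age

# Assumed line layouts (this example's assumption):
#   "<code> <net> [<d>/<m>] via <gw>, <dev>[, <age>]"
#   "<code> <net> is directly connected, <dev>"
VIA_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9]+\*?)\s+(?P<net>\S+)\s+\[(?P<dist>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<gw>\S+),\s+(?P<dev>[^,\s]+)(?:,\s+(?P<age>\S+))?$")
CONN_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9]+\*?)\s+(?P<net>\S+)\s+is directly connected,\s+(?P<dev>\S+)$")

def parse_routing_table(text: str) -> list[Route]:
    """Turn the textual table into Route records; the Codes legend matches neither pattern."""
    routes: list[Route] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = VIA_RE.match(line)
        if m:
            routes.append(Route(m["code"].rstrip("*"), m["code"].endswith("*"),
                                ipaddress.ip_network(m["net"]), int(m["dist"]),
                                int(m["metric"]), ipaddress.ip_address(m["gw"]),
                                m["dev"], m["age"]))
            continue
        m = CONN_RE.match(line)
        if m:
            # connected routes print no [distance/metric]; recorded as 0/0 here
            routes.append(Route(m["code"].rstrip("*"), m["code"].endswith("*"),
                                ipaddress.ip_network(m["net"]), 0, 0, None,
                                m["dev"], None))
    return routes

def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Forwarding decision: the most specific prefix wins; among routes to the
    same prefix the lowest administrative distance, then the lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance, r.metric))

if __name__ == "__main__":
    table = parse_routing_table(SAMPLE)
    for dst in ("10.160.0.5", "10.142.1.9", "1.2.3.4", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:>12} -> {r.proto}{'*' if r.candidate_default else ''} {r.network} "
              f"via {r.gateway or 'connected'} on {r.interface}")
```

Feeding the real output of get router info routing-table all into parse_routing_table lets you answer "which route will this packet take" without a second device, and a lookup that lands on the candidate default for a destination you expected to be covered by a more specific prefix is usually the first sign of a missing or withdrawn route.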

To view the kernel routing table - CLI:

# get router info kernel
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.0/24 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.20.120.0/24 pref=172.20.120.146 gwy=0.0.0.0 dev=6(internal)

The parts of a routing table entry are:

tab

    Table number: either 254 (unicast) or 255 (multicast).

vf

    Virtual domain of the firewall: the VDOM index number. If VDOMs aren't enabled, this number is 0.

type

    Type of routing connection. Valid values include:

    0 - unspecific
    1 - unicast
    2 - local
    3 - broadcast
    4 - anycast
    5 - multicast
    6 - blackhole
    7 - unreachable
    8 - prohibited

proto

    Type of installation: where the route came from. Valid values include:

    0 - unspecific
    2 - kernel
    11 - ZebOS routing module
    14 - FortiOS
    15 - HA
    16 - authentication based
    17 - HA1

prio

    Priority of the route. Lower values are preferred.

->10.11.201.0/24 (->x.x.x.x/mask)

    The IP address and subnet mask of the destination.

pref

    Preferred source address: the FortiGate's own address on the outgoing interface, used as the source of traffic the FortiGate originates over this route. In both example entries it's the interface address on the directly connected network.

gwy

    Gateway: the next-hop address this route uses. 0.0.0.0 means there is no gateway because the destination network is directly connected, as in both example entries.

dev

    Outgoing interface index and name: the number is the interface index for this route. If VDOMs are enabled, the VDOM is also included here. If an interface alias is set for the interface, it's also displayed here.

Searching the routing table

You can apply a filter to search the routing table and display only certain routes. For example, you can display one or more static routes, connected routes, routes learned through RIP, OSPF, or BGP, and routes associated with the network or gateway that you specify.

If you search by route type and further limit the display by network or gateway, all of the values you specify must match the corresponding values in the same routing table entry for that entry to be displayed. An implicit AND condition is applied to all of the search parameters.

For example, if the FortiGate is connected to network 172.16.14.0/24 and you want to display all directly connected routes to that network, select Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter. Only entries that have Connected in the Type field and the specified value in the Network field are displayed.

In this example, you will apply a filter to search for an entry for a static route to 10.10.10.10/24.

To search the routing table - GUI:
  1. Go to Monitor > Routing Monitor.
  2. From the Type list, select the type of route to display. In this example, select Static.
  3. If you want to display routes to a specific network, type the IP address and netmask of the network in the Network field. In this example, enter 10.10.10.10/24.
  4. If you want to display routes to a specific gateway, type the IP address of the gateway in the Gateway field.
  5. Select Apply Filter.

All of the values that you specify as search criteria must match corresponding values in the same routing table entry for that entry to be displayed.

To search the routing table - CLI:

FGT # get router info routing-table details 10.10.10.10
Routing entry for 10.10.10.10/24
  Known via "static", distance 10, metric 0, best

If multiple routes match your filter, they are all listed; the best match is at the top of the list and marked with the word "best".

Building the routing table

In the factory default configuration, the routing table on the FortiGate contains a single static default route. You add routing information to the routing table by defining additional static routes, or by enabling a dynamic routing protocol.

The routing table may hold several different routes to the same destination: the next-hop routers specified in those routes, or the FortiGate interfaces associated with them, may differ. In this situation, the best route is selected from the table.

The FortiGate selects the best route for a packet by evaluating the information in the routing table. For each destination it first takes the most specific (longest-prefix) match; among routes to that prefix it prefers the lowest administrative distance, then the lowest priority value. A route's metric only matters within the protocol that learned it. If the best route becomes unavailable, the next best route to that destination is used.

The FortiGate installs the best available routes in the forwarding table, which is a subset of the routing table. Packets are forwarded according to the information in the forwarding table.

Static routing security

Securing the information on your company network is a top priority for network administrators. Security at the routing layer matters because the routing protocols in use are open, internationally known standards that provide little or no inherent security by themselves.

There are two main things to protect: the sensitive and proprietary information on your network, and your external bandwidth. Attackers can steal both. Routing is a good low-level way to secure your network, even before UTM features are applied.

Routing provides security in a number of ways, including obscuring internal network addresses with NAT, discarding unwanted traffic with blackhole routes, validating traffic sources with RPF, and limiting access to the network with an access control list (ACL).

Network Address Translation

Network address translation (NAT) rewrites the source address of traffic so that it appears to originate from the FortiGate rather than from the host that sent it. This hides the addresses on a company's internal networks and helps prevent attacks that target those specific addresses.

The router connected to the local network replaces the internal source address with its own externally connected address before sending the traffic out to other networks, such as the Internet, and records the mapping in its session table. Incoming traffic is matched against the established sessions to determine which internal address it belongs to. This also means that only the router has to be hardened against external attacks, rather than every host on the internal network, which makes securing the network much cheaper and easier to maintain.

Configuring NAT on a FortiGate includes the following steps:

  1. Configure your internal network. For example, use the 10.11.101.0 subnet.
  2. Connect your internal subnet to an interface on the FortiGate. For example, use port1.
  3. Connect your external connection (for example, an ISP gateway of 172.20.120.2) to another interface on the FortiGate (for example, port2).
  4. Configure security policies to allow traffic from port1 to port2 on the FortiGate, with the NAT option enabled on the policy.

With these steps, traffic from your internal network originates on the 10.11.101.0 subnet and passes on to the 172.20.120.0 network. As the FortiGate moves the traffic between the subnets, the traffic appears to originate from the FortiGate's interface on the external subnet, not from the internal host that actually sent it.

NAT "hides" the internal network from the external network. This is security through obscurity rather than a control in its own right: an attacker probing from outside finds the FortiGate but learns nothing about the internal addressing, and must get past the security-hardened FortiGate to reach the internal network. NAT won't prevent attacks that piggyback on valid connections between the internal network and the outside world, such as malicious content fetched by an internal host over a permitted session. Other UTM security measures deal with these attempts.

A side effect of NAT is that it breaks any program or service that expects to be contacted from the outside. Consider someone on the Internet trying to initiate a chat with someone on the internal network. The outsider can reach only the external interface of the FortiGate; unless a security policy explicitly allows the traffic through to the internal host, the request is refused or times out. Which protocols are allowed in is decided in the security policy.
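The session-table behaviour described above, as an added example that is not part of the Handbook: a Python model of source NAT to the outgoing interface address. It records each outbound flow, rewrites the source to the external address and a translated port, maps replies back to the internal host, and drops anything inbound that doesn't belong to an existing session, which is what makes the unsolicited chat request fail. The addresses, ports and the sequential port-allocation scheme are this example's assumptions, not the FortiGate's actual implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    proto: str
    int_src: str        # internal host address
    int_sport: int      # internal host source port
    dst: str            # remote server
    dport: int          # remote port
    ext_sport: int      # port used on the external address for this flow

class SourceNat:
    """Source NAT to a single external address, as a policy with NAT enabled does."""

    def __init__(self, external_ip: str, first_port: int = 30000):
        self.external_ip = external_ip
        self.next_port = first_port            # assumed sequential allocation
        self.by_inside: dict[tuple, Session] = {}
        self.by_outside: dict[tuple, Session] = {}

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> tuple:
        """Packet from the internal network toward the outside. Returns the
        rewritten (src, sport, dst, dport) as seen on the external interface."""
        key = (proto, src, sport, dst, dport)
        s = self.by_inside.get(key)
        if s is None:                          # first packet of a new flow
            s = Session(proto, src, sport, dst, dport, self.next_port)
            self.next_port += 1
            self.by_inside[key] = s
            self.by_outside[(proto, s.ext_sport, dst, dport)] = s
        return (self.external_ip, s.ext_sport, dst, dport)

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[tuple]:
        """Packet arriving on the external interface. Replies to an existing
        session are translated back to the internal host; anything unsolicited
        returns None, i.e. it's dropped unless a policy explicitly allows it in."""
        if dst != self.external_ip:
            return None
        s = self.by_outside.get((proto, dport, src, sport))
        if s is None:
            return None
        return (src, sport, s.int_src, s.int_sport)

if __name__ == "__main__":
    nat = SourceNat("172.20.120.1")   # hypothetical FortiGate address on the ISP side
    print(nat.outbound("tcp", "10.11.101.5", 51000, "203.0.113.10", 443))
    print(nat.inbound("tcp", "203.0.113.10", 443, "172.20.120.1", 30000))
    print(nat.inbound("tcp", "198.51.100.9", 5222, "172.20.120.1", 30001))  # unsolicited: None
```

The by_outside lookup is keyed on the remote address and port as well as the translated port, so an outsider who guesses an in-use translated port still can't inject into the session from a different address.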

Access control list

An access control list (ACL) is a table of addresses that have permission to send and receive data over a router's interface or interfaces. The router maintains the ACL, and when traffic arrives on a particular interface it's buffered while the router checks the ACL to see whether that traffic is allowed in on that interface. If it is, the next step is to check the ACL for the destination interface. If the traffic also passes that check, the buffered traffic is delivered to its destination. If either step fails the ACL check, the traffic is dropped and an error message may be sent to the sender. The ACL ensures that traffic follows expected paths and that unexpected traffic isn't delivered, which stops many network attacks. However, to be effective the ACL must be kept up to date: when employees or computers are removed from the internal network, their IP addresses must also be removed from the ACL, otherwise a stale entry lets whoever next receives that address through. For more information about the ACL, see router {access-list | access-list6}.

Blackhole routes

A blackhole route is a route that silently drops all traffic sent to it, much like /dev/null on Linux.

Blackhole routes dispose of packets instead of responding to suspicious probes. This adds security because the originator receives no reply and so learns nothing about the target network.

Blackhole routes can also limit traffic on a subnet. If some subnet addresses aren't in use, traffic to those addresses, whether valid or malicious, can be sent to a blackhole, which adds security and reduces traffic on the subnet.

The loopback interface is a virtual interface that doesn't forward traffic; it was added to make blackhole routing easier to configure. Compared with a physical interface it has fewer parameters to configure, and all traffic sent to it stops there. Since it can't have hardware or link-status problems it's always up, which also makes it useful in dynamic routing roles, for example as a stable address for a router ID or peering. Once configured, you can use a loopback interface in security policies, routing, and other places that refer to interfaces. You configure this feature only from the CLI. For more information, see system interface.

Configuring IPv6 blackhole routes

You can configure IPv6 blackhole routes. In the FortiGate GUI, select Network > Static Routes and select Create New. In the Interface field, choose Blackhole.

Blackhole static routing

System administrators use blackhole routing to divert unwanted traffic, such as packets from a Denial of Service (DoS) attack or communications from an illegal source. The traffic is routed to a dead interface, or to a host designed to collect information for investigation. This reduces the impact of the attack on the network.

To enable blackhole routing - CLI:

config router {static|static6}
    edit <sequence number>
        set blackhole enable
    next
end

Blackhole route priority

You can add a priority to a blackhole route to change its position relative to other routes to the same destination in the routing table. Because priority is compared only between routes with the same destination and administrative distance, a blackhole route with a high priority value acts as a fallback: it takes effect only when the preferred route to that prefix disappears, so traffic for the prefix is dropped instead of leaking out through the default route.

To add a blackhole route with a priority - CLI:

config router static
    edit <sequence number>
        set blackhole enable
        set priority 200
    next
end

Static routes and VRFs

You can configure static route support for multiple virtual routing and forwarding instances (VRFs) on a FortiGate. Routes in different VRFs are kept in separate routing tables, so the same prefix can be routed differently in each.

To assign a static route (including a blackhole route) to a VRF - CLI:

config router static
    edit <sequence-number>
        set vrf <VRF-ID>
    next
end

where <VRF-ID> is a value from 0 to 31. FortiOS supports 32 VRFs (numbered 0 to 31) per VDOM.

Reverse path lookup

Whenever a packet arrives on one of the FortiGate's interfaces, the FortiGate checks whether it was received on a legitimate interface by doing a reverse lookup of the packet's source IP address in the routing table. This is also called anti-spoofing. If the FortiGate has no route back to the source address through the interface the packet arrived on, it drops the packet, since the source was most likely spoofed. By default this check is loose: any route to the source via the receiving interface is enough, including the default route. The FortiGate can also be configured for strict checking, where the best route to the source must point out the receiving interface. Note that a loose check on the interface that carries the default route accepts any source address, so it offers little protection against spoofed packets arriving from the Internet.

If the destination address can be matched to a local address, and the local configuration permits delivery, the FortiGate delivers the packet to the local network. If the packet is destined for another network, the FortiGate forwards it to a next-hop router according to any matching policy route and the information stored in the forwarding table.
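The two RPF modes described above, as an added example that is not part of the Handbook: a small Python model of the check, run against a constructed routing table. Loose mode accepts a packet if any route to its source (the default route included) points out the receiving interface; strict mode requires the best, longest-prefix route to the source to point out that interface. Before the lookup the model also rejects source addresses no router should ever see on the wire, the "Martian addresses" mentioned under Multipath routing below. The table, interface names and packets are hypothetical.

```python
import ipaddress

# Constructed routing table: (destination network, outgoing interface). Hypothetical.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"),      "wan1"),      # default route toward the ISP
    (ipaddress.ip_network("10.10.0.0/16"),   "internal"),  # summary for the LAN
    (ipaddress.ip_network("10.10.50.0/24"),  "dmz"),       # one LAN block lives on the DMZ
    (ipaddress.ip_network("192.168.1.0/24"), "internal"),
]

def is_martian(addr: ipaddress.IPv4Address) -> bool:
    """Source addresses that are never legitimate on an incoming packet."""
    return (addr.is_loopback or addr.is_multicast or addr.is_unspecified
            or addr.is_reserved)

def rpf_check(src: str, ingress: str, strict: bool = False) -> tuple[bool, str]:
    """Return (accept, reason) for a packet with source `src` arriving on `ingress`."""
    src_ip = ipaddress.ip_address(src)
    if is_martian(src_ip):
        return False, "martian source"
    matches = [(net, dev) for net, dev in ROUTES if src_ip in net]
    if not matches:
        return False, "no route to source"
    if strict:
        # strict: the route the FortiGate would itself use to reach the source
        # must leave through the interface the packet came in on
        best_net, best_dev = max(matches, key=lambda r: r[0].prefixlen)
        ok = best_dev == ingress
        return ok, f"best route {best_net} via {best_dev}"
    # loose (default): any route back to the source via the ingress interface is enough
    ok = any(dev == ingress for _, dev in matches)
    return ok, ("a route to the source exists via ingress" if ok
                else "no route to the source via ingress")

if __name__ == "__main__":
    # constructed packets: (source address, receiving interface)
    for src, dev in [("10.10.50.7", "internal"), ("192.168.1.20", "wan1"),
                     ("203.0.113.5", "wan1"), ("127.0.0.1", "wan1")]:
        for strict in (False, True):
            ok, why = rpf_check(src, dev, strict)
            print(f"{'strict' if strict else 'loose ':6} {src:>14} on {dev:8} "
                  f"{'accept' if ok else 'drop  '}  ({why})")
```

The 192.168.1.20-on-wan1 case is the one to remember: with only a default route pointing at the ISP, loose RPF on the WAN side accepts a packet that claims an internal source, and only strict mode drops it. The 10.10.50.7-on-internal case shows the cost of strict mode: a host whose best route is via the DMZ but which legitimately arrives over the LAN summary is dropped, which is why strict checking needs an accurate routing table.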

Multipath routing and determining the best route

Multipath routing occurs when more than one entry to the same destination is present in the routing table. The FortiGate then has several possible next hops for an incoming packet and must decide which one is best.

Note that some IP addresses are rejected by routing protocols. These are called Martian addresses: addresses that are invalid or not routable on the Internet, typically because a misconfigured system assigned them or because they were spoofed.

Two ways to resolve multiple routes to the same destination manually are to lower the administrative distance of one route, or to set the priority of the routes. To make one route the primary (preferred) route, lower its administrative distance; the other route becomes a backup. Setting a priority is a FortiGate feature and may not be supported by routers that aren't Fortinet products.

Administrative distance expresses how much a route is trusted, based on its source. It's determined by how the route was learned (a directly connected interface, a static entry, or a particular routing protocol), not by the number of hops to the destination; hop count is a metric used within a protocol such as RIP. The configurable range is 1 to 255, with lower numbers preferred. A distance of 255 is treated as infinite and such a route won't be installed in the routing table.

Here's an example of how administrative distance works. If there are two possible routes between two destinations, with administrative distances of 5 (always up) and 31 (sometimes unavailable), traffic uses the route with distance 5. If for some reason the preferred route isn't available, the route with distance 31 is used as a backup.

Different routing protocols have different default administrative distances, reflecting factors such as how reliable each protocol's information is considered to be. You can change the administrative distance used for any of these protocols.

Default administrative distances for routing protocols and connections

    Routing protocol               Default administrative distance
    Direct physical connection     1
    Static                         10
    EBGP                           20
    OSPF                           110
    IS-IS                          115
    RIP                            120
    IBGP                           200

Another way to determine the best route is to set the priority of the routes in question. If two routes on the FortiGate have the same administrative distance, it isn't clear which one a packet will take. Manually configuring a priority for each of those routes makes it clear which next hop is used in the case of a tie. The priority for a route can be set in the CLI, or when editing a specific static route, as described in the next section. Routes with a lower priority value are preferred. Priority is a Fortinet value that may or may not be present in other brands of routers.

All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate compares the administrative distances of those entries first, selects the entries with the lowest distance, and installs them as routes in the FortiGate forwarding table. As a result, the forwarding table contains only the routes with the lowest distance to each possible destination. Administrative distance is the only selection value a static route carries; dynamic protocols such as RIP additionally use their own metrics to choose among routes learned by the same protocol.

Route priority

After a FortiGate selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. Priority is a Fortinet value that may or may not be present in other brands of routers.

You can configure the priority field through the CLI or the GUI. Priority values can range from 0 to 4 294 967 295. The route with the lowest value in the priority field is considered the best route. It's also the primary route.

To change the priority of a route - GUI:
  1. Go to Network > Static Routes.
  2. Select the route entry, and select Edit.
  3. Select Advanced Options.
  4. Enter the Priority value.
  5. Select OK.
To change the priority of a route - CLI:

The following command sets the priority to 5 for a route to 10.10.10.1 via gateway 10.10.10.10 on the port1 interface.

config router static
    edit 1
        set device port1
        set gateway 10.10.10.10
        set dst 10.10.10.1
        set priority 5
    next
end

If other routes to the same destination are set to priority 10, the route set to priority 5 is preferred. If other routes are set to priorities lower than 5, those routes are preferred instead.

In summary, because you can specify sequence numbers and priority values when defining static routes in the CLI, you can rank routes to the same destination by their priority values. For a static route to be the preferred one, create it with the config router static CLI command and give it a lower priority value than the alternatives. If two routes have the same administrative distance and the same priority, they are equal-cost multi-path (ECMP) routes.

With ECMP there's more than one installed route to the same destination, so it isn't obvious which one a packet will use. When ECMP load balancing is enabled, the FortiGate resolves this by spreading sessions across the equal routes, so different sessions to the same address can take different paths.

Use of firewall addresses for static route destinations

To help prevent false positives when scanning for duplicate static routes, the dst_addr field is also checked.

Removing RPF checks from the state evaluation process

You can remove RPF (reverse path forwarding) state checks without needing to enable asymmetric routing. You can disable state checks for traffic received on specific interfaces.

Disabling state checks makes a FortiGate less secure and should only be done with caution.

To remove RPF checks from the state evaluation process - CLI:

config system interface

edit <interface_name>

set src-check disable

next

end

Troubleshooting static routing

When there are problems with your network that you think are related to static routing, there are a few basic tools available to locate the problem. These tools include ping, traceroute, and examining the routing table contents.

Ping

Beyond the basic connectivity information, ping can tell you the amount of packet loss (if any), how long it takes the packet to make the round trip, and the variation in that time from packet to packet.

If there's no packet loss detected, your basic network connectivity is okay.

If there's some packet loss detected, you should investigate:

  • Possible ECMP, split horizon, network loops
  • Cabling to ensure no loose connections

If there's total packet loss, you should investigate:

  • Hardware: Ensure cabling is correct, and all equipment between the two locations is accounted for
  • Addresses and routes: Ensure all IP addresses and routing information along the route is configured as expected
  • Firewalls: Ensure all firewalls are set to allow PING to pass through
To ping from a Windows PC:
  1. Go to a DOS prompt. Typically you go to Start > Run, enter cmd and select OK.
  2. Enter ping 10.11.101.100 to ping the default internal interface of the FortiGate with four packets.
To ping from an Apple computer:
  1. Open the Terminal.
  2. Enter ping 10.11.101.100.
  3. If the ping fails, it will stop after a set number of attempts. If it succeeds, it will continue to ping repeatedly. Press Control+C to end the attempt and see gathered data.
To ping from a Linux PC:
  1. Go to a command line prompt.
  2. Enter “/bin/etc/ping 10.11.101.101”.

Traceroute

Where ping will only tell you if it reached its destination and came back successfully, traceroute will show each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, you can use traceroute to locate exactly where the problem is.

To use traceroute on a Windows PC:
  1. Go to a DOS prompt. Typically you go to Start > Run, enter “cmd” and select OK.
  2. Enter “tracert fortinet.com” to trace the route from the PC to the Fortinet website.
To use traceroute from an Apple computer:
  1. Open the Terminal.
  2. Enter traceroute fortinet.com.
  3. The terminal will list the number of steps made. Upon reaching the destination, it will list three asterisks per line. Press Control+C to end the attempt.
To use traceroute on a Linux PC:
  1. Go to a command line prompt.
  2. Enter “/bin/etc/traceroute fortinet.com”.
  3. The Linux traceroute output is very similar to the MS Windows traceroute output.

Examine routing table contents

The first place to look for information is the routing table.

The routing table is where all the currently used routes are stored for both static and dynamic protocols. If a route is in the routing table, it saves the time and resources of a lookup. If a route isn't used for a while and a new route needs to be added, the oldest least used route is bumped if the routing table is full. This ensures the most recently used routes stay in the table. Note that if a FortiGate is in transparent mode, you won't be able to perform this step.

If the FortiGate is running in NAT mode, verify that all desired routes are in the routing table: local subnets, default routes, specific static routes, and dynamic routing protocols.

To check the routing table in the GUI, use the Routing Monitor. Go to Monitor > Routing Monitor. In the CLI, use the get router info routing-table all command.

Adding or editing a static route

  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK.
    Destination

    Enter the destination IP address and netmask.

    A value of 0.0.0.0/0.0.0.0 is universal.

    Interface

    Select the name of the interface that the static route will connect through.

    Gateway Address

    Enter the gateway IP address.

    Administrative Distance

    Enter the distance value, which will affect which routes are selected first by different protocols for route management or load balancing. The default is 10.

    Advanced Options

    Optionally, expand Advanced Options and enter a Priority, which will artificially weight the route during route selection. The higher the priority number, the less likely the route is to be selected over other routes. The default is 0.

Enabling or disabling individual static routes

You can enable or disable individual static routes.

To configure IPv4 static routes - CLI:

config router static

edit <sequence number>

set status {enable | disable}

next

end

To configure IPv6 static routes - CLI:

config router static6

edit <sequence number>

set status {enable | disable}

next

end

Configuring FQDNs as a destination address in static routes

You can configure FQDN firewall addresses as destination addresses in a static route, using either the GUI or the CLI.

In the GUI, to add an FQDN firewall address to a static route in the firewall address configuration, enable the Static Route Configuration option. Then, when you configure the static route, set Destination to Named Address.

In the CLI, use the following CLI commands:

First, configure the firewall FQDN address:

config firewall address

edit 'Fortinet-Documentation-Website'

set type fqdn

set fqdn docs.fortinet.com

set allow-routing enable

next

end

Next, add the FQDN address to a static route.

config router static

edit 0

set dstaddr Fortinet-Documentation-Website

...

end

Routing table

When two computers are directly connected, there's no need for routing because each computer knows exactly where to find the other computer, and they communicate directly.

Networking computers allows many computers to communicate with each other. This requires each computer to have an IP address to identify its location to the other computers. This is much like a mailing address, where you won't receive your postal mail at home if you don't have an address for people to send mail to. The routing table on a computer is much like an address book used to mail letters to people, where the routing table maintains a list of how to reach computers. Routing tables may also include information about the quality of service (QoS) of the route, and the interface associated with the route if the device has multiple interfaces.

Looking at routing as delivering letters is more simple than reality. In reality, routers lose power or have bad cabling, network equipment is moved without warning, and other such events happen that prevent static routes from reaching their destinations. When any changes, such as these, happen along a static route, traffic can no longer reach the destination and the route goes down. Dynamic routing can address these changes to ensure that traffic still reaches its destination. The process of realizing there's a problem, backtracking, and finding a route that is operational, is called convergence. If there's fast convergence in a network, users won't even know that re-routing is taking place.

The routing table for any device on the network has a limited size. For this reason, routes that aren't used are replaced by new routes. This method ensures the routing table is always populated with the most current and most used routes, which are the routes that have the best chance of being reused. Another method that's used to maintain the routing table’s size is if a route in the table and a new route are to the same destination, one of the routes is selected as the best route to that destination and the other route is discarded.

Routing tables are also used in unicast reverse path forwarding (uRPF). In uRPF, the router not only looks up the destination information but it also looks up the source information to ensure that it exists. If there's no source to be found, that packet is dropped because the router assumes it's an error or an attack on the network.

Viewing the routing table

You can view the routing table in the FortiGate GUI. By default, all routes are displayed in the Routing Monitor list. The default static route is defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets.

To display the routes in the routing table, go to Monitor > Routing Monitor. Select Static & Dynamic to view the routes.

You can also monitor policy routes. Select Policy to list the active policy routes on the FortiGate and view information about them. The active policy routes include policy routes that you create, SD-WAN rules, and Internet service static routes. It also supports downstream devices in the Security Fabric.

The following figure shows an example of the static and dynamic routes in the Routing Monitor list:

The following figure shows an example of the policy routes in the Routing Monitor list:

Field

Description

IP Version

Shows whether the route is IPv4 or IPv6.

IPv6 routes are displayed only if IPv6 is enabled in the FortiGate GUI.

Type

The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP).

  • All: All routes recorded in the routing table
  • Connected: All routes associated with direct connections to FortiGate interfaces
  • Static: The static routes that have been added to the routing table manually
  • RIP: All routes learned through RIP. For more information, see RIP.
  • RIPNG: All routes learned through RIP version 6 (which enables the sharing of routes through IPv6 networks)
  • BGP: All routes learned through BGP. For more information, see BGP.
  • OSPF: All routes learned through OSPF. For more information, see OSPF.
  • OSPF6: All routes learned through OSPF version 6 (which enables the sharing of routes through IPv6 networks)
  • IS-IS: All routes learned through IS-IS. For more information, see IS-IS.
  • HA: RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster. HA routes are maintained on subordinate units and are visible only if you're viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster.

For more information about HA routing synchronization, see Synchronizing kernel routing tables.

Subtype

If applicable, the subtype classification assigned to OSPF routes.

An empty string implies an intra-area route. The destination is in an area that the FortiGate is connected to.

  • OSPF inter area: The destination is in the OSPF AS, but FortiGate isn't connected to that area.
  • External 1: The destination is outside the OSPF AS. This is known as OSPF E1 type. The metric of a redistributed route is calculated by adding the external cost and the OSPF cost together.
  • External 2: The destination is outside the OSPF AS. This is known as OSPF E2 type. In this case, the metric of the redistributed route is equivalent to the external cost only, expressed as an OSPF cost.
  • OSPF NSSA 1: Same as External 1, but the route was received through a not-so-stubby area (NSSA)
  • OSPF NSSA 2: Same as External 2, but the route was received through a not-so-stubby area

For more information about OSPF subtypes, see OSPF.

Network

The IP addresses and network masks of destination networks that the FortiGate can reach.

Gateway IP

The IP addresses of gateways to the destination networks.

Interfaces

The interface through which packets are forwarded to the gateway of the destination network.

Up Since

The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has been reachable.

Distance

The administrative distance associated with the route. A value of 0 means the route is preferable compared to other routes to the same destination, and the FortiGate may routinely use the route to communicate with neighboring routers and access servers.

Modifying this distance for dynamic routes is route distribution. See BGP.

Metric

The metric associated with the route type. The metric of a route influences how the FortiGate dynamically adds it to the routing table. The following are types of metrics and the protocols they are applied to:

Hop count: Routes learned through RIP

Relative cost: Routes learned through OSPF

Multi-Exit Discriminator (MED): Routes learned through BGP. However, several attributes in addition to MED determine the best path to a destination network. For more information about BGP attributes, see BGP. By default, the MED value associated with a BGP route is zero. However, the MED value can be modified dynamically. If the value was changed from the default, the Metric column displays a non-zero value.

This field isn't displayed when IP version 6 is selected.

Copying DSCP value in GRE tunnels

You can enable an option that copies the DSCP (Differentiated Services Code Point) value in GRE tunnels, so that a packet's DSCP marking is preserved after encapsulation when it passes through a GRE tunnel.

To enable DSCP copying - CLI:

config system gre-tunnel

edit <name>

set dscp-copying enable

next

end

Configuring the maximum number of IP route cache entries

To configure the maximum number of route cache entries - CLI:

config system global

set max-route-cache-size <number_of_cache_entries>

end

where <number_of_cache_entries> is in the range 0 to 2147483647.

Unsetting the field causes the value to be set to the kernel-calculated default:

config system global

unset max-route-cache-size

end

Viewing the routing table in the CLI

You can view the routing table in the CLI: either the configured static routes, as in the GUI, or the full routing table.

When you view the list of static routes using the get router static CLI command, the configured static routes are displayed. When you view the routing table using the get router info routing-table all CLI command, it's the entire routing table information that's displayed, including configured and learned routes of all types. The two commands show different information in different formats.

If VDOMs are enabled on the FortiGate, all routing-related CLI commands must be performed within a VDOM and not in the global context.

To view the routing table - CLI:

# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default

S* 0.0.0.0/0 [10/0] via 192.168.183.254, port2

S 1.0.0.0/8 [10/0] via 192.168.183.254, port2

S 2.0.0.0/8 [10/0] via 192.168.183.254, port2

C 10.142.0.0/23 is directly connected, port3

B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m

C 192.168.182.0/23 is directly connected, port2

Examining an entry:

B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m

Value

Description

B

BGP. The routing protocol used.

10.160.0.0/23

The destination of this route, including netmask.

[20/0]

20 indicates an administrative distance of 20 out of a range of 0 to 255.

0 is an additional metric associated with this route, such as in OSPF.

10.142.0.74

The gateway or next hop.

port3

The interface that the route uses.

2d18h02m

The age of the route (in this example, it's almost three days old).

To view the kernel routing table - CLI:

# get router info kernel

tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.0/24 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)

tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.20.120.0/24 pref=172.20.120.146 gwy=0.0.0.0 dev=6(internal)

The parts of the routing table entry are:

Value

Description

tab

Table number: This will be either 254 (unicast) or 255 (multicast).

vf

Virtual domain of the firewall: This is the VDOM index number. If VDOMs aren't enabled, this number is 0.

type

Type of routing connection: Valid values include:

0 - unspecific

1 - unicast

2 - local

3 - broadcast

4 - anycast

5 - multicast

6 - blackhole

7 - unreachable

8 - prohibited

proto

Type of installation: This indicates where the route came from. Valid values include:

0 - unspecific

2 - kernel

11 - ZebOS routing module

14 - FortiOS

15 - HA

16 - authentication based

17 - HA1

prio

Priority of the route. Lower values are preferred.

->10.11.201.0/24

(->x.x.x.x/mask)

The IP address and subnet mask of the destination

pref

Preferred next hop along this route

gwy

Gateway: The address of the gateway this route will use

dev

Outgoing interface index: This number is associated with the interface for this route. If VDOMs are enabled, the VDOM is also included here. If an interface alias is set for this interface, it is also displayed here.
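The kernel routing table lines above are easier to audit when parsed into fields and the numeric type and proto values are mapped to the names in the table. The following parser is an added example, not FortiOS code: it embeds the two sample lines shown above as its input, uses the value-to-name maps from the table, and keeps the text left of "->" raw because the table does not describe it.

```python
"""Added parser for "get router info kernel" lines, using the field
meanings from the table above. Not FortiOS code; the sample lines are the
two shown above, and the text left of "->" is kept raw because the table
does not describe it."""
import re
from dataclasses import dataclass
from typing import List

# Value-to-name maps copied from the table above.
ROUTE_TYPES = {0: "unspecific", 1: "unicast", 2: "local", 3: "broadcast",
               4: "anycast", 5: "multicast", 6: "blackhole",
               7: "unreachable", 8: "prohibited"}
ROUTE_PROTOS = {0: "unspecific", 2: "kernel", 11: "ZebOS routing module",
                14: "FortiOS", 15: "HA", 16: "authentication based", 17: "HA1"}


@dataclass
class KernelRoute:
    tab: int          # 254 unicast, 255 multicast
    vf: int           # VDOM index (0 when VDOMs are disabled)
    scope: int        # printed by the device but not described in the table
    type: int         # see ROUTE_TYPES
    proto: int        # see ROUTE_PROTOS
    prio: int         # lower is preferred
    selector: str     # text left of "->" (not described in the table)
    dst: str          # destination network and mask
    pref: str         # preferred next hop
    gwy: str          # gateway address
    dev_index: int    # outgoing interface index
    dev_name: str     # interface name (plus VDOM/alias when the device prints them)

    @property
    def type_name(self) -> str:
        return ROUTE_TYPES.get(self.type, f"unknown({self.type})")

    @property
    def proto_name(self) -> str:
        return ROUTE_PROTOS.get(self.proto, f"unknown({self.proto})")

    @property
    def is_unicast_table(self) -> bool:
        return self.tab == 254


_KV = re.compile(r"(\w+)=(\S+)")                      # key=value tokens
_DST = re.compile(r"(\S+)->(\d+\.\d+\.\d+\.\d+/\d+)")  # selector->dst/mask
_DEV = re.compile(r"^(\d+)\((.*)\)$")                  # 5(external1)


def parse_kernel_route(line: str) -> KernelRoute:
    """Parse one kernel routing table line; raises ValueError if malformed."""
    kv = dict(_KV.findall(line))
    dst_match = _DST.search(line)
    dev_match = _DEV.match(kv.get("dev", ""))
    required = ("tab", "vf", "scope", "type", "proto", "prio", "pref", "gwy")
    if dst_match is None or dev_match is None or any(k not in kv for k in required):
        raise ValueError(f"unrecognised kernel route line: {line!r}")
    return KernelRoute(
        tab=int(kv["tab"]), vf=int(kv["vf"]), scope=int(kv["scope"]),
        type=int(kv["type"]), proto=int(kv["proto"]), prio=int(kv["prio"]),
        selector=dst_match.group(1), dst=dst_match.group(2),
        pref=kv["pref"], gwy=kv["gwy"],
        dev_index=int(dev_match.group(1)), dev_name=dev_match.group(2),
    )


def parse_kernel_table(text: str) -> List[KernelRoute]:
    """Parse every 'tab=' line of the command output, skipping the prompt."""
    return [parse_kernel_route(ln) for ln in text.splitlines()
            if ln.strip().startswith("tab=")]


def describe(route: KernelRoute) -> str:
    """One-line human summary useful when auditing a routing table dump."""
    return (f"{route.dst} via {route.gwy} dev {route.dev_name} "
            f"[{route.type_name}, {route.proto_name}, prio {route.prio}]")


# The two lines shown above, embedded as sample input.
SAMPLE_KERNEL = """\
# get router info kernel
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.0/24 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.20.120.0/24 pref=172.20.120.146 gwy=0.0.0.0 dev=6(internal)
"""

if __name__ == "__main__":
    for r in parse_kernel_table(SAMPLE_KERNEL):
        print(describe(r))
```

Unknown type or proto values are reported as unknown(n) rather than dropped, so a dump containing a value outside the table is still visible when reviewing a device's routes.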

Searching the routing table

You can apply a filter to search the routing table and display only certain routes. For example, you can display one or more static routes, connected routes, routes learned through RIP, OSPF, or BGP, and routes associated with the network or gateway that you specify.

If you want to search the routing table by route type and further limit the display according to network or gateway, all of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed. An implicit AND condition is applied to all of the search parameters you specify.

For example, if the FortiGate is connected to network 172.16.14.0/24 and you want to display all directly connected routes to network 172.16.14.0/24, you must select Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter to display the associated routing table entry or entries. Any entry that contains the word “Connected” in its Type field and the specified value in the Network field will be displayed.

In this example, you will apply a filter to search for an entry for a static route to 10.10.10.10/24.

To search the routing table - GUI:
  1. Go to Monitor > Routing Monitor.
  2. From the Type list, select the type of route to display. In this example, select Static.
  3. If you want to display routes to a specific network, type the IP address and netmask of the network in the Network field. In this example, enter 10.10.10.10/24.
  4. If you want to display routes to a specific gateway, type the IP address of the gateway in the Gateway field.
  5. Select Apply Filter.

All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.

To search the routing table - CLI:

FGT # get router info routing-table details 10.10.10.10

Routing entry for 10.10.10.10/24

Known via "static", distance 10, metric 0, best

If there are multiple routes that match your filter, they will all be listed and the best match will be at the top of the list and indicated by the word "best".
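The output of get router info routing-table all (shown under "To view the routing table - CLI" above) and the implicit-AND search just described can both be handled by one small parser. The following is an added example, not FortiOS code: it embeds the page's own sample output as input, parses each entry into the fields explained in the "Examining an entry" table, applies a type/network/gateway filter in which every supplied criterion must match the same entry, lists the most specific match first (the CLI's "best"), and finishes with an added defensive check that flags candidate default routes whose next hop is not on an allow list.

```python
"""Added parser and filter for "get router info routing-table all" output.
Not FortiOS code; the sample text is the output shown on this page."""
import re
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Letters from the legend the command prints.
CODES = {"K": "kernel", "C": "connected", "S": "static", "R": "RIP", "B": "BGP",
         "O": "OSPF", "IA": "OSPF inter area", "N1": "OSPF NSSA external type 1",
         "N2": "OSPF NSSA external type 2", "E1": "OSPF external type 1",
         "E2": "OSPF external type 2", "i": "IS-IS", "L1": "IS-IS level-1",
         "L2": "IS-IS level-2", "ia": "IS-IS inter area"}


@dataclass
class Route:
    code: str                  # e.g. "S", "B", or "O IA" for a sub-coded OSPF route
    protocol: str              # expanded name from CODES
    candidate_default: bool    # the "*" after the code
    network: str               # destination with prefix length
    distance: Optional[int]    # administrative distance ([20/0] -> 20); None when connected
    metric: Optional[int]      # protocol metric ([20/0] -> 0); None when connected
    gateway: Optional[str]     # next hop; None for connected routes
    interface: str
    age: Optional[str]         # e.g. "2d18h02m"; only learned routes show it

    def contains(self, target: str) -> bool:
        """True if target (host or prefix) falls inside this route's network."""
        return ip_network(target, strict=False).subnet_of(ip_network(self.network))


# "B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m" and
# "C 10.142.0.0/23 is directly connected, port3"; the optional second
# token (IA, E1, ...) is an assumption for sub-coded OSPF/IS-IS lines.
_HEAD = (r"^(?P<code>[A-Za-z])(?P<star>\*?)(?:\s(?P<sub>IA|N1|N2|E1|E2|L1|L2|ia))?"
         r"\s+(?P<net>\d+\.\d+\.\d+\.\d+/\d+)\s+")
_VIA = re.compile(_HEAD + r"\[(?P<dist>\d+)/(?P<met>\d+)\]\s+via\s+(?P<gw>[^,\s]+),"
                 r"\s*(?P<iface>[^,\s]+)(?:,\s*(?P<age>\S+))?\s*$")
_CONN = re.compile(_HEAD + r"is directly connected,\s*(?P<iface>\S+)\s*$")


def parse_route(line: str) -> Optional[Route]:
    m = _VIA.match(line) or _CONN.match(line)
    if m is None:
        return None  # legend, prompt and blank lines are not routes
    g = m.groupdict()
    code = g["code"] + (" " + g["sub"] if g.get("sub") else "")
    return Route(
        code=code, protocol=CODES.get(g.get("sub") or g["code"], g["code"]),
        candidate_default=bool(g["star"]), network=g["net"],
        distance=int(g["dist"]) if g.get("dist") else None,
        metric=int(g["met"]) if g.get("met") else None,
        gateway=g.get("gw"), interface=g["iface"], age=g.get("age"),
    )


def parse_routing_table(text: str) -> List[Route]:
    return [r for r in map(parse_route, text.splitlines()) if r is not None]


def search(routes: List[Route], route_type: Optional[str] = None,
           network: Optional[str] = None, gateway: Optional[str] = None) -> List[Route]:
    """Implicit-AND filter like the Routing Monitor: every given criterion must
    match the same entry. The network criterion matches any route that contains
    it; the most specific match comes first, as the CLI marks it "best"."""
    out = []
    for r in routes:
        if route_type and route_type.lower() not in (r.code.lower(), r.protocol.lower()):
            continue
        if network and not r.contains(network):
            continue
        if gateway and r.gateway != gateway:
            continue
        out.append(r)
    return sorted(out, key=lambda r: (-ip_network(r.network).prefixlen, r.distance or 0))


def unexpected_default_routes(routes: List[Route], allowed_gateways) -> List[Route]:
    """Defensive check: candidate default routes whose next hop is not on the
    allow list, which is how an unplanned default route shows up in a dump."""
    return [r for r in routes if r.candidate_default and r.gateway not in allowed_gateways]


# Sample input: the output shown on this page.
SAMPLE_OUTPUT = """\
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.183.254, port2
S 1.0.0.0/8 [10/0] via 192.168.183.254, port2
S 2.0.0.0/8 [10/0] via 192.168.183.254, port2
C 10.142.0.0/23 is directly connected, port3
B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C 192.168.182.0/23 is directly connected, port2
"""

if __name__ == "__main__":
    routes = parse_routing_table(SAMPLE_OUTPUT)
    for r in search(routes, route_type="static", network="1.2.3.4"):
        print(r.network, r.gateway, r.interface)
```

The same filter semantics apply to both the GUI and the CLI search: a static route to 1.0.0.0/8 and the default route both contain 1.2.3.4, and the /8 is listed first because it is the more specific match.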

Building the routing table

In factory default configuration, the routing table on the FortiGate contains a single static default route. You can add routing information to the routing table by defining additional static routes.

It's possible that the routing table is faced with several different routes to the same destination - the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary. In this situation, the best route is selected from the table.

The FortiGate selects the best route for a packet by evaluating the information in the routing table. The best route to a destination is typically associated with the shortest distance between the FortiGate and the closest gateway, also known as a next-hop router. In some cases, the next best route may be selected if the best route is unavailable.

The FortiGate installs the best available routes in the forwarding table, which is a subset of the routing table. Packets are forwarded according to the information in the forwarding table.

Static routing security

Securing the information on your company network is a top priority for network administrators. Security is also required as the routing protocols used are internationally known standards that typically provide little or no inherent security by themselves.

The two reasons for securing your network are the sensitive and proprietary information on your network and also your external bandwidth. Hackers can steal not only your information, but they can also steal your bandwidth. Routing is a good low-level way to secure your network, even before UTM features are applied.

Routing provides security to your network in a number of ways including obscuring internal network addresses with NAT and blackhole routing, using RPF to validate traffic sources, and maintaining an access control list (ACL) to limit access to the network.

Network Address Translation

Network address translation (NAT) is a method of changing the address from which traffic appears to originate. This practice is used to hide the IP address on a company’s internal networks and helps prevent malicious attacks that use those specific addresses.

This is accomplished by the router connected to that local network changing all the IP addresses to its externally connected IP address before sending the traffic out to the other networks, such as the Internet. Incoming traffic uses the established sessions to determine which traffic goes to which internal IP address. This also has the benefit of requiring only the router to be very secure against external attacks, instead of the entire internal network, as would be the case without NAT. Securing the network is much cheaper and easier to maintain.

Configuring NAT on a FortiGate includes the following steps:

  1. Configure your internal network. For example, use the 10.11.101.0 subnet.
  2. Connect your internal subnet to an interface on the FortiGate. For example, use port1.
  3. Connect your external connection (for example, an ISP gateway of 172.20.120.2) to another interface on the FortiGate (for example, port2).
  4. Configure security policies to allow traffic between port1 and port2 on the FortiGate, ensuring that the NAT feature is enabled.

The above steps show that traffic from your internal network will originate on the 10.11.101.0 subnet and pass on to the 172.20.120.0 network. The FortiGate moves the traffic to the proper subnet. In doing that, the traffic appears to originate from the FortiGate interface on that subnet and it doesn't appear to originate from where it actually came from.

NAT “hides” the internal network from the external network. This provides security through obscurity. If a hacker tries to directly access your network, they will find the FortiGate, but they won't know about your internal network. The hacker would have to get past the security-hardened FortiGate to gain access to your internal network. NAT won't prevent hacking attempts that piggyback on valid connections between the internal network and the outside world. However, other UTM security measures can deal with these attempts.

Another security aspect of NAT is that many programs and services have problems with NAT. Consider if someone on the Internet tries to initiate a chat with someone on the internal network. The outsider can access only the external interface on the FortiGate, unless the security policy allows the traffic through to the internal network. If allowed in, the correct internal user would respond to the chat. However, if it's not allowed, the request to chat will be refused or it will time out. This is accomplished in the security policy by allowing or denying different protocols.

Access control list

An access control list (ACL) is a table of addresses that have permission to send and receive data over a router’s interface or interfaces. The router maintains an ACL, and when traffic comes in on a particular interface it's buffered while the router checks the ACL to see if that traffic is allowed over that port. If it's allowed on that incoming interface, the next step is to check the ACL for the destination interface. If the traffic also passes that check, the buffered traffic is delivered to its destination. If either of those steps fails the ACL check, the traffic is dropped and an error message may be sent to the sender. The ACL ensures that traffic follows expected paths and any unexpected traffic isn't delivered. This stops many network attacks. However, to be effective, the ACL must be kept up to date. When employees or computers are removed from the internal network, their IP addresses must also be removed from the ACL. For more information about the ACL, see router {access-list | access-list6}.

Blackhole routes

A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in Linux programming.

Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator won't discover any information from the target network.

Blackhole routes can also limit traffic on a subnet. If some subnet addresses aren't in use, traffic to those addresses, which may be valid or malicious, can be directed to a blackhole for added security and to reduce traffic on the subnet.

The loopback interface, which is a virtual interface that doesn't forward traffic, was added to allow easier configuration of blackhole routing. Compared to a regular interface, the loopback interface has fewer parameters to configure, and all traffic sent to it stops there. Since it can't have hardware connection or link status problems, it's always available, making it useful for other dynamic routing roles. Once configured, you can use a loopback interface in security policies, routing, and other places that refer to interfaces. You configure this feature only from the CLI. For more information, see system interface.

Configuring IPv6 blackhole routes

You can configure IPv6 blackhole routes. In the FortiGate GUI, select Network > Static Routes and select Create New. In the Interface field, choose Blackhole.

Blackhole static routing

System administrators use blackhole routing to divert unwanted traffic, such as packets from a Denial of Service (DoS) attack or communications from an illegal source. The traffic is routed to a dead interface, or a host designed to collect information for investigation. This mitigates the impact of the attack on the network.

To enable blackhole routing - CLI:

config router {static|static6}

edit <sequence number>

set blackhole enable

next

end

Blackhole route priority

You can add a priority to a blackhole route to change its position relative to kernel routes in the routing table.

To add a blackhole route with a priority - CLI:

config router static

edit <sequence number>

set blackhole enable

set priority 200

next

end

Static routes and VRFs

You can configure static route support for multiple virtual routing and forwarding (VRF) instances on a FortiGate.

To add VRFs for blackhole routes - CLI:

config router static

edit <sequence-number>

set vrf <VRF-ID>

next

end

where vrf is a value of 0 to 31. FortiOS supports 32 VRFs (numbered 0 to 31) per VDOM.

Reverse path lookup

Whenever a packet arrives at one of the interfaces on the FortiGate, the FortiGate determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. This is also called anti-spoofing. If the FortiGate can't communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate drops the packet as it's likely a hacking attempt.

If the destination address can be matched to a local address, and the local configuration permits delivery, the FortiGate delivers the packet to the local network. If the packet is destined for another network, the FortiGate forwards the packet to a next-hop router according to a policy route and the information stored in the FortiGate forwarding table.

Multipath routing and determining the best route

Multipath routing occurs when more than one entry to the same destination is present in the routing table. When multipath routing happens, the FortiGate may have several possible destinations for an incoming packet, forcing the FortiGate to decide which next-hop is the best one.

It should be noted that some IP addresses will be rejected by routing protocols. These are called Martian addresses. They are typically IP addresses that are invalid and not routable because they have been assigned an address by a misconfigured system, or are spoofed addresses.

Two methods to manually resolve multiple routes to the same destination are to lower the administrative distance of one route or to set the priority of both routes. For the FortiGate to select a primary (preferred) route, manually lower the administrative distance associated with one of the possible routes. Setting the priority on the routes is a FortiGate feature and may not be supported by routers that aren't Fortinet products.

Administrative distance is based on the expected reliability of a given route. It's determined through a combination of the number of hops from the source and the protocol used. A hop is when traffic moves from one router to the next. More hops from the source means more possible points of failure. The administrative distance can be in the range of 1 to 255, with lower numbers being preferred. A distance of 255 is seen as infinite and won't be installed in the routing table.

Here's an example to illustrate how administrative distance works. If there are two possible routes traffic can take between two destinations, with administrative distances of 5 (always up) and 31 (sometimes not available), the traffic will use the route with an administrative distance of 5. If for some reason the preferred route (administrative distance of 5) isn't available, the other route will be used as a backup.

Different routing protocols have different default administrative distances. These different administrative distances are based on a number of factors of each protocol such as reliability, speed, and so on. You can configure the default administrative distances for any of these routing protocols.

Default administrative distances for routing protocols and connections

Routing protocol              Default administrative distance
Direct physical connection    1
Static                        10
EBGP                          20
OSPF                          110
IS-IS                         115
RIP                           120
IBGP                          200

Another method to determine the best route is to manually change the priority of both routes in question. If the administrative distances of two routes on the FortiGate are equal, it may not be clear which route the packet will take. Manually configuring the priority for each of those routes makes it clear which next-hop will be used in the case of a tie. The priority for a route can be set in the CLI, or when editing a specific static route, as described in the next section. Routes with lower priority values are preferred. Priority is a Fortinet value that may or may not be present in other brands of routers.

All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate compares the administrative distances of those entries first, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate forwarding table contains only those routes that have the lowest distances to every possible destination. While only static routing uses administrative distance as its routing metric, other routing protocols, such as RIP, can use metrics that are similar to administrative distance.

Route priority

After a FortiGate selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. Priority is a Fortinet value that may or may not be present in other brands of routers.

You can configure the priority field through the CLI or the GUI. Priority values can range from 0 to 4,294,967,295. The route with the lowest value in the priority field is considered the best route. It's also the primary route.

To change the priority of a route - GUI:
  1. Go to Network > Static Routes.
  2. Select the route entry, and select Edit.
  3. Select Advanced Options.
  4. Enter the Priority value.
  5. Select OK.

To change the priority of a route - CLI:

The following command changes the priority to 5 for a route to the address 10.10.10.1 on the port1 interface.

config router static
    edit 1
        set device port1
        set gateway 10.10.10.10
        set dst 10.10.10.1
        set priority 5
    next
end

If there are other routes set to priority 10, the route set to priority 5 will be preferred. If there are routes set to priorities less than 5, those other routes will be preferred instead.

In summary, because the CLI lets you specify the sequence number and priority field of each static route you define, you can rank routes to the same destination by their priority values. For a static route to be the preferred route, create it with the config router static CLI command and give it a low priority value. If two routes have the same administrative distance and the same priority, they are equal-cost multi-path (ECMP) routes.

Because ECMP means there is more than one route to the same destination, it may not be obvious which route or routes will be installed and used. However, if you have enabled load balancing with ECMP routes, different sessions will resolve this by using different routes to the same address.
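As an added example that is not part of the handbook, the following Python model shows how the pieces described on this page fit together: the reverse path lookup from the earlier section, installing only the routes with the lowest administrative distance, choosing among them by priority value, treating a distance and priority tie as ECMP, and dropping traffic that matches a blackhole route. The prefixes and interface names are constructed, and the selection rules are a simplification written for illustration, not FortiOS code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    dst: str                # destination prefix, e.g. "10.10.0.0/16"
    device: str             # egress interface ("" for a blackhole route)
    distance: int = 10      # administrative distance; the page's static default is 10
    priority: int = 0       # FortiGate priority field; the lowest value wins a distance tie
    blackhole: bool = False

def forwarding_table(routing_table):
    """Install only the lowest-distance route(s) per prefix; distance 255 is never installed."""
    fib = {}
    for r in [x for x in routing_table if x.distance < 255]:  # 255 means infinite
        cur = fib.get(r.dst, [])
        if cur and cur[0].distance < r.distance:
            continue
        fib[r.dst] = [x for x in cur if x.distance == r.distance] + [r]
    return fib

def lookup(fib, ip):
    """Longest-prefix match, then lowest priority value; several survivors are ECMP routes."""
    addr = ip_address(ip)
    matches = [(ip_network(p).prefixlen, rs) for p, rs in fib.items() if addr in ip_network(p)]
    _, routes = max(matches, key=lambda m: m[0], default=(-1, []))
    lowest = min((r.priority for r in routes), default=0)
    return [r for r in routes if r.priority == lowest]

def rpf_check(fib, src_ip, ingress):  # reverse path lookup (anti-spoofing)
    return any(r.device == ingress for r in lookup(fib, src_ip))

def forward(fib, src_ip, dst_ip, ingress):
    """Anti-spoofing check first, then destination lookup with blackhole and ECMP handling."""
    if not rpf_check(fib, src_ip, ingress):
        return "drop: reverse path check failed"
    routes = lookup(fib, dst_ip)
    if not routes or any(r.blackhole for r in routes):
        return "drop: blackhole" if routes else "drop: no route"
    devices = sorted(r.device for r in routes)
    return ("ecmp via " if len(devices) > 1 else "forward via ") + ",".join(devices)

ROUTES = [  # constructed sample routing table: hypothetical prefixes and interfaces, not from the page
    Route("0.0.0.0/0", "wan1", priority=0),
    Route("0.0.0.0/0", "wan2", priority=5),                # backup default route
    Route("10.10.0.0/16", "port1"),
    Route("10.10.0.0/16", "port2"),                        # same distance and priority: ECMP
    Route("10.10.0.0/16", "port3", distance=20),           # higher distance: not installed
    Route("192.0.2.0/24", "", blackhole=True),             # set blackhole enable
    Route("172.16.0.0/12", "port5", distance=255),         # infinite distance: not installed
]
FIB = forwarding_table(ROUTES)
```

A packet from 10.10.1.1 arriving on wan1 fails the reverse path check because the FortiGate would reach that source through port1 or port2, which is the anti-spoofing behaviour described above.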

Use of firewall addresses for static route destinations

To help prevent false positives when scanning for duplicate static routes, the dst_addr field is also checked.

Removing RPF checks from the state evaluation process

You can remove RPF (reverse path forwarding) state checks without needing to enable asymmetric routing. You can disable state checks for traffic received on specific interfaces.

Disabling state checks makes a FortiGate less secure and should only be done with caution.

To remove RPF checks from the state evaluation process - CLI:

config system interface
    edit <interface_name>
        set src-check disable
    next
end

Troubleshooting static routing

When there are problems with your network that you think are related to static routing, there are a few basic tools available to locate the problem. These tools include ping, traceroute, and examining routing table contents.

Ping

Beyond the basic connectivity information, ping can tell you the amount of packet loss (if any), how long it takes the packet to make the round trip, and the variation in that time from packet to packet.

If there's no packet loss detected, your basic network connectivity is okay.

If there's some packet loss detected, you should investigate:

  • Possible ECMP, split horizon, network loops
  • Cabling to ensure no loose connections

If there's total packet loss, you should investigate:

  • Hardware: Ensure cabling is correct, and all equipment between the two locations is accounted for
  • Addresses and routes: Ensure all IP addresses and routing information along the route is configured as expected
  • Firewalls: Ensure all firewalls are set to allow PING to pass through

To ping from a Windows PC:
  1. Go to a DOS prompt. Typically you go to Start > Run, enter cmd and select OK.
  2. Enter ping 10.11.101.100 to ping the default internal interface of the FortiGate with four packets.

To ping from an Apple computer:
  1. Open the Terminal.
  2. Enter ping 10.11.101.100.
  3. If the ping fails, it will stop after a set number of attempts. If it succeeds, it will continue to ping repeatedly. Press Control+C to end the attempt and see the gathered data.

To ping from a Linux PC:
  1. Go to a command line prompt.
  2. Enter ping 10.11.101.101.

Traceroute

Where ping will only tell you if it reached its destination and came back successfully, traceroute will show each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, you can use traceroute to locate exactly where the problem is.

To use traceroute on a Windows PC:
  1. Go to a DOS prompt. Typically you go to Start > Run, enter cmd and select OK.
  2. Enter tracert fortinet.com to trace the route from the PC to the Fortinet website.

To use traceroute from an Apple computer:
  1. Open the Terminal.
  2. Enter traceroute fortinet.com.
  3. The terminal will list the number of steps made. Upon reaching the destination, it will list three asterisks per line. Press Control+C to end the attempt.

To use traceroute on a Linux PC:
  1. Go to a command line prompt.
  2. Enter traceroute fortinet.com.
  3. The Linux traceroute output is very similar to the MS Windows tracert output.

Examine routing table contents

The first place to look for information is the routing table.

The routing table is where all the currently used routes are stored for both static and dynamic protocols. If a route is in the routing table, it saves the time and resources of a lookup. If a route isn't used for a while and a new route needs to be added, the oldest least used route is bumped if the routing table is full. This ensures the most recently used routes stay in the table. Note that if a FortiGate is in transparent mode, you won't be able to perform this step.

If the FortiGate is running in NAT mode, verify that all desired routes are in the routing table: local subnets, default routes, specific static routes, and dynamic routing protocols.

To check the routing table in the GUI, use the Routing Monitor. Go to Monitor > Routing Monitor. In the CLI, use the get router info routing-table all command.