rmetzger
Staff
March 15, 2010

Technical Tip: Routing behavior depending on distance and priority for static routes, and Policy Based Routes


Description


This article explains how the FortiGate routes traffic when two static default routes are configured with various combinations of administrative distance and priority, and whether a Policy Based Route is present.


Network scenario used for this example:

                     [        FortiGate        ]
[ PC ] -- LAN ------ [ switch           port16 ] --- ISP1 (192.168.182.0/23)
(10.160.0.0/16)      [                  port13 ] --- ISP2 (172.31.224.0/23)



Note: the "priority" parameter is used to make a route preferred, or in situations where a static route needs to be active in the routing table in order to accept the reverse flow of traffic going out and pass the RPF check (Reverse Path Forwarding, also called anti-spoofing). Please check the related articles at the bottom for more details.


Preferences:

  • Priority preference: The lowest value is preferred for the routing table.
  • Distance preference: The lowest value is preferred for the routing table.


Scope

  • All FortiGate models.
  • FortiOS 4.1 and above.
  • NAT mode only.


Solution


Scenario 1: same distance, same priority.


Configuration example:

config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
    next
    edit 2
        set device "port13"
        set gateway 172.31.225.254
    next
end


The routing table contains the two static routes, both with the default distance of 10, and ECMP will be applied (see the related article about ECMP at the bottom of this article):

FGT# get router info routing-table static

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port13
                  [10/0] via 192.168.183.254, port16


Verify the traffic egress interface on a ping from the PC to 10.70.202.225 with a sniffer trace:

FGT# diagnose sniffer packet any "icmp" 4

6.748817 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
6.748858 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request


Scenario 2: different distance, same priority.


Configuration example:


config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
    next
    edit 2
        set device "port13"
        set distance 5
        set gateway 172.31.225.254
    next
end

The routing table contains only the active static route with the lowest distance of 5. The other route, with the default static-route distance of 10, is inactive and is not shown in the routing table:

FGT# get router info routing-table static

S*      0.0.0.0/0 [5/0] via 172.31.225.254, port13


Scenario 3: same distance, different priority.


Configuration example:

config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
        set priority 2
    next
    edit 2
        set device "port13"
        set gateway 172.31.225.254
        set priority 5
    next
end


The routing table contains the two static routes, both with the default administrative distance of 10, but only the one with the lowest priority (port16) is preferred to route traffic out.

FGT# get router info routing-table static

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port16, [2/0]
                  [10/0] via 172.31.225.254, port13, [5/0]


Verify the traffic egress interface on a ping from the PC to 10.70.202.225 with a sniffer trace:

FGT# diagnose sniffer packet any "icmp" 4

3.518463 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
3.518481 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request


Scenario 4: same distance, same priority, policy-based route.


The goal is to route all HTTP traffic over port13.

Configuration example:

config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
    next
    edit 2
        set device "port13"
        set gateway 172.31.225.254
    next
end


config router policy
    edit 1
        set input-device "switch"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "port13"
    next
end


Note: No gateway is defined in the Policy Based Route above. In this case the FortiGate looks up the best route in the routing table that egresses on port13.

The routing table contains the two static routes and ECMP is applied, except for traffic matching the Policy Based Route, which is routed on port13:

FGT# get router info routing-table static

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port13
                  [10/0] via 192.168.183.254, port16


Verify the egress interface on a ping and HTTP from the PC to 10.70.202.225 with a sniffer trace:

FGT# diagnose sniffer packet any "icmp or port 80" 4

8.488361 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
8.488409 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request
19.346273 switch in 10.160.0.93.4090 -> 10.70.202.225.80: syn 3171174784
19.346326 port13 out 172.31.224.200.53106 -> 10.70.202.225.80: syn 3171174784


Scenario 5: Same distance, different priority, policy-based route.


The goal is to verify that all HTTP traffic is routed over port13 even though the static route priority on this interface is less preferred than on port16.

Configuration example:


config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
        set priority 2
    next
    edit 2
        set device "port13"
        set gateway 172.31.225.254
        set priority 5
    next
end


config router policy
    edit 1
        set input-device "switch"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "port13"
    next
end


Note: No gateway is defined in the Policy Based Route above. In this case the FortiGate looks up the best route in the routing table that egresses on port13.

The routing table contains the two static routes, but only the one with the lowest priority (port16) is used for routing traffic, except for traffic matching the Policy Based Route, which is routed over port13:

FGT# get router info routing-table static

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port16, [2/0]
                  [10/0] via 172.31.225.254, port13, [5/0]


Verify the egress interface on ping and HTTP from the PC to 10.70.202.225 with a sniffer trace:

FG200B3909600137 # diagnose  sniffer packet  any "icmp or port 80" 4

8.412794 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
8.412839 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request
14.282070 switch in 10.160.0.93.4102 -> 10.70.202.225.80: syn 4033500215
14.290198 port13 out 172.31.224.200.28814 -> 10.70.202.225.80: syn 4033500215


Note: The routes which are present but inactive due to a higher administrative distance can be checked with the command 'get router info routing-table database'.
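The selection rules exercised by the five scenarios (administrative distance decides which routes are active in the routing table, priority decides which active route is preferred, equal priority gives ECMP, and a Policy Based Route without a gateway falls back to the routing table entry on its output-device) can be modelled in a few lines. The Python below is an added example written for this article; it is not FortiOS code and not part of the original tip. The classes `StaticRoute`, `PolicyRoute` and `Packet`, the functions `routing_table`, `inactive_routes`, `candidates`, `egress` and `run_scenario`, and the treatment of ECMP as a set of candidate interfaces (FortiOS picks one of them per session, port16 in the sniffer traces above) are all assumptions of the model. With the scenario configurations from this article it reproduces the egress interface observed in each case.

```python
"""Model of FortiGate static-route selection: distance, priority, ECMP, PBR.

Added example, not FortiOS code. Assumptions: ECMP is returned as the set of
candidate egress interfaces; a policy route with no gateway is resolved
against the routing table restricted to its output-device.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    device: str
    gateway: str
    dst: str = "0.0.0.0/0"
    distance: int = 10   # FortiOS default administrative distance for static routes
    priority: int = 0    # FortiOS default priority; lower is preferred


@dataclass(frozen=True)
class PolicyRoute:
    input_device: str
    protocol: int        # 0 = any (assumption), 6 = TCP
    start_port: int
    end_port: int
    output_device: str
    gateway: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    input_device: str
    dst: str
    protocol: int        # 1 = ICMP, 6 = TCP
    dport: int = 0


def routing_table(routes):
    """Active routes: per prefix, only the lowest administrative distance
    survives. Higher-distance routes stay in the database but are inactive."""
    best = {}
    for r in routes:
        best[r.dst] = min(best.get(r.dst, r.distance), r.distance)
    return [r for r in routes if r.distance == best[r.dst]]


def inactive_routes(routes):
    """Routes present in the database but absent from the routing table."""
    active = set(routing_table(routes))
    return [r for r in routes if r not in active]


def candidates(routes, dst, device=None):
    """Longest-prefix match among active routes (optionally restricted to one
    egress device), then lowest priority. Several survivors = ECMP candidates."""
    dst_ip = ip_address(dst)
    matches = [r for r in routing_table(routes)
               if dst_ip in ip_network(r.dst)
               and (device is None or r.device == device)]
    if not matches:
        return []
    longest = max(ip_network(r.dst).prefixlen for r in matches)
    matches = [r for r in matches if ip_network(r.dst).prefixlen == longest]
    lowest = min(r.priority for r in matches)
    return [r for r in matches if r.priority == lowest]


def egress(routes, policies, pkt):
    """Return the set of interfaces the packet may leave on. Policy routes are
    checked first, in order; the routing table is used when none matches."""
    for p in policies:
        if (p.input_device == pkt.input_device
                and p.protocol in (0, pkt.protocol)
                and p.start_port <= pkt.dport <= p.end_port):
            if p.gateway:
                return {p.output_device}
            # No gateway on the policy route: best route leaving on output-device.
            return {r.device for r in candidates(routes, pkt.dst, p.output_device)}
    return {r.device for r in candidates(routes, pkt.dst)}


# Scenario data taken from the article's configuration examples.
PORT16 = dict(device="port16", gateway="192.168.183.254")
PORT13 = dict(device="port13", gateway="172.31.225.254")
HTTP_PBR = PolicyRoute("switch", 6, 80, 80, "port13")
PING = Packet("switch", "10.70.202.225", protocol=1)
HTTP = Packet("switch", "10.70.202.225", protocol=6, dport=80)

SCENARIOS = {
    1: ([StaticRoute(**PORT16), StaticRoute(**PORT13)], []),
    2: ([StaticRoute(**PORT16), StaticRoute(**PORT13, distance=5)], []),
    3: ([StaticRoute(**PORT16, priority=2), StaticRoute(**PORT13, priority=5)], []),
    4: ([StaticRoute(**PORT16), StaticRoute(**PORT13)], [HTTP_PBR]),
    5: ([StaticRoute(**PORT16, priority=2), StaticRoute(**PORT13, priority=5)], [HTTP_PBR]),
}


def run_scenario(n, pkt):
    routes, policies = SCENARIOS[n]
    return egress(routes, policies, pkt)


if __name__ == "__main__":
    for n in SCENARIOS:
        print(f"scenario {n}: ping -> {sorted(run_scenario(n, PING))}, "
              f"http -> {sorted(run_scenario(n, HTTP))}")
```

Scenarios 1 and 4 return both interfaces for the ping because the two routes are equal-cost; the sniffer traces in the article show the session that FortiOS actually hashed onto port16. `inactive_routes(SCENARIOS[2][0])` returns the port16 route, which is what 'get router info routing-table database' would list alongside the active port13 route.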


Related articles:

Technical Tip: How to create a static route on FortiGate from the GUI Interface 

Technical Tip: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing

Technical Tip: Setting priority on static default routes to create a primary (preferred) and a secondary path

Technical Tip: Configuring link redundancy - Traffic load-balancing / load-sharing - ECMP (Equal Cost Multiple Path) - Dual Internet or WAN scenario

Technical Tip: Redundant Internet connection without load-balancing