ppatel, Staff
Article Id 193411

Description

This article describes how to manually delete routes from the kernel routing table, which is occasionally necessary. As a brief primer:

  • The kernel routing table (aka the Forwarding Information Base or FIB) is what is used to make forwarding decisions for packets routed through the FortiGate.
  • The kernel routing table receives routes from a variety of sources, such as the kernel itself (e.g. connected interfaces) or the ZebOS routing daemon (static routes, BGP routes, etc).
  • Kernel routes are generally added/removed automatically based on the upstream sources (e.g. adding a static route in the FortiOS config, receiving/withdrawing BGP routes, etc.), but on rare occasions, it is possible for the upstream change not to be reflected in the kernel routes. In those scenarios, it may be necessary to manually delete these kernel routes.
    • Note that it is generally not possible to delete kernel routes that are still active in the upstream source (i.e. you will be unable to remove a kernel route based on a static route if the static route config is still present in FortiOS).
    • You can add routes directly to the kernel with diag ip route add [...], and you can also delete those added routes freely since they are standalone within the kernel. However, be aware that these routes will only appear in the kernel routing table and not the regular FortiOS routing table (get router info routing-table all), so adding routes in this way may cause confusion when troubleshooting.
  • Refer to the FortiOS Admin Guide for additional information regarding the kernel routing table: https://docs.fortinet.com/document/fortigate/latest/administration-guide/139692/routing-concepts#Ker...

This example shows a route that was previously learned via BGP and is now preferred via the 'add-route' feature of IPsec dial-up. The original article colorized this output to match the later Solution section; here, the second entry (proto=18, prio=268435456, gwy=10.9.8.7, dev=internal-dc) is the BGP-learned route that the Solution section deletes.

get router info kernel | grep 10.8.8.0
tab=254 vf=7 scope=0 type=1 proto=11 prio=100 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=30033(remote-dc-vpn)
tab=254 vf=7 scope=0 type=1 proto=18 prio=268435456 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=10.9.8.7 dev=87(internal-dc)

Scope

FortiGate.

Solution

To delete the route, use the following command: diagnose ip route delete <interface name> <IP address> <subnet mask> <gateway> <distance> <priority> <vf number; optional>.

Example:

diagnose ip route delete internal-dc 10.8.8.0 255.255.255.0 10.9.8.7 20 268435456

Note:

The command output from get router info kernel and diagnose ip route list does not show the (administrative) distance value. However, the distance can be checked in the routing table with get router info routing-table all, or with get router info routing-table details <destination IP address>.

Example:

FortiGate # get router info routing-table details 123.0.0.1

Routing table for VRF=0
Routing entry for 123.0.0.1/32
  Known via "static", distance 10, metric 0, best
  * vrf 0 10.15.64.103, via Management

FortiGate # get router info routing-table all | grep 123.0.0
S 123.0.0.1/32 [10/0] via 10.15.64.103, Management, [1/0]

For reference, the default administrative distance values per route protocol/type are:

  • Directly connected: 0
  • Static routes: 10
  • EBGP routes: 20
  • OSPF routes: 110
  • RIP routes: 120
  • IBGP routes: 200

In the case of SSL VPN, client source IP routes are added directly to the kernel and are not visible in the FortiOS routing table.

SSL VPN source IP routes are directly connected routes, so a distance value of 0 must be used when forcibly deleting an SSL VPN source IP route from the FortiOS kernel. Without the distance value, the command will fail.
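As an added example that is not part of the article or Fortinet's code, the following Python script ties the outputs above together: it parses the get router info kernel line format, reads the administrative distance from a get router info routing-table details block (since the kernel output carries no distance), and assembles the diagnose ip route delete command for the chosen entry using the default distance table (including distance 0 for directly connected routes such as SSL VPN source IPs). The regular expressions, the DEFAULT_DISTANCE table and the find_routes/delete_command helpers are this example's own assumptions, and the sample outputs are constructed from the entries shown in the article.

```python
"""Parse FortiOS kernel-route lines and build the matching delete command.

Added example for this article; it is not Fortinet code.  The regular
expressions, the DEFAULT_DISTANCE table and all sample output below are
assumptions, constructed from the entries shown in the article.
"""
import ipaddress
import re

# Default administrative distances per route type, as listed in the article.
DEFAULT_DISTANCE = {
    "connected": 0,   # also the distance to use for SSL VPN source IP routes
    "static": 10,
    "ebgp": 20,
    "ospf": 110,
    "rip": 120,
    "ibgp": 200,
}

# Constructed sample: the two kernel entries for 10.8.8.0/24 from the article.
SAMPLE_KERNEL_OUTPUT = """\
tab=254 vf=7 scope=0 type=1 proto=11 prio=100 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=30033(remote-dc-vpn)
tab=254 vf=7 scope=0 type=1 proto=18 prio=268435456 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=10.9.8.7 dev=87(internal-dc)
"""

# Constructed sample: 'get router info routing-table details' output from the article.
SAMPLE_DETAILS_OUTPUT = """\
Routing table for VRF=0
Routing entry for 123.0.0.1/32
  Known via "static", distance 10, metric 0, best
  * vrf 0 10.15.64.103, via Management
"""

# One kernel line: key=value fields, a source->destination pair, then dev=<index>(<name>).
KERNEL_LINE = re.compile(
    r"tab=(?P<tab>\d+) vf=(?P<vf>\d+) scope=(?P<scope>\d+) type=(?P<type>\d+) "
    r"proto=(?P<proto>\d+) prio=(?P<prio>\d+) "
    r"(?P<src>[\d.]+/[\d.]+/\d+)->(?P<dst>[\d.]+/\d+) "
    r"pref=(?P<pref>[\d.]+) gwy=(?P<gwy>[\d.]+) dev=(?P<ifindex>\d+)\((?P<dev>[^)]+)\)"
)

DETAILS_LINE = re.compile(r'Known via "(?P<proto>[^"]+)", distance (?P<distance>\d+)')


def parse_kernel_routes(text):
    """Return one dict per parsable kernel-route line; numeric fields become ints."""
    routes = []
    for line in text.splitlines():
        m = KERNEL_LINE.match(line.strip())
        if not m:
            continue  # headers or lines in another format are skipped
        route = m.groupdict()
        for key in ("tab", "vf", "scope", "type", "proto", "prio", "ifindex"):
            route[key] = int(route[key])
        route["network"] = ipaddress.ip_network(route["dst"])
        routes.append(route)
    return routes


def parse_distance(details_text):
    """Extract (protocol, distance) from 'get router info routing-table details'.

    The kernel output carries no distance, so this is where it has to come from.
    """
    m = DETAILS_LINE.search(details_text)
    if not m:
        return None
    return m.group("proto"), int(m.group("distance"))


def find_routes(routes, destination, gateway=None):
    """Select kernel entries for a destination network, optionally by gateway."""
    net = ipaddress.ip_network(destination)
    return [r for r in routes
            if r["network"] == net and (gateway is None or r["gwy"] == gateway)]


def delete_command(route, distance, include_vf=False):
    """Build 'diagnose ip route delete <iface> <ip> <mask> <gw> <distance> <prio> [vf]'."""
    net = route["network"]
    parts = ["diagnose", "ip", "route", "delete", route["dev"],
             str(net.network_address), str(net.netmask), route["gwy"],
             str(distance), str(route["prio"])]
    if include_vf:  # the vf number is optional in the command
        parts.append(str(route["vf"]))
    return " ".join(parts)


if __name__ == "__main__":
    routes = parse_kernel_routes(SAMPLE_KERNEL_OUTPUT)
    bgp = find_routes(routes, "10.8.8.0/24", gateway="10.9.8.7")[0]
    # Prints the same command the article uses in its Solution section.
    print(delete_command(bgp, DEFAULT_DISTANCE["ebgp"]))
    print(parse_distance(SAMPLE_DETAILS_OUTPUT))
```

The gateway filter in find_routes matters because both kernel entries share the destination 10.8.8.0/24; only the gateway, interface and priority distinguish the BGP entry from the IPsec add-route entry, and those are exactly the values the delete command needs.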