FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 207197


Description This article talks about how routing works in FortiGate firewall.
Scope Fortios 5.6 and above.

There are several ways to configure routing in FortiGate:


1) Policy route.

2) ISDB route.

3) SD-WAN route.

4) Static route.

5) Dynamic route (BGP, OSPF).


Policy Route.


Policy routes set to the action Forward Traffic have precedence over static and dynamic routes.

So, if a packet matches the policy route, FortiGate bypasses any routing table lookup. 

Policy routes are maintained in a separate routing table by FortiGate, and have precedence over the regular routing table.


Remember, for a policy route to forward traffic out a specific interface, there should be an active route for that destination using that interface in the routing table.

Otherwise the policy route will not work


ISDB Route.


ISDB routes are configured as static routes. However, they are actually policy routes and take precedence over any other routes in the routing table. As such, ISDB routes are added to the policy routing table and can be checked via:

# diagnose firewall proute lis


SDWAN Route .


SD-WAN rules allow to specify which traffic you want to route through which interface.

It is possible to configure the SD-WAN rules to choose the egress interface based on a link’s latency, jitter, or packet loss percentage that you configured under Performance SLA, SLA Targets. 


If there is a policy route configured for some traffic dedicated to one WAN interface and SD-WAN for another WAN interface, the traffic will go through the policy route ideally.


Regarding the use of SD-WAN routes, make sure to remove the static route pertaining to the dedicated WAN links and also do not forget to remove the references of those WAN links.


A New SD-WAN route should be created with the interface as a virtual WAN link.


Static Route.


When a static route is configured, this means to tell to FortiGate, 'When  a packet is visible whose destination is within a specific range, send it through a specific network interface, towards a specific router.'


It is also possible to configure the distance and priority so that FortiGate can identify the best route to any destination matching multiple routes.


Dynamic Route.


For large networks, manually configuring hundreds of static routes may not be practical.

FortiGate can help, by learning routes automatically. FortiGate supports several dynamic routing protocols:


- RIP.


- BGP.

- IS-IS.


In dynamic routing, FortiGate communicates with nearby routers to discover their paths, and to advertise its own directly connected subnets.

Discovered paths are automatically added to FortiGate’s routing table. So verify that the neighbor routers are trusted and secured.


Related article: