Description | This article describes how routing works on a FortiGate firewall. |
Scope | FortiOS 5.6 and above. |
Solution |
There are several ways to configure routing in FortiGate:
1) Policy route.
2) ISDB route.
3) SD-WAN route.
4) Static route.
5) Dynamic route (BGP, OSPF).
Policy Route.
Policy routes set to the action Forward Traffic have precedence over static and dynamic routes. So, if a packet matches the policy route, FortiGate bypasses any routing table lookup. Policy routes are maintained in a separate routing table by FortiGate, and have precedence over the regular routing table.
Remember, for a policy route to forward traffic out a specific interface, there should be an active route for that destination using that interface in the routing table. Otherwise, the policy route will not work.
ISDB Route.
ISDB routes are configured as static routes. However, they are actually policy routes and take precedence over any other routes in the routing table. As such, ISDB routes are added to the policy routing table and can be checked via:
SD-WAN Route.
SD-WAN rules specify which traffic is routed through which interface. The rules can be configured to choose the egress interface based on a link's latency, jitter, or packet loss percentage, as configured under Performance SLA, SLA Targets.
If a policy route is configured for some traffic dedicated to one WAN interface and SD-WAN is configured for another WAN interface, the traffic will ideally go through the policy route.
When using SD-WAN routes, make sure to remove the static routes pertaining to the dedicated WAN links, and do not forget to remove the references to those WAN links.
A new SD-WAN route should be created with the interface as a virtual WAN link.
Static Route.
Configuring a static route tells FortiGate: 'When a packet is seen whose destination is within a specific range, send it through a specific network interface, towards a specific router.'
It is also possible to configure the distance and priority so that FortiGate can identify the best route to any destination matching multiple routes.
Dynamic Route.
For large networks, manually configuring hundreds of static routes may not be practical. FortiGate can help, by learning routes automatically. FortiGate supports several dynamic routing protocols:
- RIP.
- OSPF.
- BGP.
- IS-IS.
In dynamic routing, FortiGate communicates with nearby routers to discover their paths, and to advertise its own directly connected subnets. Discovered paths are automatically added to FortiGate’s routing table. So verify that the neighbor routers are trusted and secured. |
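The lookup order described in this article, written as a simplified model that can also audit a configuration for policy routes with no backing route. This is an added example, not Fortinet code: the interface names, addresses and route values are constructed, and skipping an unbacked policy route and falling through to the routing table is an assumption about what "will not work" means in practice.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:          # regular routing table entry (static or dynamic)
    prefix: str
    iface: str
    distance: int
    priority: int

@dataclass
class PolicyRoute:    # policy table entry; ISDB routes also live here per the article
    name: str
    src: str
    dst: str
    out_iface: str

def net(cidr):
    return ipaddress.ip_network(cidr)

def backed(p, routes):
    """True if a route via p.out_iface covers the policy route's destination."""
    return any(r.iface == p.out_iface and net(p.dst).subnet_of(net(r.prefix))
               for r in routes)

def unbacked(policy_routes, routes):
    """Audit: names of policy routes that have no route on their egress interface."""
    return [p.name for p in policy_routes if not backed(p, routes)]

def egress(policy_routes, routes, src_ip, dst_ip):
    """Return (interface, reason) for a packet: policy table first, then routing table."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policy_routes:
        if src in net(p.src) and dst in net(p.dst) and backed(p, routes):
            return p.out_iface, "policy:" + p.name
    hits = [r for r in routes if dst in net(r.prefix)]
    if not hits:
        return None, "no route"
    # Longest prefix first, then lowest distance, then lowest priority.
    best = min(hits, key=lambda r: (-net(r.prefix).prefixlen, r.distance, r.priority))
    return best.iface, "table:" + best.prefix

# Constructed sample configuration (not from a real device).
ROUTES = [Route("0.0.0.0/0", "wan1", 10, 0), Route("0.0.0.0/0", "wan2", 10, 5),
          Route("10.20.0.0/16", "port3", 110, 0)]   # last entry stands in for an OSPF route
POLICY = [PolicyRoute("voip-via-wan2", "192.168.10.0/24", "0.0.0.0/0", "wan2"),
          PolicyRoute("backup-via-wan3", "192.168.20.0/24", "0.0.0.0/0", "wan3")]
```

Running `unbacked(POLICY, ROUTES)` against an exported configuration surfaces policy routes whose traffic would silently take a different path than the one intended.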
Copyright 2023 Fortinet, Inc. All Rights Reserved.