| Description | This article describes how routing works in FortiGate firewall. |
| Scope | Fortios 5.6 and above. |
| Solution |
There are several ways to configure routing in FortiGate:
Policy Route:
Policy routes set to the action Forward Traffic have precedence over static and dynamic routes. If a packet matches the policy route, FortiGate bypasses any routing table lookup. Policy routes are maintained in a separate routing table by FortiGate, and have precedence over the regular routing table.
Note that, if the action is set to Stop Policy Routing, FortiGate will stop the policy route lookup process for matching packets and will perform a lookup in a regular routing table.
Remember that, for a policy route to forward traffic out a specific interface, there should be an active route for that destination using that interface in the routing table. Otherwise, the policy route will not work.
GUI:
CLI:
config router policy edit 1 set input-device "port3" set src "192.168.1.0/255.255.255.0" set dst "8.8.8.8/255.255.255.255" set gateway 10.47.15.254 set output-device "port1" next end
The example above will forward any traffic from interface port3 with source address 192.168.1.0/24 and destination address 8.8.8.8/32 to interface port1.
ISDB Route.
ISDB routes are configured as static routes. However, they are actually policy routes and take precedence over any other routes in the routing table. As such, ISDB routes are added to the policy routing table and can be checked with the following command:
SDWAN Route:
SD-WAN rules make it possible to specify which traffic to route through which interface. It is possible to configure the SD-WAN rules to choose the egress interface based on a link's latency, jitter, or packet loss percentage that was configured under Performance SLA, SLA Targets.
If there is a policy route configured for some traffic dedicated to one WAN interface and SD-WAN for another WAN interface, the traffic will go through the policy route.
Regarding the use of SD-WAN routes, make sure to remove the static route pertaining to the dedicated WAN links and remember to remove the references of those WAN links.
A new SD-WAN route should be created with the interface as a virtual WAN link.
GUI:
Static Route.
When a static route is configured, FortiGate is informed: 'When a packet is visible whose destination is within a specific range, send it through a specific network interface, towards a specific router.'
It is also possible to configure the distance and priority so that FortiGate can identify the best route to any destination matching multiple routes.
GUI:
Dynamic Route.
For large networks, manually configuring hundreds of static routes may not be practical. FortiGate can help, by learning routes automatically. FortiGate supports several dynamic routing protocols:
In dynamic routing, FortiGate communicates with nearby routers to discover their paths, and to advertise its own directly connected subnets. Discovered paths are automatically added to FortiGate’s routing table. So verify that the neighbor routers are trusted and secured.
Related article: |
