sharmaj
Staff
Article Id 207197
Description This article describes how routing works in the FortiGate.
Scope FortiGate.
Solution

There are several ways to configure routing in FortiGate:

  1. Policy route.
  2. ISDB route.
  3. SD-WAN route.
  4. Static route.
  5. Dynamic route (BGP, OSPF).

 

Policy Route:

Policy routes whose action is Forward Traffic take precedence over static and dynamic routes. If a packet matches such a policy route, FortiGate bypasses the routing table lookup entirely. FortiGate keeps policy routes in a separate table that is consulted before the regular routing table.

 

If the action is set to Stop Policy Routing, FortiGate will stop the policy route lookup process for matching packets and will perform a lookup in a regular routing table.

 

Remember that, for a policy route to forward traffic out a specific interface, there should be an active route for that destination using that interface in the routing table. Otherwise, the policy route will not work.

 

From GUI:

(Screenshot: policy route configuration page)

 

From CLI:

 

config router policy
    edit 1
        set input-device "port3"
        set src "192.168.1.0/255.255.255.0"
        set dst "8.8.8.8/255.255.255.255"
        set gateway 10.47.15.254
        set output-device "port1"
    next
end

 

The example above forwards any traffic arriving on interface port3 with source address 192.168.1.0/24 and destination address 8.8.8.8/32 out interface port1 via gateway 10.47.15.254.

 

ISDB Route:

ISDB routes are configured as static routes. However, they are actually policy routes and take precedence over any other routes in the routing table. As such, ISDB routes are added to the policy routing table and can be checked with the following command:


diagnose firewall proute list

 

SD-WAN Route:

SD-WAN rules make it possible to specify which traffic to route through which interface.

SD-WAN rules can also select the egress interface based on a link's latency, jitter, or packet loss percentage, measured against the thresholds configured under Performance SLA -> SLA Targets.

 

If there is a policy route configured for some traffic dedicated to one WAN interface and SD-WAN for another WAN interface, the traffic will go through the policy route.

 

Before using SD-WAN routes, remove the static routes that point to the dedicated WAN links, and remove any other configuration objects that still reference those WAN links.

 

A new SD-WAN route should be created with the interface as a virtual WAN link.

 

GUI:

(Screenshot: SD-WAN static route configuration page)

 

CLI:

 

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
end

 

Static Route:

A static route tells FortiGate: 'When a packet arrives whose destination is within this specific range, send it out this specific network interface, towards this specific router (gateway).'

 

It is also possible to configure the distance and priority so that FortiGate can identify the best route to any destination matching multiple routes.

 

GUI:

(Screenshot: static route configuration page)

 

CLI:

 

config router static
    edit 1
        set dst 8.8.8.8 255.255.255.255
        set gateway 10.47.31.254
        set device "port2"
    next
end
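The route-selection order described above (policy routes before the routing table, the requirement that a Forward Traffic policy route has an active route via its output device, and distance/priority tie-breaking for static routes), as an added Python model that is not FortiOS code. Interface names and addresses reuse the page's examples; the default route, distances and priorities are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the precedence described in the article, not FortiOS code.
@dataclass
class StaticRoute:
    dst: str          # prefix, e.g. "8.8.8.8/32" or "0.0.0.0/0"
    gateway: str
    device: str
    distance: int = 10
    priority: int = 1

@dataclass
class PolicyRoute:
    input_device: str
    src: str
    dst: str
    output_device: str = ""
    gateway: str = ""
    action: str = "forward"   # "forward" or "stop" (Stop Policy Routing)

def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)

def active_routes(routes):
    """Only the lowest-distance route(s) for each prefix enter the routing table."""
    best = {}
    for r in routes:
        best[_net(r.dst)] = min(best.get(_net(r.dst), r.distance), r.distance)
    return [r for r in routes if r.distance == best[_net(r.dst)]]

def routing_table_lookup(routes, dst_ip):
    """Longest prefix match; equal prefixes are tie-broken by lowest priority value."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in active_routes(routes) if ip in _net(r.dst)]
    return min(hits, key=lambda r: (-_net(r.dst).prefixlen, r.priority)) if hits else None

def select_egress(policy_routes, static_routes, in_dev, src_ip, dst_ip):
    """Return (device, gateway, source) for a packet, or None if it is unroutable."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policy_routes:
        if p.input_device != in_dev or src not in _net(p.src) or dst not in _net(p.dst):
            continue
        if p.action == "stop":
            break  # Stop Policy Routing: fall through to the regular routing table
        # Forward Traffic only works if an active route to dst exists via the output device.
        if any(r.device == p.output_device and dst in _net(r.dst) for r in active_routes(static_routes)):
            return p.output_device, p.gateway, "policy-route"
    r = routing_table_lookup(static_routes, dst_ip)
    return (r.device, r.gateway, "routing-table") if r else None
```

With the page's policy route and the port2 static route loaded, the same packet is sent via port1 when a default route through port1 exists and via port2 when it does not, which is the behaviour the "Remember that" paragraph warns about.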

  

Dynamic Route:

For large networks, manually configuring hundreds of static routes may not be practical.

FortiGate can help by learning routes automatically. FortiGate supports several dynamic routing protocols:

  • RIP.
  • OSPF.
  • BGP.
  • IS-IS.

 

In dynamic routing, FortiGate communicates with nearby routers to discover their paths and to advertise its own directly connected subnets.

Because discovered paths are installed in FortiGate's routing table automatically, verify that the neighbor routers are trusted and secured.

 

Note: If Policy Route and Dynamic route (BGP, OSPF) are not visible on the GUI, go to System -> Feature Visibility -> Advanced Routing.

 

(Screenshot: Feature Visibility page with Advanced Routing enabled)

 

To enable 'Advanced Routing' in the CLI: 

 

config system settings
    set gui-dynamic-routing enable
end

 

Troubleshooting: Use the following command on the firewall CLI to verify the active routing information for any destination:

get router info routing-table details <Destination IP>

Note: The priority of BGP routes can be changed to prefer certain routes while keeping multiple valid routes for the same prefix in the routing table. The priority of routes learned using other dynamic routing protocols is hardcoded to 1.


For a configuration example of setting the priority of BGP routes, see the article Troubleshooting Tip: Configuring priority for BGP default routes to establish a primary (preferred) ....

In most cases, when setting priority in a BGP route-map, 'recursive-inherit-priority' in the router bgp configuration should be disabled, so that the intended priority is not overwritten by the priority of the connected route used to resolve the next-hop.

 

config router bgp
    set recursive-inherit-priority disable
end

 

Related documents:

Technical Tip: Routing behavior depending on distance and priority for static routes, and Policy Bas...

FortiGate Routing concepts