jiahoong112
Staff
Article Id 242693
Description

This article describes how to perform a routing lookup on FortiGate from the GUI and the CLI, and covers the difference between the two lookups.
Scope

FortiGate

- Access to the Routing Widget.

Solution

On version 6.0.x, 6.2.x or below: Go to Monitor -> Routing Monitor.

[Screenshot: Monitor -> Routing Monitor]

On version 6.4.x and above: Go to Dashboard -> Network -> Routing.

[Screenshot: Dashboard -> Network -> Routing]

Related link:

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/655407/static-dynamic-routin...

 

Why use the Routing Lookup in the Routing Widget instead of the CLI:

The CLI equivalent is the command 'get router info routing-table <ip>'. Its output only shows the route taken from the FIB. It does not show whether the traffic will be routed through a Policy Route.

The advantage of the Routing Lookup on the GUI is that if the traffic matches a Policy Route or SD-WAN Rule, the result shows that match. Furthermore, it is possible to specify a Source IP and/or Source Interface in the Routing Lookup Widget.

This is useful for checking how traffic from a specific VLAN, source IP, etc. is routed.

Local-out traffic (FortiGate self-originating traffic):

1) After opening the widget, select Route Lookup. As shown here, only the Destination IP field is mandatory.

[Screenshot: Route Lookup dialog]

2) If only the Destination IP is entered, the result shows how FortiGate would route the traffic by default.

This is especially important when multiple WAN links or SD-WAN are used.

The default route shown here is also the route that FortiGuard services, DNS, FortiCloud logging, etc. will use.

The following is an example where Policy Routes/SD-WAN Rules are taken instead of the FIB.

In FortiGate's routing precedence, Policy Routes and SD-WAN Rules are similar.

Policy Routes take higher precedence than SD-WAN Rules.

1) An SD-WAN Rule is configured here.

[Screenshot: SD-WAN Rule configuration]

2) Route Lookup - 8.8.8.8.

[Screenshot: Route Lookup for 8.8.8.8]

3) Policy Route is chosen.

[Screenshot: Route Lookup result showing the Policy Route match]

4) The FIB, as viewed from the CLI, shows that traffic to 8.8.8.8 would normally take port1 first.

[Screenshot: CLI FIB lookup for 8.8.8.8]

This is evident once both existing SD-WAN Rules have been disabled:

[Screenshot: Route Lookup result with both SD-WAN Rules disabled]
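The difference between the two lookups in the walkthrough above can be reproduced with a small model. This is an added example, not FortiOS code or output: it is a simplified sketch of the precedence the article states (Policy Routes, then SD-WAN Rules, then the FIB), and all rule names, prefixes and interfaces other than port1 and 8.8.8.8 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """Simplified policy route / SD-WAN rule (illustrative model, not FortiOS config)."""
    name: str
    dst: str                      # destination prefix
    out_if: str                   # egress interface
    src: Optional[str] = None     # optional source prefix
    in_if: Optional[str] = None   # optional source interface

    def matches(self, dst_ip, src_ip=None, in_if=None):
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        # A rule restricted by source can only match when that source is supplied.
        if self.src and (src_ip is None or
                         ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src)):
            return False
        return self.in_if is None or self.in_if == in_if


def fib_lookup(fib, dst_ip):
    """FIB-only view (what the CLI lookup reports): longest-prefix match on destination."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in fib
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def route_lookup(policy_routes, sdwan_rules, fib, dst_ip, src_ip=None, in_if=None):
    """GUI-style view: policy routes first, then SD-WAN rules, then the FIB."""
    for kind, rules in (("policy-route", policy_routes), ("sdwan-rule", sdwan_rules)):
        for rule in rules:
            if rule.matches(dst_ip, src_ip, in_if):
                return kind, rule.name, rule.out_if
    return "fib", None, fib_lookup(fib, dst_ip)


# Constructed sample data; interface names other than port1 are assumptions.
FIB = [("0.0.0.0/0", "port1"), ("10.0.0.0/8", "port3")]
SDWAN = [Rule("dns-via-port2", "8.8.8.8/32", "port2")]
POLICY = [Rule("vlan10-out", "0.0.0.0/0", "port4", src="192.168.10.0/24", in_if="vlan10")]

if __name__ == "__main__":
    print(fib_lookup(FIB, "8.8.8.8"))                    # FIB-only answer
    print(route_lookup(POLICY, SDWAN, FIB, "8.8.8.8"))   # local-out lookup
    print(route_lookup(POLICY, SDWAN, FIB, "8.8.8.8", "192.168.10.5", "vlan10"))
```

The same destination yields three different egress interfaces depending on which tables are consulted and whether a source is supplied, which is why a FIB-only check can misreport the path that inspected traffic actually takes.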

 

 

More information about FortiGate's Route Lookup Process:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Routing-in-FortiGate-route-lookup-process/...