FortiGate
akileshc
Staff
Article Id 349511
Description This article describes how a FortiGate routes self-generated (self-originated) traffic when Virtual Routing and Forwarding (VRF) instances are configured, specifically which route it selects when more than one VRF holds a route to the same destination.
Scope FortiOS.
Solution

Route Selection Behavior:

Self-originated traffic (for example DNS, NTP, FortiGuard or logging traffic sourced by the FortiGate itself) has no ingress interface, so it is not tied to the routing table of a single VRF. When more than one VRF holds a route to the destination IP address, the FortiGate uses the route from the lowest-numbered VRF. This differs from forwarded traffic, which is routed in the VRF of the interface it arrived on. If a self-originated service must leave through a specific VRF, bind it to an interface or source address in that VRF (for example 'set interface-select-method specify' and 'set interface <name>' under 'config system dns') instead of relying on the VRF numbering.

 

Example Scenario:

To illustrate this behavior, consider a FortiGate that needs to reach the DNS server '8.8.8.8'. Its routing tables contain two candidate routes to that address:

  1. Through port1 with VRF 11.
  2. Through port2 with VRF 30.

 

In this case, the FortiGate selects the route via port1 (VRF 11), since 11 is the lower VRF number. The route via port2 (VRF 30) is not used for self-originated traffic even though it has the same administrative distance and metric.

 

Routing Table Output:

The following command shows the routing details for the destination IP address. Because the destination is looked up in every VRF, the output lists the matching entry from each VRF, not only the one that self-originated traffic will use:

get router info routing-table details 8.8.8.8 <- The output lists the matching entry from both VRFs.

 

Routing table for VRF=11
Routing entry for 8.8.8.8/32
Known via "static", distance 10, metric 0, best
* vrf 11 10.5.63.254, via port1

Routing table for VRF=30
Routing entry for 8.8.8.8/32
Known via "static", distance 10, metric 0, best
* vrf 30 10.5.31.254, via port2

 

Packet Sniffer Output:

To confirm which interface the traffic actually leaves on, run the sniffer with a filter on the destination host and DNS port (verbosity level 4 includes the interface name). In the output below the query goes 'out' on port1 and the reply comes 'in' on port1, which confirms that the FortiGate routes the traffic through the selected interface (port1) rather than port2:


di sniffer packet any "host 8.8.8.8 and port 53" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 and port 53]
5.175623 port1 out 10.5.63.82.1510 -> 8.8.8.8.53: udp 29
5.189339 port1 in 8.8.8.8.53 -> 10.5.63.82.1510: udp 45
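The following script is an added example and is not code from this article or from Fortinet. It parses the two outputs quoted above (the 'routing-table details' listing and the sniffer capture, embedded here as constructed sample input copied from this page), applies the lowest-VRF rule the article describes, and checks that the interface on which the sniffer saw the query leave matches the interface that rule predicts. The regular expressions assume the exact line layout shown on this page, and the selection function is a model of the stated behavior, not FortiOS's own route lookup.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input, copied from the routing-table output quoted in
# the article (get router info routing-table details 8.8.8.8). Not live data.
ROUTE_DETAILS = """\
Routing table for VRF=11
Routing entry for 8.8.8.8/32
Known via "static", distance 10, metric 0, best
* vrf 11 10.5.63.254, via port1

Routing table for VRF=30
Routing entry for 8.8.8.8/32
Known via "static", distance 10, metric 0, best
* vrf 30 10.5.31.254, via port2
"""

# Constructed sample input, copied from the sniffer output quoted in the article.
SNIFFER_OUTPUT = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 and port 53]
5.175623 port1 out 10.5.63.82.1510 -> 8.8.8.8.53: udp 29
5.189339 port1 in 8.8.8.8.53 -> 10.5.63.82.1510: udp 45
"""


@dataclass
class Route:
    vrf: int
    prefix: str
    gateway: str
    interface: str
    distance: int
    metric: int


# One regex per line type of the 'routing-table details' output, as shown on this page.
ENTRY_RE = re.compile(r"^Routing entry for (\S+)$")
KNOWN_RE = re.compile(r'^Known via "(\w+)", distance (\d+), metric (\d+)')
NEXTHOP_RE = re.compile(r"^\*\s+vrf (\d+) (\S+), via (\S+)$")
# Sniffer packet line at verbosity 4: <time> <iface> <in|out> <src.port> -> <dst.port>: ...
PKT_RE = re.compile(r"^\d+\.\d+\s+(\S+)\s+(in|out)\s+(\S+)\s+->\s+(\S+):")


def parse_route_details(text: str) -> List[Route]:
    """Parse the per-VRF blocks into Route objects, in output order."""
    routes: List[Route] = []
    prefix = ""
    distance = metric = 0
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            prefix = m.group(1)
        elif m := KNOWN_RE.match(line):
            distance, metric = int(m.group(2)), int(m.group(3))
        elif m := NEXTHOP_RE.match(line):
            routes.append(Route(int(m.group(1)), prefix, m.group(2), m.group(3), distance, metric))
    return routes


def select_self_originated_route(routes: List[Route]) -> Optional[Route]:
    """Model of the rule in the article: when several VRFs hold a route to the
    destination, self-originated traffic uses the one from the lowest VRF number.
    Output order is deliberately ignored, so a VRF listed later still wins if lower."""
    return min(routes, key=lambda r: r.vrf, default=None)


def egress_interfaces(sniffer_text: str, host: str) -> Set[str]:
    """Interfaces on which the sniffer saw packets leaving ('out') towards host."""
    seen: Set[str] = set()
    for line in sniffer_text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m or m.group(2) != "out":
            continue
        dst_ip = m.group(4).rsplit(".", 1)[0]  # drop the trailing .port
        if dst_ip == host:
            seen.add(m.group(1))
    return seen


def check_egress(route_text: str, sniffer_text: str, host: str) -> Tuple[Optional[str], Set[str], bool]:
    """Compare the interface predicted from the routing table with the one the
    sniffer observed. Returns (expected_iface, observed_ifaces, consistent)."""
    best = select_self_originated_route(parse_route_details(route_text))
    expected = best.interface if best else None
    observed = egress_interfaces(sniffer_text, host)
    return expected, observed, bool(observed) and observed == {expected}


if __name__ == "__main__":
    exp, obs, ok = check_egress(ROUTE_DETAILS, SNIFFER_OUTPUT, "8.8.8.8")
    print(f"expected egress: {exp}, observed: {sorted(obs)}, consistent: {ok}")
```

To use it against a real unit, paste the two command outputs into ROUTE_DETAILS and SNIFFER_OUTPUT. A mismatch (for example the sniffer showing the query leaving on port2 while VRF 11 predicts port1) indicates that the service has been bound to a specific interface or source address, or that the routing table changed between the two commands; either way it is worth rechecking before trusting the VRF-based prediction.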

 
