FortiGate
shahrukh_khan
Article Id 394111
Description This article describes how FortiGate selects routes, exploring the hierarchy of routing components: policy-based routes (PBR), SD-WAN rules, and the Forwarding Information Base (FIB). It will also provide key troubleshooting commands to help diagnose and resolve routing issues effectively.
Scope FortiGate.
Solution

The Route Selection Process in FortiGate:

  1. Policy-Based Routes (PBR):
  • Definition: PBRs are user-defined rules that let administrators override the normal routing decision. They match traffic on criteria such as incoming interface, source IP, destination IP, protocol, or port and send it out of a chosen interface (optionally via a specific gateway).
  • Priority: PBRs are checked first. If a packet matches a PBR, it is forwarded according to that rule and the lookup ends without consulting the SD-WAN rules or the best path in the FIB. One caveat: FortiGate only applies a policy route if the routing table already contains a route to the destination through the policy route's output device; if no such route exists, that policy route is skipped and the lookup continues.

 

Configuration Example:

 

config router policy
    edit 1
        set input-device "internal"
        set src 192.168.1.0 255.255.255.0
        set dst 10.0.0.0 255.255.255.0
        set output-device "wan2"
    next
end

 

This PBR routes traffic from 192.168.1.0/24 to 10.0.0.0/24 via wan2, even if the routing table's best path to 10.0.0.0/24 is a different interface (a route to 10.0.0.0/24 via wan2, for example a default route, must still exist for the PBR to be applied). If no PBR matches, FortiGate moves on to ISDB routes and then to SD-WAN rules (if applicable).

 

   2. Route for predefined internet services (ISDB): The Internet Service Database (ISDB) is an extensive and publicly accessible database that categorizes IP addresses based on various criteria, including IP address ranges, ownership information, associated service port numbers, and an evaluation of IP security credibility. This valuable data is sourced from the FortiGuard service system.

 

To establish a static route for specific internet services categorized under the ISDB, refer to the detailed guide provided in this article: Technical Tip: Creating a static route for Predefined Internet Services (ISDB).

 

Creating static routes for predetermined services enhances network management by allowing for more granular control over how traffic is directed based on service type.

 

In this context, ISDB operates as a policy route, which means that it follows the same set of rules and configurations typically applied to policy-based routing. This functionality allows network administrators to apply specific routing policies that optimize traffic flow based on service requirements.

 

To verify and audit the ISDB route configurations within the network environment, execute the command 'diagnose firewall proute list' in the device's command line interface.

 

  3. SD-WAN Rules:

  • Definition: SD-WAN rules are used in environments with multiple WAN links to optimize traffic based on performance metrics like latency, jitter, or bandwidth.
  • Priority: SD-WAN rules are evaluated after PBRs and ISDB routes, and only if the FIB's best route to the destination points to an SD-WAN member interface. They decide which member link the traffic uses, based on the rule's strategy and the health-check results for each member.

 

Example:

A rule might direct VoIP traffic over the link with the lowest latency to ensure call quality. If no SD-WAN rule applies, FortiGate consults the FIB.

 

  4. Forwarding Information Base (FIB):

  • Definition: The FIB is the main routing table, containing static routes, dynamic routes (e.g., OSPF, BGP), and directly connected routes.
  • Priority: This is the final layer. If no PBR or SD-WAN rule matches, the FIB determines the route.
  • Route Selection Criteria: FortiGate uses the following order to select the best route:
    • Longest Prefix Match: More specific routes (e.g., /24) are preferred over less specific ones (e.g., /16).
    • Administrative Distance (AD): Among routes to the same prefix, the one with the lowest AD is preferred. Default AD values:
      • Connected: 0
      • Static: 10
      • eBGP: 20
      • OSPF: 110
      • iBGP: 200
    • Priority (Static Routes): For static routes with equal AD, the lowest priority value wins.
    • Metric (Dynamic Routes): For routes from the same protocol, the best metric (for example, lowest OSPF cost) is chosen.
    • Equal Cost Multi-Path (ECMP): If multiple routes are still tied (same prefix, AD, and priority), all of them are installed and traffic is load-balanced across them.
  • Outcome: If no route covers the destination, the packet is dropped.

 

Example:

If two static routes to 10.0.0.0/24 exist—one via wan1 (AD 10, priority 5) and one via wan2 (AD 10, priority 10), FortiGate chooses wan1 due to its lower priority.
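The four stages above (policy routes, ISDB routes, SD-WAN rules, FIB) and the FIB tie-break rules, as a small lookup simulator. This is an added illustration written for this article, not FortiOS code: the data structures, interface names, the has_route_via check (a simplification of the requirement that a policy route needs a route to the destination through its output device) and the sample topology are all assumptions.

```python
"""Route-selection order from this article: policy routes, then ISDB routes,
then SD-WAN rules, then the FIB.  Added illustration, not FortiOS code; the
data structures and the sample topology below are assumptions."""
import ipaddress
from dataclasses import dataclass

net, addr = ipaddress.ip_network, ipaddress.ip_address


@dataclass
class PolicyRoute:          # the 'config router policy' fields used here
    seq: int
    in_iface: str
    src: str                # CIDR
    dst: str                # CIDR
    out_iface: str


@dataclass
class FibRoute:             # one entry of the routing table database
    prefix: str
    iface: str
    ad: int
    priority: int = 0       # static routes only; lower wins
    metric: int = 0         # dynamic routes; lower wins


def fib_lookup(fib, dst):
    """Best route(s) for dst: longest prefix, then lowest AD, then lowest
    priority/metric.  More than one entry means ECMP; [] means no route."""
    d = addr(dst)
    cands = [r for r in fib if d in net(r.prefix)]
    if not cands:
        return []
    longest = max(net(r.prefix).prefixlen for r in cands)
    cands = [r for r in cands if net(r.prefix).prefixlen == longest]
    best_ad = min(r.ad for r in cands)
    cands = [r for r in cands if r.ad == best_ad]
    key = min((r.priority, r.metric) for r in cands)
    return [r for r in cands if (r.priority, r.metric) == key]


def has_route_via(fib, dst, iface):
    """Simplified form of the FortiOS requirement that a policy route is only
    applied when the routing table holds a route to dst via its output-device."""
    return any(r.iface == iface and addr(dst) in net(r.prefix) for r in fib)


def select_route(pkt, policy_routes, isdb_routes, sdwan_rules, link_latency_ms, fib):
    """Return (stage, [egress interfaces]) for a packet dict with the keys
    src, dst, in_iface, proto, dport."""
    s, d = addr(pkt["src"]), addr(pkt["dst"])
    # Stages 1 and 2: user policy routes, then ISDB routes, which FortiOS also
    # installs as policy routes (both appear in 'diagnose firewall proute list').
    for pr in list(policy_routes) + list(isdb_routes):
        if pr.in_iface == pkt["in_iface"] and s in net(pr.src) and d in net(pr.dst):
            if has_route_via(fib, pkt["dst"], pr.out_iface):
                return f"policy-route {pr.seq}", [pr.out_iface]
            # no route via the output-device: this policy route is skipped
    best = fib_lookup(fib, pkt["dst"])
    if not best:
        return "drop", []                      # no route at all
    # Stage 3: SD-WAN rules apply only if the FIB points at an SD-WAN member.
    members = set(link_latency_ms)
    if any(r.iface in members for r in best):
        for rule in sdwan_rules:               # {"name", "proto", "dport", "members"}
            if rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]:
                link = min(rule["members"], key=lambda m: link_latency_ms[m])
                return f"sdwan-rule {rule['name']}", [link]
    # Stage 4: the FIB decides; several entries here means ECMP load balancing.
    return "fib", [r.iface for r in best]


# Constructed sample topology (assumed, not taken from the article).
FIB = [
    FibRoute("0.0.0.0/0", "wan1", ad=10, priority=5),
    FibRoute("0.0.0.0/0", "wan2", ad=10, priority=10),
    FibRoute("10.0.0.0/24", "wan1", ad=10, priority=5),
    FibRoute("10.0.0.0/24", "wan2", ad=10, priority=10),
    FibRoute("10.0.0.0/16", "internal", ad=110, metric=20),   # OSPF, less specific
    FibRoute("192.168.1.0/24", "internal", ad=0),              # connected
]
PBR = [PolicyRoute(1, "internal", "192.168.1.0/24", "10.0.0.0/24", "wan2")]
ISDB = [PolicyRoute(100, "internal", "0.0.0.0/0", "203.0.113.0/24", "wan1")]  # seq is arbitrary
SDWAN_RULES = [{"name": "voip", "proto": 17, "dport": 5060, "members": ["wan1", "wan2"]}]
LATENCY = {"wan1": 40.0, "wan2": 12.0}        # SD-WAN members and measured latency (ms)


def demo(src, dst, in_iface="internal", proto=6, dport=443):
    pkt = {"src": src, "dst": dst, "in_iface": in_iface, "proto": proto, "dport": dport}
    return select_route(pkt, PBR, ISDB, SDWAN_RULES, LATENCY, FIB)


if __name__ == "__main__":
    for args in [("192.168.1.10", "10.0.0.5"), ("192.168.2.10", "10.0.0.5"),
                 ("192.168.1.10", "198.51.100.9", "internal", 17, 5060),
                 ("192.168.1.10", "203.0.113.7")]:
        print(args[:2], "->", demo(*args))
```

With the sample topology, the first packet is taken by policy route 1 and leaves on wan2 although the FIB prefers wan1 for 10.0.0.0/24; the packet from 192.168.2.10 matches no policy route and falls through to the /24 static with priority 5 (wan1), beating both the priority-10 static and the less specific OSPF /16; the SIP packet is handed to the SD-WAN rule, which picks the lower-latency member; and the packet to 203.0.113.7 is caught by the ISDB policy route. A policy route whose output device has no route to the destination is skipped rather than applied, which is the behaviour to check first when a PBR "does not work".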

 

Troubleshooting Route Prioritization:

When routing issues arise, FortiGate’s CLI provides powerful commands to diagnose and resolve problems. Below are key commands and their uses.


View All Routes in the FIB:

 

get router info routing-table all <----- Displays the entire routing table, including static, dynamic, and connected routes.


View Policy-Based Routes:

 

diagnose firewall proute list <----- Lists all configured PBRs, showing their IDs, conditions, and actions.


View Routing Table Database:

 

get router info routing-table database

 

Shows all known routes, including those not selected as the best path.


View Detailed Route Information for a Specific Destination:

 

get router info routing-table details <destination IP>

 

Provides in-depth information about how a specific destination is routed.


View SD-WAN Rules and Status:

 

diagnose sys sdwan service

 

Displays SD-WAN rule details and their current status.


View Dynamic Routing Information (for example, BGP):

 

get router info bgp neighbors

 

Shows the state of each BGP neighbor, including the number of prefixes accepted from that neighbor.


Interpreting Command Outputs:

  • PBR Output: Check if traffic matches any PBR. If a PBR is applied, it overrides other routing mechanisms.
  • Routing Table Output: Look for the route with the longest prefix and lowest AD for a given destination.
  • SD-WAN Output: Ensure that SD-WAN rules are correctly matching traffic and that link health is as expected.


Common Issues and Solutions:

  • Misconfigured PBRs: Traffic may take unexpected paths if PBRs are ordered incorrectly (the first matching policy route wins) or if the output device has no route to the destination, in which case the PBR is silently skipped. Use diagnose firewall proute list to verify the order and the match criteria.
  • Conflicts Between Route Types: A static route might override a dynamic route due to a lower AD. Adjust AD values if needed.
  • SD-WAN Rule Misapplication: Ensure that SD-WAN rules are correctly matching traffic and that link health checks are functioning.


Practical Examples:

 

Scenario 1: Using PBR to Direct Specific Traffic.

  • Goal: Route all guest Wi-Fi traffic (192.168.20.0/24) through a secondary WAN link (wan2).
  • Solution: Configure a PBR to match the guest subnet.

 

Command:

 

config router policy
    edit 1
        set input-device "guest-wifi"
        set src 192.168.20.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set output-device "wan2"
    next
end

 

  • Result: Guest traffic uses wan2, as PBR takes precedence over other routing layers.


Scenario 2: SD-WAN Optimizing Path Selection:

  • Goal: Ensure that VoIP traffic uses the WAN link with the lowest latency.
  • Solution: Configure an SD-WAN rule to prioritize VoIP traffic based on latency.
  • Verification:

 

diagnose system sdwan service

 

  • Result: VoIP traffic is dynamically routed over the best-performing link.


Scenario 3: Resolving Route Conflicts in the FIB.

  • Goal: Understand why a static route is preferred over an OSPF route to the same destination.
  • Solution: Check the AD values: static routes (AD 10) are preferred over OSPF routes (AD 110) to the same prefix.
  • Verification:

 

get router info routing-table details <destination IP>

 

  • Result: The static route is selected due to its lower AD.

 

Troubleshooting:

The following commands collect a debug flow trace that shows, for each packet matching the filter, which route was found and which firewall policy was applied:

 

diagnose debug reset

diagnose debug flow trace stop

diagnose debug flow filter clear

diagnose debug flow filter addr <source or destination IP>

diagnose debug flow filter port <Port Number>

diagnose debug flow show function-name enable

diagnose debug console timestamp enable

diagnose debug flow trace start 1000

diagnose debug enable

 

To stop the debug:

 

diagnose debug flow trace stop

diagnose debug disable
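Reading the trace by hand is fine for one session, but when the question is "did guest traffic really leave on wan2" (Scenario 1 above) it helps to reduce the output to one line per trace_id. The following parser is an added illustration, not FortiOS code; the sample lines are constructed in the style of FortiOS flow-trace output and are not a real capture, and the regular expressions, function names and the expected-egress mapping are assumptions.

```python
"""Reduce 'diagnose debug flow' output to one summary per trace_id so the
chosen route can be compared with the firewall policy decision.
Added illustration, not FortiOS code; SAMPLE is constructed, not captured."""
import ipaddress
import re

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
                    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\).*? from (?P<iface>[^. ]+)\.')
ROUTE_RE = re.compile(r'find a route: flag=(?P<flag>[0-9a-fA-F]+) gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')


def parse_flow_trace(text):
    """Group trace lines by trace_id and reduce each to one summary dict."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                          # timestamps, blank lines, other debug noise
        f = flows.setdefault(m["tid"], {"trace_id": int(m["tid"]), "verdict": "unknown"})
        msg = m["msg"]
        if (p := PKT_RE.search(msg)):
            f.update(proto=int(p["proto"]), src=p["src"], dst=p["dst"],
                     dport=int(p["dport"]), in_iface=p["iface"])
        elif (r := ROUTE_RE.search(msg)):
            f.update(out_iface=r["iface"], gateway=r["gw"])
        elif (a := ALLOW_RE.search(msg)):
            f.update(verdict="allow", policy_id=int(a["pid"]))
        elif (d := DENY_RE.search(msg)):
            f.update(verdict="deny", policy_id=int(d["pid"]))
        elif "drop" in msg:                   # e.g. reverse path check failures
            f.update(verdict="drop", reason=msg)
    return list(flows.values())


def unexpected_egress(flows, expected):
    """Flows whose chosen egress differs from the interface a policy route
    should have given them.  expected maps a source CIDR to that interface."""
    bad = []
    for f in flows:
        if "src" not in f or "out_iface" not in f:
            continue
        for cidr, iface in expected.items():
            if ipaddress.ip_address(f["src"]) in ipaddress.ip_network(cidr) and f["out_iface"] != iface:
                bad.append((f["trace_id"], f["src"], f["out_iface"], iface))
    return bad


# Constructed sample in the style of FortiOS flow-trace output (not a real capture).
SAMPLE = """\
2024-05-01 10:00:00 id=20085 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=6, 192.168.20.10:51234->198.51.100.20:443) tun_id=0.0.0.0 from guest-wifi. flag [S], seq 1000, ack 0, win 64240"
2024-05-01 10:00:00 id=20085 trace_id=1 func=init_ip_session_common line=6075 msg="allocate a new session-00001a2b"
2024-05-01 10:00:00 id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-203.0.113.1 via wan2"
2024-05-01 10:00:00 id=20085 trace_id=1 func=fw_forward_handler line=890 msg="Allowed by Policy-3: SNAT"
2024-05-01 10:00:01 id=20085 trace_id=2 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=6, 192.168.20.11:51300->198.51.100.20:443) tun_id=0.0.0.0 from guest-wifi. flag [S], seq 2000, ack 0, win 64240"
2024-05-01 10:00:01 id=20085 trace_id=2 func=init_ip_session_common line=6075 msg="allocate a new session-00001a2c"
2024-05-01 10:00:01 id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.0.2.1 via wan1"
2024-05-01 10:00:01 id=20085 trace_id=2 func=fw_forward_handler line=890 msg="Allowed by Policy-3: SNAT"
2024-05-01 10:00:02 id=20085 trace_id=3 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:4444->192.168.1.10:22) tun_id=0.0.0.0 from wan1. flag [S], seq 3000, ack 0, win 64240"
2024-05-01 10:00:02 id=20085 trace_id=3 func=ip_route_input_slow line=2260 msg="reverse path check fail, drop"
"""

if __name__ == "__main__":
    flows = parse_flow_trace(SAMPLE)
    for f in flows:
        print(f)
    # Guest Wi-Fi must leave on wan2 (Scenario 1); report any session that did not.
    print("unexpected egress:", unexpected_egress(flows, {"192.168.20.0/24": "wan2"}))
```

Paste real trace output into SAMPLE (or read it from a file) and adjust the expected mapping to your policy routes. In the constructed sample, trace 2 is the interesting one: the session was allowed by the same policy as trace 1, yet the route lookup returned wan1, which is exactly what a skipped or mis-ordered PBR looks like in the trace, while trace 3 never reaches a policy decision because it is dropped at the reverse path check.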

 

Related articles:

Technical Tip: Routing in FortiGate (route-lookup-process)

Technical Tip: How to Perform Routing Lookup from GUI and CLI