FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff
Description
In some situations and due to RPF (Reverse Path Forwarding) reasons, it is required that the FortiGate holds two default static routes over two external interfaces but with the following requirements:
  • Allow incoming traffic on both interfaces (wan1 and wan2 in the following example).
  • Have a preferred path for outgoing traffic (wan1 only), hence there is no requirement for ECMP (Equal Cost Multiple Path).

More information about RPF on FortiOS, also known as Anti Spoofing, can be found in the related article.


Solution
The solution is to configure the two default routes with the same distance, but with different priorities, as shown below. The route with the lowest value in the priority field is considered the best route, and it is also the primary route.
config router static
edit 1
set device "wan1"
set gateway 10.160.0.160
next
edit 2
set device "wan2"
set gateway 192.168.183.254
set priority 10
next
end
Note that defining no priority in route 1 will set a default value of 0.

The FortiGate will hold both routes in the routing table, but use only wan1 to send out traffic.  The route over wan2 will take over if wan1 fails.
FGT# get router info routing-table all

S* 0.0.0.0/0 [10/0] via 192.168.183.254, wan2
[10/0] via 10.160.0.160, wan1
C 10.160.0.0/23 is directly connected, wan1
C 192.168.182.0/23 is directly connected, wan2


The following command can be used to display the current priorities:
FGT# diagnose ip route list

tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.160.0.160 dev=2(wan1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.183.254 dev=4(wan2)

If two routes have the same administrative distance and the same priority, then they are Equal Cost Multi Path (ECMP) routes.

Related Articles

Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing

Technical Tip: FortiGate routing table conditions

List of most popular articles related to FortiOS Routing (ECMP, STATIC ROUTE, RIP, OSPF, BGP, BFD, ...

Technical Note: Routing behavior depending on distance and priority for static routes, and Policy Ba...

Contributors