FCP_FGT_AD-7.4 Routing

Routing Detailed Explanation

Routing in FortiGate involves managing the flow of traffic between different networks. This ensures efficient connectivity and optimal performance for users and applications.

4.1 Static Routing

Static routing is a manual way to define routes that specify how traffic should travel to reach a destination network.

Basic Configuration
  1. Define Destination Networks and Next-Hop Gateways:

    • A static route maps a destination subnet to the next-hop IP address or interface that leads to the destination.
    • Example: Traffic destined for 192.168.2.0/24 should go via the next-hop gateway 192.168.1.1.

    CLI Configuration:

    config router static
    edit 1
    set dst 192.168.2.0/24
    set gateway 192.168.1.1
    set device "port1"
    end
    

    GUI Configuration:

    • Navigate to Network > Static Routes > Create New.
    • Define:
      • Destination: 192.168.2.0/24
      • Gateway: 192.168.1.1
      • Interface: The outgoing interface (e.g., port1).
  2. Configure Route Priority and Distance:

    • Priority: Lower values take precedence for routes with the same destination.

    • Administrative Distance (AD): Indicates route reliability. Lower values are preferred.

    • Example CLI (entered inside the same static route edit context as above):

      set priority 10
      set distance 5


4.2 SD-WAN

SD-WAN simplifies and optimizes the use of multiple WAN links by dynamically selecting the best path for traffic based on performance.

Purpose of SD-WAN
  1. Load Balancing:

    • Distribute traffic across multiple WAN connections to maximize bandwidth usage and reliability.
    • Example: Use WAN1 and WAN2 simultaneously to share the load.
  2. Automatic Link Selection:

    • FortiGate can measure latency, jitter, and packet loss and automatically route traffic through the best-performing link.
    • Ideal for applications requiring stable connections (e.g., VoIP, video conferencing).
Configuration Steps
  1. Define Member Interfaces:

    • Add WAN interfaces to the SD-WAN group.

    • CLI Example:

      config system sdwan
      set status enable
      config members
      edit 1
      set interface "wan1"
      set gateway 192.168.1.1
      next
      edit 2
      set interface "wan2"
      set gateway 192.168.2.1
      end
      end

  2. Set SLA Rules for Performance Criteria:

    • Define Service-Level Agreements (SLAs) based on acceptable latency, jitter, and packet loss thresholds.

    • Example (the SLA thresholds belong to a health check, which the SD-WAN service then references; the probe server 192.168.10.1 is a placeholder, and dst names a firewall address object, here one named after the subnet):

      config system sdwan
      config health-check
      edit "VoIP-HC"
      set server "192.168.10.1"
      set members 1 2
      config sla
      edit 1
      set latency-threshold 50
      set jitter-threshold 10
      end
      end
      config service
      edit 1
      set name "VoIP Traffic"
      set dst "192.168.10.0/24"
      set mode sla
      config sla
      edit "VoIP-HC"
      set id 1
      end
      end
      end

  3. Create Policies for SD-WAN Traffic:

    • Direct specific traffic (e.g., VoIP) through the best-performing link.
    • GUI: Policy & Objects > SD-WAN Rules.

4.3 Dynamic Routing Protocols

Dynamic routing protocols allow FortiGate to learn and share routes with other devices automatically. This is useful in large or frequently changing networks.

OSPF (Open Shortest Path First)
  1. Configure Areas and Interfaces:

    • OSPF divides the network into areas, with Area 0 (Backbone) being mandatory.
    • Assign interfaces to the appropriate areas.

    Example CLI:

    config router ospf
    set router-id 1.1.1.1
    config area
    edit 0.0.0.0
    end
    config network
    edit 1
    set prefix 192.168.1.0/24
    set area 0.0.0.0
    end
    end

  2. Set Priority for Main and Backup Paths:

    • Assign OSPF interface priority to influence route selection.

    • Higher priority = more likely to be chosen as the designated router.

    • Example:

      config router ospf
      config ospf-interface
      edit "port1"
      set interface "port1"
      set priority 100
      end
      end

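The bullet above says a higher interface priority makes a router more likely to become the designated router. To make the election rule concrete, here is an added Python model of DR/BDR election on one multi-access segment; it is not FortiOS code and not from the course. It assumes all routers start at once (no existing DR is preserved) and uses constructed router IDs; note that the router-ID tie-break must compare the dotted quads numerically, since a plain string comparison would rank 2.2.2.2 above 10.0.0.1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OspfRouter:
    router_id: str   # dotted quad, as in 'set router-id'
    priority: int    # interface priority 0-255, as in 'set priority'


def elect_dr_bdr(routers: List[OspfRouter]) -> Tuple[Optional[str], Optional[str]]:
    """Elect (DR, BDR) on one multi-access segment.

    Simplification: every router comes up at the same time, so no existing DR
    has to be preserved. Highest priority wins, ties go to the highest router ID
    compared numerically, and priority 0 makes a router ineligible.
    """
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r.priority, int(ipaddress.ip_address(r.router_id))),
                    reverse=True)
    dr = ranked[0].router_id if ranked else None
    bdr = ranked[1].router_id if len(ranked) > 1 else None
    return dr, bdr


def sample_segment(port1_priority: int = 100) -> List[OspfRouter]:
    # Constructed segment: the page's router 1.1.1.1 with priority 100 on port1,
    # two routers at the default priority 1, and one that refuses the DR role.
    return [OspfRouter("1.1.1.1", port1_priority),
            OspfRouter("2.2.2.2", 1),
            OspfRouter("10.0.0.1", 1),
            OspfRouter("3.3.3.3", 0)]


if __name__ == "__main__":
    print("priority 100 on port1:", elect_dr_bdr(sample_segment()))
    print("port1 set to priority 0:", elect_dr_bdr(sample_segment(0)))
```

With the page's priority 100, router 1.1.1.1 is the DR and 10.0.0.1 the BDR; dropping port1 to priority 0 removes it from the election entirely and the two priority-1 routers take both roles.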
BGP (Border Gateway Protocol)
  1. Define Neighbor Relationships:

    • BGP establishes peer connections with other routers (neighbors) for route exchange.

    • Example CLI:

      config router bgp
      set as 65001
      config neighbor
      edit "192.168.1.2"
      set remote-as 65002
      end
      end

  2. Use Filtering Policies to Optimize Routing Tables:

    • Use prefix lists or route maps to filter incoming or outgoing BGP routes.

    • Example CLI (le 32 makes the rule match every subnet inside 192.168.0.0/16 rather than only the /16 itself; the final permit rule is required because a prefix list ends with an implicit deny):

      config router prefix-list
      edit "block_private"
      config rule
      edit 1
      set prefix 192.168.0.0/16
      set le 32
      set action deny
      next
      edit 2
      set prefix any
      set action permit
      end
      end

    • Apply the prefix list to BGP:

      config router bgp
      config neighbor
      edit "192.168.1.2"
      set prefix-list-in "block_private"
      end
      end


Summary

  • Static Routing: Manually configure routes with next-hop gateways and priorities.
  • SD-WAN: Automatically distribute traffic across multiple WAN links for optimized performance.
  • Dynamic Routing (OSPF and BGP): Enable FortiGate to dynamically learn and share routes in complex networks.

Each method provides unique benefits depending on the size and requirements of your network.

Routing (Additional Content)

1. Static Routing – Blackhole Routes and Route Monitoring

Blackhole Routes

A blackhole route is a type of static route that discards packets silently if the destination is unreachable or should not be forwarded. It is often used as a security measure or failover mechanism.

Use Cases:

  • To drop traffic to specific destinations (e.g., known malicious IP ranges).
  • As part of a route failover strategy with route monitoring.

CLI Example:

config router static
edit 10
set dst 10.10.10.0/24
set blackhole enable
end

Traffic destined for 10.10.10.0/24 will be dropped if no better route exists.

Route Monitoring (Ping Server or Link Health Check)

Static routes can be tied to a health check mechanism that disables the route if a specified target becomes unreachable.

Use Case:

  • You want a static route to be removed automatically if the WAN gateway or remote server fails to respond to ICMP (ping).

CLI Example (FortiOS 7.4 attaches the health check to the interface as a link monitor; with update-static-route enabled, a failed monitor removes the static routes through that interface from the routing table; the monitor name "wan1-mon" is a placeholder):

config router static
edit 1
set dst 192.168.50.0/24
set gateway 10.10.10.1
set device "wan1"
set distance 10
set priority 1
end

config system link-monitor
edit "wan1-mon"
set srcintf "wan1"
set server "8.8.8.8"
set gateway-ip 10.10.10.1
set update-static-route enable
end

If 8.8.8.8 is unreachable, the static route will be withdrawn from the routing table.
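The static-route sections above (priority and distance in 4.1, the blackhole route, and route monitoring) all come down to one lookup rule: longest prefix first, then lowest administrative distance, then lowest priority value, over the routes that are currently active. The following Python model is an added example, not FortiOS code and not part of the course; it builds a constructed routing table from the page's prefixes (203.0.113.1 and 198.51.100.1 are documentation addresses standing in for the two WAN gateways, and "wan1-mon" is a hypothetical link-monitor name) and shows which route each destination takes before and after the monitor fails.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    dst: str                 # destination prefix in CIDR form ('set dst')
    gateway: str = ""        # next hop ('set gateway'); empty for a blackhole
    device: str = ""         # egress interface ('set device')
    distance: int = 10       # administrative distance ('set distance', default 10)
    priority: int = 1        # tie-breaker among equal-distance routes ('set priority')
    blackhole: bool = False  # 'set blackhole enable'
    monitor: str = ""        # hypothetical link monitor guarding this route, if any


class RoutingTable:
    """Toy model of FortiGate static route selection (not FortiOS code)."""

    def __init__(self, routes):
        self.routes = list(routes)
        self.failed_monitors = set()  # link monitors currently reporting failure

    def link_monitor_failed(self, name, failed=True):
        # Models 'set update-static-route enable': routes guarded by a failed
        # monitor are withdrawn from the active table until it recovers.
        if failed:
            self.failed_monitors.add(name)
        else:
            self.failed_monitors.discard(name)

    def active_routes(self):
        return [r for r in self.routes
                if not r.monitor or r.monitor not in self.failed_monitors]

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        candidates = [r for r in self.active_routes()
                      if addr in ipaddress.ip_network(r.dst)]
        if not candidates:
            return None
        # Longest prefix wins; among equal prefixes the lowest administrative
        # distance wins; priority only breaks ties between equal distances.
        return min(candidates,
                   key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen,
                                  r.distance, r.priority))

    def forward(self, ip):
        """Return 'no route', 'blackhole' or 'via <gateway> on <device>'."""
        route = self.lookup(ip)
        if route is None:
            return "no route"
        if route.blackhole:
            return "blackhole"
        return f"via {route.gateway} on {route.device}"


def build_table():
    # Constructed routing table built from the page's prefixes.
    return RoutingTable([
        # 4.1 example: distance 5 beats distance 10 even with a worse priority value.
        StaticRoute("192.168.2.0/24", "192.168.1.1", "port1", distance=5, priority=10),
        StaticRoute("192.168.2.0/24", "198.51.100.1", "wan2", distance=10, priority=1),
        # Equal distance: lower priority value wins; the wan1 route is monitored.
        StaticRoute("192.168.50.0/24", "203.0.113.1", "wan1", priority=1, monitor="wan1-mon"),
        StaticRoute("192.168.50.0/24", "198.51.100.1", "wan2", priority=5),
        # Default routes: primary via wan1 (monitored), backup via wan2 at distance 20.
        StaticRoute("0.0.0.0/0", "203.0.113.1", "wan1", distance=10, monitor="wan1-mon"),
        StaticRoute("0.0.0.0/0", "198.51.100.1", "wan2", distance=20),
        # The page's blackhole route, plus a more specific route that wins over it.
        StaticRoute("10.10.10.0/24", blackhole=True),
        StaticRoute("10.10.10.0/25", "192.168.1.1", "port1"),
    ])


if __name__ == "__main__":
    table = build_table()
    for ip in ("192.168.2.9", "192.168.50.7", "8.8.8.8", "10.10.10.200", "10.10.10.5"):
        print(ip, "->", table.forward(ip))
    table.link_monitor_failed("wan1-mon")
    print("after wan1 monitor failure: 192.168.50.7 ->", table.forward("192.168.50.7"))
```

Two things the model makes visible: a route can sit in the configuration and still never be used (the wan2 route for 192.168.2.0/24 loses on distance, the wan2 route for 192.168.50.0/24 loses on priority), and a blackhole route only catches traffic that no more specific route claims, so 10.10.10.5 is forwarded via the /25 while 10.10.10.200 is discarded.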

2. SD-WAN – Zones and Rule Matching Order

SD-WAN Zones (Legacy Concept)

In earlier versions of FortiOS, SD-WAN Zones were used to group interfaces for easier policy management. In modern FortiOS (6.4+), this concept has largely been replaced by centralized SD-WAN policies and services, but the idea still appears in exam content or older documentation.

Zone-based management allowed you to:

  • Define traffic flows between “zones” instead of individual interfaces.
  • Apply firewall policies based on zone names, simplifying configuration.

SD-WAN Rule Matching Order

When using SD-WAN rules to control traffic flow (e.g., VoIP, video, general internet), FortiGate processes rules top-down, just like firewall policies.

Important Points:

  • Rules are matched based on criteria such as source, destination, application, or service.
  • The first matching rule determines the selected SD-WAN member (interface).
  • SLA (Service Level Agreement) metrics (latency, jitter, packet loss) can affect whether a link is eligible.

Best Practice:

  • Place more specific rules (e.g., for VoIP or business-critical apps) above general ones (e.g., default internet access).
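The SD-WAN configuration steps in 4.2 and the rule-matching-order points above describe one decision procedure: walk the rules top-down, take the first that matches, and within that rule use the first preferred member that is inside its SLA. The Python below is an added model of that procedure, not FortiOS code and not from the course. The member measurements, the "VoIP Traffic" and "Internet" rules, and the fallback to the first configured member when no member meets the SLA are this model's own assumptions; the real device's behaviour in that last case depends on its configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Member:
    name: str          # SD-WAN member interface, e.g. wan1
    latency_ms: float  # values a health check would have measured
    jitter_ms: float
    loss_pct: float


@dataclass
class SLA:
    latency_threshold: float     # 'set latency-threshold' (ms)
    jitter_threshold: float      # 'set jitter-threshold' (ms)
    packetloss_threshold: float  # 'set packetloss-threshold' (%)

    def met_by(self, m: Member) -> bool:
        return (m.latency_ms <= self.latency_threshold
                and m.jitter_ms <= self.jitter_threshold
                and m.loss_pct <= self.packetloss_threshold)


@dataclass
class Rule:
    name: str
    dst: str                        # destination prefix the rule matches
    priority_members: List[str]     # preferred member order
    sla: Optional[SLA] = None       # None: no SLA requirement
    service: Optional[str] = None   # e.g. 'udp/5060'; None matches any service

    def matches(self, dst_ip: str, service: str) -> bool:
        in_prefix = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        return in_prefix and (self.service is None or self.service == service)


def select_member(rules: List[Rule], members: List[Member],
                  dst_ip: str, service: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (rule name, member name) for the first rule that matches, top-down."""
    by_name = {m.name: m for m in members}
    for rule in rules:  # list order is the order of the SD-WAN rule table
        if not rule.matches(dst_ip, service):
            continue
        ordered = [by_name[n] for n in rule.priority_members]
        if rule.sla is None:
            return rule.name, ordered[0].name
        for m in ordered:
            if rule.sla.met_by(m):   # first preferred member that is within SLA
                return rule.name, m.name
        # Simplifying assumption of this model: when no member meets the SLA,
        # stay with the first configured member instead of trying the next rule.
        return rule.name, ordered[0].name
    return None, None   # no SD-WAN rule matched; the routing table decides


def sample_members(wan1_latency: float = 20.0) -> List[Member]:
    # Constructed measurements; wan1_latency lets a caller degrade wan1.
    return [Member("wan1", wan1_latency, 3.0, 0.0),
            Member("wan2", 40.0, 8.0, 0.0)]


def sample_rules() -> List[Rule]:
    # Specific VoIP rule first, catch-all internet rule last (the page's best practice).
    voip_sla = SLA(latency_threshold=50, jitter_threshold=10, packetloss_threshold=1)
    return [Rule("VoIP Traffic", "192.168.10.0/24", ["wan1", "wan2"], sla=voip_sla),
            Rule("Internet", "0.0.0.0/0", ["wan2", "wan1"])]


if __name__ == "__main__":
    print("healthy:", select_member(sample_rules(), sample_members(), "192.168.10.5", "udp/5060"))
    print("wan1 degraded:", select_member(sample_rules(), sample_members(120.0), "192.168.10.5", "udp/5060"))
    print("rules reversed:", select_member(list(reversed(sample_rules())), "192.168.10.5", "udp/5060")
          if False else select_member(list(reversed(sample_rules())), sample_members(), "192.168.10.5", "udp/5060"))
```

Reversing the rule list shows why ordering matters: the catch-all "Internet" rule matches the VoIP destination first, so the SLA-protected rule is never consulted and the call is sent over wan2 regardless of link quality.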

3. Dynamic Routing Protocols – BGP Context and Route Maps

BGP as an Inter-AS Protocol

BGP (Border Gateway Protocol) is designed to operate between Autonomous Systems (ASes) and is the de facto routing protocol of the Internet.

Key Points:

  • Used in large-scale or multi-organization networks.
  • Operates over TCP port 179.
  • More scalable and policy-driven than OSPF or RIP.
  • In FortiGate, BGP is commonly used for:
    • Multi-homed internet connections
    • ISP peering
    • Advanced traffic engineering

Example Scenario (Exam-Oriented):

A FortiGate device at a data center uses BGP to advertise public prefixes to two ISPs and apply different preferences for route selection.

Route Maps in BGP

While prefix lists are used to filter which routes are allowed, route maps offer greater control by allowing:

  • Conditional filtering
  • Modifying route attributes, such as:
    • Local preference
    • Metric
    • Next-hop IP

Typical Usage:

  • Prefer one ISP over another for specific prefixes.
  • Prevent certain routes from being advertised to peers.

CLI Snippet (Basic Example):

config router route-map
edit "SetLocalPref"
config rule
edit 1
set match-ip-address "MyPrefixList"
set set-local-preference 200
next
end
next
end

Then apply the route-map inbound on the neighbor in BGP (local preference only influences routes received from the peer; it is never sent to an eBGP neighbor, so route-map-in is the place for it):

config router bgp
config neighbor
edit "203.0.113.1"
set route-map-in "SetLocalPref"
end
end
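To show how the BGP filtering from 4.3 and the route map above combine on one neighbor, here is an added Python model of the inbound pipeline (prefix-list-in, then route-map-in). It is not FortiOS code and not from the course; the received prefixes, "MyPrefixList" contents and the second catch-all route-map rule are constructed. It also demonstrates two details that bite in practice: a prefix-list rule without ge/le matches only the exact prefix length, and both prefix lists and route maps end with an implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrefixRule:
    prefix: Optional[str]     # CIDR, or None for 'set prefix any'
    action: str = "permit"    # 'set action permit|deny'
    ge: Optional[int] = None  # 'set ge'
    le: Optional[int] = None  # 'set le'

    def matches(self, cidr: str) -> bool:
        if self.prefix is None:
            return True
        net, base = ipaddress.ip_network(cidr), ipaddress.ip_network(self.prefix)
        # Without ge/le only the exact prefix length matches.
        lo = self.ge if self.ge is not None else base.prefixlen
        hi = self.le if self.le is not None else base.prefixlen
        return net.subnet_of(base) and lo <= net.prefixlen <= hi


def prefix_list_permits(rules: List[PrefixRule], cidr: str) -> bool:
    for rule in rules:            # first matching rule decides
        if rule.matches(cidr):
            return rule.action == "permit"
    return False                  # implicit deny at the end of every prefix list


@dataclass
class BgpRoute:
    prefix: str
    local_pref: int = 100         # default LOCAL_PREF


@dataclass
class RouteMapRule:
    match: Optional[List[PrefixRule]]     # 'set match-ip-address'; None matches all
    action: str = "permit"
    set_local_pref: Optional[int] = None  # 'set set-local-preference'


def apply_route_map(rules: List[RouteMapRule], route: BgpRoute) -> Optional[BgpRoute]:
    """Return the (possibly modified) route, or None if the route map drops it."""
    for rule in rules:
        if rule.match is None or prefix_list_permits(rule.match, route.prefix):
            if rule.action == "deny":
                return None
            pref = rule.set_local_pref if rule.set_local_pref is not None else route.local_pref
            return BgpRoute(route.prefix, pref)
    return None                   # implicit deny: unmatched routes are dropped


# The page's prefix list with 'le 32', so every subnet of 192.168.0.0/16 is caught.
BLOCK_PRIVATE = [PrefixRule("192.168.0.0/16", "deny", le=32), PrefixRule(None, "permit")]
# The same list without 'le 32': only the exact /16 matches the deny rule.
BLOCK_PRIVATE_EXACT = [PrefixRule("192.168.0.0/16", "deny"), PrefixRule(None, "permit")]

# Constructed 'MyPrefixList' and the SetLocalPref route map; the second rule is
# needed because a route map with only the first rule would drop every other route.
MY_PREFIX_LIST = [PrefixRule("203.0.113.0/24")]
SET_LOCAL_PREF = [RouteMapRule(MY_PREFIX_LIST, set_local_pref=200),
                  RouteMapRule(None)]


def process_neighbor(received: List[str]) -> Dict[str, int]:
    """Inbound pipeline for one neighbor: prefix-list-in, then route-map-in."""
    accepted = {}
    for cidr in received:
        if not prefix_list_permits(BLOCK_PRIVATE, cidr):
            continue
        route = apply_route_map(SET_LOCAL_PREF, BgpRoute(cidr))
        if route is not None:
            accepted[route.prefix] = route.local_pref
    return accepted


if __name__ == "__main__":
    print(process_neighbor(["192.168.5.0/24", "203.0.113.0/24", "198.51.100.0/24"]))
```

Running it, 192.168.5.0/24 is dropped by the prefix list, 203.0.113.0/24 arrives with local preference 200 and 198.51.100.0/24 keeps the default 100, which is exactly the "prefer one ISP for specific prefixes" outcome the text describes.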

Note for Exam: Even if detailed route-map syntax is not asked, you may need to understand what it’s used for and how it differs from prefix-lists.

Summary Table

Topic              Description                                          Exam Relevance
Blackhole Route    Drops traffic to specified destinations silently     Medium – config logic
Route Monitoring   Deactivates static routes on health check failure    High – real-world use
SD-WAN Zones       Interface grouping model for legacy SD-WAN control   Low – legacy concept
SD-WAN Rule Order  Rules matched top-down, first match wins             High – very testable
BGP Context        Internet-scale protocol for AS-to-AS routing         High – scenario-based
Route Maps         Modify/filter BGP routes with advanced logic         Medium – conceptual

Frequently Asked Questions

Why might a static route not be used even though it exists in the routing table?

Answer:

Because another route with a lower administrative distance or higher priority exists.

Explanation:

FortiGate selects routes based on several factors including administrative distance and priority. If another route to the same destination has a lower administrative distance, it will be preferred. Administrators troubleshooting routing problems should check the full routing table and route metrics to determine which route the firewall actually selects.

Demand Score: 82

Exam Relevance Score: 88

What is the purpose of a default route in a FortiGate configuration?

Answer:

To send traffic to unknown networks through a specified gateway.

Explanation:

A default route acts as a fallback when no specific route exists for a destination network. Typically, it points to the internet gateway. Without a default route, the firewall cannot forward traffic to external networks unless explicit routes are defined.

Demand Score: 78

Exam Relevance Score: 90

Why might asymmetric routing cause problems in a firewall environment?

Answer:

Because return traffic may bypass the firewall session state.

Explanation:

Firewalls maintain session tables that track active connections. If traffic enters through one interface but returns through another path that bypasses the firewall, the firewall cannot match the response to an existing session and may drop the packets. This situation is called asymmetric routing and is a common cause of intermittent connectivity issues.
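The explanation above is easiest to see with a session table in front of you. The Python below is an added illustration, not FortiOS code and not part of the course: a toy stateful firewall that only creates sessions for traffic from a constructed inside network (10.0.0.0/8) and accepts a reply only when it matches a session it already holds. In the asymmetric case the request leaves through one firewall and the reply comes back through a second one that never saw it, so the reply is dropped.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Toy session table: only traffic it saw leave may come back in."""

    def __init__(self, name: str, inside: str = "10.0.0.0/8"):
        self.name = name
        self.inside = ipaddress.ip_network(inside)  # constructed 'inside' network
        self.sessions = set()                       # original-direction 5-tuples

    def handle(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "accept (session match)"
        # Policy of this toy: new sessions may only be opened from the inside network.
        if ipaddress.ip_address(pkt.src) in self.inside:
            self.sessions.add(fwd)
            return "accept (new session)"
        return "drop (no session)"


REQUEST = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443)   # constructed
REPLY = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000)     # constructed


def symmetric_flow():
    # Request and reply both traverse the same firewall.
    fw = StatefulFirewall("fw-a")
    return fw.handle(REQUEST), fw.handle(REPLY)


def asymmetric_flow():
    # Request leaves through fw-a, but the return path delivers the reply to fw-b.
    fw_a, fw_b = StatefulFirewall("fw-a"), StatefulFirewall("fw-b")
    return fw_a.handle(REQUEST), fw_b.handle(REPLY)


if __name__ == "__main__":
    print("symmetric:", symmetric_flow())
    print("asymmetric:", asymmetric_flow())
```

The request succeeds in both cases, which is why asymmetric routing shows up as intermittent or one-directional failures rather than an obvious outage.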

Demand Score: 74

Exam Relevance Score: 87

What command or feature can administrators use to verify the routing table on FortiGate?

Answer:

The routing table can be checked using the get router info routing-table command.

Explanation:

This command displays the routes currently used by the firewall, including static routes, dynamic routes, and the default route. Administrators frequently use this command when troubleshooting connectivity problems to confirm that the correct route exists and is active.

Demand Score: 70

Exam Relevance Score: 85
