FCSS_EFW_AD-7.4 Routing

Detailed list of FCSS_EFW_AD-7.4 knowledge points

Routing Detailed Explanation

Routing is essential for directing traffic between networks. Below is a detailed breakdown of the key concepts and configurations for Static Routing, Dynamic Routing, Policy-Based Routing, and IPv6 and Multicast Routing.

4.1 Static Routing

Static routing involves manually configuring routes on the FortiGate device, suitable for smaller or less dynamic networks.

4.1.1 Configuring Static Routes

  1. Define Destination Networks, Gateways, and Distances:

    • A static route specifies the destination network, the next-hop gateway, and the interface to use. Here’s how to configure it:

      config router static
         edit 1
         set dst <Destination_Network> <Subnet_Mask>  # e.g., 192.168.2.0/24
         set gateway <Gateway_IP>  # e.g., 192.168.1.1
         set device <Interface_Name>  # e.g., port1
         end
      
    • Example:

      • Destination Network: 192.168.2.0/24
      • Gateway: 192.168.1.1
      • Interface: port1
  2. Verify the Route:

    • Use CLI to check the routing table:

      get router info routing-table all
      

4.1.2 Prioritize Routes Using Administrative Distance

  • Administrative Distance (AD, `distance` in the CLI) decides which route is installed when several routes exist for the same destination prefix. Only the route with the lowest distance is placed in the routing table; the others remain inactive in the routing database (get router info routing-table database) and are installed automatically if the preferred route disappears.

  • A lower AD value means higher priority. FortiOS defaults: connected 0, static 10, eBGP 20, OSPF 110, RIP 120, iBGP 200. To make a second static route a backup, give it a higher distance than the primary (default 10):

    config router static
        edit 2
        set dst <Destination_Network> <Subnet_Mask>
        set gateway <Backup_Gateway_IP>
        set device <Backup_Interface>
        set distance 20  # higher than the primary route's 10, so this route is used only when the primary is gone
        end

  • Static routes with the same distance are all installed; among them the lower `priority` value is preferred for forwarding, and equal priority gives ECMP.
    

4.2 Dynamic Routing

Dynamic routing protocols automatically update the routing table when network changes occur, suitable for large or complex networks.

4.2.1 Configuring OSPF (Open Shortest Path First)

  1. Enable OSPF on Interfaces:

    • OSPF is a link-state routing protocol that calculates the shortest path based on cost. The router ID must be unique in the OSPF domain; the network statement pulls every interface whose address falls inside the prefix into the given area:

      config router ospf
         set router-id <Router_ID>  # e.g., 1.1.1.1
         config area
             edit 0.0.0.0  # Backbone area
             end
         config network
             edit 1
             set prefix <Network_Address> <Subnet_Mask>  # e.g., 192.168.0.0 255.255.0.0
             set area 0.0.0.0
             end
         end
      
  2. Assign Interface OSPF Parameters:

    • Per-interface settings live in the ospf-interface table. The entry name is only a label; set interface binds it to the physical port. Hello and dead intervals must match on both sides of the link or the adjacency never forms:

      config router ospf
         config ospf-interface
             edit <Entry_Name>  # e.g., port1
             set interface <Interface_Name>  # e.g., port1
             set cost <Value>  # Lower cost = higher preference
             set hello-interval <Interval>  # e.g., 10 seconds
             set dead-interval <Interval>  # e.g., 40 seconds
             end
         end
      
  3. Verify OSPF Status:

    • Check OSPF neighbors (state should be Full):

      get router info ospf neighbor
      
    • Check which interfaces OSPF is actually running on and their timers:

      get router info ospf interface
      
    • View OSPF routes:

      get router info routing-table ospf
      

4.2.2 Configuring BGP (Border Gateway Protocol)

  1. Set BGP Parameters:

    • BGP is a path-vector protocol used for inter-AS communication.

      config router bgp
         set as <Your_AS_Number>  # Autonomous System Number
         config neighbor
             edit <Neighbor_IP>
             set remote-as <Remote_AS_Number>
             end
         end
      
  2. Advertise Networks:

    • Specify which networks to advertise:

      config router bgp
         config network
             edit 1
             set prefix <Network_Prefix>  # e.g., 10.1.0.0/16
             end
         end
      
  3. Verify BGP Peers:

    • Check the BGP neighbor relationship (state, uptime, prefix counts):

      get router info bgp summary
      get router info bgp neighbors
      
    • View the BGP table and the routes installed from it:

      get router info bgp network
      get router info routing-table bgp
      

4.3 Policy-Based Routing

Policy-Based Routing (PBR) allows routing decisions based on conditions like source address, service, or application rather than the destination.

4.3.1 Direct Traffic Based on Conditions

  1. Create a Policy Route:

    • Define routing conditions:

      config router policy
         edit 1
         set input-device <Interface_Name>  # e.g., port1
         set src <Source_Network> <Subnet_Mask>  # e.g., 192.168.1.0/24
         set dst <Destination_Network> <Subnet_Mask>  # e.g., 10.0.0.0/8
         set gateway <Next_Hop_IP>  # e.g., 192.168.1.254
         set output-device <Interface_Name>  # e.g., port2
         end
      
  2. Apply Service-Specific Conditions:

    • config router policy has no service-object field. A service is expressed as a protocol number plus a destination port range; for HTTP add to the policy route:

      set protocol 6  # TCP
      set start-port 80
      set end-port 80
      

4.3.2 Implement Backup Routes

  • A backup path is a second static route to the same destination with a higher administrative distance. It stays inactive while the primary route (distance 10) is present and is installed automatically when the primary is withdrawn:

    config router static
        edit 2
        set dst <Destination_Network> <Subnet_Mask>
        set gateway <Backup_Gateway_IP>
        set device <Backup_Interface>
        set distance 20  # Higher value makes this a backup
        end
    
  • A static route is only withdrawn when its interface goes down, not when the next hop silently stops forwarding. Use a link monitor (config system link-monitor with update-static-route enabled) to detect that case and remove the primary route so the backup takes over.
    

4.4 IPv6 and Multicast Routing

4.4.1 IPv6 Readiness

  1. Enable IPv6:

    • IPv6 is always available in the CLI; the global setting only exposes the IPv6 fields in the GUI:

      config system global
         set gui-ipv6 enable
         end
      
  2. Configure Dual-Stack (IPv4/IPv6):

    • The IPv6 address lives in the interface's ipv6 sub-table, next to the IPv4 address:

      config system interface
         edit <Interface_Name>
         set ip <IPv4_Address> <Subnet_Mask>
         config ipv6
             set ip6-address <IPv6_Address/Prefix_Length>  # e.g., 2001:db8::1/64
             end
         end
      
  3. Add IPv6 Static Routes:

    • Define IPv6-specific static routes. A link-local next hop (fe80::/10) is only meaningful together with an interface, so always set device:

      config router static6
         edit 1
         set dst <IPv6_Network/Prefix_Length>  # e.g., 2001:db8:0:1::/64
         set gateway <Next_Hop_IPv6>  # e.g., fe80::1
         set device <Interface_Name>  # e.g., port1
         end
      
    • Verify with get router info6 routing-table.
      

4.4.2 Multicast Routing

  1. Enable Multicast Forwarding and Multicast Routing:

    • multicast-forward (per VDOM) lets the FortiGate pass multicast packets between interfaces; multicast-routing turns on the PIM/IGMP control plane:

      config system settings
         set multicast-forward enable
         end

      config router multicast
         set multicast-routing enable
         end
      
  2. Configure PIM (Protocol Independent Multicast) and IGMP (Internet Group Management Protocol):

    • There is no separate config router pim or config router igmp table. PIM mode and the IGMP version are both set per interface under config router multicast:

      config router multicast
         config interface
             edit <Interface_Name>
             set pim-mode sparse-mode
             config igmp
                 set version 2
                 end
             end
         end
      
    • Sparse mode needs a rendezvous point: configure it under config router multicast, config pim-sm-global, config rp-address.

    • Multicast traffic through the FortiGate must also be allowed by a multicast policy (config firewall multicast-policy); without one it is dropped even with forwarding enabled.
      

Routing (Additional Content)

1. Dynamic Routing – BGP Route-Map and Prefix List for Outbound Filtering

While configuring BGP on FortiGate, it is often necessary to control which routes are advertised to peers. This can be done using prefix lists and route-maps, providing fine-grained outbound control—especially useful in multi-homed environments.

1.1 Why It Matters

  • Prefix lists and route-maps allow policy-based route advertisement.

  • Helps limit route propagation and comply with provider agreements.

  • While not always tested, it shows up in real-world deployments and advanced exams.

1.2 Prefix List + Route-Map Example

Step 1: Define a Prefix List

config router prefix-list
    edit "ADVERTISED_ROUTES"
    config rule
        edit 1
        set prefix 10.1.0.0 255.255.0.0
        set ge 16
        set le 24
    end
end

This matches any prefix inside 10.1.0.0/16 whose length is between /16 and /24 inclusive (10.1.0.0/16 and 10.1.5.0/24 match; 10.1.5.0/25 and 10.2.0.0/16 do not). A rule without ge/le matches only the exact prefix length.

Step 2: Apply via Route-Map

config router route-map
    edit "EXPORT_FILTER"
    config rule
        edit 1
        set match-ip-address "ADVERTISED_ROUTES"
        set action permit
    end
end

Step 3: Bind Route-Map to BGP Neighbor

config router bgp
    config neighbor
        edit "203.0.113.1"
        set remote-as 65001
        set route-map-out "EXPORT_FILTER"
    end
end

Only routes matching the prefix list will be advertised to the BGP neighbor. Both the prefix list and the route-map end with an implicit deny, so a route-map whose only rule is this permit suppresses every other prefix; add further rules if anything else should be advertised. After changing the filter, confirm the result with get router info bgp neighbors 203.0.113.1 advertised-routes.
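The matching semantics above are easy to get wrong (the ge/le range, and the implicit deny at the end of both the prefix list and the route-map). The following Python model is added here as an illustration and is not FortiOS code; it reproduces those rules so you can predict what 203.0.113.1 would receive before committing the change. The prefix-list and route-map contents mirror the configuration above; the candidate prefixes in the main block are constructed.

```python
from ipaddress import ip_network

# Constructed prefix-list ADVERTISED_ROUTES: (prefix, ge, le, action).
# ge/le of None models a rule without ge/le, which matches the exact prefix length only.
ADVERTISED_ROUTES = [
    ("10.1.0.0/16", 16, 24, "permit"),
]

# Constructed route-map EXPORT_FILTER: rules in order, first match decides.
EXPORT_FILTER = [
    {"match_ip_address": ADVERTISED_ROUTES, "action": "permit"},
]


def prefix_list_action(plist, route):
    """Action of the first rule matching `route`, or 'deny' from the implicit deny."""
    route = ip_network(route)
    for prefix, ge, le, action in plist:
        prefix = ip_network(prefix)
        if route.version != prefix.version or not route.subnet_of(prefix):
            continue  # the route must lie inside the rule's prefix
        lo = prefix.prefixlen if ge is None else ge
        hi = prefix.prefixlen if le is None else le
        if lo <= route.prefixlen <= hi:
            return action
    return "deny"


def route_map_permits(rmap, route):
    """True if the first matching route-map rule permits; no matching rule is the implicit deny."""
    for rule in rmap:
        plist = rule.get("match_ip_address")
        if plist is not None and prefix_list_action(plist, route) != "permit":
            continue  # match clause not satisfied, try the next rule
        return rule["action"] == "permit"
    return False


def advertised(local_rib, rmap=EXPORT_FILTER):
    """Prefixes from the local BGP table that route-map-out would send to the neighbor."""
    return [p for p in local_rib if route_map_permits(rmap, p)]


if __name__ == "__main__":
    # Constructed local BGP table
    print(advertised(["10.1.0.0/16", "10.1.5.0/24", "10.1.5.0/25", "10.2.0.0/16", "0.0.0.0/0"]))
```

The model treats a route-map rule with no match clause as matching everything, which is how you would append a catch-all permit if the neighbor should also receive the remaining prefixes.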

2. Policy-Based Routing (PBR) – Priority over Regular Routing Table

Policy-based routing (PBR) allows administrators to override the default routing decision made by the routing table. It enforces rules based on source IP, destination, service, or interface, directing traffic along a different path.

2.1 Key Insight: PBR Overrides Routing Table

PBR takes precedence over the normal route lookup.

This means that if a packet matches a policy route, the policy route will be used, even if the destination is reachable via a shorter or better-metric path in the routing table. Policy routes are checked in sequence order and the first match wins. A policy route whose action is deny (stop policy routing) hands matching traffic back to the routing table; placing such a rule above a broader permit is how you exempt specific hosts or services from it.

2.2 Use Case Example

Route HTTP traffic from a specific subnet via a different ISP:

config router policy
    edit 1
    set input-device "port1"
    set src 192.168.1.0 255.255.255.0
    set dst 0.0.0.0 0.0.0.0
    set protocol 6
    set start-port 80
    set end-port 80
    set output-device "wan2"
    set gateway 203.0.113.254
end

This routes only HTTP (TCP port 80) traffic from the 192.168.1.0/24 subnet through a second WAN link. config router policy has no service-object field, so the service is written as a protocol number and a destination port range. The reply traffic still needs a firewall policy that permits it, and 203.0.113.254 must be reachable on wan2.
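As an added illustration, not FortiOS code, the Python model below walks a packet through policy routes the way the text describes: in sequence order, first match wins, and a deny action means stop policy routing and fall through to the routing table. Rule 1 mirrors the policy above with the service expressed as protocol 6, ports 80-80. Rule 2 (a jump-host exemption), the sample packets, and the link_up callback are constructed for the example; link_up models the assumption that a matching policy route whose output interface is down is skipped rather than blackholing traffic, which you should confirm on your own FortiOS release.

```python
from ipaddress import ip_address, ip_network

ROUTING_TABLE = "routing-table"  # sentinel: no policy route applies, do a normal route lookup

# Constructed policy routes in seq-num order.
POLICY_ROUTES = [
    {   # seq 1: HTTP from the LAN subnet leaves via wan2 (mirrors the config above)
        "input_device": "port1",
        "src": "192.168.1.0/24",
        "dst": "0.0.0.0/0",
        "protocol": 6,            # set protocol 6 (TCP)
        "dst_ports": (80, 80),    # set start-port 80 / set end-port 80
        "action": "permit",
        "output_device": "wan2",
        "gateway": "203.0.113.254",
    },
    {   # seq 2 (constructed): SSH from a jump host is excluded from policy routing
        "input_device": "port1",
        "src": "192.168.1.10/32",
        "dst": "0.0.0.0/0",
        "protocol": 6,
        "dst_ports": (22, 22),
        "action": "deny",         # stop policy routing: use the routing table
    },
]


def matches(rule, pkt):
    """All clauses of a policy route must match; protocol 0 and port range (0, 0) mean any."""
    if rule["input_device"] != pkt["in_if"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    if rule.get("protocol", 0) and rule["protocol"] != pkt["proto"]:
        return False
    lo, hi = rule.get("dst_ports", (0, 0))
    if (lo or hi) and not lo <= pkt["dport"] <= hi:
        return False
    return True


def route_packet(pkt, policies=POLICY_ROUTES, link_up=lambda dev: True):
    """Return (output_device, gateway) chosen by policy routing, or ROUTING_TABLE.

    Policy routes are walked in order; the first match wins. A deny action ends
    policy routing. A matching route whose output interface is down is skipped
    (assumption modelled by link_up) so later rules and the routing table still apply.
    """
    for rule in policies:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "deny":
            return ROUTING_TABLE
        if not link_up(rule["output_device"]):
            continue
        return (rule["output_device"], rule["gateway"])
    return ROUTING_TABLE


if __name__ == "__main__":
    # Constructed packet: HTTP from a LAN host to an internet address
    print(route_packet({"in_if": "port1", "src": "192.168.1.20", "dst": "198.51.100.7", "proto": 6, "dport": 80}))
```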

3. IPv6 and Multicast – FortiGate as a Forwarder, Not a Source

When configuring Multicast Routing or IPv6 Multicast, it’s important to understand the role of the FortiGate in multicast networks.

3.1 Key Concept: FortiGate is a Forwarder

FortiGate devices do not originate multicast traffic and do not act as multicast hosts.

Instead, FortiGate:

  • Forwards multicast traffic between interfaces (if multicast-forward is enabled).

  • Participates in multicast control plane protocols such as:

    • IGMP (Internet Group Management Protocol) – for group membership.

    • PIM (Protocol Independent Multicast) – for building multicast forwarding trees.

3.2 Practical Use Case

In a network with IPTV streaming servers:

  • FortiGate can receive IGMP reports from clients.

  • Use PIM sparse-mode to forward multicast streams from the source (e.g., server behind a router) to clients on other VLANs.

Enable global multicast forwarding and the multicast routing process:

config system settings
    set multicast-forward enable
end

config router multicast
    set multicast-routing enable
end

Enable PIM sparse mode on specific interfaces (PIM is configured per interface under config router multicast; there is no config router pim table):

config router multicast
    config interface
        edit "lan"
        set pim-mode sparse-mode
    end
end

Summary Table

  Topic                        | Key Concept                                                  | Command Reference / Note
  -----------------------------|--------------------------------------------------------------|------------------------------------------------------------------
  BGP Route-Map & Prefix-List  | Control route advertisement via policies                     | route-map-out and prefix-list on the BGP neighbor
  PBR Priority                 | Policy-based rules override routing table decisions          | PBR evaluated before static/dynamic routes; action deny falls back to the routing table
  FortiGate & Multicast        | FortiGate forwards but does not originate multicast traffic  | Enable multicast-forward and multicast-routing, use IGMP + PIM

Frequently Asked Questions

Why does a FortiGate show a BGP neighbor in the established state but no routes are installed in the routing table?

Answer:

Routes are typically filtered or rejected by policy, prefix filtering, or route-map configuration.

Explanation:

A BGP session being established only confirms that the TCP session and BGP negotiation succeeded. It does not guarantee that routes will be accepted or installed. On FortiGate, routes may be filtered by prefix lists, route maps, or inbound policies. Another common cause is administrative distance: a more preferred route for the same prefix already exists in the routing table, such as a static route (distance 10 against 20 for eBGP), so the BGP route stays in the BGP table but is not installed. In some cases, the BGP neighbor may not actually be advertising any prefixes. Verify with get router info bgp summary (prefix count per neighbor), get router info bgp network (the BGP table) and get router info bgp neighbors <ip> routes (what that peer sent), and confirm that no inbound filter is preventing route acceptance.

Why does an OSPF adjacency form successfully but routes are not learned?

Answer:

Routes are not advertised due to missing network statements, area mismatches, or route filtering.

Explanation:

OSPF neighbors may reach the FULL adjacency state even if route exchange is limited. If the interface networks are not included in the OSPF configuration, the device will not advertise them. Another frequent cause is area misconfiguration, where interfaces belong to different areas or stub settings conflict. Route filtering mechanisms such as distribute lists may also prevent routes from being installed. Check the link-state database with get router info ospf database, confirm the interfaces are listed in get router info ospf interface with the intended area, and verify that no filtering rules block the routes.

Why might FortiGate prefer a static route over a BGP route?

Answer:

Static routes typically have a lower administrative distance than BGP routes.

Explanation:

FortiGate selects routes based on administrative distance and priority. Static routes usually have a lower administrative distance (default 10) than dynamic routes like BGP (default 20 for eBGP, 200 for iBGP), meaning they are considered more trustworthy. When both routes exist for the same destination prefix, the firewall installs the route with the lowest administrative distance into the routing table; the other remains inactive in the routing database. If administrators want BGP routes to take precedence, they must raise the distance of the static route (or lower distance-external under config router bgp) or remove the conflicting static route. Note that this comparison only applies to identical prefixes: a more specific BGP prefix still wins over a broader static route because longest prefix match is applied before administrative distance. Understanding this behavior is essential when integrating dynamic routing with manually configured routes.
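To make the selection order concrete for both the administrative-distance discussion in 4.1.2 and this question, here is a Python model of how FortiOS populates and consults the routing table: only the lowest-distance route per prefix becomes active, forwarding picks the longest matching prefix, and priority breaks ties among active static routes. This is an added example, not FortiOS code; the routing database contents are constructed, and the distance defaults are the FortiOS ones.

```python
from ipaddress import ip_address, ip_network

# FortiOS default administrative distances (static via 'set distance' per route,
# BGP via distance-external / distance-internal, OSPF via 'set distance').
DEFAULT_DISTANCE = {"connected": 0, "static": 10, "ebgp": 20, "ospf": 110, "rip": 120, "ibgp": 200}


def candidate(prefix, proto, gateway, device, distance=None, priority=1):
    """One entry of the routing database (every route the FortiGate knows about).
    priority: lower value preferred among same-distance static routes."""
    return {
        "prefix": ip_network(prefix),
        "proto": proto,
        "gateway": gateway,
        "device": device,
        "distance": DEFAULT_DISTANCE[proto] if distance is None else distance,
        "priority": priority,
    }


def build_routing_table(database):
    """Per prefix, only the lowest-distance route(s) become active; the rest stay inactive."""
    table = {}
    for r in database:
        current = table.get(r["prefix"])
        if current is None or r["distance"] < current[0]["distance"]:
            table[r["prefix"]] = [r]   # better distance replaces what was active
        elif r["distance"] == current[0]["distance"]:
            current.append(r)          # same distance: both are installed
    return table


def lookup(table, destination):
    """Forwarding decision: longest prefix first, then lowest priority value; ties are ECMP."""
    dst = ip_address(destination)
    matching = [(prefix, routes) for prefix, routes in table.items() if dst in prefix]
    if not matching:
        return []
    _, routes = max(matching, key=lambda m: m[0].prefixlen)
    best = min(r["priority"] for r in routes)
    return [f"{r['proto']} via {r['gateway']} {r['device']}" for r in routes if r["priority"] == best]


# Constructed routing database: a static and an eBGP route for the same /16,
# a more specific /24 from eBGP, and two default routes differing only in priority.
DATABASE = [
    candidate("10.1.0.0/16", "static", "192.168.1.1", "port1"),
    candidate("10.1.0.0/16", "ebgp", "203.0.113.1", "wan1"),
    candidate("10.1.5.0/24", "ebgp", "203.0.113.1", "wan1"),
    candidate("0.0.0.0/0", "static", "203.0.113.254", "wan1", priority=5),
    candidate("0.0.0.0/0", "static", "198.51.100.254", "wan2", priority=10),
]


def next_hops(destination, database=DATABASE):
    """Active next hop(s) for a destination, as FortiOS would forward it."""
    return lookup(build_routing_table(database), destination)


if __name__ == "__main__":
    for dst in ("10.1.9.9", "10.1.5.9", "8.8.8.8"):
        print(dst, "->", next_hops(dst))
```

Raising the static route's distance above 20 (the distance=30 case in the test below) is exactly the remedy the answer describes: the eBGP route then becomes the active one for 10.1.0.0/16.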

What command can help verify whether BGP routes are being received from a neighbor?

Answer:

Use get router info bgp summary, get router info bgp neighbors <ip> routes and get router info bgp network to see neighbor state, what the peer sent, and what made it into the BGP table.

Explanation:

When troubleshooting BGP, administrators must verify whether the firewall is actually receiving routes from the neighbor. get router info bgp summary shows each peer's state and the number of prefixes accepted from it; get router info bgp neighbors <ip> routes lists the routes learned from that peer after inbound policy; get router info bgp network shows the resulting BGP table, and get router info routing-table bgp shows which of those routes were installed. If routes appear in the BGP table but not in the routing table, filtering or administrative distance is the likely cause. If no routes appear at all, the neighbor may not be advertising prefixes or an inbound policy is rejecting them. Comparing these outputs tells you whether the problem is advertisement, filtering, or installation.

Why is dynamic routing recommended in large enterprise FortiGate deployments?

Answer:

Dynamic routing automatically adapts to topology changes and simplifies network management.

Explanation:

In large enterprise environments, networks often contain multiple sites, redundant paths, and frequent topology changes. Managing static routes across many devices becomes complex and error-prone. Dynamic routing protocols such as OSPF and BGP allow routers and firewalls to automatically exchange routing information and adjust to network changes. If a link fails, the protocol recalculates routes and updates the routing tables without manual intervention. This improves network resilience, simplifies administration, and ensures optimal traffic paths across large infrastructures.
