NSE7_EFW-7.2 Routing

Routing Detailed Explanation

Routing is a critical function in FortiGate that ensures traffic is directed efficiently through the network. It includes basic static routes, advanced dynamic routing protocols, and modern SD-WAN features to optimize traffic flow.

4.1 Static Routing

Static Routing involves manually defining routes for traffic to specific destinations. It’s the simplest form of routing but lacks the flexibility of dynamic routing.

4.1.1 Default and Destination-Specific Routes

  • Default Route:

    • A route used when no specific route matches the destination. It typically points to the internet gateway.

    • Example Configuration:

      config router static
          edit 1
              set dst 0.0.0.0/0
              set gateway 192.168.1.254
              set device "wan1"
          next
      end
      
    • Here, 0.0.0.0/0 matches any destination that no more specific route covers (FortiGate always prefers the longest matching prefix), and 192.168.1.254 is the next hop. FortiOS requires set device on every static route; "wan1" is assumed here to be the interface that reaches that gateway.

  • Destination-Specific Route:

    • Used for traffic to a particular network or host.

    • Example Configuration:

      config router static
          edit 2
              set dst 10.0.0.0/24
              set gateway 192.168.2.1
              set device "port2"
          next
      end
      
    • Because 10.0.0.0/24 is more specific than 0.0.0.0/0, traffic to that subnet uses this route and everything else falls back to the default route. "port2" is assumed to be the interface facing 192.168.2.1.


4.1.2 ECMP (Equal Cost Multi-Path)

  • What is ECMP?

    • ECMP lets FortiGate install several routes to the same destination and spread sessions across them, adding bandwidth and redundancy. Routes qualify for ECMP only when they have the same destination, the same distance and the same priority.
  • How to Configure ECMP:

    • Add multiple static routes with the same destination but different gateways and interfaces:

      config router static
          edit 1
              set dst 0.0.0.0/0
              set gateway 192.168.1.254
              set device "wan1"
              set distance 10
          next
          edit 2
              set dst 0.0.0.0/0
              set gateway 192.168.2.254
              set device "wan2"
              set distance 10
          next
      end
      
    • FortiGate balances sessions, not individual packets, across both gateways. The default algorithm is source-IP based, so every session from one source IP sticks to the same gateway; the algorithm is chosen under config system settings with set v4-ecmp-mode (source-ip-based, weight-based, usage-based or source-dest-ip-based). Once SD-WAN is enabled, the SD-WAN load-balance-mode takes over this choice.

4.2 Dynamic Routing

Dynamic Routing uses protocols to learn routes from neighbouring routers and to adjust them automatically when the topology changes. FortiGate supports RIP, OSPF, IS-IS and BGP; OSPF and BGP are the two this exam concentrates on.

4.2.1 OSPF (Open Shortest Path First)

  • Key Features:

    • OSPF divides networks into areas to optimize routing efficiency.
    • Neighbor relationships are established between OSPF-enabled routers to exchange routing information.
  • Steps to Configure OSPF:

    1. Define OSPF Areas:

      • Example: Set up area 0 as the backbone area.
      config router ospf
         set router-id 1.1.1.1
         config area
             edit 0.0.0.0
             next
         end
      end
      
    2. Enable OSPF on Interfaces:

      • Assign networks to the OSPF process:
      config router ospf
         config network
             edit 1
                 set prefix 192.168.1.0/24
                 set area 0.0.0.0
             next
         end
      end
      
    3. Adjust OSPF Costs:

      • OSPF chooses the path with the lowest total cost, so lowering an interface's cost pulls traffic onto it. The default cost is derived from the interface bandwidth; an explicit cost is set per interface inside the OSPF process, not under config system interface:
      config router ospf
         config ospf-interface
             edit "port1-ospf"
                 set interface "port1"
                 set cost 10
             next
         end
      end
      

4.2.2 BGP (Border Gateway Protocol)

  • Key Features:

    • BGP is used in larger networks, such as those connecting multiple ISPs.
    • It relies on neighbor relationships (peers) and AS (Autonomous System) numbers for route propagation.
  • Steps to Configure BGP:

    1. Define BGP Neighbors:

       config router bgp
          set as 65001
          set router-id 1.1.1.1
          config neighbor
              edit "192.168.1.2"
                  set remote-as 65002
              next
          end
       end
       
       • 65001 is the local AS and 65002 the peer's. Because they differ this is an eBGP session, whose routes FortiGate installs with administrative distance 20 (iBGP, same AS on both sides, gets 200).
    2. Advertise Networks:

      • Share networks with BGP peers:
      config router bgp
         config network
             edit 1
                 set prefix 192.168.1.0/24
             next
         end
      end
      
    3. Apply Route Filters:

      • Control which routes are shared or accepted. An access list ends with an implicit deny, so a list that only denies 10.0.0.0/24 would block every route; add a final rule that permits the rest:
      config router access-list
         edit "filter1"
             config rule
                 edit 1
                     set prefix 10.0.0.0/24
                     set action deny
                 next
                 edit 2
                     set prefix any
                     set action permit
                 next
             end
         next
      end
      
      • The list does nothing until it is attached to a neighbor: under config router bgp > config neighbor > edit "192.168.1.2", set distribute-list-out "filter1" filters what is advertised to that peer and set distribute-list-in "filter1" filters what is accepted from it.

4.3 SD-WAN

SD-WAN (Software-Defined WAN) is a modern approach to routing, offering dynamic traffic management and link optimization.

4.3.1 Load Balancing

  • What It Does:

    • Dynamically distribute traffic across multiple WAN links based on performance metrics (e.g., latency, jitter, bandwidth).
  • Steps to Configure Load Balancing:

    1. Go to Network > SD-WAN in the GUI.
    2. Add member interfaces (e.g., WAN1, WAN2). An interface cannot become a member while a firewall policy or static route still references it directly; those objects must be rebuilt against the SD-WAN zone.
    3. Create a performance-based rule:
      • Define thresholds for latency, jitter, and packet loss in a performance SLA, then reference that SLA from an SD-WAN rule.
  • CLI Example:

    config system sdwan
        set status enable
        set load-balance-mode source-ip-based
        config members
            edit 1
                set interface "wan1"
                set gateway 192.168.1.254
            next
            edit 2
                set interface "wan2"
                set gateway 192.168.2.254
            next
        end
    end
    
    • Members join the default zone virtual-wan-link; load-balance-mode decides how sessions are spread between them when no SD-WAN rule matches. The gateways are assumed to match the static-route examples above.

4.3.2 Monitoring and Optimization

  • Health Checks:

    • A health check sends probes (ping by default) through each member to a server and tracks latency, jitter and packet loss. A member that fails is marked dead and removed from SD-WAN rule selection and ECMP until it recovers, so traffic is rerouted without any route change.

    • Example Configuration:

      config system sdwan
          config health-check
              edit "internet-check"
                  set server "8.8.8.8"
                  set protocol ping
                  set interval 500
                  set failtime 3
                  set recoverytime 5
              next
          end
      end
      
    • interval is in milliseconds, so this probes every 0.5 s; failtime 3 declares the member dead after three consecutive lost probes (about 1.5 s), and recoverytime 5 brings it back only after five consecutive successes, which keeps a flapping link from bouncing in and out of service.
      
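The two mechanisms described above, the SLA thresholds of 4.3.1 and the failtime/recoverytime counters of this health check, modelled in Python as an added example. This is not Fortinet code and not part of the original page: the metric definitions (mean latency, mean change between consecutive latencies as jitter, percentage of unanswered probes as loss) are this example's own simplification of what the health check reports, and all probe samples are constructed.

```python
"""Model SD-WAN health-check behaviour: SLA metrics from probe samples, and the
failtime/recoverytime hysteresis that decides when a member is dead or alive.

Added example for this study page; not Fortinet code. Metric definitions are a
simplification (assumption) and the probe samples below are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Sequence


def sla_metrics(rtts_ms: Sequence[Optional[float]]) -> Dict[str, float]:
    """Summarise a window of probe results; None means the probe went unanswered."""
    answered = [r for r in rtts_ms if r is not None]
    loss = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    latency = mean(answered) if answered else float("inf")
    jitter = (mean(abs(b - a) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return {"latency": latency, "jitter": jitter, "loss": loss}


def sla_met(m: Dict[str, float], latency_ms: float, jitter_ms: float, loss_pct: float) -> bool:
    """An SLA passes only if every configured threshold is met."""
    return m["latency"] <= latency_ms and m["jitter"] <= jitter_ms and m["loss"] <= loss_pct


@dataclass
class MemberState:
    """failtime / recoverytime are counts of consecutive probes, as in the CLI."""
    failtime: int = 5
    recoverytime: int = 5
    alive: bool = True
    consecutive_fail: int = 0
    consecutive_ok: int = 0

    def observe(self, probe_ok: bool) -> bool:
        if probe_ok:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if not self.alive and self.consecutive_ok >= self.recoverytime:
                self.alive = True
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.alive and self.consecutive_fail >= self.failtime:
                self.alive = False
        return self.alive


def simulate(probes: Sequence[bool], failtime: int, recoverytime: int) -> List[bool]:
    """Alive/dead state after each probe in the sequence."""
    member = MemberState(failtime, recoverytime)
    return [member.observe(p) for p in probes]


def flaps(states: Sequence[bool]) -> int:
    """Number of alive<->dead transitions; fewer means less route churn."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


def detection_delay_ms(interval_ms: int, failtime: int) -> int:
    """Worst-case time before a hard link failure is declared, from the CLI values."""
    return interval_ms * failtime


# Constructed probe RTTs (ms) for two members over one window; None = no reply.
WAN1_RTTS = [20, 22, 21, None, 23, 20, 21, 22, 20, 21]
WAN2_RTTS = [30, 31, 30, 32, 31, 30, 31, 30, 31, 30]
# Constructed reachability sequence with a short blip followed by a real outage.
PROBES = [True, True, False, False, False, True, False, False, False,
          True, True, True, True, True, True]

if __name__ == "__main__":
    for name, rtts in (("wan1", WAN1_RTTS), ("wan2", WAN2_RTTS)):
        m = sla_metrics(rtts)
        print(name, m, "SLA met:", sla_met(m, 50, 5, 5))
    print("flaps, no hysteresis:", flaps(simulate(PROBES, 1, 1)))
    print("flaps, failtime=3 recoverytime=5:", flaps(simulate(PROBES, 3, 5)))
    print("detection delay:", detection_delay_ms(500, 3), "ms")
```

wan1 fails the SLA on loss alone (one lost probe in ten is 10 %) even though its latency is better than wan2's, which is why an SD-WAN rule can steer traffic away from the faster link. The probe sequence shows the hysteresis: with failtime and recoverytime both 1 the member flaps four times, with the page's failtime 3 / recoverytime 5 it goes down once and comes back once.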

Practical Example Workflow

Here’s how routing features might be applied in a real-world scenario:

  1. Static Routing:
    • Configure a default route for internet traffic and a specific route for internal subnets.
  2. Dynamic Routing:
    • Use OSPF to manage routes between branch offices and adjust costs to prioritize specific paths.
  3. SD-WAN:
    • Distribute traffic between two ISPs based on link performance, ensuring optimal user experience.

Why Routing is Important

Routing ensures that data packets reach their destinations efficiently. Mastering static, dynamic, and SD-WAN routing allows you to design resilient and high-performance networks. Start with simple static routes and gradually explore dynamic protocols and SD-WAN for more advanced use cases.

Routing (Additional Content)

1. Policy-Based Routing (PBR)

What Is Policy-Based Routing?

Policy-Based Routing (PBR) allows you to override the routing table and direct traffic based on custom criteria such as:

  • Source IP address or subnet
  • Destination IP address
  • Services or applications
  • Incoming interface

Unlike regular routing, which chooses the path based on the destination IP and routing table, PBR gives control to the administrator to route traffic differently based on needs.

Use Cases:

  • In a dual-WAN scenario: Force specific users or applications (e.g., VoIP, video) through a preferred ISP.
  • In SD-WAN: Fine-tune traffic steering without relying solely on performance SLAs.
  • When integrating with MPLS/private circuits and needing traffic segmentation.

Configuration Example:

config router policy
    edit 1
        set input-device "port1"
        set src "192.168.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.10.10.1
        set output-device "wan2"
        set action permit
    next
end

Explanation:

This rule forces all traffic from 192.168.1.0/24 entering on port1 to the gateway 10.10.10.1 through wan2, regardless of what the routing table would choose. Policy routes are evaluated top-down by sequence number and the first match wins, so more specific rules belong above a broad one like this; a rule with set action deny stops policy routing for matching traffic and hands it back to the routing table, which is the usual way to keep internal subnets out of a catch-all rule. The policy route is only honoured when the routing table has a usable route out of wan2 for the destination (a default route via wan2 is enough); otherwise the packet falls through to normal routing.

2. Route Lookup and Diagnostic Commands

Troubleshooting routing issues is an essential skill. These CLI commands help determine how FortiGate is making routing decisions and are commonly used in both real-world troubleshooting and exams.

Useful CLI Commands:

  • View all routes:

    get router info routing-table all
    
  • List current active routes (kernel routing table):

    diagnose ip route list
    
  • Trace the path to a destination:

    execute traceroute <destination-ip>
    
  • Check OSPF neighbor status:

    get router info ospf neighbor
    
  • Check BGP peer and route status:

    get router info bgp summary
    

Exam Scenario:

You may get questions such as:

“Which command shows whether FortiGate has learned a specific route via OSPF?”
Correct answer: get router info routing-table ospf, which lists only the routes installed from OSPF (tagged O), or get router info routing-table details <prefix> to see which protocol, distance and metric installed one prefix. get router info ospf neighbor only shows adjacency state: a neighbor can be Full while the route you care about is still missing or beaten by a lower-distance static route.
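A small parser for the output of get router info routing-table all, added here as an example and not taken from the page or from Fortinet. Given text in the shape of that command's output it answers the exam question above (which protocol installed a prefix) and shows what the active table does for a destination, including the ECMP case where two routes tie. The sample table is constructed for the example, not captured from a device.

```python
"""Parse FortiGate routing-table output and answer "how was this route learned?"

Added example for this study page; not Fortinet code and not part of the original
page. It reads text in the shape of `get router info routing-table all` output;
SAMPLE_ROUTING_TABLE is constructed for the example, not a capture.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `get router info routing-table all` output.
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.1.254, wan1
S*      0.0.0.0/0 [10/0] via 192.168.2.254, wan2
C       192.168.1.0/24 is directly connected, port1
O       10.0.0.0/24 [110/20] via 192.168.1.2, port1, 00:05:12
O E2    10.5.0.0/16 [110/10] via 192.168.1.2, port1, 00:05:12
B       172.16.0.0/16 [20/0] via 192.168.1.2, port1, 00:10:01
"""

PROTOCOL_NAMES = {"C": "connected", "S": "static", "O": "OSPF", "B": "BGP",
                  "R": "RIP", "I": "IS-IS", "K": "kernel"}

# Protocol code, optional '*' (candidate default), optional OSPF sub-type (IA/E1/E2),
# prefix, then "[distance/metric] via gateway, interface" or "is directly connected".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2})(?P<cand>\*?)(?: (?P<sub>[A-Z0-9]{1,2}))?\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<gw>\S+), (?P<iface>[^,\s]+)"
    r"|is directly connected, (?P<ciface>[^,\s]+))"
)


@dataclass(frozen=True)
class Route:
    protocol: str
    prefix: ipaddress.IPv4Network
    distance: int
    metric: int
    gateway: Optional[str]
    interface: str
    candidate_default: bool


def parse_routing_table(text: str) -> List[Route]:
    """Return one Route per route line; header and legend lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix = ipaddress.ip_network(m["prefix"])
        if m["ciface"]:
            routes.append(Route("connected", prefix, 0, 0, None, m["ciface"], False))
        else:
            proto = PROTOCOL_NAMES.get(m["code"], m["code"])
            routes.append(Route(proto, prefix, int(m["ad"]), int(m["metric"]),
                                m["gw"], m["iface"], m["cand"] == "*"))
    return routes


def learned_via(prefix: str, routes: List[Route]) -> Optional[str]:
    """Protocol that installed this exact prefix in the active table, or None."""
    net = ipaddress.ip_network(prefix)
    for r in routes:
        if r.prefix == net:
            return r.protocol
    return None


def lookup(destination: str, routes: List[Route]) -> List[Route]:
    """Longest-prefix match against the active table; several results mean ECMP."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == longest]


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_ROUTING_TABLE)
    print("10.0.0.0/24 learned via:", learned_via("10.0.0.0/24", table))
    print("8.8.8.8 exits via:", [r.interface for r in lookup("8.8.8.8", table)])
```

The active table holds only the winning route per prefix, so learned_via answers the exam question directly; the routing database (get router info routing-table database) would also list the losing OSPF or BGP entries, and a parser for it needs to read the selection flags as well.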

3. Route Preference and Administrative Distance

What Is Administrative Distance?

Administrative Distance (AD) determines the priority of a route when multiple routing protocols provide paths to the same destination.

AD Comparison Table:

Route Type           Default AD (lower = higher priority)
Directly Connected   0
Static Route         10
eBGP                 20
OSPF                 110
iBGP                 200

Route Selection Logic:

If a route to 10.0.0.0/24 exists in both OSPF and static routes:

  • FortiGate prefers the static route because its AD is lower (10 < 110); the OSPF route stays in the routing database as a backup and is installed only if the static route disappears.
  • Distance is compared only among routes to the same prefix; a longer prefix always wins first, so an OSPF 10.0.0.0/24 beats a static 10.0.0.0/16 for traffic to 10.0.0.5 regardless of distance.

CLI Example to Set Distance:

config router static
    edit 1
        set dst 10.0.0.0/24
        set gateway 192.168.1.1
        set device "port1"
        set distance 5
    next
end

This puts the route below every dynamic protocol's default, so it wins against OSPF, eBGP and iBGP alike; only a directly connected route (AD 0) still beats it. The same knob works in the other direction: a static route with a distance above the dynamic protocol's (for example 250) becomes a floating static that is installed only when the dynamic route is withdrawn. Among static routes with equal distance, FortiGate uses priority (lower wins) as the tie-break, and routes that tie on both become ECMP.
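The full lookup order, policy routes from section 1 first and then the routing table with the distance and priority rules of this section and the ECMP case of 4.1.2, simulated in Python as an added example. This is not Fortinet code and not part of the original page: the order policy route, then longest prefix, then lowest distance, then lowest priority follows the page's text, while the rule that a policy route is skipped when the routing table has no route to the destination out of its output device is an assumption to confirm on your FortiOS version. All routes, addresses and interface names are constructed.

```python
"""Simulate FortiGate's per-packet lookup order: policy routes first, then the
routing table (longest prefix, lowest distance, lowest priority; equal survivors
share the load as ECMP).

Added example for this study page; not Fortinet code. The 'output device must
have a route to the destination' check is an assumption; routes are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Candidate:
    """One RIB entry. priority is the FortiOS static-route tie-break (lower wins)."""
    protocol: str
    prefix: str
    gateway: str
    device: str
    distance: int
    priority: int = 0


@dataclass(frozen=True)
class PolicyRoute:
    """One entry of `config router policy`; action "deny" means 'stop policy
    routing and use the routing table' for matching traffic."""
    input_device: str
    src: str
    dst: str
    gateway: str = ""
    output_device: str = ""
    action: str = "permit"


def matching_routes(rib: Sequence[Candidate], dst: str) -> List[Candidate]:
    ip = ipaddress.ip_address(dst)
    return [c for c in rib if ip in ipaddress.ip_network(c.prefix)]


def select_from_rib(rib: Sequence[Candidate], dst: str) -> List[Candidate]:
    """Longest prefix, then lowest distance, then lowest priority; ties are ECMP."""
    matches = matching_routes(rib, dst)
    if not matches:
        return []
    longest = max(ipaddress.ip_network(c.prefix).prefixlen for c in matches)
    matches = [c for c in matches if ipaddress.ip_network(c.prefix).prefixlen == longest]
    best_distance = min(c.distance for c in matches)
    matches = [c for c in matches if c.distance == best_distance]
    best_priority = min(c.priority for c in matches)
    return [c for c in matches if c.priority == best_priority]


def route_packet(src: str, dst: str, in_dev: str,
                 policy_routes: Sequence[PolicyRoute],
                 rib: Sequence[Candidate]) -> List[Tuple[str, str]]:
    """Return the (gateway, device) pairs the packet may use."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pr in policy_routes:  # evaluated top-down, first match wins
        if pr.input_device != in_dev:
            continue
        if s not in ipaddress.ip_network(pr.src) or d not in ipaddress.ip_network(pr.dst):
            continue
        if pr.action == "deny":
            break  # stop policy routing for this packet, fall through to the RIB
        # Assumption modelled here: the policy route is only honoured if the routing
        # table holds some route to dst that leaves via the output device.
        if any(c.device == pr.output_device for c in matching_routes(rib, dst)):
            return [(pr.gateway, pr.output_device)]
    return [(c.gateway, c.device) for c in select_from_rib(rib, dst)]


# Constructed RIB: two equal-cost defaults, a third default demoted by priority,
# a static /24 that beats the OSPF /24 on distance, and a BGP /16.
RIB = [
    Candidate("static", "0.0.0.0/0", "192.168.1.254", "wan1", 10),
    Candidate("static", "0.0.0.0/0", "192.168.2.254", "wan2", 10),
    Candidate("static", "0.0.0.0/0", "192.168.3.254", "wan3", 10, priority=20),
    Candidate("OSPF", "10.0.0.0/24", "192.168.1.2", "port1", 110),
    Candidate("static", "10.0.0.0/24", "192.168.1.1", "port1", 5),
    Candidate("BGP", "10.0.0.0/16", "172.16.0.1", "port2", 20),
]

# The page's policy route: everything from 192.168.1.0/24 entering port1 goes via wan2.
PR_BROAD = PolicyRoute("port1", "192.168.1.0/24", "0.0.0.0/0", "10.10.10.1", "wan2")
# A deny policy route placed in front of it keeps internal traffic on the routing table.
PR_KEEP_INTERNAL = PolicyRoute("port1", "192.168.1.0/24", "10.0.0.0/8", action="deny")

if __name__ == "__main__":
    print(route_packet("192.168.1.10", "8.8.8.8", "port1", [PR_BROAD], RIB))
    print(route_packet("192.168.1.10", "10.0.0.5", "port1", [PR_BROAD], RIB))
    print(route_packet("192.168.1.10", "10.0.0.5", "port1", [PR_KEEP_INTERNAL, PR_BROAD], RIB))
```

The second call is the pitfall the FAQ below describes: the page's catch-all policy route also captures traffic for 10.0.0.0/24 and sends it out wan2, and the static route with distance 5 never gets a vote. The third call shows the deny policy route fixing that, and the RIB alone shows longest prefix beating distance (the BGP /16 with AD 20 wins over the defaults for 10.0.5.5) and priority trimming wan3 out of the ECMP set.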

4. BGP Route Map (Advanced Use Case)

What Is a Route Map?

A BGP route map is used to filter, modify, or influence routing updates. It's FortiGate's way of controlling which routes are advertised or accepted, and how they're treated (e.g., modifying attributes like local preference or MED).

Use Cases:

  • Block the advertisement of private routes.
  • Prefer one BGP peer over another.
  • Change route metrics for traffic engineering.

Basic Configuration Example:

  1. Define an IP prefix list (ge 24 / le 24 restricts the match to exactly /24, which is also the default when neither is set):
config router prefix-list
    edit "BLOCKED-PREFIX"
        config rule
            edit 1
                set prefix 10.0.0.0/24
                set ge 24
                set le 24
            next
        end
    next
end
  2. Create the route map. A route map ends with an implicit deny, so a map whose only rule denies 10.0.0.0/24 would suppress every route; rule 2 permits everything else:
config router route-map
    edit "BLOCK-NET"
        config rule
            edit 1
                set match-ip-address "BLOCKED-PREFIX"
                set action deny
            next
            edit 2
                set action permit
            next
        end
    next
end
  3. Apply the route map to the BGP neighbor (route-map-out filters what is advertised to the peer; route-map-in filters and rewrites what is accepted from it):
config router bgp
    config neighbor
        edit "192.168.1.2"
            set route-map-out "BLOCK-NET"
        next
    end
end
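An evaluator for the prefix-list and route-map semantics used above, added here as an example and not taken from the page or from Fortinet. It implements first-match evaluation with an implicit deny at the end of both the prefix list and the route map, so it reproduces why the one-rule version of BLOCK-NET would advertise nothing, and it shows how ge/le widen a prefix-list match to a range of lengths and how an inbound map can raise local preference to prefer one peer. All rules and prefixes are constructed.

```python
"""Evaluate a FortiOS-style prefix list and route map against candidate BGP prefixes.

Added example for this study page; not Fortinet code and not part of the original
page. First-match evaluation with an implicit deny at the end of both the prefix
list and the route map; all rules and prefixes below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class PrefixRule:
    """One `config rule` entry of a prefix list. With neither ge nor le set the rule
    matches only the exact prefix length; ge/le widen it to a length range."""
    prefix: str            # "any" or CIDR
    action: str = "permit"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        if self.prefix == "any":
            return True
        base = ipaddress.ip_network(self.prefix)
        low = self.ge if self.ge is not None else base.prefixlen
        high = self.le if self.le is not None else (32 if self.ge is not None else base.prefixlen)
        return net.subnet_of(base) and low <= net.prefixlen <= high


def prefix_list_permits(rules: Sequence[PrefixRule], prefix: str) -> bool:
    """First matching rule decides; no match is an implicit deny."""
    net = ipaddress.ip_network(prefix)
    for rule in rules:
        if rule.matches(net):
            return rule.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapRule:
    """One route-map rule: match a prefix list (or everything when None), then
    deny, or permit with optional attribute changes."""
    action: str = "permit"
    match_ip_address: Optional[Sequence[PrefixRule]] = None
    set_local_preference: Optional[int] = None


def apply_route_map(rules: Sequence[RouteMapRule], prefix: str,
                    attrs: Optional[Dict[str, int]] = None) -> Optional[Dict[str, int]]:
    """Attributes of the route after the map, or None if it is filtered out."""
    attrs = dict(attrs or {"local_pref": 100})
    for rule in rules:
        if rule.match_ip_address is not None and not prefix_list_permits(rule.match_ip_address, prefix):
            continue  # this rule does not match; try the next one
        if rule.action == "deny":
            return None
        if rule.set_local_preference is not None:
            attrs["local_pref"] = rule.set_local_preference
        return attrs
    return None  # implicit deny at the end of the route map


def advertised(rules: Sequence[RouteMapRule],
               prefixes: Sequence[str]) -> Dict[str, Optional[Dict[str, int]]]:
    """What each candidate prefix looks like after the map (None = not advertised)."""
    return {p: apply_route_map(rules, p) for p in prefixes}


# The page's prefix list: exactly 10.0.0.0/24 (ge 24 / le 24 equals the default exact match).
BLOCKED_PREFIX = [PrefixRule("10.0.0.0/24", ge=24, le=24)]
# The route map with only a deny rule: the implicit deny then drops everything else too.
BLOCK_NET_AS_WRITTEN = [RouteMapRule("deny", BLOCKED_PREFIX)]
# The same map with a trailing permit so every other route is still advertised.
BLOCK_NET_FIXED = [RouteMapRule("deny", BLOCKED_PREFIX), RouteMapRule("permit")]
# An inbound map that prefers this peer by raising local preference.
PREFER_PEER = [RouteMapRule("permit", set_local_preference=200)]

CANDIDATES = ["10.0.0.0/24", "10.0.0.0/25", "192.168.1.0/24"]

if __name__ == "__main__":
    print("as written:", advertised(BLOCK_NET_AS_WRITTEN, CANDIDATES))
    print("fixed:     ", advertised(BLOCK_NET_FIXED, CANDIDATES))
```

Note that 10.0.0.0/25 passes the fixed map: the prefix list matches only the exact /24, so a more specific announcement of the same space is not blocked. A rule such as prefix 10.0.0.0/24 with ge 24 and le 32 would catch it too.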

Summary Table

Topic                    Purpose                                                      Exam Relevance
Policy-Based Routing     Override the routing table using traffic policies            High (real-world + exam use)
Routing Diagnostics      Command-line tools to trace and validate routing decisions   Very High
Route Preference & AD    Determines which route is preferred                          High (common trick questions)
BGP Route Maps           Filter or modify advertised/received routes                  Medium (bonus points topic)

Frequently Asked Questions

How can a static route be selected as valid in the routing table but still not get installed into the FIB?

Answer:

Because being the preferred route in the RIB does not always guarantee successful installation into the forwarding table.

Explanation:

This is a subtle but exam-relevant scenario, and Fortinet has published a troubleshooting article about routes that are valid in the routing database yet never reach the FIB. Operationally, the control plane has selected the route but the data plane is not forwarding with it. Check both places: get router info routing-table database shows the RIB, where a selected route is marked with > and a route that has actually been pushed to the FIB is also marked with *; diagnose ip route list shows the kernel forwarding table itself. A route that is selected but absent from the FIB points at the next checks: the outgoing interface is down or has no address, the gateway cannot be resolved through that interface, or another condition is stopping the kernel or hardware from programming the route. Candidates often stop at "the route exists", but packets follow the forwarding result, not the config line, so validate both RIB and FIB. In exam terms, the strongest answer shows that route selection and actual forwarding are related but separate stages.

Demand Score: 82

Exam Relevance Score: 90

When both policy routes and SD-WAN rules exist, which one is evaluated first?

Answer:

Policy routes are checked before SD-WAN rules during route selection for matching traffic.

Explanation:

This exact confusion appears in community discussions, and the answer matters because many troubleshooting mistakes start from the wrong lookup order. Fortinet guidance cited in those discussions states that FortiOS evaluates policy routes first; only if no policy route matches does traffic continue into the broader routing and SD-WAN decision process. Fortinet’s route-lookup explanation also reinforces that FortiGate performs route lookups systematically rather than “trying everything at once.” The practical consequence is that a broad policy route can override what an engineer expected SD-WAN to do. On the exam, the best answer is not merely the order itself, but the implication: if traffic is taking the wrong exit, inspect policy routing first before blaming SD-WAN health checks or rule priority. That troubleshooting order saves a lot of time.

Demand Score: 79

Exam Relevance Score: 94

If I have both BGP and a static route to the same destination over IPsec, why does the static route keep winning and prevent failover?

Answer:

Because FortiGate prefers routes based on route-selection rules, and a still-valid static route can remain preferred over BGP until its conditions change.

Explanation:

Admins repeatedly ask how to make BGP "take over" when a static route remains present for the same destination. Community threads show the symptom clearly: traffic keeps following the static entry (AD 10 beats eBGP at 20 and iBGP at 200), so failover never behaves the way the engineer expects. Dynamic routing does not override a valid static route just because BGP has learned a path. Design the routing policy so the preferred path changes when the underlying condition changes: give the static route a distance higher than the BGP route (a floating static, for example distance 250, installed only when BGP withdraws), or tie it to a link monitor (config system link-monitor with update-static-route enable) so the static route is removed when the tunnel stops answering probes. On the exam, the strongest answer is conceptual: do not treat BGP as magic failover while a more preferred static route is still viable. Understand route preference, installation state, and failure detection together.

Demand Score: 74

Exam Relevance Score: 88
