FortiGate Inf 01 Routing

Uploaded by gestradag-1

FortiGate Infrastructure

Routing

FortiOS 7.0
© Copyright Fortinet Inc. All rights reserved. Last Modified: Saturday, August 19, 2023
Lesson Overview

Routing on FortiGate

Routing Monitor and Route Attributes

Equal Cost Multipath Routing (ECMP)

Reverse Path Forwarding (RPF)

Best Practices

Diagnostics

© Fortinet Inc. All Rights Reserved. 2


Routing on FortiGate

Objectives
• Identify the routing capabilities on FortiGate
• Configure static routing
• Implement policy-based routes
• Control traffic for well-known internet services

What Is IP-Layer Routing?
• Routing is how packets are sent along a path—from point-to-point on the network—from
source to destination
• If the destination is on a subnet that is not directly connected to the router, the packet is relayed to
another router that is closer
• Entries in the routing table can be configured manually, dynamically, or both
• A FortiGate in NAT mode, among other things, is an OSI Layer 3 router



Route Lookup
• For any session, FortiGate performs a routing table lookup twice:
• For the first packet sent by the originator
• For the first reply packet coming from the responder
• Routing information is written to the session table
• All other packets for that session will use the same path
• Exception: After a routing table change, route information is flushed from the sessions and must be
relearned



Static Routes
• Configured manually, by an administrator
• Simple matching of packets to a route, based on the packet destination IP address
Network > Static Routes

Default route



Static Routes With Named Addresses
• Firewall addresses set to type IP/Netmask or FQDN can be used as destinations for
static routes

Network > Static Routes
Policy & Objects > Addresses



Dynamic Routes
• Paths are automatically discovered
• FortiGate communicates with neighboring routers to find the best routes
• Paths are also based on the packet destination IP address
• Routing becomes somewhat self-organizing
• FortiGate supports:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
• Intermediate System to Intermediate System (IS-IS)
System > Feature Visibility

You must enable Advanced Routing to display the GUI configuration menus for RIP, OSPF, BGP, Policy Routes, Routing Objects, and Multicast. You can configure IS-IS on the CLI.



Policy-Based Routes
Network > Policy Routes

• More granular matching than static routes:
• Protocol
• Source address
• Source ports
• Destination ports
• Type of service (ToS) bits
• Manually configured
• Have precedence over the routing table
• Maintained in a separate routing table



Policy-Based Routing Actions
Network > Policy Routes
• If traffic matches a policy-based route,
FortiGate either:
• Forwards traffic using the specified outgoing
interface to the specified gateway
• Stops policy routing and uses the routing table
instead



Internet Services Routing
• Route well-known internet services through specific WAN interfaces

Policy & Objects > Internet Service Database
Network > Static Routes

The Internet Service Database (ISDB) contains the IP addresses, protocols, and port numbers used by the most common internet services



IPv6 Routing
• Enable the IPv6 feature to support IPv6 routing configuration using the GUI
• Allows static and policy route configuration using IPv6 addresses
• Enables GUI configuration options of IPv6 versions of dynamic routing protocols

Network > Static Routes

System > Feature Visibility



Knowledge Check
1. Which objects can you use to create static routes?
A. ISDB objects
B. Service objects

2. When the Stop policy routing action is used in a policy route, which behavior is
expected?
A. FortiGate skips over this policy route and tries to match another in the list.
B. FortiGate routes the traffic based on the regular routing table.





Routing Monitor and Route Attributes

Objectives
• Interpret the routing table on FortiGate
• Identify how FortiGate decides which routes are activated in the
routing table
• Identify how FortiGate chooses the best route using route
attributes

Routing Table Monitor
Dashboard > Network > Routing > Policy (policy and ISDB routes)
Dashboard > Network > Routing > Static & Dynamic (static and dynamic routes)

• Displays only active routes
• Policy routes and ISDB routes are viewed in a separate table

Screenshot callouts: a manually configured policy route on the Policy tab; a manually configured static route and a directly connected route on the Static & Dynamic tab


Routing Monitor
Dashboard > Network > Static & Dynamic Routing
• Provides extended route lookup
• Checks both policy and regular routing tables
• If the lookup matches a policy route, the GUI is redirected to the policy route monitoring page
• You can search routes with:
• Destination IP/FQDN
• Destination port, source, protocol, source interface



Route Attributes
Dashboard > Network > Static & Dynamic Routing
• Each route in the routing table has the following attributes:
• Network
• Gateway IP
• Interfaces
• Distance
• Metric
• Priority

The Metric column is hidden in the GUI by default. Use the right-click menu to enable it.

FGT # get router info routing-table all
...omitted output...
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.200.1.254, port1
             [10/0] via 10.200.2.254, port2, [20/0]
C 10.0.1.0/24 is directly connected, port3
C 10.200.1.0/24 is directly connected, port1
C 10.200.2.0/24 is directly connected, port2



Distance
• Used to rank routes from most preferred (low distance value) to least preferred (high
distance value)
• If multiple routes for the same destination exist, the one with the lowest distance is
installed in the routing table (active), and the rest are not (standby)
Dashboard > Network > Routing > Static & Dynamic



Metric
• Used by dynamic routing protocols to identify the best route to a destination
• If multiple dynamic routes have the same distance, then the metric is used to break the
tie
• The route with the lowest metric is chosen
• The calculation method differs among routing protocols
Dashboard > Network > Routing > Static & Dynamic



Priority
• Used by static routes to determine the best route to a destination, when the distance is
the same
• If multiple static routes have the same distance, they are all installed in the routing table;
however, only the one with the lowest priority is considered the best path
Network > Static Routes



Knowledge Check
1. The Priority attribute applies to which type of routes?
A. Static
B. Dynamic

2. Which attribute does FortiGate use to determine the best route for a packet, if it
matches multiple dynamic routes that have the same Distance?
A. Priority
B. Metric

3. Which static route attribute does not appear on the GUI routing monitor?
A. Distance
B. Priority





ECMP Routing

Objectives
• Identify the requirements for ECMP routing
• Implement route redundancy and load balancing

ECMP
• If multiple routes of the same type (static, OSPF, or BGP) have the same attributes, they
can all be installed in the routing table and FortiGate can distribute traffic across all of
them
• To be considered for ECMP, routes must have the same values for the following
attributes:
• Destination subnet
• Distance
• Metric
• Priority

FGT # get router info routing-table all
…output omitted…
S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1
S 10.0.4.0/24 [10/0] via 10.0.3.254, port1, [5/0]
              [10/0] via 10.200.3.254, port2, [5/0]
C 10.200.3.0/24 is directly connected, port2
C 10.0.1.0/24 is directly connected, wan1
C 10.0.3.0/24 is directly connected, port1

Both routes for 10.0.4.0/24 are for the same destination subnet, and both share the same distance and priority values



ECMP Methods
• Source IP (default)
• Sessions from the same source IP address use the same route
• Source-destination IP
• Sessions with the same source and destination IP use the same route
• Weighted
• Sessions are distributed based on route, or interface weights
• Usage (spillover)
• One route is used until the volume threshold is reached, then the next route is used



Configuring ECMP
• The ECMP method is set on the CLI
# config system settings
# set v4-ecmp-mode [ source-ip-based | weight-based | usage-based | source-dest-ip-based ]
# end

• For weight-based ECMP, weight values are configured per interface, or per route on the CLI

# config system interface
# edit <interface name>
# set weight <0 to 255>
# end

# config router static
# edit <id>
# set weight <0 to 255>
# end

• For spillover ECMP, spillover thresholds are configured per interface on the CLI

# config system interface
# edit <interface name>
# set spillover-threshold <0 to 16776000>
# end

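The four ECMP methods above decide which of the equal routes a new session is pinned to. The following Python simulation is an added example and is not FortiOS code or part of this course: it models the session-to-route assignment for each v4-ecmp-mode value. The routes, session addresses, weights and link loads are constructed; the real FortiOS hashing and weighting functions are not documented on this page, so the sha256-based selection is an assumption that only preserves the behaviour the slides state (same source IP keeps the same route, a weight of 0 is never chosen, spillover fills routes in order).

```python
# Added example (not FortiOS code): simulate which ECMP route a new session is assigned
# under each v4-ecmp-mode. The routes, session addresses and link loads are constructed.
# FortiOS's real hashing and weighting functions are not documented on this page, so the
# sha256-based selection below is an assumption that only preserves the stated behaviour
# (same source IP -> same route, weight 0 -> never chosen, spillover in route order).
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass
class EcmpRoute:
    gateway: str
    interface: str
    weight: int = 0            # set weight <0 to 255>, per route or per interface
    spillover_kbps: int = 0    # set spillover-threshold <0 to 16776000>, per interface
    usage_kbps: int = 0        # constructed current load on the interface


def _bucket(*keys):
    """Deterministic hash of the session keys (assumption: stands in for the FortiOS hash)."""
    digest = hashlib.sha256("|".join(keys).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def pick_route(routes, src_ip, dst_ip, mode="source-ip-based"):
    """Return the ECMP route a new session src_ip -> dst_ip is assigned under `mode`."""
    if mode == "source-ip-based":          # default: sessions from one source share a route
        return routes[_bucket(src_ip) % len(routes)]
    if mode == "source-dest-ip-based":     # same source and destination share a route
        return routes[_bucket(src_ip, dst_ip) % len(routes)]
    if mode == "weight-based":             # share of sessions proportional to the weights
        total = sum(r.weight for r in routes)
        if total == 0:
            raise ValueError("weight-based ECMP needs at least one route with weight > 0")
        point = _bucket(src_ip, dst_ip) % total
        for r in routes:
            point -= r.weight
            if point < 0:
                return r
    if mode == "usage-based":              # spillover: fill each link up to its threshold
        for r in routes:
            if r.usage_kbps < r.spillover_kbps:
                return r
        return routes[-1]                  # every link is over threshold: stay on the last
    raise ValueError(f"unknown v4-ecmp-mode {mode!r}")


def distribute(routes, sessions, mode="source-ip-based"):
    """Count how many (src, dst) sessions land on each egress interface."""
    return Counter(pick_route(routes, s, d, mode).interface for s, d in sessions)


if __name__ == "__main__":
    # Constructed to match the ECMP example slide: two equal static routes to 10.0.4.0/24
    port1 = EcmpRoute("10.0.1.254", "port1", weight=3, spillover_kbps=1000)
    port2 = EcmpRoute("10.0.2.254", "port2", weight=1, spillover_kbps=1000)
    sessions = [(f"10.0.3.{h}", f"10.0.4.{h % 7 + 1}") for h in range(1, 51)]
    for mode in ("source-ip-based", "source-dest-ip-based", "weight-based", "usage-based"):
        print(f"{mode:22s} {dict(distribute([port1, port2], sessions, mode))}")
```

Running it shows why the default source-ip-based mode can leave one link idle when a single NAT device sends most sessions, and why usage-based (spillover) keeps everything on the first route until its threshold is reached.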


ECMP Example

Diagram: User A (10.0.3.1/24) and User B (10.0.3.2/24) are on 10.0.3.0/24 behind port3; FortiGate reaches 10.0.4.0/24 through both port1 (10.0.1.0/24) and port2 (10.0.2.0/24)

FGT # get router info routing-table all
…output omitted…
S 10.0.4.0/24 [10/0] via 10.0.1.254, port1, [5/0]
              [10/0] via 10.0.2.254, port2, [5/0]
C 10.0.1.0/24 is directly connected, port1
C 10.0.2.0/24 is directly connected, port2
C 10.0.3.0/24 is directly connected, port3

The first bracketed value ([10/0]) is the distance; the trailing bracketed value ([5/0]) is the priority



Knowledge Check
1. What is the default ECMP method on FortiGate?
A. Weighted
B. Source IP

2. How does FortiGate load balance traffic when using the spillover method in ECMP
routing?
A. Sessions are distributed based on interface threshold.
B. Sessions are distributed based on route weight.





RPF

Objectives
• Identify how FortiGate detects IP spoofing
• Block traffic from spoofed IP addresses
• Differentiate between and implement the different RPF check
methods

RPF
• Protects against IP spoofing attacks
• The source IP address is checked against the routing table for a return path
• RPF is only carried out on:
• The first packet in the session, not on a reply
• Two methods:
• Loose
• Strict



RPF Checking
• RPF checks for an active route back to the source IP through the incoming interface
• User A traffic is accepted because there is an active route (the default route) back to the source
• User B and C packets are denied because there are no active routes back to those sources

Diagram: User A (10.250.1.62) arrives on wan1 (10.0.1.0/24); User B (10.175.3.69) arrives on wan2 (10.0.2.0/24); User C (10.0.4.63, in 10.0.4.0/24) arrives on port1 (10.0.3.0/24)

FGT # get router info routing-table all
…output omitted…
S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1
C 10.0.1.0/24 is directly connected, wan1
C 10.0.2.0/24 is directly connected, wan2
C 10.0.3.0/24 is directly connected, port1



RPF Checking (Contd)
• Solutions:
• Add a static route back to 10.0.4.0/24
• Add a second default route, with the same distance, for wan2
• Use different priority values if you don’t want ECMP

Diagram: same topology as on the previous slide (User A 10.250.1.62 via wan1, User B 10.175.3.69 via wan2, User C 10.0.4.63 in 10.0.4.0/24 behind port1)

FGT # get router info routing-table all
…output omitted…
S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1
             [10/0] via 10.0.2.254, wan2, [5/0]
S 10.0.4.0/24 [10/0] via 10.0.3.254, port1
C 10.0.1.0/24 is directly connected, wan1
C 10.0.2.0/24 is directly connected, wan2
C 10.0.3.0/24 is directly connected, port1



RPF Methods
• Loose RPF (default)
• Checks that at least one active route back to the source uses the incoming interface
• strict-src-check disable
• Strict RPF
• Checks that the best route back to the source uses the incoming interface
• strict-src-check enable

# config system settings
# set strict-src-check [ disable | enable ]
# end

• Two ways to disable RPF checking
• Enable asymmetric routing, which disables RPF checking system wide (Reduces security! Not recommended!)

# config system settings
# set asymroute enable
# end

• Disable RPF checking at the interface level

# config system interface
# edit <interface>
# set src-check [ enable | disable ]
# end



Loose RPF Example
• Traffic from 10.0.4.1 spoofing the source IP address 10.0.1.1 passes the loose RPF check
• The wan1 default route is valid for the 10.0.1.0/24 subnet

Loose RPF:
# config system settings
# set strict-src-check disable
# end

Diagram: User A (10.0.1.1/24) and User B (10.0.1.2/24) are on 10.0.1.0/24 behind port1; User C (10.0.4.1) is beyond wan1. The arrows are labelled "SYN with source IP 10.0.1.1" (arriving on wan1), "SYN/ACK" and "RST"

FGT # get router info routing-table all
…output omitted…
S* 0.0.0.0/0 [10/0] via 10.0.2.254, wan1
C 10.0.1.0/24 is directly connected, port1
C 10.0.2.0/24 is directly connected, wan1



Strict RPF Example
• Traffic from 10.0.4.1 spoofing the source IP address 10.0.1.1 fails the strict RPF check
• The best route to 10.0.1.0/24 is not through wan1 because it has a higher distance

Strict RPF:
# config system settings
# set strict-src-check enable
# end

Diagram: User A (10.0.1.1/24) and User B (10.0.1.2/24) are on 10.0.1.0/24 behind port1; User C (10.0.4.1) is beyond wan1. The arrow is labelled "SYN with source IP 10.0.1.1" (arriving on wan1)

FGT # get router info routing-table all
…output omitted…
S* 0.0.0.0/0 [10/0] via 10.0.2.254, wan1
C 10.0.1.0/24 is directly connected, port1
C 10.0.2.0/24 is directly connected, wan1

Directly connected routes have a default distance of 0

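The route selection rules from the Route Attributes, Distance and Priority slides and the loose and strict RPF checks from the RPF slides, as an added Python model that is not FortiOS code or part of this course. It installs only the lowest-distance routes for each prefix (the rest are standby), picks the best path by longest prefix and then lowest priority, and applies the loose check (any active route back to the source via the incoming interface) and the strict check (the best route back must use the incoming interface) to a packet's source IP. The routing tables are constructed from the slides; assumptions are that a static route with no trailing [priority/weight] bracket is modelled with priority 0, that connected routes have distance 0 (as the slide states), and that when several best routes tie (ECMP) the strict check passes if any of them uses the incoming interface.

```python
# Added example (not FortiOS code): a small model of how FortiGate installs routes
# (lowest distance wins, the rest stay standby), picks the best path (longest prefix,
# then lowest priority) and applies the loose and strict RPF checks to a packet's
# source IP. The routing tables are constructed from the slides in this lesson.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network, e.g. "0.0.0.0/0"
    interface: str
    distance: int        # first bracket in the CLI output: [distance/metric]
    priority: int = 0    # trailing bracket on static routes; assumption: 0 when not shown
    gateway: str = ""    # empty for directly connected routes


def install(routes):
    """Active routing table: for each prefix only the lowest-distance routes are
    installed; routes with a higher distance for the same prefix are standby."""
    active = []
    for prefix in sorted({r.prefix for r in routes}):
        same = [r for r in routes if r.prefix == prefix]
        lowest = min(r.distance for r in same)
        active.extend(r for r in same if r.distance == lowest)
    return active


def matching(active, ip):
    """Every active route whose prefix contains ip (what the loose check looks at)."""
    addr = ipaddress.ip_address(ip)
    return [r for r in active if addr in ipaddress.ip_network(r.prefix)]


def best(active, ip):
    """Best path(s) to ip: longest prefix match, then lowest priority. Several
    routes come back only when they tie on both, i.e. they are ECMP paths."""
    routes = matching(active, ip)
    if not routes:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in routes)
    routes = [r for r in routes if ipaddress.ip_network(r.prefix).prefixlen == longest]
    lowest = min(r.priority for r in routes)
    return [r for r in routes if r.priority == lowest]


def rpf_passes(active, src_ip, in_interface, strict=False):
    """Loose RPF: at least one active route back to src_ip uses the incoming interface.
    Strict RPF: the best route back to src_ip must use the incoming interface."""
    candidates = best(active, src_ip) if strict else matching(active, src_ip)
    return any(r.interface == in_interface for r in candidates)


# Constructed from the "Strict RPF Example" slide (connected routes: distance 0)
RPF_SLIDE = install([
    Route("0.0.0.0/0", "wan1", 10, gateway="10.0.2.254"),
    Route("10.0.1.0/24", "port1", 0),
    Route("10.0.2.0/24", "wan1", 0),
])

# Constructed from the "Route Attributes" slide: two default routes with the same
# distance but different priorities are both installed; port1 is the best path
ATTR_SLIDE = install([
    Route("0.0.0.0/0", "port1", 10, priority=0, gateway="10.200.1.254"),
    Route("0.0.0.0/0", "port2", 10, priority=20, gateway="10.200.2.254"),
    Route("10.0.1.0/24", "port3", 0),
])

if __name__ == "__main__":
    # Spoofed SYN from User C: source 10.0.1.1 arriving on wan1
    print("loose :", rpf_passes(RPF_SLIDE, "10.0.1.1", "wan1"))
    print("strict:", rpf_passes(RPF_SLIDE, "10.0.1.1", "wan1", strict=True))
    print("best path to 8.8.8.8:", best(ATTR_SLIDE, "8.8.8.8")[0].interface)
```

The loose check passes the spoofed packet because the wan1 default route covers 10.0.1.1, while the strict check rejects it because the longest-prefix (connected, distance 0) route to 10.0.1.0/24 points at port1. The same install() function also shows the distance-based standby behaviour: a second default route with distance 20 only becomes active once the distance-10 route is removed.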


Knowledge Check
1. What is the default RPF check method on FortiGate?
A. Loose
B. Strict

2. Which route lookup scenario satisfies the RPF check for a packet?
A. Routing table has an active route for the destination IP of the packet
B. Routing table has an active route for the source IP of the packet





Best Practices

Objectives
• Configure the link health monitor
• Implement route failover
• Apply network design best practices
• Apply static route configuration best practices
• Use the forward traffic logs

Link Health Monitor
• Mechanism for detecting when a router along the path is down
• Periodically probes a server beyond the gateway
• If FortiGate doesn’t receive replies within the failover threshold, all static routes using the
gateway are removed from the routing table
• If standby routes are available, FortiGate activates and uses them instead



Link Health Monitor Configuration
# config system link-monitor
# edit <name>
# set srcintf <interface>
# set server <server ip>
# set gateway-ip <gateway ip>
# set protocol [ ping | tcp-echo | udp-echo | twamp | http ]
# set update-static-route [ enable | disable ]
# next
# end

Use a server IP located beyond the ISP gateway.
update-static-route removes all static routes associated with the srcintf in the event of an outage.



Route Failover Example

Diagram: FortiGate reaches the Internet through wan1 to ISP1 (ISP1-Server in the ISP1 network) and through wan2 to ISP2 (ISP2-Server)
1. The link health monitor probes the server located in the ISP1 network
2. The ISP1-Server does not respond to probes
3. FortiGate deactivates the primary route and activates the secondary route

Before Failover
FGT # get router info routing-table all
…output omitted…
S 0.0.0.0/0 [10/0] via 10.0.1.254, wan1
C 10.0.1.0/24 is directly connected, wan1
C 10.0.2.0/24 is directly connected, wan2

After Failover
FGT # get router info routing-table all
…output omitted…
S 0.0.0.0/0 [20/0] via 10.0.2.254, wan2
C 10.0.1.0/24 is directly connected, wan1
C 10.0.2.0/24 is directly connected, wan2



Best Practices—Network Design
• Apply proper network design practices
• Discontiguous networks are difficult to manage with static routing

Diagram: port1 connects to 10.4.0.0/24 (gateway 10.4.0.254/24) while port2 connects to 10.4.0.0/16 (gateway 10.4.0.254/16)

• If multiple paths exist for the same destination, use the distance attribute to ensure only one route is active at a time

CAUTION: Enabling asymmetric routing support disables FortiGate stateful inspection

Diagram: two possible paths (one over MPLS) for the same destination, 10.4.0.254/16



Best Practices—Configuration
• Try to summarize host routes (/32 subnet masks) to supernets
• Reduces routing table size, and the time it takes to do a route lookup
• For example, 10.4.0.100/32, 10.4.0.201/32, 10.4.0.69/32, 10.4.0.97/32 → 10.4.0.0/24
• For example, 10.4.0.29/32, 10.4.0.30/32 → 10.4.0.28/30
• Configure policy routes as an exception
• Large policy route tables are difficult to troubleshoot
• If ECMP routing cannot be used to achieve route redundancy, use the link health monitor
• It can be used in conjunction with the distance attribute to achieve route failover protection



Best Practices—Forward Traffic Logs
• Use the Destination Interface column in the Forward Traffic logs to determine the
egress interface for all traffic

Log & Report > Forward Traffic



Knowledge Check
1. What is the purpose of the link health monitor setting update-static-route?
A. It creates a new static route for the backup interface.
B. It removes all static routes associated with the link health monitor’s interface.

2. When using link health monitoring, which route attribute must you also configure to
achieve route failover protection?
A. Distance
B. Metric





Diagnostics

Objectives
• View active, standby, and inactive routes
• View policy routes on the CLI
• Use the built-in packet capture tools

Active Routes
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.25.176.1, port1
O 10.200.2.0/24 [110/2] via 192.167.1.130, port2, 01:01:30
C 10.200.3.0/24 is directly connected, port3
B 10.250.2.0/24 [200/0] via 10.200.3.1, port3, 00:45:12
C 172.25.176.0/24 is directly connected, port1
C 192.167.1.0/24 is directly connected, port2
S 192.168.1.0/24 [10/0] via 192.167.1.130, port2, [25/0]

The first bracketed pair is [Distance/Metric]; the trailing bracketed pair on static routes is [Priority/Weight]



Active, Standby and Inactive Routes
# get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
Routing table for VRF=0
S 0.0.0.0/0 [20/0] via 10.200.2.254, port2
S *> 0.0.0.0/0 [10/0] via 10.200.1.254, port1
C *> 10.0.1.0/24 is directly connected, port3
C *> 10.200.1.0/24 is directly connected, port1
C *> 10.200.2.0/24 is directly connected, port2
S 8.8.4.5/32 [10/0] via 10.255.255.5, port4 inactive

Routes marked *> are the active routes; the first 0.0.0.0/0 entry (distance 20, not marked) is a standby route; the 8.8.4.5/32 entry is an inactive route

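When you pull this output from many devices (or diff it before and after a change), a parser that labels each entry active, standby or inactive and extracts distance, metric and priority is more useful than reading it by eye. The following Python parser is an added example and is not FortiOS code or part of this course; its sample input is copied from the two slides above, and the parsing rules are assumptions drawn from the lines shown there: *> marks a selected route that is in the FIB, a trailing "inactive" marks an inactive route, and an indented "[d/m] via ..." line is an extra next hop for the preceding prefix.

```python
# Added example (not FortiOS code): parse the text of "get router info routing-table
# all" / "routing-table database" into records carrying the route's state and
# attributes. The samples are copied from the slides; the parsing rules are
# assumptions drawn from the lines shown there.
import re
from dataclasses import dataclass

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z][A-Za-z0-9]?)(?P<cand>\*?)\s*(?P<flags>[*>]*)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")
HOP_RE = re.compile(
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>\S+),\s*(?P<intf>[^\s,]+)"
    r"(?:,\s*\[(?P<priority>\d+)/(?P<weight>\d+)\])?(?:,\s*[\d:]+)?\s*(?P<tail>.*)$")
CONNECTED_RE = re.compile(r"is directly connected,\s*(?P<intf>\S+)")


@dataclass
class RouteEntry:
    code: str                  # S, C, O, B, ...
    prefix: str
    interface: str
    state: str                 # "active", "standby" or "inactive"
    distance: int = 0
    metric: int = 0
    priority: int = 0          # printed only when set; assumption: 0 when absent
    gateway: str = ""
    candidate_default: bool = False   # the "*" glued to the code, e.g. "S*"


def _entry(code, prefix, candidate, selected, rest, database):
    c = CONNECTED_RE.search(rest)
    if c:
        state = "active" if selected or not database else "standby"
        return RouteEntry(code, prefix, c.group("intf"), state, candidate_default=candidate)
    h = HOP_RE.match(rest)
    if not h:
        raise ValueError(f"unrecognised route line: {prefix} {rest}")
    if "inactive" in h.group("tail"):
        state = "inactive"
    elif selected or not database:     # "all" output only ever lists active routes
        state = "active"
    else:
        state = "standby"
    return RouteEntry(code, prefix, h.group("intf"), state,
                      distance=int(h.group("distance")), metric=int(h.group("metric")),
                      priority=int(h.group("priority") or 0), gateway=h.group("gateway"),
                      candidate_default=candidate)


def parse_routing_table(text, database=False):
    """database=True for 'routing-table database' output, where entries without *>
    are standby or inactive; in 'routing-table all' output every entry is active."""
    entries, last = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            last = (m.group("code"), m.group("prefix"), bool(m.group("cand")), ">" in m.group("flags"))
            entries.append(_entry(*last, m.group("rest"), database))
        elif line.startswith("[") and last:
            entries.append(_entry(*last, line, database))   # extra next hop, same prefix
    return entries


def not_active(entries):
    """The standby and inactive routes, i.e. what 'routing-table all' would not show."""
    return [e for e in entries if e.state != "active"]


# Copied from the "Active, Standby and Inactive Routes" slide
DATABASE_SAMPLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       > - selected route, * - FIB route, p - stale info
Routing table for VRF=0
S       0.0.0.0/0 [20/0] via 10.200.2.254, port2
S   *>  0.0.0.0/0 [10/0] via 10.200.1.254, port1
C   *>  10.0.1.0/24 is directly connected, port3
C   *>  10.200.1.0/24 is directly connected, port1
C   *>  10.200.2.0/24 is directly connected, port2
S       8.8.4.5/32 [10/0] via 10.255.255.5, port4 inactive
"""

# Copied from the "Route Attributes" and "Active Routes" slides (ECMP continuation line,
# a static route with a priority, and an OSPF route with an uptime column)
ALL_SAMPLE = """\
S* 0.0.0.0/0 [10/0] via 10.200.1.254, port1
             [10/0] via 10.200.2.254, port2, [20/0]
S 192.168.1.0/24 [10/0] via 192.167.1.130, port2, [25/0]
O 10.200.2.0/24 [110/2] via 192.167.1.130, port2, 01:01:30
"""

if __name__ == "__main__":
    for e in not_active(parse_routing_table(DATABASE_SAMPLE, database=True)):
        print(f"{e.state:8s} {e.code} {e.prefix} via {e.gateway} {e.interface} [{e.distance}/{e.metric}]")
```

Feed it the output of `get router info routing-table database` with database=True to list the standby and inactive routes, or the output of `routing-table all` to get one record per next hop, including the second hop of an ECMP default route.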


Policy Routes and ISDB Routes
# diagnose firewall proute list
list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=6 sport=1-65535
iif=5 dport=443 oif=3(port1) gwy=10.200.1.254
source wildcard(1): 10.0.1.10/255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=77 last_used=2021-04-06 12:08:54

id=2113929219 static_route=3 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00
protocol=0 sport=0-0 iif=0 dport=1-65535 oif=3(port1) gwy=10.200.1.254
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Amazon-AWS(393320,0,0,0)
hit_count=3 last_used=2021-04-06 11:37:07

The first entry (id=1) is a policy route for a single source address; the second entry (static_route=3) is an ISDB route for Amazon Web Services



Packet Capture
• Can be used to verify the ingress and egress interface of packets
# diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <timestamp> <frame size>
• <interface> can be any or a specific interface (for example, port1 or internal)
• <filter> follows the tcpdump format
• <verbosity> specifies how much information to capture
• <count> is the number of packets to capture
• <timestamp> prints time stamp information:
• a – prints the absolute timestamp
• l – prints the local timestamp
• <frame size> specifies the capture length per frame, up to a maximum of 65K



Packet Capture Verbosity Level
Level | IP Headers | Packet Payload | Ethernet Headers | Interface Name
1     | •          |                |                  |
2     | •          | •              |                  |
3     | •          | •              | •                |
4     | •          |                |                  | •
5     | •          | •              |                  | •
6     | •          | •              | •                | •
• The most common levels are:
• 4 – Prints the ingress and egress interfaces
• You can verify how traffic is being routed, or if FortiGate is dropping packets
• 3 or 6 – Prints the packet payload
• You can convert this output to a packet capture (pcap) file that can be opened with a packet analyzer
• If you don’t specify a level, the sniffer uses level 1 by default



Packet Capture Examples

All traffic to or from port 443, with verbosity 4:
# diagnose sniffer packet any 'port 443' 4
5.455914 port8 in 192.168.1.254.59785 -> 192.168.1.1.443: syn 457459
5.455930 port8 out 192.168.1.1.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: 927943 ack 725411
5.456012 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: 929403 ack 725411
5.456043 port8 out 192.168.1.1.443 -> 192.168.1.254.59773: psh 930863 ack 725411

All ICMP traffic to or from 192.168.1.254, with verbosity 3:
# diagnose sniffer packet any 'host 192.168.1.254 and icmp' 3
interfaces=[any]
filters=[host 192.168.1.254 and icmp]
7.560352 192.168.1.254 -> 192.168.1.1: icmp: echo request
0x0000 0000 0000 0001 0050 56c0 0001 0800 4500 .......PV.....E.
0x0010 003c 0e85 0000 8001 a7ec c0a8 01fe c0a8 .<..............
0x0020 0101 0800 4d58 0001 0003 6162 6364 6566 ....MX....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi

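The verbosity-3 output above is what the previous slide means by "convert this output to a packet capture (pcap) file". The following converter is an added Python example and is neither FortiOS code nor Fortinet's own conversion script: it reads a verbosity 3 or 6 capture (both include the Ethernet header, so the pcap link type is Ethernet), rebuilds each frame from the hex columns, and writes a classic little-endian pcap. The sample capture is copied from the slide; the output file name in the usage block is an assumption. One limitation is noted in the code: a short final line whose ASCII column happens to look like two to four hex digits would be mis-read as data.

```python
# Added example (not FortiOS code, and not Fortinet's own converter script): turn the
# text of a verbosity 3 or 6 sniffer capture (which includes the Ethernet header) into
# a pcap file that a packet analyzer can open. The sample capture is copied from the
# slide; the output file name below is an assumption.
import re
import struct

PKT_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<summary>.+)$")   # "7.560352 192.168.1.254 -> ..."
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\s+(?P<rest>.*)$")          # "0x0000 0000 0000 0001 ..."
LINKTYPE_ETHERNET = 1                                            # DLT_EN10MB


def parse_sniffer(text):
    """Return a list of (timestamp, summary, frame_bytes) from sniffer output."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        m = PKT_RE.match(line)
        if m:
            packets.append([float(m.group("ts")), m.group("summary"), bytearray()])
            continue
        h = HEX_RE.match(line)
        if h and packets:
            # The sniffer prints up to 8 groups of 4 hex digits and then an ASCII column.
            # Take at most 8 groups and stop at the first token that is not pure hex, so
            # the ASCII column is skipped. Limitation: an ASCII column of 2-4 characters
            # that happen to be hex digits would be mis-read as data on a short last line.
            for token in h.group("rest").split()[:8]:
                if not re.fullmatch(r"[0-9a-f]{2,4}", token):
                    break
                packets[-1][2] += bytes.fromhex(token)
    return [(ts, summary, bytes(data)) for ts, summary, data in packets]


def to_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize packets as a classic pcap (magic 0xa1b2c3d4, version 2.4, little-endian)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, _summary, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data))   # per-packet header
        out += data
    return bytes(out)


# Copied from the "Packet Capture Examples" slide (verbosity 3, ICMP echo request)
SAMPLE = """\
interfaces=[any]
filters=[host 192.168.1.254 and icmp]
7.560352 192.168.1.254 -> 192.168.1.1: icmp: echo request
0x0000 0000 0000 0001 0050 56c0 0001 0800 4500 .......PV.....E.
0x0010 003c 0e85 0000 8001 a7ec c0a8 01fe c0a8 .<..............
0x0020 0101 0800 4d58 0001 0003 6162 6364 6566 ....MX....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi
"""

if __name__ == "__main__":
    frames = parse_sniffer(SAMPLE)
    with open("sniffer.pcap", "wb") as f:       # assumed output file name
        f.write(to_pcap(frames))
    for ts, summary, data in frames:
        print(f"{ts:.6f} {len(data):4d} bytes  {summary}")
```

The rebuilt frame is 74 bytes: a 14-byte Ethernet header followed by the 60-byte IP datagram whose total-length field (0x003c) the hex dump shows at offset 16.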


Packet Capture From the GUI
Network > Packet Capture
• Captures are automatically converted into Wireshark format
• Available on devices with internal storage
• The any interface is not available on the GUI packet capture
• Filters should be very specific to make sure only the relevant packets are being captured



Knowledge Check
1. What is the distance value for this route?
10.200.2.0/24 [110/2] via 10.200.2.254, [25/0]
A. 110
B. 2

2. Which CLI commands can you use to view standby and inactive routes?
A. get router info routing-table all
B. get router info routing-table database

3. Which CLI packet capture verbosity level prints interface names?
A. 3
B. 4





Review
• Configure static routing
• Implement policy-based routes
• Control traffic for well-known internet services
• Interpret the routing table on FortiGate
• Implement ECMP routing
• Block traffic from spoofed IP addresses
• Apply network design and static routing best practices
• Implement route failover
• View active, standby, and inactive routes
• Use the built-in sniffer tools

