Routing
Routing is one of the highest-value Core domains: static routes, PBR, ECMP, OSPF, BGP, redistribution, BFD, VRF, and asymmetric-path troubleshooting.
Mental model
Routing is the answer to one question: if this packet is allowed to move, where should it go next? On FortiGate, that answer can come from connected routes, static routes, policy routes, SD-WAN rules, OSPF, BGP, redistributed routes, VRFs, or route leaks. The practical skill is proving which mechanism won.
Route selection order
- Longest prefix match: the most specific route wins first.
- Administrative distance: lower distance wins among equal prefix lengths.
- Metric/cost: lower metric wins among equal distance candidates.
- ECMP: equal candidates can share traffic based on the configured ECMP mode.
Static routes and blackhole routes
Static routes are simple and predictable until they are not. Their main failure mode is false confidence: the route exists, but the next hop is not healthy, the wrong interface is selected, or a better route wins. Blackhole routes are useful for summary prefixes and VPN designs because they prevent traffic from leaking to a default route when a more specific tunnel route disappears.
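As an added example (not from the original notes and not Fortinet code), the route-selection order above and the blackhole case described here, worked through in Python over a constructed routing table; every prefix, next hop and distance is a lab value chosen for illustration, not a FortiOS default:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str     # destination prefix, e.g. "10.1.0.0/16"
    source: str     # connected / static / ospf / bgp / blackhole
    distance: int   # administrative distance
    metric: int     # protocol metric or cost
    via: str        # next hop or egress interface ("discard" for a blackhole)


def select_routes(table, dst):
    """Candidates that would forward dst, applying the selection order from the
    notes: longest prefix match, then lowest administrative distance, then
    lowest metric. More than one result means ECMP candidates remain."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    for key in (lambda r: -ipaddress.ip_network(r.prefix).prefixlen,
                lambda r: r.distance,
                lambda r: r.metric):
        if not matches:
            break
        best = min(key(r) for r in matches)
        matches = [r for r in matches if key(r) == best]
    return matches


def next_hops(table, dst):
    """Sorted next hops for dst; [] means no route at all."""
    return sorted(r.via for r in select_routes(table, dst))


# Constructed lab table (not taken from a device). Static and OSPF are given
# the same distance on purpose, to show the tie case from the watchpoints.
TABLE = [
    Route("0.0.0.0/0", "static", 10, 0, "203.0.113.1"),       # ISP default
    Route("10.0.0.0/8", "blackhole", 254, 0, "discard"),      # summary blackhole
    Route("10.1.0.0/16", "static", 10, 0, "vpn-tunnel1"),     # tunnel route
    Route("10.1.0.0/16", "ospf", 10, 20, "192.0.2.2"),        # same AD, worse metric
    Route("10.2.0.0/16", "bgp", 20, 0, "192.0.2.9"),          # ECMP pair
    Route("10.2.0.0/16", "bgp", 20, 0, "192.0.2.10"),
]

# Both /16 routes learned over the tunnel withdrawn: the /8 blackhole now wins
# over the default by prefix length, so the traffic is discarded, not leaked.
TUNNEL_DOWN = [r for r in TABLE if r.prefix != "10.1.0.0/16"]
```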
PBR versus normal routing
Policy-based routing is an override. It can steer traffic by source, destination, protocol, or port before normal route lookup decides the final path. That makes it powerful for special cases and painful when forgotten, because it does not appear like a normal route in the routing table.
OSPF diagnostic map
| Symptom | Likely area | What to check |
|---|---|---|
| No neighbor | Interface, area, multicast, firewall, network type. | Interface config, OSPF network statements, packet capture. |
| Stuck in 2-Way | DR/BDR behavior on broadcast networks. | Network type and whether 2-Way is expected. |
| Stuck in Exstart/Exchange | MTU or DBD negotiation. | MTU mismatch; use mtu-ignore only when appropriate. |
| Routes missing | Area design, redistribution, filters, or LSDB mismatch. | OSPF route table and database. |
BGP diagnostic map
| Symptom | Likely area | What to check |
|---|---|---|
| Idle / Active | TCP reachability, remote AS, source IP, local-in policy. | Ping, sniffer, BGP neighbor config, policy. |
| Established but no routes | Network statements, redistribution, filters, route maps. | Advertised/received routes and exact prefix existence. |
| Routes received but not installed | Next-hop reachability or better route exists. | BGP table, routing table, recursive route to next hop. |
| Wrong path selected | Attributes and policy. | Weight, local-pref, AS path, origin, MED, eBGP/iBGP, IGP metric. |
VRF and asymmetric routing
VRFs create separate routing tables. That solves segmentation problems, but it creates new troubleshooting paths: a service may source traffic from one VRF while the expected route exists only in another. Asymmetric routing adds another layer: the forward path and return path may cross different FortiGates or interfaces, causing stateful inspection to drop replies.
CLI anchors
| Command | Purpose |
|---|---|
| get router info routing-table all | Full routing table. |
| get router info routing-table details <prefix> | Why a specific destination resolves the way it does. |
| get router info kernel | Forwarding table view. |
| diagnose ip router list | Additional route/FIB visibility. |
| get router info ospf neighbor | OSPF adjacency state. |
| get router info ospf database | LSDB visibility. |
| get router info bgp summary | BGP neighbor state and received prefixes. |
| get router info bgp network | BGP best-path view. |
| get router info bfd neighbor | BFD session health. |
| diagnose debug flow show iprope enable | Route/policy trace detail during flow debugging. |
NSE 8 WATCHPOINTS
- On FortiOS, static routes and OSPF intra-area routes can share the same default administrative distance. Do not assume static always wins.
- Link monitor targets should prove the path you care about, not only the directly connected ISP gateway.
- PBR can make the routing table look correct while traffic still exits somewhere else.
- OSPF over tunnels should often use point-to-point network type to avoid broadcast-network election behavior.
- BGP network statements require the exact prefix to already exist in the routing table.
- OSPF E1 and E2 external routes behave differently: E1 includes the internal cost to the ASBR, E2 does not.
- asymroute enable can make traffic pass, but it weakens normal stateful inspection and should be a controlled exception.
Lab exam checkpoint
Goal: build a two-FortiGate routing lab with loopbacks. First static routes, then OSPF, then BGP. Break one variable at a time: wrong area, wrong network type, missing next-hop reachability, wrong AS, route-map denial, and asymmetric return path. For each failure, collect the command output that proves root cause.