Lab 1: Routing: Do Not Reprint © Fortinet
Lab 1: Routing
In this lab, you will configure the router settings, and try scenarios to learn how FortiGate makes routing
decisions.
Objectives
• Route traffic based on the destination IP address, as well as other criteria.
• Balance traffic among multiple paths.
• Implement route failover.
• Implement policy routing.
• Diagnose a routing problem.
Time to Complete
Estimated: 50 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.
In the lab network, Local-FortiGate has two interfaces connected to the Internet: port1 and port2. During this
exercise, you will configure the port1 connection as the primary Internet link, and the port2 connection as the
backup Internet link. Local-FortiGate should use the port2 connection only if the port1 connection is down. To
achieve this objective, you will configure two default routes with different administrative distances, as well as
configure two link health monitors.
After you complete the challenge, see Configure a Second Default Route on page 19.
Note that, by default, static routes have a Distance value of 10, and a Priority value of 0.
You will create a second default route using the port2 interface. To make sure this second default route remains
inactive while port1 is up, you will assign it a higher distance: when several routes to the same destination have
different distances, only the route with the lowest distance is installed in the routing table.
After you complete the challenge, see Configure the Firewall Policies on page 20.
Field Value
Gateway 10.200.2.254
Interface port2
Administrative Distance 20
4. Click the plus (+) icon to expand the Advanced Options section.
5. In the Priority field, enter a value of 5.
6. Click OK.
A second default route is added.
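The GUI steps above, expressed as the equivalent FortiOS CLI configuration. This is an added example, not text or code from the lab guide: the port1 gateway address 10.200.1.254 and the route sequence numbers 1 and 2 are assumptions, because the page gives only the port2 gateway. Distance 10 and priority 0 on the port1 route are the FortiOS defaults the page mentions and are written out here so the two routes can be compared side by side.

```fortios
# Added example, not from the lab guide.
# Assumed: port1 gateway 10.200.1.254, route sequence numbers 1 and 2.
config router static
    # Primary default route: default distance (10) and priority (0).
    edit 1
        set dst 0.0.0.0/0
        set gateway 10.200.1.254
        set device port1
        set distance 10
        set priority 0
    next
    # Backup default route: higher distance keeps it out of the routing
    # table while route 1 exists; priority 5 is what the lab sets in
    # Advanced Options and matters later, once the distances are equal.
    edit 2
        set dst 0.0.0.0/0
        set gateway 10.200.2.254
        set device port2
        set distance 20
        set priority 5
    next
end
```

After applying this, `get router info routing-table all` shows only the port1 route, while `get router info routing-table database` (the command the lab uses below) lists both entries with their [distance/priority] pair, which is how you confirm the port2 route exists but is inactive.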
You will modify the existing Full_Access firewall policy to log all sessions. You will also create a second firewall
policy to allow traffic through the secondary interface.
Take the Expert Challenge!
• Continuing on Local-FortiGate, enable logging for all sessions in the existing Full_Access firewall policy.
• Create a second firewall policy named Backup_Access.
• Configure the Backup_Access policy to allow traffic from port3 to port2 with NAT enabled.
• Enable logging on the Backup_Access policy for all sessions.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see View the Routing Table on page 22.
All Sessions logging ensures that every session is logged, not just the sessions inspected by a security profile
(the default Security Events setting). You will need a log entry for every session in order to verify traffic
routing using the Forward Traffic logs.
4. Click OK.
5. Click Create New.
6. Configure a second firewall policy with the following settings:
Field Value
Name Backup_Access
Incoming Interface port3
Outgoing Interface port2
Source LOCAL_SUBNET
Destination all
Schedule always
Service ALL
Action Accept
NAT <enable>
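The same two policy changes as a FortiOS CLI configuration. This is an added example rather than the lab guide's own text; the policy IDs (1 for the existing Full_Access policy, 2 for the new one) are assumptions, and the interface and address names are the ones the exercise uses. The security point it makes explicit: a FortiGate firewall policy is matched on the ingress and egress interface pair, so a route failover to port2 is useless unless a port3-to-port2 policy exists, otherwise the traffic is dropped even though the routing table has a valid route.

```fortios
# Added example, not from the lab guide.
# Assumed: Full_Access is policy ID 1; the new policy becomes ID 2.
config firewall policy
    # Existing policy: only the logging setting changes.
    edit 1
        set logtraffic all
    next
    # New policy for the backup path. Without it, sessions that the
    # routing table sends out port2 match no policy and are dropped.
    edit 2
        set name "Backup_Access"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "LOCAL_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Because both policies log all sessions, every session in Log & Report > Forward Traffic carries a Destination Interface field, which is what the failover and ECMP checks later in this lab rely on.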
The Local-FortiGate configuration now has two default routes with different distances. You will view the routing
table to see which one is active.
4. Enter the following CLI command to list both active and inactive routes:
get router info routing-table database
Stop and think!
Why is the port2 default route inactive?
The port2 default route has a higher administrative distance than the port1 default route. When two or
more routes to the same destination have different distances, only the route with the lowest distance is
installed in the routing table; the others stay in the routing table database as inactive candidates and are
installed only if the lower-distance route is removed.
You will configure two link health monitors to monitor the status of both the port1 and port2 routes.
First you will access various websites, and use the Forward Traffic logs to verify that port1 route is being used.
Next you will force a failover by reconfiguring the port1 link health monitor to ping an invalid IP address. You will
then generate some more traffic, and use the Forward Traffic logs to verify that the port2 route is being used.
5. Open a few new tabs in the web browser, and go to a few websites:
• http://www.pearsonvue.com/fortinet
• http://cve.mitre.org
• http://www.eicar.org
4. Return to the browser tab where you are logged into the Local-FortiGate GUI, and click Log & Report > Forward
Traffic.
5. Click the refresh icon.
6. Locate the relevant log entries for the three websites you accessed, and verify that their Destination Interface
indicates port1.
This verifies that the port1 route is currently active and in use.
To verify traffic logs
1. Continuing on the Local-Windows VM, open a few new tabs in the web browser, and go to a few websites:
• http://www.pearsonvue.com/fortinet
• http://cve.mitre.org
• http://www.eicar.org
2. Return to the browser tab where you are logged into the Local-FortiGate GUI, and click Log & Report > Forward
Traffic.
3. Locate the relevant log entries for the three websites you accessed, and verify that their Destination Interface
indicates port2.
Before starting the next exercise, you will restore the port1 link health monitor's server configuration with a valid
host address, which will restore the port1 default route as the active route in the routing table.
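The two link health monitors, the change that forces the failover, and the restore step, written as FortiOS CLI. This is an added example and not the lab guide's configuration: the monitor names, the probe targets (4.2.2.2 and 8.8.8.8), the port1 gateway 10.200.1.254 and the timing values are all assumptions, since the page states none of them. For the "invalid IP address" the example uses 192.0.2.1, an address from the TEST-NET-1 documentation range that is never routed on the Internet, so the probe is guaranteed to fail rather than accidentally succeed.

```fortios
# Added example, not from the lab guide.
# Assumed: monitor names, probe targets, port1 gateway, timing values.
config system link-monitor
    edit "port1-monitor"
        set srcintf "port1"
        set server "4.2.2.2"
        set gateway-ip 10.200.1.254
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        # When the probe fails, withdraw the static routes that use port1.
        set update-static-route enable
    next
    edit "port2-monitor"
        set srcintf "port2"
        set server "8.8.8.8"
        set gateway-ip 10.200.2.254
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# Force the failover: point the port1 probe at an unreachable address
# (192.0.2.1 is in the TEST-NET-1 documentation range and never answers).
config system link-monitor
    edit "port1-monitor"
        set server "192.0.2.1"
    next
end

# Restore before the next exercise: put the real probe target back so the
# port1 default route returns to the routing table.
config system link-monitor
    edit "port1-monitor"
        set server "4.2.2.2"
    next
end
```

Between the force and restore steps, `get router info routing-table all` should show the port1 default route gone and the port2 route (distance 20) installed in its place; `diagnose sys link-monitor status` shows the probe state that caused it. Allow interval × failtime seconds (25 s with the values above) before checking, because the route is not withdrawn until failtime consecutive probes have failed.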
In this exercise, you'll configure equal cost multipath (ECMP) routing on Local-FortiGate to balance the Internet
traffic between port1 and port2. After that, you'll configure a policy route to route HTTPS traffic through port1
only.
To establish ECMP, first you will configure multiple static routes with the same administrative distance.
After you complete the challenge, see Change the ECMP Load Balancing Method on page 29.
5. Click OK.
To verify the routing table
1. Continuing on the Local-FortiGate GUI, click Monitor > Routing Monitor.
2. Verify that both default routes are now active:
By default, the ECMP load balancing method is based on source IP: each source address is hashed to one of the
equal-cost routes. This works well when there are many clients generating traffic. In the lab network, because you
have only one client (Local-Windows), the source IP method never sends any traffic to the second route; the same
route is chosen for every session. For this reason, you will change the load balancing method to use both source
and destination IP. With this method, as long as the traffic goes to multiple destination IP addresses, FortiGate
balances the sessions across both routes.
You will generate some HTTP traffic and verify traffic routing using the Forward Traffic logs.
Take the Expert Challenge!
• On Local-Windows, open a few new browser tabs and generate some HTTP traffic.
• Verify the traffic routing on Local-FortiGate using the Forward Traffic logs.
• Identify why all the outgoing packets are still being routed through port1.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Configure Priority on page 30.
Why are all the outgoing packets still being routed through port1?
Both default routes now have the same distance, so both are installed in the routing table, but the port2 route
still has the Priority value of 5 that you set earlier. Among routes with equal distance, FortiGate prefers the
lowest priority value, and only routes that match on both distance and priority take part in ECMP. The port1
route (priority 0) therefore wins every time.
Configure Priority
You will change the priority value for the port2 route to match the port1 route.
Take the Expert Challenge!
On Local-FortiGate, modify the static routing configuration so both default routes are eligible for ECMP.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
To configure priority
1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Double-click the port2 default route to edit it.
3. Click the plus (+) icon to expand the Advanced Options section.
4. Change the Priority value to 0.
5. Click OK.
Verify ECMP
Now that both port1 and port2 routes share the same distance and priority values, they are eligible for
ECMP. First, you will verify the routing table, and then verify traffic routing using the Forward Traffic logs.
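The complete ECMP configuration that the two preceding procedures build up (equal distances in the static routes, the source-and-destination load balancing method, and finally the matching priority), as FortiOS CLI. This is an added example, not the lab guide's own configuration; the route sequence numbers and the port1 gateway 10.200.1.254 are assumptions. The ECMP mode setting is the one the GUI changes and is shown beside the default it replaces, since the default is the reason the single-client lab saw no balancing.

```fortios
# Added example, not from the lab guide.
# Assumed: route sequence numbers 1 and 2, port1 gateway 10.200.1.254.

# Both default routes must agree on distance AND priority to be ECMP
# candidates; a lower priority alone would still make one route win.
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 10.200.1.254
        set device port1
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0/0
        set gateway 10.200.2.254
        set device port2
        set distance 10
        set priority 0
    next
end

# Default is source-ip-based: one client hashes to one route forever.
# source-dest-ip-based hashes the (source, destination) pair, so a single
# client talking to several servers is spread across both links.
config system settings
    set v4-ecmp-mode source-dest-ip-based
end
```

After this, `get router info routing-table all` lists both default routes as installed, and the lab's sniffer command `diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4` should show SYN packets leaving on both port1 and port2 once several different destinations have been visited.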
To configure the CLI sniffer
1. Continuing on the LOCAL-FORTIGATE PuTTY session, enter the following CLI command:
diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4
The filter 'tcp[13]&2==2' tests byte 13 of the TCP header (the flags byte) against the SYN bit, so the
output shows every packet with the SYN flag set on port 80 (HTTP). The trailing 4 is the verbosity level,
which prints the interface name for each packet; that is what lets you see which port each SYN egresses.
The SYN packets are egressing both port1 and port2. This verifies that Local-FortiGate is now load
balancing all Internet traffic across both routes.
You will force all HTTPS traffic to egress through port1 using a policy route. All other traffic should remain
unaffected and balanced between port1 and port2. To implement this, you will configure a policy route.
To configure a policy route for HTTPS traffic
1. Return to the browser tab where you are logged into the Local-FortiGate GUI, and click Network > Policy
Routes.
2. Click Create New.
3. Configure the following settings:
Field Value
Protocol TCP
4. Click OK.
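The policy route described above as FortiOS CLI, together with the sniffer command used to verify it. This is an added example, not the lab guide's own configuration: the policy route sequence number, the ingress interface port3 (the LAN side used by the firewall policies in this lab) and the port1 gateway 10.200.1.254 are assumptions; TCP, destination port 443 and the port1 egress are what the exercise specifies.

```fortios
# Added example, not from the lab guide.
# Assumed: sequence number 1, input interface port3, gateway 10.200.1.254.
config router policy
    edit 1
        set input-device "port3"
        # protocol 6 = TCP; only destination port 443 (HTTPS) is matched,
        # so HTTP on port 80 keeps using the ECMP routing table.
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "port1"
        set gateway 10.200.1.254
        set action permit
    next
end
```

Policy routes are consulted before the routing table, so `get router info routing-table all` does not change; confirm the entry with `diagnose firewall proute list` instead. Then run `diagnose sniffer packet any 'tcp[13]&2==2 and port 443' 4`, browse a few HTTPS sites, and check that every SYN to port 443 leaves on port1 while the port 80 sniffer from the previous step still shows both interfaces.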
Verify the Policy Route
First, you will verify the routing table, and then verify policy routing by generating HTTPS traffic and viewing the
CLI sniffer output.
3. Verify that the policy route is added to the policy route table.
As before, this sniffer filter matches packets with the SYN flag on, but this time for port
443 (HTTPS).
2. On the Local-Windows VM, open new tabs in the web browser, and then go to a few HTTPS websites:
• https://www.fortiguard.com
• https://support.fortinet.com
3. Return to the LOCAL-FORTIGATE PuTTY session, and then press Ctrl+C to stop the sniffer.
4. Analyze the sniffer output:
The SYN packets are egressing port1 only. This verifies that Local-FortiGate is applying the policy route for
HTTPS traffic.
2. On the Local-Windows VM, open new tabs in the web browser, and then go to a few HTTP websites:
• http://www.pearsonvue.com/fortinet/
• http://cve.mitre.org
• http://www.eicar.org
3. Return to the open LOCAL-FORTIGATE PuTTY session, and press Ctrl+C to stop the sniffer.
4. Analyze the sniffer output:
HTTP (port 80) traffic remains unaffected by the policy route, and is still load balanced across both port1 and
port2 routes.
Stop and think!
The Local-FortiGate configuration still has the two link health monitors for port1 and port2. Do they also
enable routing failover for ECMP scenarios?
Yes. Each link health monitor removes its route from the routing table when its probes fail, so if either
path goes down, only the remaining route stays installed and all Internet traffic is routed through it. When
the probes succeed again, the route is reinstalled and ECMP resumes.