Routing Flashcards
(16 cards)
When does route lookup occur?
- On the first packet that the originator sends
- On the first reply packet that the responder sends
Route Lookup Process
Routes are matched in this order:
- Regular Policy Routes
- ISDB Routes
- SD-WAN Rules
(To check these first three, run: diagnose firewall proute list)
- Route Cache (diagnose ip rtcache list)
- FIB (get router info kernel)
If the packet matches any of these, it is forwarded; if not, it is dropped.
Connected, static, and dynamic routes are viewed in the routing table (get router info routing-table all)
Route Selection Process if there is more than one route to a destination:
- Most Specific Route
- Lowest Distance
- Lowest Metric (dynamic routes)
- Lowest priority (static routes)
- ECMP (static, BGP, and OSPF routes)
FGT places a configured static route in the routing table only if all of these are met:
- The outgoing interface is up
- There is no duplicate route with a lower distance
- The link health monitor (if configured) is up
RPF
Reverse Path Forwarding
Protects against IP spoofing attacks and routing loops
Checks the source IP address; the check is carried out on the first packet, when the session is created.
RPF - Feasible Mode
config system settings
set strict-src-check disable
end
Checks the routing table for a route that matches the source address and incoming interface of the first original packet
RPF - Strict
In addition to the feasible check, strict mode verifies that the matching route is the best route to the source
config system settings
set strict-src-check enable
end
Return Packet Routing
FGT remembers the interface to the source for the return packets
Return packets are routed through that interface, even if there is a better route through a different interface
This ensures symmetric routing
When asymmetric routing is not allowed:
The server sends an echo request to the PC but bypasses FGT
The PC responds with an echo reply through FGT
The echo reply is dropped: no session is matched
All subsequent echo replies are also blocked
To allow this:
config system settings
set asymroute enable
end
Routing changes without SNAT (default behavior)
config system interface
edit (interface)
set preserve-session-route disable
end
Routing information is flushed
Routing lookups are done again for the next packets (interface and gateway information is removed from the session list)
The session is flagged as dirty
With set preserve-session-route enable:
FGT marks the routing information of existing sessions as persistent and applies only the modified routes to new sessions. Sessions are flagged as route_preserve
The current route must still be present in the FIB; otherwise the session is flagged as dirty
ECMP Acceleration with Auxiliary Session
When:
config system settings
set auxiliary-session enable
end
FGT accelerates ECMP traffic on the NP6 processor
Two sessions are created in case of a route change (main and auxiliary)
Both can be offloaded if the policy allows
This prevents the CPU from having to handle too many dirty sessions
Routing Table summary
get router info routing-table all
The first column is the route source, using the codes shown above the table
Route attributes are shown in brackets
After the subnet, the first set of brackets is Distance/Metric
The second set of brackets is Priority/Weight
Routing Table Database
To view active, standby, and inactive routes.
An asterisk marks the best routes; these are installed in the FIB and are the active routes
Standby routes exist when other, better routes are available to the same destination
Inactive routes exist when the corresponding interface is administratively down, its link is down, or when the link health monitor has detected it as down and the update static route action is enabled
FIB command
get router info kernel
Priority is shown as prio=#
All active routes are here, but there may be others that are not in the routing table and that FGT has added automatically (e.g. SSL VPN routes that are added dynamically)
Policy Route Table
diagnose firewall proute list
Regular Policy routes (ID <= 65535)
ISDB Routes (ID > 65535 and no vwl_service field)
SD-WAN Rule (ID > 65535 and vwl_service field is present)