5.3 Routing
Key Takeaways
- A static route sends traffic to a manually defined next hop; a default route (destination 0.0.0.0/0) is the catch-all used when no more specific route matches.
- Administrative distance ranks how trustworthy a route source is — lower wins; on FortiOS the defaults are 0 for connected, 10 for static, 110 for OSPF, and 20/200 for external/internal BGP.
- When two routes to the same destination have equal administrative distance, FortiGate compares route priority (lower priority value wins) before using ECMP.
- The routing table (RIB) holds the best candidate routes, while the kernel forwarding information base (FIB) holds the active routes actually used to forward packets.
- Policy-based routes are evaluated before the routing table and can steer traffic by source, service, or interface instead of just destination.
Why Routing Matters for NSE 4
A firewall policy decides whether a packet is allowed; routing decides where it goes next. Routing is roughly 15% of the NSE 4 exam, and the questions cluster tightly around static routes, administrative distance vs route priority, policy-based routing, and the routing table versus the FIB. Knowing the FortiOS default administrative-distance values cold is essential — they appear in selection questions every exam cycle.
Static Routes and the Default Route
A static route is a path you configure manually. It tells the FortiGate: "to reach destination network X, send the packet to next-hop gateway Y out interface Z." Static routes are predictable and use no protocol overhead, but they do not adapt automatically if a link fails.
The most important static route is the default route. Its destination is 0.0.0.0/0, which matches every destination. The FortiGate uses the default route as a gateway of last resort — when no more specific route matches a packet, it follows the default route, typically toward the internet-facing ISP gateway. A FortiGate uses longest-prefix match: a more specific route (for example 10.1.1.0/24) always wins over the default route for addresses it covers.
Connected Routes
When you assign an IP address and subnet mask to a FortiGate interface, FortiOS automatically creates a connected route for that subnet. Connected routes are never configured by hand and never need a next hop — the destination is directly attached. Because the FortiGate has firsthand knowledge of a directly attached network, connected routes are the most trusted route type and carry an administrative distance of 0.
Administrative Distance and Route Priority
When the FortiGate learns about the same destination from more than one source, it must choose. Two values decide the outcome, in this order:
1. Administrative Distance (chooses between route sources)
Administrative distance (AD) is a number from 0 to 255 that rates how trustworthy a route's source is. Lower is better. AD only competes between routes to the same prefix: longest-prefix match is applied first, so a 10.1.1.0/24 route learned from OSPF (AD 110) still beats a static default route (AD 10) for a packet to 10.1.1.5. Among routes to the same prefix, the route from the source with the lowest AD is installed in the routing table and the others are held back as inactive candidates. This is how a FortiGate prefers, say, a static route over an OSPF route to the same network.
FortiOS Default Administrative Distances
| Route Source | Default Administrative Distance |
|---|---|
| Directly connected | 0 |
| Static route | 10 |
| EBGP (external BGP) | 20 |
| OSPF (all OSPF route types) | 110 |
| RIP | 120 |
| IBGP (internal BGP) | 200 |
Note that the FortiOS default static-route AD is 10 — this differs from Cisco IOS, where static routes default to 1. The exam expects the FortiOS values.
2. Route Priority (chooses between routes with equal AD)
If two routes to the same destination have the same administrative distance (for example two static default routes), the FortiGate then compares route priority. Priority is a per-route value, and again lower wins. Because their distance is equal, both routes remain in the routing table; the route with the lower priority value is the one used to forward traffic, while the route with the higher priority value sits idle as a standby and takes over if the preferred route is removed. Watch the wording: the preferred route is the one with the lower priority number, not the "higher priority" in everyday English. If priority is also equal, both routes are active and the FortiGate load-balances across them with ECMP.
Floating Static Route
A floating static route is a backup route given a deliberately higher administrative distance than the primary route to the same destination. While the primary route is valid it wins on AD, and the floating route is held in the routing database but kept out of the active routing table. If the primary route is removed, for example because its interface goes down, the floating route is the next-best candidate and takes over automatically, a simple, protocol-free form of failover. Caveat: a static route is only withdrawn when the interface (or IPsec tunnel) it points to goes down. An upstream failure behind a link that is still physically up does not remove the route, so pair floating routes with a link monitor (config system link-monitor, which withdraws the static route when its probe target stops answering) if the failover has to react to dead gateways rather than dead cables.
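The distance and priority rules from the last three subsections expressed as FortiOS CLI, as an added example written for this page (it is not configuration taken from the page or from Fortinet documentation). The interface names wan1, wan2 and vpn-hq, the RFC 5737 gateway addresses and the 10.20.0.0/16 HQ prefix are assumptions; the lines starting with # are annotations for the reader, not commands.

```fortios
# Two ISP default routes with equal distance (10): both stay in the routing
# table and priority breaks the tie, so wan1 (priority 5) forwards and wan2
# (priority 10) is an idle standby.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
    # Floating static route: reach the HQ network over the IPsec interface
    # first (no gateway needed on a tunnel interface); the copy via wan1 has
    # a higher distance and only enters the routing table when the tunnel
    # route disappears.
    edit 3
        set dst 10.20.0.0 255.255.0.0
        set device "vpn-hq"
        set distance 10
    next
    edit 4
        set dst 10.20.0.0 255.255.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 20
    next
end

# Verification: active routes, the full candidate database (where the
# floating route shows up as inactive while the tunnel is up), and the FIB.
get router info routing-table all
get router info routing-table database
get router info kernel
```

To test the failover without pulling a cable, bring the tunnel interface down and re-run get router info routing-table all: route 4 should appear, and it should vanish again once the tunnel returns, because distance 10 beats distance 20 as soon as both are candidates.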
Policy-Based Routes
A standard route makes its decision on destination address only. Policy-based routing (PBR) — configured under Network > Policy Routes — lets the FortiGate steer traffic on additional criteria: incoming interface, source address, destination address, protocol, and service/port.
The defining behavior for the exam: policy routes are evaluated before the regular routing table. If a packet matches a policy route, that route's next hop and outgoing interface are used and the routing table is skipped. A classic use case is sending guest-network traffic out a cheap broadband link while server traffic uses an MPLS circuit, even though both are headed for the same internet.
Important behavior: policy routes are checked top-down and the first match wins, so exceptions must sit above the catch-all entries. A matching policy route is honored only if the routing table can actually reach the destination through the policy route's outgoing interface (a default route out that interface is enough); if that interface is down or no such route exists, the policy route is skipped, matching continues with the next policy route, and finally the regular routing table is used. Conversely, PBR does not add reachability: it can only choose between exits the routing table already knows. A policy route with the action Stop Policy Routing (action deny in the CLI) does the opposite of steering: it forces the matching packet straight back to the normal routing table.
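The guest-network use case above as an added FortiOS CLI example (not taken from the page or from Fortinet documentation). The interface name guest, the guest subnet 192.168.20.0/24, the internal server block 10.10.0.0/16 and the wan2 gateway 198.51.100.1 are assumptions; # lines are annotations, not commands.

```fortios
config router policy
    # Entry 1 (evaluated first): guest traffic to the internal server block
    # must not be policy-routed. "deny" is Stop Policy Routing: the packet
    # falls through to the regular routing table instead of going out wan2.
    edit 1
        set input-device "guest"
        set src "192.168.20.0/255.255.255.0"
        set dst "10.10.0.0/255.255.0.0"
        set action deny
    next
    # Entry 2: everything else from the guest subnet leaves via the
    # broadband link on wan2, whatever the destination-based table says.
    edit 2
        set input-device "guest"
        set src "192.168.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

Entry 2 only takes effect if the routing table has a route to the destination via wan2 (typically the wan2 default route, even when it is the standby on priority); keep that route in place or guest traffic silently falls back to the primary link. If the order ever needs changing, use the move command inside config router policy rather than renumbering entries.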
Equal-Cost Multi-Path (ECMP)
Equal-cost multi-path (ECMP) occurs when two or more routes to the same destination have equal administrative distance and equal priority. Instead of choosing one, the FortiGate installs all of them and load-balances traffic across them, which increases total bandwidth and provides resilience — if one path goes down, the others keep forwarding.
FortiGate offers several ECMP load-balancing methods, including Source IP (default — all traffic from one source uses one path, keeping sessions consistent), Source-Destination IP, Weighted, and Usage/Spillover (fill one link, then overflow to the next).
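An ECMP configuration as an added example for this page (not from the page or from Fortinet documentation): two default routes that tie on both distance and priority, balanced 70/30 with the weighted method. It assumes a FortiOS 7.x VDOM, interfaces wan1 and wan2 and RFC 5737 gateway addresses; # lines are annotations, not commands.

```fortios
# Equal distance AND equal priority: both routes are active and the
# FortiGate load-balances across them. The weights only matter when the
# ECMP mode below is weight-based.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
        set weight 70
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 1
        set weight 30
    next
end

# ECMP method is a per-VDOM setting. The default is source-ip-based;
# other values are source-dest-ip-based, usage-based (spillover) and
# weight-based, which uses the route weights above.
config system settings
    set v4-ecmp-mode weight-based
end

# Both default routes should now show as active in the routing table.
get router info routing-table all
```

Before changing the mode, check what sits behind the links: source-ip-based keeps all of one host's sessions on one ISP, which matters when a remote service pins a login to the client's public address, while weight-based or usage-based can move a client's later sessions to the other ISP and break that assumption.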
The Routing Table vs the FIB
FortiOS routing lives in two layers:
- Routing table (RIB, Routing Information Base): the control-plane view of the routes the FortiGate knows from every source (static, connected, OSPF, BGP). `get router info routing-table all` shows the active routes that won selection; `get router info routing-table database` also lists the candidates that lost (for example a floating route whose primary is still up), marked as inactive.
- Forwarding Information Base (FIB): the kernel forwarding table containing only the best, active routes actually used to forward packets at high speed. View it with `get router info kernel`.
Think of the RIB as the candidate pool and the FIB as the final hiring decision. A route can sit in the routing database yet stay out of the active routing table and the FIB because it lost on administrative distance. Equal-distance routes that differ only in priority are all installed; priority then decides which of them the kernel actually uses for a given destination. The FortiGate only forwards using what is in the FIB.
Reverse-Path Forwarding
Reverse-path forwarding (RPF), also called anti-spoofing, is a security check the FortiGate runs on incoming packets. When a packet arrives, the FortiGate asks: do I have a route back to this packet's source address, and does that route point out the interface the packet actually came in on? If not, the packet may be spoofed and is dropped.
FortiOS supports two RPF modes, set per VDOM:
- Strict RPF: the best (active) route to the source address must point out the interface the packet arrived on.
- Loose, or feasible-path, RPF: it is enough that some route to the source exists through the incoming interface; it does not have to be the best route. Loose mode is the FortiGate default and avoids dropping legitimate traffic in asymmetric-routing designs. Strict mode is enabled with strict-src-check under config system settings.
Either mode drops a packet whose source cannot be routed back through the incoming interface at all, which is why a host on an internal segment that has no route back to it (a forgotten static route, for example) is dropped with the flow-debug message "reverse path check fail, drop" even at default settings.
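Switching a VDOM from the default loose check to strict RPF, and confirming that a subsequent drop really is an RPF failure, as an added example for this page (not from the page or from Fortinet documentation). The host address 10.1.1.5 is an assumed example; # lines are annotations, not commands.

```fortios
# Default is loose (feasible-path) RPF. Enable strict RPF for this VDOM:
config system settings
    set strict-src-check enable
end

# If legitimate traffic disappears after the change, trace the next ten
# packets from the suspect host. An RPF drop appears in the trace as
# "reverse path check fail, drop", naming the interface the packet came in on.
diagnose debug flow filter addr 10.1.1.5
diagnose debug flow trace start 10
diagnose debug enable

# ... reproduce the traffic, then stop the trace and clear the filter.
diagnose debug disable
diagnose debug reset
```

The fix for a strict-RPF drop is a routing change, not a firewall-policy change: either add a route to the source out the interface it arrives on, or accept the asymmetry and return to loose mode with set strict-src-check disable.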
Dynamic Routing at the NSE 4 Level
NSE 4 expects awareness of dynamic routing, not deep design skill. Two protocols appear:
- OSPF (Open Shortest Path First) — an open-standard link-state interior gateway protocol. Each router builds a full map (link-state database) of its area and runs the SPF (Dijkstra) algorithm to compute shortest paths. OSPF uses areas to scale; Area 0 is the backbone, and an Area Border Router (ABR) connects other areas to it. OSPF converges quickly and is common inside an organization. FortiOS default AD: 110.
- BGP (Border Gateway Protocol) — the path-vector exterior gateway protocol that runs the internet, exchanging routes between autonomous systems (AS). BGP uses path attributes (AS-Path, MED, local preference) to choose routes. FortiOS default AD: 20 for EBGP, 200 for IBGP. On FortiGate, BGP is most often used for multi-homed internet links or large WAN/SD-WAN designs.
For the exam, remember the one-line distinction: OSPF is link-state and used within an organization; BGP is path-vector and used between organizations / autonomous systems.
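A minimal OSPF and eBGP configuration, as an added example for this page (not taken from the page or from Fortinet documentation), to connect the protocol descriptions above to what is actually typed on a FortiGate. The router ID 10.1.1.1, the LAN prefix 10.1.1.0/24, the public block 192.0.2.0/24, the private AS numbers 65001 (ours) and 64512 (the ISP) and the peer address 203.0.113.1 are assumptions; # lines are annotations, not commands.

```fortios
# OSPF: put the LAN into backbone area 0.0.0.0. Every interface whose
# address falls inside a "network" prefix runs OSPF in that area.
config router ospf
    set router-id 10.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
            set area 0.0.0.0
        next
    end
end

# BGP: one eBGP session to the ISP (remote AS differs from ours, hence
# external, default distance 20), announcing our public block.
config router bgp
    set as 65001
    set router-id 10.1.1.1
    config neighbor
        edit "203.0.113.1"
            set remote-as 64512
        next
    end
    config network
        edit 1
            set prefix 192.0.2.0 255.255.255.0
        next
    end
end

# Adjacency and session state, then the learned routes with their
# default distances: [110/...] for OSPF, [20/...] for eBGP.
get router info ospf neighbor
get router info bgp summary
get router info routing-table all
```

The routes these protocols learn compete with static routes under the same AD rules described earlier, so a static route to a prefix that OSPF also advertises will always win at default distances; if the dynamic route is supposed to win, raise the static route's distance above 110 rather than deleting it, which keeps it available as a floating backup.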
Practice Questions
1. A FortiGate has learned a route to 192.168.50.0/24 from OSPF and also has a static route to the same network. Both routes are valid. Using FortiOS default administrative distances, which route does the FortiGate install in the FIB?
   Answer: the static route. Static (AD 10) beats OSPF (AD 110); the OSPF route remains in the routing database as an inactive candidate.
2. What is the difference between the routing table (RIB) and the forwarding information base (FIB) on a FortiGate?
   Answer: the RIB is the control-plane set of candidate routes from every source, viewed with get router info routing-table all (or routing-table database to include inactive candidates); the FIB is the kernel table of active routes actually used to forward packets, viewed with get router info kernel.
3. A FortiGate has two static default routes (0.0.0.0/0) out two different ISP links, both with administrative distance 10. The administrator sets one route's priority to 5 and the other's to 10. What is the result?
   Answer: both routes stay in the routing table because their distance is equal; the route with priority 5 carries all traffic, and the priority-10 route is an idle standby that takes over only if the priority-5 route is removed. No ECMP occurs, because ECMP requires equal priority as well as equal distance.