Routing Concepts and Troubleshooting Quiz

Questions and Answers

Which mode is the default mode for RPF check?

• Loose
• Feasible path (correct)
• Active
• Strict

In feasible path mode, the packet is accepted as long as there is one active route to the source IP through the incoming interface.

• Depends on the source IP
• Depends on the incoming interface
• True (correct)
• False

Does the packet from 10.4.0.1 to 10.1.0.1 get accepted?

• Depends on the interface
• No
• Depends on the route
• Yes (correct)

Does the packet from 172.16.1.1 to 10.1.0.1 get accepted?

No (B)

What was feasible path mode formerly known as?

Loose (B)

Does the packet need to take the best route in feasible path mode?

No (C)

Is there an active route to the IP-address 172.16.1.1 through port3?

No (A)

What is the destination IP of the packet that is accepted?

10.1.0.1 (A)

What is the destination IP of the packet that is not accepted?

172.16.1.1 (D)

What is the default route used for?

Accepting packets (A)

Which table does FortiGate go to if the action in a policy route is Stop Policy Routing?

Route Cache (D)

What is the purpose of the Forwarding Information Base (FIB)?

Packet Forwarding (D)

In a FortiGate high availability (H-A) cluster, which table exists only on the secondary FortiGate?

Forwarding Information Base (A)

What happens if there is no match in any of the routing tables?

Packet is dropped (C)

What is the first criteria used by FortiGate to select a route when there are multiple routes to a destination?

Longest netmask (D)

When does FortiGate use the lowest metric as the tiebreaker for dynamic routes?

When there are multiple routes with the same distance (C)

Which type of routes does FortiGate use the lowest priority as the tiebreaker?

Static routes (C)

What is equal cost multipath (ECMP) used for?

Traffic sharing (C)

Under what conditions does FortiGate add a static route to the routing table?

All of the above (D)

What does the reverse path forwarding (RPF) check protect against?

IP spoofing attacks (B)

FortiGate performs routing table lookup how many times for any session?

Twice (D)

What happens to the route information in the session table after a routing change?

It is flushed from affected sessions and route cache (D)

How many routing lookups does FortiGate usually perform for a traffic session?

Two (D)

When would FortiGate perform additional routing table lookups?

After a routing change (B)

How does FortiGate decide routes?

Based on the routing modules (D)

Which command can be used to view FortiGate's policy routes?

diagnose firewall proute list (D)

How many routing modules does FortiGate have?

One (A)

What does FortiGate do with the routing information after performing routing lookups for a session?

It stores the routing information in the session table (C)

What happens to the route information in the session table after a routing change?

It is flushed from affected sessions and route cache (B)

Is FortiGate a stateful or stateless device?

Stateful (D)

Flashcards are hidden until you start studying

Study Notes

RPF Check

• The default mode for RPF check is feasible path mode.

Feasible Path Mode

• In feasible path mode, a packet is accepted as long as there is one active route to the source IP through the incoming interface.
• Feasible path mode was formerly known as "asymmetric routing".
• The packet does not need to take the best route in feasible path mode.

Packet Acceptance

• The packet from 10.4.0.1 to 10.1.0.1 gets accepted.
• The packet from 172.16.1.1 to 10.1.0.1 gets accepted.

Route Information

• There is no active route to the IP address 172.16.1.1 through port3.
• The destination IP of the packet that is accepted is 10.1.0.1.
• The destination IP of the packet that is not accepted is not specified.

Routing

• The default route is used for routing packets when there is no specific route.
• When the action in a policy route is Stop Policy Routing, FortiGate goes to the Kernel routing table.
• The purpose of the Forwarding Information Base (FIB) is to facilitate routing decisions.
• In a FortiGate high availability (H-A) cluster, the secondary FortiGate has a dedicated routing table.
• If there is no match in any of the routing tables, FortiGate uses the default route.
• The first criteria used by FortiGate to select a route when there are multiple routes to a destination is the longest prefix match.
• FortiGate uses the lowest metric as the tiebreaker for dynamic routes when there are multiple routes with the same prefix length.
• FortiGate uses the lowest priority as the tiebreaker for static routes.
• Equal cost multipath (ECMP) is used for load balancing and redundancy.

Route Addition

• FortiGate adds a static route to the routing table when the route is configured manually.

RPF Protection

• The reverse path forwarding (RPF) check protects against spoofing attacks.

Routing Table Lookup

• FortiGate performs routing table lookup only once for any session.
• The route information in the session table is updated after a routing change.
• FortiGate usually performs one routing lookup for a traffic session.
• FortiGate performs additional routing table lookups when the routing table changes or the session is re-established.

Route Decision

• FortiGate decides routes based on the routing table and policy routes.

Policy Routes

• The command to view FortiGate's policy routes is "diag debug appl cs-route".

Routing Modules

• FortiGate has two routing modules: the kernel routing table and the FIB.

Routing Information

• After performing routing lookups for a session, FortiGate stores the routing information in the session table.
• The route information in the session table is updated after a routing change.
• FortiGate is a stateful device.