30 Questions
Which mode is the default mode for RPF check?
Feasible path
In feasible path mode, the packet is accepted as long as there is one active route to the source IP through the incoming interface.
True
Does the packet from 10.4.0.1 to 10.1.0.1 get accepted?
Yes
Does the packet from 172.16.1.1 to 10.1.0.1 get accepted?
No
What was feasible path mode formerly known as?
Loose
Does the packet need to take the best route in feasible path mode?
No
Is there an active route to the IP-address 172.16.1.1 through port3?
No
What is the destination IP of the packet that is accepted?
10.1.0.1
What is the destination IP of the packet that is not accepted?
172.16.1.1
What is the default route used for?
Accepting packets
Which table does FortiGate go to if the action in a policy route is Stop Policy Routing?
Route Cache
What is the purpose of the Forwarding Information Base (FIB)?
Packet Forwarding
In a FortiGate high availability (H-A) cluster, which table exists only on the secondary FortiGate?
Forwarding Information Base
What happens if there is no match in any of the routing tables?
Packet is dropped
What is the first criteria used by FortiGate to select a route when there are multiple routes to a destination?
Longest netmask
When does FortiGate use the lowest metric as the tiebreaker for dynamic routes?
When there are multiple routes with the same distance
Which type of routes does FortiGate use the lowest priority as the tiebreaker?
Static routes
What is equal cost multipath (ECMP) used for?
Traffic sharing
Under what conditions does FortiGate add a static route to the routing table?
All of the above
What does the reverse path forwarding (RPF) check protect against?
IP spoofing attacks
FortiGate performs routing table lookup how many times for any session?
Twice
What happens to the route information in the session table after a routing change?
It is flushed from affected sessions and route cache
How many routing lookups does FortiGate usually perform for a traffic session?
Two
When would FortiGate perform additional routing table lookups?
After a routing change
How does FortiGate decide routes?
Based on the routing modules
Which command can be used to view FortiGate's policy routes?
diagnose firewall proute list
How many routing modules does FortiGate have?
One
What does FortiGate do with the routing information after performing routing lookups for a session?
It stores the routing information in the session table
What happens to the route information in the session table after a routing change?
It is flushed from affected sessions and route cache
Is FortiGate a stateful or stateless device?
Stateful
Study Notes
RPF Check
- The default mode for RPF check is feasible path mode.
Feasible Path Mode
- In feasible path mode, a packet is accepted as long as there is one active route to the source IP through the incoming interface.
- Feasible path mode was formerly known as "asymmetric routing".
- The packet does not need to take the best route in feasible path mode.
Packet Acceptance
- The packet from 10.4.0.1 to 10.1.0.1 gets accepted.
- The packet from 172.16.1.1 to 10.1.0.1 gets accepted.
Route Information
- There is no active route to the IP address 172.16.1.1 through port3.
- The destination IP of the packet that is accepted is 10.1.0.1.
- The destination IP of the packet that is not accepted is not specified.
Routing
- The default route is used for routing packets when there is no specific route.
- When the action in a policy route is Stop Policy Routing, FortiGate goes to the Kernel routing table.
- The purpose of the Forwarding Information Base (FIB) is to facilitate routing decisions.
- In a FortiGate high availability (H-A) cluster, the secondary FortiGate has a dedicated routing table.
- If there is no match in any of the routing tables, FortiGate uses the default route.
- The first criteria used by FortiGate to select a route when there are multiple routes to a destination is the longest prefix match.
- FortiGate uses the lowest metric as the tiebreaker for dynamic routes when there are multiple routes with the same prefix length.
- FortiGate uses the lowest priority as the tiebreaker for static routes.
- Equal cost multipath (ECMP) is used for load balancing and redundancy.
Route Addition
- FortiGate adds a static route to the routing table when the route is configured manually.
RPF Protection
- The reverse path forwarding (RPF) check protects against spoofing attacks.
Routing Table Lookup
- FortiGate performs routing table lookup only once for any session.
- The route information in the session table is updated after a routing change.
- FortiGate usually performs one routing lookup for a traffic session.
- FortiGate performs additional routing table lookups when the routing table changes or the session is re-established.
Route Decision
- FortiGate decides routes based on the routing table and policy routes.
Policy Routes
- The command to view FortiGate's policy routes is "diag debug appl cs-route".
Routing Modules
- FortiGate has two routing modules: the kernel routing table and the FIB.
Routing Information
- After performing routing lookups for a session, FortiGate stores the routing information in the session table.
- The route information in the session table is updated after a routing change.
- FortiGate is a stateful device.
Test your knowledge on routing concepts and troubleshooting with this quiz. Learn about route lookup in FortiGate and how routing information is stored in session tables and route cache. Find out what happens to route information after a routing change.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free
