FortiGate Routing Modes Quiz

Questions and Answers

Which interface does FortiGate route packets through if the session originates from the other side?

• port4
• port2
• port1 (correct)
• port3

Which interface does the return packet arrive at if the session originated from the local workstation?

• port4
• port2 (correct)
• port3
• port1

What is the result of the return traffic following a different path than the originating traffic?

• Security inspection is affected
• Asymmetric routing (correct)
• FortiGate rejects the return packet
• Packets are dropped

Which routing mode checks that the best route to the source IP-address is through the incoming interface?

Strict RPF (B)

Which routing mode accepts traffic from a specific subnet only when a specific incoming interface is used?

Strict RPF (B)

Which routing mode ensures that the return packets are routed through the same interface they originated from, even if there is a better route through a different interface?

Return packet routing (C)

Which device in the network topology is directly connected to FortiGate port2?

Local router (D)

What is the default gateway for the local workstation?

10.1.0.254 (D)

What is the purpose of FortiGate remembering the interface to source?

To improve routing efficiency (C)

Why does FortiGate route the return packet through port2 instead of port1, even though port1 is the better route?

To maintain traffic flow symmetry (A)

What are the three network devices in the local network 10.1.0.0/24?

local workstation, local router, and FortiGate port1

Which interface is directly connected to the local router?

FortiGate port2

What is the IP address of the remote server?

10.4.0.1

What is the default gateway for the local workstation?

10.1.0.254

Why does FortiGate remember the interface to source?

To route the return packets through the same interface they originated from

What happens when an ICMP echo request is sent from the local workstation to the remote server?

The packet goes to the local router first, then to FortiGate, then to the remote router, and finally to the destination

Which interface does the ICMP packet arrive at when it reaches FortiGate?

port2

What is stored in the session information for the originating traffic?

The next hop to the destination

Which interface does FortiGate route the return packet through?

port2

What is the objective of keeping the traffic flow symmetric?

To ensure that the return packets follow the same path as the originating traffic

What is the purpose of strict mode in FortiGate routing?

To check that the best route to the source IP-address is through the incoming interface and that it is the best route.

What happens to traffic from 172.16.1.1 to 10.1.0.1 in strict mode?

It is blocked because there is no route to the source IP-address through the incoming interface.

What happens to traffic from 10.4.0.1 to 10.1.0.1 in strict mode?

It is also blocked because there is an active route to 10.4.0.1 through a different interface, but it is not the best route to the source IP-address.

What does the unit do during the second routing lookup?

The unit finds the next hop (or gateway) to the source.

What is the purpose of return packet routing in FortiGate?

To ensure that the return packet is routed through the same interface it originated from, even if there is a better route through a different interface.

What IP address is added to the session during the second routing lookup?

The IP address of the next hop is added to the session.

Why is symmetric routing important for content inspection in FortiGate?

It ensures that traffic follows the same path in both directions, allowing for effective content inspection.

What can prevent FortiGate from inspecting traffic content?

Asymmetric routing, where traffic follows different paths in each direction.

What is the initial value of the session before the second routing lookup?

The initial value of the session is 0.0.0.0.

What is the default routing behavior in FortiGate?

Routing is kept symmetric as much as possible.

What happens if the traffic originates from the server side instead of the other side?

If the traffic originates from the server side, FortiGate uses the best route to the source IP-address.

Which interface does FortiGate route packets through if the session originates from the other side?

The interface that the return packets originated from.

What happens if the ICMP echo request arrives at FortiGate when there is no session yet?

FortiGate uses the best route to the source IP-address.

What does FortiGate remember about the interface to source?

The interface to route the return packets through.

What is the result of the return packet arriving through a different interface?

The result is asymmetric routing, where the return traffic follows a different path than the originating traffic.

What is the purpose of routing traffic symmetrically in FortiGate?

To ensure that the same route path is used for both directions of the traffic (symmetric routing).

What is the default gateway for the local workstation in the example shown on this slide?

The default gateway for the local workstation is 10.1.0.254.

Where does the ICMP echo reply go first after arriving at the local workstation?

The ICMP echo reply goes to the local router first.

Which interface does the return packet arrive at in the example shown on this slide?

The return packet arrives at FortiGate port2.

What is the result of FortiGate accepting the return packet that arrives through a different interface?

The result is asymmetric routing, where the return traffic follows a different path than the originating traffic.