NSE4 Part 9: Routing & SD-WAN
Part 9 of the NSE4 series. This post covers Lessons 15 and 16 of the official curriculum — routing fundamentals on FortiOS, plus SD-WAN, which is just routing with a feedback loop.
Routing table lookup
Packet processing hits the routing table before firewall policy lookup: the route decides the egress interface, and that interface is what a policy's dstintf has to match. FortiOS uses longest-prefix match, with two tiebreakers when several routes share the same prefix length:
- Distance (administrative distance): lower wins. Defaults: connected = 0, static = 10, eBGP = 20, OSPF = 110, iBGP = 200.
- Priority: compared only among routes already tied on distance. Lower wins. Unlike distance, a worse priority does not keep a route out of the routing table: both routes are installed, the one with the lower priority value carries traffic, and the other sits ready as a backup.
For a given prefix only the routes with the lowest distance enter the routing table (get router info routing-table all); routes learned at a higher distance wait in the database. Routes tied on both distance and priority are ECMP candidates, and sessions are spread across them according to v4-ecmp-mode under config system settings (source-ip-based by default).
get router info routing-table all
get router info routing-table database ; all candidates, including not-best
The database view is what to read in exam questions about which route would be installed: the entries it marks with > are the ones in the routing table, the rest are valid but lost on distance.
Static routes
config router static
edit 1
set dst 0.0.0.0/0
set gateway 198.51.100.1
set device "wan1"
set distance 10
set priority 0
next
end
Important: a static route is only installed while its outgoing interface is up; FortiOS does not by itself test whether the gateway answers. Link health monitor (config system link-monitor) probes a target through the interface and withdraws the route when the probes fail, and reinstalls it when they recover. Two default routes with the same distance and different priority, plus a link monitor on the primary, is the basic WAN failover pattern: the backup route is already in the routing table and takes over the moment the primary is withdrawn.
Policy routes
Policy routes (PBR) are consulted before the routing table and override it for matching traffic. They match on protocol, source/dest IP (or address objects), source/dest port, ToS and incoming interface; the action sets the egress interface and gateway. A policy route with action deny is the escape hatch: traffic matching it skips the remaining policy routes and falls through to the normal lookup.
config router policy
edit 1
set input-device "internal"
set src "10.10.1.0/24"
set dst "0.0.0.0/0"
set output-device "wan2"
set gateway 192.0.2.1
next
end
Use sparingly: policy routes don't appear in the routing table view (list them with diagnose firewall proute list), which makes troubleshooting harder. SD-WAN is the more maintainable alternative for "send X via this WAN".
Reverse Path Forwarding (RPF)
On the first packet of each new session, FortiGate checks that the routing table has a route back to the packet's source IP through the interface the packet arrived on. If not, the packet is dropped before policy lookup. Two modes:
- Loose / feasible path (the default): any installed route to the source via the ingress interface qualifies, even if a better route to it exists on another interface.
- Strict: the best route to the source must leave via the ingress interface.
config system settings
set strict-src-check enable ; strict RPF; disable (the default) keeps feasible-path mode
end
The check can also be switched off per interface with set src-check disable under config system interface. You'll see reverse path check fail in a flow trace (diagnose debug flow) when it drops asymmetric traffic. Tighten or loosen depending on whether asymmetric routing is a feature or a bug in your design.
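Route selection and the RPF check, pulled together as an added example (Python, not FortiOS code and not from the original post). It models the rules above on a constructed routing database: longest-prefix match, then distance, then priority, with remaining ties treated as ECMP; installed() mimics what routing-table all lists versus the database; rpf_ok() implements strict mode (best route back must leave via the ingress interface) and feasible-path mode (any installed route covering the source via the ingress interface), the latter being my reading of the documented behaviour and therefore an assumption. The interface names, prefixes and the failover scenario (wan1 down, priority-backed default via wan2) are all constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Default administrative distances, as listed in the routing section.
DISTANCE = {"connected": 0, "static": 10, "ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    device: str                     # outgoing interface
    gateway: Optional[str] = None
    source: str = "static"          # connected / static / ospf / ebgp / ibgp
    distance: Optional[int] = None  # None -> protocol default
    priority: int = 0               # only compared among equal-distance routes
    up: bool = True                 # link state of the outgoing interface

    @property
    def admin_distance(self) -> int:
        return DISTANCE[self.source] if self.distance is None else self.distance


class RoutingTable:
    def __init__(self, routes: List[Route]):
        # Everything learned, i.e. what 'routing-table database' lists.
        self.database = list(routes)

    def installed(self) -> List[Route]:
        """What 'routing-table all' shows: per prefix only the lowest-distance
        routes survive. Priority never removes a route from this set; a route
        whose interface is down is withdrawn."""
        best = {}
        for r in self.database:
            if not r.up:
                continue
            cur = best.get(r.prefix, [])
            if not cur or r.admin_distance < cur[0].admin_distance:
                best[r.prefix] = [r]
            elif r.admin_distance == cur[0].admin_distance:
                cur.append(r)
        return [r for group in best.values() for r in group]

    def lookup(self, dst: str) -> List[Route]:
        """Routes a packet to dst would use: longest prefix, then lowest
        priority value. More than one result means ECMP."""
        ip = IPv4Address(dst)
        cands = [r for r in self.installed() if ip in r.prefix]
        if not cands:
            return []
        longest = max(r.prefix.prefixlen for r in cands)
        cands = [r for r in cands if r.prefix.prefixlen == longest]
        best_prio = min(r.priority for r in cands)
        return [r for r in cands if r.priority == best_prio]

    def rpf_ok(self, src: str, ingress: str, strict: bool) -> bool:
        """Reverse path check on the first packet of a session.
        strict: the best route back to src must leave via ingress.
        feasible path (loose): any installed route covering src via ingress
        is enough, even a worse-priority or less specific one (assumption)."""
        if strict:
            return any(r.device == ingress for r in self.lookup(src))
        ip = IPv4Address(src)
        return any(r.device == ingress for r in self.installed() if ip in r.prefix)


def build_example_table(wan1_up: bool = True) -> RoutingTable:
    """Constructed topology: two default routes at equal distance, the wan1 one
    preferred by priority; a /16 learned both statically and via OSPF; an ECMP
    pair; a connected LAN. wan1_up=False simulates the wan1 link going down."""
    n = IPv4Network
    return RoutingTable([
        Route(n("0.0.0.0/0"), "wan1", "198.51.100.1", priority=0, up=wan1_up),
        Route(n("0.0.0.0/0"), "wan2", "192.0.2.1", priority=10),
        Route(n("10.10.1.0/24"), "internal", source="connected"),
        Route(n("10.20.0.0/16"), "wan2", "192.0.2.1", source="static"),
        Route(n("10.20.0.0/16"), "dmz", "10.10.2.1", source="ospf"),
        Route(n("172.16.0.0/16"), "wan1", "198.51.100.1", up=wan1_up),
        Route(n("172.16.0.0/16"), "wan2", "192.0.2.1"),
    ])


if __name__ == "__main__":
    t = build_example_table()
    print("8.8.8.8 ->", [r.device for r in t.lookup("8.8.8.8")])
    print("10.20.5.5 ->", [(r.source, r.device) for r in t.lookup("10.20.5.5")])
    print("172.16.3.4 ->", [r.device for r in t.lookup("172.16.3.4")])
    print("RPF strict, Internet source on wan2:", t.rpf_ok("203.0.113.5", "wan2", True))
    print("RPF loose,  Internet source on wan2:", t.rpf_ok("203.0.113.5", "wan2", False))
    print("wan1 down, 8.8.8.8 ->", [r.device for r in build_example_table(False).lookup("8.8.8.8")])
```

Two things to notice when you run it: the OSPF copy of 10.20.0.0/16 never reaches installed() because the static one has distance 10, which is the distance-versus-priority distinction the exam likes; and the same return packet from the Internet passes RPF on wan2 in loose mode but fails in strict mode, because the best route back is the priority-0 default via wan1.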
OSPF basics
OSPF is a link-state IGP. Key NSE4-level facts:
- Hello packets every 10s, dead interval 40s on broadcast networks.
- Areas: area 0 (backbone) plus regular, stub, totally stubby, NSSA areas.
- Router IDs must be unique; FortiGate picks the highest interface IP if router-id isn't set explicitly. Set it anyway: a router ID derived from an interface address changes when that address does, which resets adjacencies.
config router ospf
set router-id 10.10.1.1
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.10.1.0/24
set area 0.0.0.0
next
end
end
BGP basics
BGP is a path-vector EGP, used for internet edge and overlay (e.g., ADVPN). Key bits:
- TCP/179 between peers; iBGP within an AS, eBGP between ASes.
- iBGP needs a full mesh or route reflectors — the default does not advertise iBGP-learned routes to other iBGP peers.
- Distance: eBGP 20, iBGP 200 — eBGP normally wins over OSPF (110), iBGP doesn’t.
config router bgp
set as 65001
config neighbor
edit 198.51.100.1
set remote-as 65000
next
end
end
SD-WAN
SD-WAN treats multiple WAN interfaces as a single logical egress zone, then uses performance SLAs to steer per-application traffic to the best member. The pieces:
SD-WAN zones. A named group of member interfaces. The default zone virtual-wan-link is created for legacy compat; you can build named zones (e.g., sdwan-internet, sdwan-mpls) and use them as dstintf in firewall policies. Gotcha: an interface can only become a member once nothing else references it (existing firewall policies and static routes on wan1 have to be removed or rewritten first), and from then on policies reference the zone, not the member interface.
config system sdwan
set status enable
config zone
edit "sdwan-internet" ; the zone must exist before members can reference it
next
end
config members
edit 1
set interface "wan1"
set zone "sdwan-internet"
set gateway 198.51.100.1
next
edit 2
set interface "wan2"
set zone "sdwan-internet"
set gateway 192.0.2.1
next
end
end
Performance SLAs. Active probes (ping, HTTP, DNS, TCP echo, TWAMP and others) sent over each member, measuring latency, jitter and packet loss. Two separate verdicts come out of one health check: the check itself marks a member alive or dead (dead after failtime consecutive lost probes, alive again after recoverytime successes), and each SLA entry marks a member in-SLA only if every measured value is within its thresholds. A member can be alive but out of SLA; a dead member is never used by any rule.
config system sdwan
config health-check
edit "ping-1.1.1.1"
set server "1.1.1.1"
set members 1 2
set sla-fail-log-period 10
config sla
edit 1
set latency-threshold 100
set jitter-threshold 30
set packetloss-threshold 1
next
end
next
end
end
SD-WAN rules. Steering policies that map source/dest/app/user to a preferred member or strategy. Strategies (GUI name, then CLI mode):
- Manual (mode manual): pin to a specific member or ordered list of members; SLA state is ignored.
- Best quality (mode priority): among alive members, pick the one with the best value for one chosen metric (link-cost-factor).
- Lowest cost / SLA (mode sla): walk priority-members in order and use the first one that meets the SLA; if cost is set on the members it is compared before list order.
- Maximize bandwidth (mode load-balance): spread sessions across all in-SLA members.
config system sdwan
config service
edit 1
set name "voip-priority"
set mode sla
set dst "voip-servers"
set health-check "ping-1.1.1.1"
config sla
edit "ping-1.1.1.1"
set id 1
next
end
set priority-members 1 2
next
end
end
The implicit SD-WAN rule (mode auto at the bottom) catches everything else and spreads it across the alive members according to load-balance-mode under config system sdwan (source-ip-based by default).
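An added example, not from the post and not FortiOS code, covering the Performance SLAs and SD-WAN rules sections together: it evaluates a constructed health-check snapshot against the SLA thresholds configured above and applies the three SLA-driven strategies to it. The sample text is shaped like diagnose sys sdwan health-check output, but the field layout varies by FortiOS version, so the regex is an assumption to adjust against your own box. The tie handling in best-quality mode (link-cost-threshold, 10% by default) and the fallback order in SLA mode when nothing meets the SLA are modelled from the documented behaviour rather than read from FortiOS.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SlaTarget:
    """Thresholds from 'config sla / edit 1' in the health-check above."""
    latency_ms: float = 100
    jitter_ms: float = 30
    packet_loss_pct: float = 1


@dataclass
class Member:
    seq: int               # member id (the 1, 2 in 'set members 1 2')
    interface: str
    alive: bool            # health-check verdict
    packet_loss_pct: float
    latency_ms: float
    jitter_ms: float
    cost: int = 0          # 'set cost' on the member; 0 when unset


# Constructed sample in the shape of 'diagnose sys sdwan health-check' output.
# Field layout differs between FortiOS versions; adjust LINE if yours does.
SAMPLE_OUTPUT = """\
Health Check(ping-1.1.1.1):
Seq(1 wan1): state(alive), packet-loss(0.000%) latency(12.345), jitter(1.234), sla_map=0x1
Seq(2 wan2): state(alive), packet-loss(2.500%) latency(180.120), jitter(45.010), sla_map=0x0
Seq(3 wan3): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000), sla_map=0x0
"""

LINE = re.compile(r"Seq\((\d+) (\S+)\): state\((\w+)\), packet-loss\(([\d.]+)%\) "
                  r"latency\(([\d.]+)\), jitter\(([\d.]+)\)")


def parse_health_check(text: str, costs: Optional[Dict[int, int]] = None) -> List[Member]:
    """One Member per Seq(...) line; costs maps member id -> configured cost."""
    costs = costs or {}
    members = []
    for m in LINE.finditer(text):
        seq, name, state, loss, lat, jit = m.groups()
        members.append(Member(int(seq), name, state == "alive",
                              float(loss), float(lat), float(jit), costs.get(int(seq), 0)))
    return members


def in_sla(m: Member, sla: SlaTarget) -> bool:
    """In-SLA only if alive and every measured value is within its threshold."""
    return (m.alive and m.latency_ms <= sla.latency_ms
            and m.jitter_ms <= sla.jitter_ms
            and m.packet_loss_pct <= sla.packet_loss_pct)


def select_sla(members: List[Member], sla: SlaTarget, priority_members: List[int]) -> List[Member]:
    """mode sla (lowest cost / SLA). Candidates in the order the rule would try
    them: in-SLA members first, ordered by cost then by position in
    priority-members; alive-but-out-of-SLA members follow as the fallback
    (modelled); dead members are never candidates."""
    by_seq = {m.seq: m for m in members}
    ordered = [by_seq[s] for s in priority_members if s in by_seq and by_seq[s].alive]
    passing = sorted((m for m in ordered if in_sla(m, sla)),
                     key=lambda m: (m.cost, priority_members.index(m.seq)))
    failing = [m for m in ordered if not in_sla(m, sla)]
    return passing + failing


def select_priority(members: List[Member], metric: str = "latency_ms",
                    threshold_pct: float = 10) -> Optional[Member]:
    """mode priority (best quality): lowest value of one metric (link-cost-factor)
    among alive members. Members within link-cost-threshold (default 10%) of the
    best value count as equal; the tie goes to config order, taken here as the
    lower member id (modelled)."""
    alive = [m for m in members if m.alive]
    if not alive:
        return None
    best = min(getattr(m, metric) for m in alive)
    close = [m for m in alive if getattr(m, metric) <= best * (1 + threshold_pct / 100)]
    return min(close, key=lambda m: m.seq)


def select_load_balance(members: List[Member], sla: SlaTarget) -> List[Member]:
    """mode load-balance (maximize bandwidth): every in-SLA member carries
    sessions; how they are spread between them is the zone's load-balance-mode."""
    return [m for m in members if in_sla(m, sla)]


if __name__ == "__main__":
    ms = parse_health_check(SAMPLE_OUTPUT)
    sla = SlaTarget()
    for m in ms:
        print(f"{m.interface}: alive={m.alive} in_sla={in_sla(m, sla)}")
    # voip-priority lists wan2 first, but wan2 is out of SLA, so wan1 is chosen
    print("voip-priority picks:", select_sla(ms, sla, [2, 1])[0].interface)
    print("best latency:", select_priority(ms).interface)
```

The interesting case is the second one: wan2 is alive (the health check has not declared it dead) yet fails the SLA on latency, jitter and loss at once, so a rule in mode sla walks past it to wan1 even though wan2 is listed first in priority-members. Relax the thresholds and give wan1 a higher cost, and the same rule flips to wan2; that is the "lowest cost" half of "lowest cost (SLA)".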
Diagnostics
Routing:
get router info routing-table all
get router info routing-table database
get router info ospf neighbor
get router info bgp summary
diagnose ip rtcache list ; live route cache
SD-WAN:
diagnose sys sdwan member
diagnose sys sdwan service
diagnose sys sdwan health-check
The health-check output shows current jitter / latency / packet loss per member and which members are in-SLA. Reading this output is a frequent exam task.
Part 10 covers High Availability — the last topic in the syllabus and the one most likely to be assessed via “interpret this output” rather than configuration questions.