Fortinet NSE 4 7.2 — Precedence of Policy Routes over FIB Routes
This is the next in a series of Fortinet NSE 4 labs that I designed and implemented. A question came up in a recent training session: does a policy route take precedence over a connected route in the RIB/FIB of a FortiGate? This document tests that behavior on a FortiGate 61E.
Topology:
Microsoft Surface, IP address 10.10.12.2 (VLAN 12), connected to the FortiGate 61E and acting as the SSH client
Linux server, 10.10.10.2, connected to the DMZ port of the same FortiGate 61E and acting as the SSH server
Initial verification that the client can successfully open an SSH connection to the Linux server.
Log entry for the connection. Note the destination interface of “dmz”.
Routing table showing the connected route for 10.10.10.0/24 (dmz) and no policy routes currently configured.
Next, we add a policy route matching traffic arriving on vlan12 with a source of 10.10.12.0/24 and a destination of 10.10.10.0/24, with an outgoing interface of wan1. We are deliberately sending traffic destined for the DMZ subnet toward the Internet, even though the FortiGate has a directly connected route to that subnet.
Retry the SSH session; the connection now times out.
Check the log: traffic to 10.10.10.2 is now being sent out wan1, toward the Internet, instead of out dmz.
Routing table showing that the connected route to 10.10.10.0/24 is still present, alongside the new policy route.
We have confirmed that a policy route takes precedence over a connected route in the RIB/FIB. The FortiGate consults the policy route table before the routing table, so a matching policy route wins even when the FIB holds a connected route to the destination; the connected route is not removed, it is simply never reached for traffic that matches the policy route. The practical lesson is that a misplaced or overly broad policy route can silently black-hole traffic to a directly attached network while the routing table still looks healthy, so always check the policy route table as well as the FIB when troubleshooting.
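The following is an added CLI walkthrough of the same lab, not part of the original writeup or of any Fortinet documentation. It reproduces the GUI steps on the FortiOS command line so the precedence can be checked without screenshots. The interface names vlan12, dmz and wan1 and the prefixes 10.10.12.0/24 and 10.10.10.0/24 come from the lab above; the policy route ID 1 and the assumption that a default route via wan1 already exists are mine.

```fortios
# Added example, not from the original lab. FortiOS 7.2 CLI equivalent of the
# lab steps above. Policy route ID 1 is an assumed value; pick a free ID.

# 1. Baseline: the connected route for 10.10.10.0/24 via dmz exists and the
#    policy route table is empty.
get router info routing-table connected
diagnose firewall proute list

# 2. Add the policy route: traffic entering on vlan12 from 10.10.12.0/24 and
#    destined for 10.10.10.0/24 is forced out wan1. The gateway is left at its
#    default of 0.0.0.0, so the next hop out wan1 is taken from the routing
#    table (assumption: a default route via wan1 is present, as in the lab).
config router policy
    edit 1
        set input-device "vlan12"
        set src "10.10.12.0/255.255.255.0"
        set dst "10.10.10.0/255.255.255.0"
        set output-device "wan1"
        set status enable
    next
end

# 3. Retry SSH from 10.10.12.2 to 10.10.10.2 while watching the FortiGate.
#    The routing table is unchanged (the connected route is still there);
#    the policy route lives in its own table, which is consulted first.
get router info routing-table all
diagnose firewall proute list

#    Per-packet proof: the SYN to port 22 now leaves wan1, not dmz.
diagnose sniffer packet wan1 'host 10.10.10.2 and port 22' 4

#    Session-level proof: the session for 10.10.10.2:22 shows wan1 as the
#    outgoing interface.
diagnose sys session filter dst 10.10.10.2
diagnose sys session filter dport 22
diagnose sys session list

# 4. Clean up so the DMZ host is reachable again.
config router policy
    delete 1
end
```

Two checks worth keeping in the habit: `diagnose firewall proute list` shows the policy route table that the GUI routing monitor only summarises, and the sniffer on wan1 proves where the packet actually went rather than relying on the forward-traffic log alone. If the policy route does not take effect, confirm that the routing table has a route out the chosen output-device, since a policy route with a 0.0.0.0 gateway still needs the FIB to resolve the next hop on that interface.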