TTechclick All lessons
Fortinet · FortiGate · Routing (OSPF + BGP)~60% interview hit-rate · #7 in frequency · network-engineer-leaning rolesInteractive · L1 / L2 / L3

FortiGate Routing — Static, Policy Route, OSPF, BGP, and the Lookup Order in 11 Minutes

Most candidates can recite "OSPF is link-state, BGP is path-vector" — and lose the round on the next question: "What does FortiGate check FIRST when a packet arrives?" Recruiters at an Indian enterprise, an Indian IT services firm, an Indian IT services firm, an Indian MSP and the banking IT team want you to walk the lookup order without thinking. This blog gets you there.

📅 2026-05-26 · ⏱ 11 min · 5 SVG infographics · 2 packet visualizers · 🏷 10-Q Bloom-tiered assessment + AI Tutor

Pick your path — jump to your weak spot

1

Lookup order map

Policy route → static → dynamic → SD-WAN — the exact priority FortiOS walks.

 2

Static + Policy route

Distance vs priority tiebreaker, ISDB routes, the blackhole anti-failover trap.

 3

OSPF deep-dive

Areas, LSAs, neighbor states — and the EXSTART trap (MTU mismatch).

 4

BGP for SD-WAN

eBGP, ebgp-multihop, AS-path / local-pref, route-maps for asymmetric paths.

Why this matters — the airport visa queue

Picture the immigration counter at Bangalore airport. Five queues feed one officer. Diplomatic-status passengers go first — the officer waves them through without checking the regular queue. Then the standard queue (most of us). Walk-ins (last-minute boarding) come after. And finally, if you have no ticket at all, you join the any-flight-will-do default queue near the gate. That's exactly how a FortiGate picks where a packet goes.

Five lookup tiers, walked top-to-bottom: policy route → static → dynamic (OSPF/BGP) → SD-WAN rule → default route. First match wins, evaluation stops. Get this one sentence right and the next 10 minutes of the interview belong to you.

Scenario · Karan — L3 network architect at a Bangalore banking IT team

Karan (L3 network engineer, 6 years in) designs dual-DC routing for a Tier-1 banking client. DC1 in Mumbai (FortiGate 10.60.0.1), DC2 in Hyderabad (10.70.0.1), OSPF area-0 backbone between them, plus an eBGP session to the ISP (203.0.113.50, AS 65001) for internet underlay. Branch traffic from 10.60.10.5 destined to the core banking VLAN in DC2 keeps taking the wrong path during failover.

Karan's first instinct: "OSPF should pick the best link." Wrong start point. FortiGate doesn't even reach OSPF until policy-route and static lookups fail. A stale policy route written six months ago was steering 10.60.10.0/24 out the secondary ISP — bypassing OSPF entirely. He fixed it in 8 minutes once he walked the order. We'll see the exact command at the end.

FortiGate routing table lookup order — top-to-bottom waterfall Vertical waterfall showing the five FortiGate routing tiers in evaluation order: 1 policy route table, 2 static route table, 3 dynamic route table (OSPF/BGP), 4 SD-WAN rule, 5 default route. Each tier has a "matched → forward" exit arrow on the right and a "no match → fall through" arrow downward. FortiGate routing-table lookup order — first match wins Packet arrives ① POLICY ROUTE match src + dst + service + incoming intf → set output intf / gateway ② STATIC ROUTE manually configured · default distance 10 · priority breaks ties ③ DYNAMIC (OSPF / BGP / RIP) OSPF dist=110 · iBGP dist=200 · eBGP dist=20 ④ SD-WAN RULE app-aware steering · performance SLA · ISDB match ⑤ DEFAULT ROUTE (last resort) 0.0.0.0/0 → wan1 · "any flight will do" match → fwd match → fwd match → fwd match → fwd match → fwd no route at all → dropped (no-route-to-host)
Figure 1. The five-tier routing table lookup order. First match wins — once Tier 1 finds a policy route for your packet, OSPF and BGP never even run for that flow. This is why a stray policy route can make every other table look broken.

The four words an interviewer wants to hear

Behind the waterfall sit four concepts that decide ties: distance, priority, metric, and administrative selection. Distance picks which table wins when the same prefix exists in multiple sources. Priority picks the winner inside the static table when two routes share the same distance — most engineers don't know this exists and that's the L3-grade trap. Metric is the cost the protocol itself uses (OSPF cost, BGP MED). Administrative selection covers ISDB / SD-WAN tie-breakers.

🛣
Static route
tap to flip

Manually configured next-hop for a prefix. Default distance 10. Use for point-to-point known paths (DC-to-DC VPN tunnel, ISP next-hop). Set priority to break ties without changing distance.

🎯
Policy route
tap to flip

Steer by source / incoming intf / port — runs BEFORE the static table. Use to send "guest WiFi 10.99.0.0/24" out a different ISP. So what: a forgotten policy route silently breaks SD-WAN.

📚
ISDB route
tap to flip

Internet Service Database route — steer "Salesforce" or "Office365" by app identity instead of subnet. Lives inside the policy-route table. So what: traffic to known SaaS bypasses normal lookup.

🌐
OSPF
tap to flip

IGP. Link-state. Areas (0 = backbone), LSAs, SPF Dijkstra. Default distance 110. Fast convergence inside one AS. Needs matching MTU + Hello/Dead. So what: intra-DC + intra-WAN best friend.

🌍
BGP
tap to flip

EGP. Path-vector. AS_PATH + LOCAL_PREF + MED decide. eBGP dist=20, iBGP dist=200. Slow convergence (default keepalive 60s / hold 180s). So what: ISP peering and SD-WAN overlay/underlay.

🕳
Blackhole route
tap to flip

Static route to Null0 — silently drop traffic to a prefix. Use as anti-failover trap (kill leaked routes during failover testing) or to absorb DDoS-targeted IPs upstream.

Walking a packet — Karan's banking DC flow

Theory dies the moment you trace one real packet. Karan's branch user sits at 10.60.10.5; the core banking VLAN at DC2 lives on 10.70.20.0/24. Between them: FortiGate DC1 (10.60.0.1, OSPF area-0 ABR) and FortiGate DC2 (10.70.0.1). Here's the walk.

A packet from Karan's banking branch walks the FortiGate routing tables Horizontal flow showing a packet from 10.60.10.5 entering FortiGate DC1, missing the policy route table, missing the static route table, matching the OSPF table via area-0 ABR, and finally being forwarded over the OSPF-learned next hop to DC2. Karan's branch packet walks the routing tables Branch user 10.60.10.5 → 10.70.20.50 FortiGate DC1 (10.60.0.1) — table walk ① Policy route table — checked NO match (src 10.60.10.0/24 has no policy route) ② Static route table — checked NO match (no static for 10.70.20.0/24) ③ Dynamic (OSPF) — area-0 ABR has 10.70.20.0/24 MATCH ✓ via 10.99.0.2 (next-hop = DC2 FortiGate over backbone) ④ SD-WAN rule + ⑤ Default route — never reached (already matched)
Figure 2. Walking the table. Two tiers miss before OSPF picks up the prefix. The SD-WAN rule and default route are never evaluated — first-match wins. This is exactly why Karan's stale policy route (Tier 1) was hijacking the flow before OSPF got a turn.
Pause & Predict #1

Before you scroll — if Karan adds a static route 10.70.20.0/24 → 10.55.0.1 with distance 10 (default) and OSPF is already advertising the same prefix at distance 110, which table wins, and why?

Static wins — distance 10 beats OSPF's 110. Lower administrative distance always wins when the same prefix exists in multiple tables. The OSPF route is still learned (visible in get router info ospf database) but it sits inactive in the routing table because the static beat it. To force OSPF, raise the static's distance above 110 (set distance 120) — then OSPF becomes the active route and static is the backup.
Quick check · Q1 of 10

Riya at an Indian enterprise Pune sees two static default routes on her FortiGate: 0.0.0.0/0 → 203.0.113.1 (distance 10, priority 0) and 0.0.0.0/0 → 198.51.100.1 (distance 10, priority 5). Both are up. Which one is active in the routing table?

Correct: b. This is the FortiOS-specific gotcha most engineers miss. Distance picks the winning table; when distance ties between two static routes, priority breaks the tie — and lower priority wins. ECMP load-balancing only kicks in when distance AND priority both match. Option c inverts the rule. Option d would describe configuration order, which FortiOS does NOT use as a tiebreaker.

Real config — static + policy route on Karan's FG

Here's the exact CLI Karan keeps in his runbook for new DC builds.

CLI — static route + policy route + blackhole 
config router static
    edit 1
        set dst 10.70.20.0 255.255.255.0
        set gateway 10.99.0.2
        set device "to-DC2-VPN"
        set distance 10
        set priority 0
        set comment "Primary path to DC2 core banking VLAN"
    next
    edit 2
        set dst 10.70.20.0 255.255.255.0
        set gateway 10.99.1.2
        set device "to-DC2-MPLS"
        set distance 10
        set priority 5
        set comment "Backup path — wins only if Route 1 goes down"
    next
    edit 99
        set dst 10.55.99.0 255.255.255.0
        set blackhole enable
        set comment "Anti-leak — drop test traffic during failover drills"
    next
end

config router policy
    edit 1
        set input-device "port5"
        set src "10.60.99.0/24"
        set dst "0.0.0.0/0"
        set protocol 0
        set output-device "wan2"
        set gateway 198.51.100.1
        set comment "Guest WiFi out the secondary ISP"
    next
end
Expected output of `get router info routing-table all` 
Codes: K - kernel, C - connected, S - static, R - RIP, O - OSPF, IA - OSPF inter-area
       B - BGP, * - candidate default, ia - SR isis-A, V - BGP VPNv4

S*   0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C    10.60.0.0/24 is directly connected, port5
S    10.55.99.0/24 [10/0] is a summary, Null0   ← blackhole route
S    10.70.20.0/24 [10/0] via 10.99.0.2, to-DC2-VPN
O IA 10.70.30.0/24 [110/30] via 10.99.0.2, to-DC2-VPN, 04:12:35
B    203.0.114.0/24 [20/0] via 203.0.113.50, wan1, 02:08:17
The #1 routing trap Ram sees in interviews

Policy route runs BEFORE SD-WAN lookup. A stray policy route — say, written six months ago to test a guest subnet — makes your beautifully-tuned SD-WAN rules look broken. The packet matches Tier 1, gets steered out the wrong WAN, and never reaches Tier 4. Always run get router info policy-route as your first SD-WAN debug step.

Quick check · Q2 of 10

Aman at an Indian IT services firm Bangalore wires up SD-WAN with two ISPs (wan1, wan2) and a "send Office365 over wan2" SLA rule. The rule's health check is green but Office365 still egresses wan1. He runs get router info routing-table all — wan2 default is there. What does he run next?

Correct: c. SD-WAN rules sit at Tier 4 in the lookup order. If anything in Tier 1 (policy route) matches the flow first, SD-WAN is bypassed. Check policy route table first — usually a forgotten test entry. Option a is the right command for a different problem (SLA actually failing). Option d affects OSPF cost, not policy/SD-WAN.

OSPF — the IGP every interviewer drills

OSPF is FortiGate's default workhorse for intra-AS routing — campus, DC-to-DC over IPsec, multi-site WAN. Three things separate someone who has READ about OSPF from someone who has run it: areas, LSA types, and the neighbor state machine. Get all three on the whiteboard in 90 seconds and you've cleared an L2 round.

FortiGate OSPF sits at distance 110 by default. Areas scope flooding — Area 0 (backbone) glues everything together; non-zero areas (1, 2, …) connect through ABRs. LSAs are the protocol's payload — flood them to identical topology databases on every router in the area, then SPF (Dijkstra) computes shortest paths.

Decision tree — when to use which routing tool on FortiGate Branching tree starting from "what kind of routing decision do you need?", with five terminal branches leading to Static (point-to-point known paths), Policy Route (steer by source/port), OSPF (intra-AS dynamic), BGP (inter-AS or SD-WAN underlay), ISDB (steer by app), and Blackhole (anti-failover trap). Which routing tool should I reach for? What kind of decision do you need to make? STATIC ROUTE "I know the exact next-hop" VPN tunnel · ISP next-hop · DC link POLICY ROUTE / ISDB "steer by src/port/app" guest WiFi → ISP2 · O365 → wan2 OSPF "many subnets, one AS" campus · multi-site WAN · DC fabric BLACKHOLE ROUTE "drop silently to Null0" anti-leak · DDoS sinkhole · failover trap BGP "crossing AS boundaries" ISP peering · SD-WAN underlay · MPLS ⚠ Combine carefully — policy route TIER 1 silently overrides every other tier for the matched flow. Don't write policy routes you don't track in a runbook. Rule of thumb: STATIC for < 10 prefixes between known endpoints. OSPF for an enterprise WAN. BGP only when you cross an AS boundary OR you need fine policy control on your SD-WAN underlay.
Figure 3. The when-to-use-what decision tree. Six terminal branches, one shared gotcha (policy route hides everything else). Print this and stick it next to your lab box.

The OSPF neighbor state machine — and the EXSTART trap

OSPF doesn't just "come up." It walks 7 states: Down → Init → 2-Way → ExStart → Exchange → Loading → Full. Most candidates stop at "Full = good." The L3-grade question is: where do tunnels get stuck, and why? Answer: EXSTART, almost always because of MTU mismatch.

▶ OSPF neighbor state machine — Down → Full

Watch what happens when Karan brings up OSPF area-0 between FG DC1 and FG DC2 over their IPsec tunnel.

① DOWN No Hello received yet. Interface configured for OSPF but neighbor unknown.
② INIT FG DC1 sees a Hello from 10.99.0.2 but its own Router-ID isn't yet listed in the Hello — one-way only.
③ 2-WAY Each side now sees its own Router-ID in the other's Hello list. On broadcast links, DR/BDR election happens here.
④ EXSTART Master/Slave decided by Router-ID (higher wins). DBD packets begin.
⚠ Stuck here? Almost always MTU mismatch between peers.
⑤ EXCHANGE Both peers swap DBD packets — summaries of their LSDB. Each side asks for missing LSAs via LSR.
⑥ LOADING LSU packets carry full LSAs to fill in the missing pieces. Both LSDBs converge.
⑦ FULL Adjacency complete. SPF runs. Routes appear in get router info routing-table all with code O.
Press Play to watch a fresh OSPF adjacency progress from Down to Full. Next advances one state at a time.

Real config — OSPF area-0 between Karan's DC FortiGates

CLI — FG DC1 (10.60.0.1) OSPF setup 
config router ospf
    set router-id 10.60.0.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.60.0.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.99.0.0 255.255.255.0
            set area 0.0.0.0
        next
    end
    config interface
        edit "to-DC2-VPN"
            set hello-interval 10
            set dead-interval 40
            set mtu 1400
            set mtu-ignore enable
        next
    end
end
Expected output of `get router info ospf neighbor` 
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.70.0.1         1   Full/  -        00:00:35    10.99.0.2       to-DC2-VPN
Pro tip — distance vs priority breaks more ties than engineers realise

FortiOS uses distance for which protocol wins (static 10, OSPF 110, eBGP 20, iBGP 200). But when distance matches between two static routes, priority breaks the tie — and lower priority wins. Most engineers never set priority, so all routes default to 0 and ECMP kicks in. If you want a clean primary/backup with same distance, give the backup a higher priority (e.g. 5).

Quick check · Q3 of 10

Pooja at an Indian IT services firm Hyderabad brings up OSPF between two FortiGates over a fresh IPsec tunnel. get router info ospf neighbor shows the peer stuck in EXSTART/DR indefinitely. What's the most likely fix?

Correct: d. EXSTART hang = MTU mismatch nine times out of ten. DBD packets are sized at interface MTU, so a peer with MTU 1500 sends DBDs the IPsec side (1400) can't accept. Fix: align MTU (set mtu 1400 on both) or enable mtu-ignore. Option a affects cost calculations, not adjacency. Option c can mask the symptom but doesn't fix the root cause. Option d does nothing — the issue is symmetrical.

BGP — when SD-WAN underlay meets ISP peering

BGP is where Karan's design earns its money. The bank uses BGP to peer with two ISPs (AS 65001 + AS 65002) for internet redundancy, and again as the underlay for an SD-WAN overlay. Two flavours matter: eBGP for talking to the ISP, and iBGP for talking to another FortiGate in the same AS.

OSPF vs BGP — comparison matrix across six attributes A two-column comparison table comparing OSPF and BGP across six attributes: protocol type, algorithm, scope, decision metric, convergence speed, and default administrative distance. OSPF vs BGP — six attributes side-by-side Attribute OSPF BGP Protocol type "who is this for?" IGP (Interior Gateway Protocol) inside one AS EGP (Exterior Gateway) between ASes (also iBGP variant) Algorithm "how does it decide?" Link-state (Dijkstra SPF) full topology, then shortest path Path-vector attributes + AS_PATH Decision metric "why this path?" Cost (bandwidth-derived) lower cost wins Local-pref → AS-path → MED policy-driven, not bandwidth-driven Convergence "how fast after a flap?" Fast — seconds SPF re-runs on LSA change Slow — tens of seconds keepalive 60s / hold 180s default Default admin distance "who wins ties?" 110 loses to static (10), eBGP (20) eBGP 20 · iBGP 200 eBGP beats OSPF Best fit on FortiGate "when do I pick it?" DC ↔ DC over IPsec campus · WAN · multi-site fabric ISP peering · SD-WAN underlay policy control over path choice
Figure 4. OSPF vs BGP at a glance. The key shift: OSPF is bandwidth-driven, BGP is policy-driven. Inside one AS, OSPF converges in seconds; crossing AS boundaries, BGP gives you LOCAL_PREF and route-maps to engineer paths.

Real config — eBGP peering to the ISP

Karan peers FG DC1 (AS 65100) with ISP edge router (AS 65001) at 203.0.113.50. ISP demands MD5 password auth and rejects sessions with default TTL=1 if the FortiGate sits behind a small CPE — hence ebgp-multihop.

CLI — eBGP peering, route-map for asymmetric SD-WAN 
config router bgp
    set as 65100
    set router-id 10.60.0.1
    config neighbor
        edit "203.0.113.50"
            set remote-as 65001
            set password "banking-isp-md5"
            set ebgp-multihop enable
            set ebgp-multihop-ttl 5
            set route-map-in "rm-isp-in"
            set route-map-out "rm-isp-out"
        next
    end
    config network
        edit 1
            set prefix 203.0.114.0 255.255.255.0
        next
    end
end

config router route-map
    edit "rm-isp-in"
        config rule
            edit 10
                set match-ip-address "ACL-Default"
                set set-local-preference 200
            next
        end
    next
end
Expected output of `get router info bgp summary` 
VRF 0 BGP router identifier 10.60.0.1, local AS number 65100
BGP table version is 47, main routing table version 47

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
203.0.113.50    4 65001    8421    7912       47    0    0 02:08:17        352

Total number of neighbors 1
The BGP "peer won't come up" trap

If get router info bgp summary shows State/PfxRcd = Active (not "Established"), your eBGP session is failing. Top causes, in order: (1) TTL too low — peer is more than 1 hop away, fix with set ebgp-multihop enable; (2) firewall policy blocking TCP/179 in the transit zone; (3) password mismatch; (4) local AS misconfigured. Always check in that order.

▶ Watch a packet evaluated through the routing tiers — policy route wins

Same FG DC1, different source — Karan's guest WiFi subnet 10.60.99.0/24. A leftover policy route steers it out wan2 before OSPF or BGP even get a vote.

① ARRIVE 10.60.99.42:512348.8.8.8:443 arrives on port5 (guest VLAN)
② TIER 1 — POLICY ROUTE Match: src 10.60.99.0/24, in-intf port5 → output wan2 via 198.51.100.1
Match found. Evaluation halts here.
③ TIER 2 — STATIC Never reached. Static 0.0.0.0/0 → 203.0.113.1 is ignored for this flow.
④ TIER 3 — OSPF Never reached. OSPF-learned routes don't influence this packet at all.
⑤ TIER 4 — SD-WAN Never reached. Karan's beautifully-tuned SD-WAN steering rule for guest traffic is bypassed.
⑥ EGRESS via wan2 Packet leaves wan2 with source NAT'd to 198.51.100.5. Karan's monitoring shouts "wrong WAN!"
Fix: delete policy 1 in config router policy. SD-WAN now wins.
Press Play to see why "policy route runs before SD-WAN" is the #1 routing gotcha Ram sees in interviews.
Scenario continued · Karan fixes the asymmetric SD-WAN

Two days into the bank's go-live, NOC reports asymmetric routing on the SD-WAN — return traffic from a SaaS provider arrives on wan1 even though the outgoing flow used wan2. Karan checks diag sys session list | grep dst=<saas> and confirms: outgoing wan2, return wan1.

The cause: the ISP behind wan1 advertises a more-specific route via eBGP with shorter AS-path, so return traffic naturally prefers it. The fix isn't to disable BGP — it's a route-map that tags wan2-advertised prefixes with a higher LOCAL_PREF on the inbound side and adjusts MED outbound. 12 minutes of diagnose ip router command show + one route-map edit + one BGP soft-reset, and traffic flows symmetrically.

Pause & Predict #2

Karan has two static default routes pointing at wan1 and wan2, both distance 10, both priority 0. ECMP is enabled. He wants outbound traffic from a single user session to consistently take wan1 (his "primary"). What's the cleanest one-line change?

Raise the priority on the wan2 default to 5 (or any value > wan1's). Same distance, different priority — lower priority wins, so wan1 stays active and wan2 becomes pure backup (only installs if wan1 goes down). Bonus: this preserves your ECMP setting for OTHER routes where you actually want load-sharing. Alternative answers like "change distance" work but break the symmetric backup pattern.

Debug like an L3 — Karan's one-command checklist

Vikram, Karan's senior at the banking IT team, doesn't argue. He runs three commands in order. You should too.

CLI — the routing-debug triage sequence 
# 1. Is the route in the active table?
get router info routing-table all | grep 10.70.20.0

# 2. Where did it come from? (OSPF? BGP? static?)
get router info routing-table database

# 3. Live route process — what's the OSPF/BGP daemon doing?
diagnose ip router command show

# 4. Drill into a specific protocol
get router info ospf neighbor
get router info ospf database
get router info bgp summary
get router info bgp network

One sweep tells you whether the route exists, which protocol won it, and whether the routing daemon is even healthy. No tcpdump. No guessing.

FortiGate routing CLI cheat-sheet — nine tiles A 3-column grid of nine mini-tiles, each showing a FortiOS routing-related CLI command and its one-line use case, covering routing table, OSPF, BGP, ISDB, and process-level diagnostics. Routing CLI cheat-sheet — nine tiles that solve 80% of cases ① ROUTING TABLE get router info routing-table all What's active right now? ② OSPF NEIGHBORS get router info ospf neighbor Full / EXSTART / Down? ③ BGP SUMMARY get router info bgp summary Established or Active? ④ ROUTE PROCESS diagnose ip router command show Live daemon CLI shell ⑤ ROUTE DATABASE get router info routing-table database Inactive backup routes too ⑥ OSPF DEBUG diag debug application ospfd -1; diag debug en Trace adjacency in real-time ⑦ STATIC CONFIG config router static / policy / ospf / bgp One config tree per protocol ⑧ ISDB ROUTES get router info isdb SaaS-aware route table ⑨ EBGP MULTIHOP set ebgp-multihop enable Peer > 1 hop away Bookmark this. These nine commands handle ~80% of routing incidents on FortiOS 7.4 / 7.6. Works on FortiGate VM, 60F, 100F, 600F, and FortiGate-VM in CF/AWS/Azure.
Figure 5. Nine-tile routing cheat-sheet. Screenshot this for your lab bench — it handles 80% of routing incidents on the FortiGate fleets the Indian aggregators run.
Verify the fix worked

After any routing change, run these two commands in order:

get router info routing-table all — confirms the prefix is active.

get router info ospf neighbor (or bgp summary) — confirms adjacencies are healthy.

Expected: prefix shows with the right protocol code (O, O IA, B, S) and the neighbor shows Full (OSPF) or Established (BGP).

2024 reminder — routing flaps after CVE-2024-47575 "FortiJump"

Mandiant's UNC5820 hijacked FortiManager via CVE-2024-47575 (CVSS 9.8, missing auth in fgfmsd) and pushed rogue policies — and in many fleets the same vector silently re-injected static routes that overrode OSPF / BGP-learned paths. The IOC pattern: unexpected S (static) entries appearing for prefixes that should be coming from your IGP, with high distance values that "shouldn't matter" but actually do because the attacker also bumped FMG-pushed static routes ahead of dynamic learn. Audit hint: diff get router info routing-table database output against your last known-good baseline weekly. Source: Tenable PSIRT advisory.

Pause & Predict #3

Riya at an Indian IT services firm Pune installs two static routes to the SAME destination with distance 10 AND priority 0 on both. ECMP is enabled. She expects the FortiGate to load-balance 50/50 across them. diag sys session list shows all sessions using only one of the two paths. What's the most likely cause?

ECMP-load-balance method. FortiOS defaults to source-ip-based ECMP — every session from the same source IP goes the same way (sticky). If Riya is testing from one workstation, she sees 0% load-balance even though both routes are installed. Change to config system settings → set ecmp-max-paths 2 AND config system settings → set v4-ecmp-mode source-dest-ip-based (or weight-based) to spread per-flow. Confirm with get router info routing-table all — both routes should show as S*.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. Tuned on FortiOS 7.4 / 7.6 docs + community.

Pre-curated answers grounded in FortiOS 7.4 / 7.6 docs + LIVECommunity. For complex prod issues, paste your get router info routing-table all + diagnose ip router command show output into chat.techclick.in.

📝 Final round — seven more

You've already answered 3 inline. Seven more. 70% (7 of 10) total marks this lesson complete on your Techclick profile. Tap Submit all answers at the end.

Q4 · Remember

Neha at an Indian IT services firm Bangalore is asked at her L1 screen: "In what order does FortiGate evaluate routing tables when forwarding a packet?"

Correct: d. The five-tier waterfall is policy route FIRST (Tier 1) → static (Tier 2) → dynamic (Tier 3) → SD-WAN rule (Tier 4) → default route (Tier 5, last resort). First match wins. Option a flips Tier 1 and Tier 2. Option b ignores the policy-route table entirely. Option c reverses the order. Memorize this — it's a top-3 Fortinet routing screening question.
Q5 · Apply

Aditya at an Indian IT services firm Bangalore has two static routes to the same destination: Route 1 (distance 10, priority 0) and Route 2 (distance 10, priority 5). Both interfaces are up. Which route is active in the FortiGate routing table?

Correct: a. Lower priority wins inside the static table when distance is identical — this is a FortiOS-specific tiebreaker most engineers don't even know exists, which is exactly why it gets asked. ECMP only kicks in when BOTH distance and priority match. Option a and b confuse "higher" with "wins" — opposite of reality. Route 2 becomes the backup that only takes over if Route 1 drops.
Q6 · Apply

Karthik at the banking IT team brings up OSPF between two FortiGates over an IPsec tunnel. Hellos are flowing, the neighbor reaches EXSTART but never progresses to Full. He's been staring at get router info ospf neighbor for 20 minutes. What's the single most likely cause?

Correct: a. EXSTART hang screams MTU mismatch — DBD packets sized at interface MTU can't traverse a smaller-MTU path. Options b/c/d all PREVENT the adjacency from reaching EXSTART at all (you'd be stuck at Init or 2-Way instead). Duplicate router-ID → adjacency rejected immediately. Area mismatch → Hellos drop. Hello/Dead mismatch → never sees the neighbor. EXSTART is specifically the DBD-exchange stage where MTU bites.
Q7 · Analyze

Aman runs get router info bgp summary on FG DC1 and the peer at 203.0.113.50 shows State/PfxRcd = Active (not Established). Peer is 3 hops away across a CPE. Tcpdump on the WAN interface shows OUTBOUND TCP/179 SYNs but no SYN-ACK back. What's the most likely cause?

Correct: b. eBGP packets ship with TTL=1 by default — designed for directly-connected peers. Any intermediate router decrements TTL → 0 → drop. Multi-hop peer needs ebgp-multihop enabled with a TTL high enough to traverse all intervening hops (5 is a safe minimum). Option a is a stability tuning, not a connection issue. Option c and d produce different "State" strings — Active specifically means "TCP can't be established."
Q8 · Analyze

Vikram inherits a FortiGate where SD-WAN rules look perfect on paper but Office365 traffic still egresses wan1 (not the wan2 the SD-WAN rule specifies). SLA probes are green. He's already verified the SD-WAN config. What's his next single command and why?

Correct: c. The lookup-order trap — policy route is Tier 1, SD-WAN is Tier 4. A forgotten policy route written months ago (often by a junior engineer testing something) silently overrides every later tier. This is the most-asked routing trap in Fortinet L2/L3 interviews. Option a only resets sessions, doesn't fix routing. Option b verifies the wrong thing. Option d affects OSPF cost, not the policy-route table.
Q9 · Evaluate

An auditor proposes: "All FortiGates should run BGP everywhere internally, including DC-to-DC, because BGP gives us policy control over path choice. Disable OSPF — too many neighbors hurts performance." Is this a sound design?

Correct: c. BGP's policy power isn't free — its conservative defaults (keepalive 60s, hold 180s) plus path-vector convergence make it the wrong tool for fast intra-DC failover. OSPF's link-state model converges in seconds because every router has identical topology data. The 2024-25 best-practice for FortiGate DC fabrics is OSPF for IGP + BGP for AS-edge + SD-WAN overlays. Option b is technically possible but solves a problem you shouldn't have. Option d is factually wrong — BGP runs over IPsec all the time.
Q10 · Evaluate

Karan's bank wants protected internal subnets to vanish from the internet during a failover test — not be reachable at all, not even with a brief ICMP unreachable response. What's the right tool, and where does it go in the lookup order?

Correct: b. The blackhole route (set blackhole enable in config router static) is exactly the right shape — silent drop, no ICMP reply (attackers can't even confirm the subnet exists), Tier-2 placement means it beats anything OSPF/BGP-learned. Option a works but is interface-specific and chatty (ICMP responses leak info). Option c kills your IGP entirely — too blunt. Option d generates a deny log per packet — visible to anyone reading logs.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

Self-explanation prompt

In 2-3 sentences, explain to a hypothetical batchmate: "Why can a stray policy route make a perfectly-configured SD-WAN deployment look broken?" Writing it out cements the concept faster than re-reading.

📤 Teach a friend on WhatsApp: Share

📖 Mini-glossary — terms used in this blog

Static route
Manually configured next-hop, default distance 10, FortiOS-specific priority breaks ties.
Policy route
Tier-1 lookup — steer by source / incoming intf / port / service before any other table runs.
ISDB route
Internet Service DB route — steer by SaaS identity (Salesforce, O365) instead of subnet.
OSPF
Link-state IGP. Default distance 110. Areas + LSAs + Dijkstra SPF.
LSA
Link-State Advertisement — the unit OSPF floods (Types 1/2/3/5 most common).
Area
OSPF flooding domain. Area 0 = backbone; non-zero areas touch backbone via ABRs.
ABR
Area Border Router — sits in 2+ areas, translates Type 3 summary LSAs.
BGP
Path-vector EGP. eBGP 20, iBGP 200. AS-path + LOCAL_PREF + MED decide.
eBGP / iBGP
external (between ASes) vs internal (same AS) BGP — different distances and TTL rules.
AS-path
Ordered list of ASes a BGP route has traversed. Loop prevention + tiebreaker.
Local-pref
iBGP attribute — higher LOCAL_PREF wins. Used to engineer outbound path choice.
ECMP
Equal-Cost Multi-Path — when distance AND priority match, FortiOS load-balances across both.
Blackhole route
Static route to Null0 — silent drop, no ICMP reply. Anti-leak / DDoS sinkhole.
Route-map
Conditional filter / mutator for BGP attributes — match prefix, set local-pref / MED / community.
ebgp-multihop
Override eBGP's default TTL=1 so peers separated by intermediate routers can establish.
Where this gets asked: an Indian enterprise, an Indian IT services firm, an Indian IT services firm, an Indian MSP and the banking IT team drill OSPF + BGP fundamentals on every network-engineer-leaning Fortinet round. L1 screens lock on lookup order + default distances. L2 rounds test EXSTART / MTU + ebgp-multihop. L3 rounds want you to design an SD-WAN underlay with BGP route-maps and reason about asymmetric paths. Get the five-tier waterfall on the whiteboard inside 60 seconds and you're past the gate.

What's next?

Blog 7 opens up FortiGate VDOMs and multi-tenancy — single-VDOM vs multi-VDOM, mgmt VDOM, inter-VDOM links (NPU offload tricks), per-VDOM resource caps, and the MSP patterns the Indian aggregators use to host 50+ clients on one box.

Blog 7 · FortiGate VDOMs & Multi-Tenancy → ← All Fortinet lessons

📚 Sources

  1. Fortinet Community — Technical Tip: Routing methods in FortiGate (policy, ISDB, SD-WAN, static, dynamic). community.fortinet.com
  2. iMedita — 150+ Routing Interview Questions for Network Engineers. imedita.com/blog/routing-interview-questions
  3. UniNets — Top Fortinet Firewall Interview Q&A 2025. uninets.com/blog/fortinet-firewall-interview-questions-answers
  4. NWKings — Top 20 Fortinet Firewall Interview Questions and Answers (2025). nwkings.com/fortinet-firewall-interview-questions-and-answers
  5. Fortinet Community — Technical Tip: BGP neighbor on FortiGate stuck in Active / Idle. community.fortinet.com (eBGP multihop + TCP/179 + MD5)
  6. Fortinet Docs — OSPF Configuration (FortiOS 7.4 / 7.6 Administration Guide). docs.fortinet.com
  7. Fortinet Docs — BGP Configuration (FortiOS 7.4 / 7.6 Administration Guide). docs.fortinet.com
  8. Tenable Blog — CVE-2024-47575 FAQ: FortiJump Zero-Day in FortiManager. tenable.com/blog/cve-2024-47575-faq-about-fortijump-zero-day-in-fortimanager
  9. GitHub yuriskinfo — FortiGate debug-diagnose complete cheat sheet. github.com/yuriskinfo/cheat-sheets