There are several ways to check the routing table on a FortiGate, but the most comprehensive method is using the Command Line Interface (CLI) with the command `get router info routing-table all`. This command displays the full routing table, including static, connected, and dynamically learned routes. You can also use the graphical user interface (GUI) or other CLI commands for more specific information.
How to check the routing table via CLI
The CLI offers the most detailed view of the routing table and is essential for advanced troubleshooting.
**1. View the full routing table with `get router info routing-table all`**
This is the primary command for viewing the routing table. It shows all active routes, whether they are static, connected, or learned via a dynamic routing protocol.
FGT # get router info routing-table all
- Sample output breakdown:
  - Codes: The output begins with a legend for the route type codes, such as `K` (Kernel), `C` (Connected), `S` (Static), and `B` (BGP).
  - Destination: `10.0.1.0/24` is the destination network.
  - Route Information: `is directly connected, port4` indicates that traffic for `10.0.1.0/24` is sent out the `port4` interface.
  - Recursive Route: `10.0.0.0/24 [200/0] via 10.10.10.1 (recursive via WAN1-VPN tunnel 203.0.113.1)` shows that to reach `10.0.0.0/24`, the next hop is `10.10.10.1`, which is reachable through a recursive lookup via another route.
**2. View specific routes with `get router info routing-table details`**
This command shows both active and inactive routes, which is useful for troubleshooting. An asterisk (*) marks the best, or active, route.
FGT # get router info routing-table details 10.109.63.254
- Sample output breakdown:
  - `best`: This keyword at the end of a line confirms that the route is currently active.
  - `inactive`: If a route's conditions are not met (e.g., the interface is down), the database will show it as inactive, helping you diagnose why a route is not being used.
**3. View the kernel routing table with `get router info kernel`**
This command shows the Forwarding Information Base (FIB), which is the low-level table used by the FortiGate to forward packets.
FGT # get router info kernel
- Sample output breakdown:
  - `tab=254`: The table number. For unicast routes, this is typically 254.
  - `dev=4(port2)`: The device or outgoing interface associated with the route.
**4. Check policy routes with `diagnose firewall proute list`**
Policy routes take precedence over standard static and dynamic routes. This command lists all configured policy routes.
FGT # diagnose firewall proute list
- Policy routes are checked before standard routing tables, so they are a crucial part of the routing flow.
How to check the routing table via GUI
For a user-friendly overview and route lookup tool, use the FortiGate GUI.
1. Access the Routing Monitor
- For FortiOS 6.4 and above: Go to Dashboard > Network. Hover over the Routing widget and click Expand to Full Screen.
- For older versions: Go to Monitor > Routing Monitor.
- The Routing Monitor displays all active static and dynamic routes and provides options to filter the view.
2. Perform a route lookup
The GUI offers a powerful route lookup utility that shows exactly how a packet would be routed based on its characteristics, including Policy Routes and SD-WAN rules.
- In the Routing monitor, click the Route Lookup button.
- Enter the Destination IP address and optionally the Source IP, Source Interface, or Protocol to simulate a traffic flow.
- Click OK. The monitor will highlight the matching route, including any policy or SD-WAN rule.
3. Filter by route type
From the Routing monitor, you can filter the view to see specific route types, such as Policy, BGP Neighbors, or OSPF Neighbors.
FortiGate routing logic and interpretation
To correctly interpret the routing table, it's important to understand the hierarchy FortiGate uses to determine the path for a packet:
- Policy Routes: The FortiGate first checks for any matching policy routes. If a policy route is matched, it takes precedence over all other routes.
- SD-WAN Rules: If there are no matching policy routes, SD-WAN rules are consulted. If a rule matches, the traffic is forwarded according to the SD-WAN configuration.
- Kernel/FIB (Main Routing Table): If neither of the above matches, the FortiGate consults the main routing table (FIB), which contains the best routes from all other sources.
Key components of a route entry:
- Destination: The network prefix for which the route is valid (e.g., `10.0.1.0/24`).
- Gateway (Next Hop): The IP address of the next device to forward the packet to.
- Interface: The outgoing interface the packet will use.
- Administrative Distance (AD): The trustworthiness of a route. Lower values are preferred.
  - Connected: 0
  - Static: 10
  - BGP: 200
- Metric: A value used to compare routes learned from the same protocol. Lower is better.
- Priority: Used as a tie-breaker when AD and Metric are equal. Lower is better.
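An added example, not part of the original article or any Fortinet tooling: it parses saved `get router info routing-table all` output offline and runs a longest-prefix-match lookup, breaking ties by lower AD and then lower metric. It covers only the main routing table step of the hierarchy above, since policy routes and SD-WAN rules do not appear in this output. The sample text is constructed from the route lines quoted earlier, and `parse_routes` and `lookup` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample modelled on the route lines quoted in this article;
# real output layout can differ between FortiOS versions.
SAMPLE = """\
Codes: K - kernel, C - connected, S - static, B - BGP
S*      0.0.0.0/0 [10/0] via 192.0.2.1, port1
C       10.0.1.0/24 is directly connected, port4
B       10.0.0.0/24 [200/0] via 10.10.10.1 (recursive via WAN1-VPN tunnel 203.0.113.1)
S       10.0.0.0/16 [10/0] via 10.0.1.254, port4
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>[\d.]+)"
    r"|is directly connected,\s*\S+)"
)

def parse_routes(text):
    """Return a list of route dicts; legend and unparsable lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "net": ipaddress.ip_network(m["prefix"]),
            "ad": int(m["ad"] or 0),          # connected routes: AD 0
            "metric": int(m["metric"] or 0),
            "gateway": m["gw"],               # None for connected routes
            "line": line.strip(),
        })
    return routes

def lookup(routes, dest):
    """Longest-prefix match; ties go to lower AD, then lower metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r["net"]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["ad"], r["metric"]))

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for dest in ("10.0.1.7", "10.0.0.9", "10.0.200.1", "198.51.100.5"):
        print(dest, "->", lookup(table, dest)["line"])
```

Comparing the result with the GUI Route Lookup for the same destination shows whether a policy route or SD-WAN rule is overriding the main table.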
What to do if VDOMs are enabled
If Virtual Domains (VDOMs) are enabled on your FortiGate, all routing-related CLI commands must be executed within the specific VDOM context.
- **Enter the VDOM context:**
FGT # config vdom
FGT (vdom) # edit <vdom_name>
- **Execute the routing command:**
FGT (<vdom_name>) # get router info routing-table all
This article provides a comprehensive guide to checking the routing table on a FortiGate, covering both GUI and CLI methods, and explaining the different types of routes and how the firewall processes them.