Handbook

Reverse path route caching

By default, reverse path route caching is enabled. FortiADC caches a reverse path route for inbound traffic so that it can forward reply packets to the ISP link that delivered the corresponding request packet. This is useful when your site receives traffic from multiple ISP links. For example, in the figure Reverse path route caching enabled, the reverse path pointer ensures that client traffic received from ISP1 is returned through ISP1.

Note: FortiADC does not support IPv6 traffic reverse path route caching.

Figure: Reverse path route caching enabled

When reverse path route caching is disabled, the system forwards reply packets based on the results of a routing lookup.

To enable/disable reverse path route caching, use the config router setting CLI command:

FortiADC-VM # config router setting
FortiADC-VM (setting) # get
rt-cache-strict : disable
rt-cache-reverse : enable
ip-forward : enable
ip6-forward : enable
FortiADC-VM (setting) # set rt-cache-reverse disable
FortiADC-VM (setting) # end
FortiADC-VM # get router setting
rt-cache-strict : disable
rt-cache-reverse : disable
ip-forward : enable
ip6-forward : enable

The rt-cache-strict option is disabled by default. Enable it when you want reply packets to be sent only via the same interface that received the request packets. When enabled, the source interface becomes part of the matching tuple that FortiADC uses to identify sessions, so reply traffic is forwarded out of the same interface that received the request. (Normally each session is identified by a 5-tuple: source IP, destination IP, protocol, source port, and destination port.)

If the rt-cache-reverse option is enabled, you can use the config rt-cache-reverse-exception command to maintain an exception list of source IP addresses that should be handled differently. For example, if you configure an exception for 192.168.1.0/24, FortiADC does not maintain a reverse path pointer to the ISP for traffic from source 192.168.1.18; reply packets to that source are forwarded based on the results of a routing lookup.

FortiADC-docs # config router setting
FortiADC-docs (setting) # get
rt-cache-strict : disable
rt-cache-reverse : enable
ip-forward : enable
ip6-forward : enable
icmp-redirect-send : disable
FortiADC-docs (setting) # config rt-cache-reverse-exception
FortiADC-docs (rt-cache-rever~e) # edit 1
Add new entry '1' for node 3740
FortiADC-docs (1) # set ip-netmask 192.168.1.0/24
FortiADC-docs (1) # end
FortiADC-docs (setting) # end
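The following Python model illustrates the forwarding decision described above: with rt-cache-reverse enabled, a reply follows the cached reverse path pointer of its request; when the request source falls inside an rt-cache-reverse-exception prefix (or caching is disabled), the reply falls back to the routing lookup. This is an added example, not FortiADC code. The interface names (port1, port2, port3), the VIP and client addresses, and the static routing table are constructed for the illustration, and the rt-cache-strict option is not modelled (sessions are keyed by the plain 5-tuple).

```python
"""Toy model of reverse path route caching with an exception list.
Added illustration, not FortiADC code: interfaces, addresses and the routing
table below are constructed; rt-cache-strict is not modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    iface: str  # interface the packet arrived on


Key = Tuple[str, str, str, int, int]


def five_tuple(pkt: Packet) -> Key:
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


class ReversePathCache:
    def __init__(self, routes: List[Tuple[str, str]],
                 rt_cache_reverse: bool = True,
                 exceptions: Optional[List[str]] = None) -> None:
        # routes: (destination prefix, egress interface) -- constructed static table
        self.routes = [(ip_network(p), i) for p, i in routes]
        self.rt_cache_reverse = rt_cache_reverse
        self.exceptions = [ip_network(p) for p in (exceptions or [])]
        # request 5-tuple -> ingress interface (the "reverse path pointer")
        self.sessions: Dict[Key, str] = {}

    def route_lookup(self, dst: str) -> str:
        """Longest-prefix match: what the system does without a cached pointer."""
        addr = ip_address(dst)
        matches = [(n, i) for n, i in self.routes if addr in n]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def is_excepted(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in n for n in self.exceptions)

    def on_request(self, pkt: Packet) -> None:
        """Inbound request: keep a pointer to its ingress link unless caching is
        disabled or the source lies inside an exception prefix."""
        if not self.rt_cache_reverse or self.is_excepted(pkt.src):
            return
        self.sessions[five_tuple(pkt)] = pkt.iface

    def reply_egress(self, reply: Packet) -> str:
        """Outbound reply: use the cached pointer of the matching request,
        otherwise fall back to the routing lookup."""
        # the reply has addresses and ports swapped relative to the request
        key = (reply.dst, reply.src, reply.proto, reply.dport, reply.sport)
        cached = self.sessions.get(key)
        return cached if cached is not None else self.route_lookup(reply.dst)


def demo(rt_cache_reverse: bool = True) -> Dict[str, str]:
    """Two clients reach a VIP through ISP1 (port1) while the default route
    points at ISP2 (port2). Returns the reply egress interface per client."""
    cache = ReversePathCache(
        routes=[("0.0.0.0/0", "port2"),      # default route via ISP2
                ("10.0.0.0/8", "port3")],    # server-side network
        rt_cache_reverse=rt_cache_reverse,
        exceptions=["192.168.1.0/24"],       # the handbook's example exception
    )
    vip = "198.51.100.5"
    results: Dict[str, str] = {}
    for client in ("203.0.113.10", "192.168.1.18"):
        req = Packet(client, vip, "tcp", 40000, 443, iface="port1")  # arrived via ISP1
        cache.on_request(req)
        reply = Packet(vip, client, "tcp", 443, 40000, iface="port3")
        results[client] = cache.reply_egress(reply)
    return results


if __name__ == "__main__":
    print(demo())                        # {'203.0.113.10': 'port1', '192.168.1.18': 'port2'}
    print(demo(rt_cache_reverse=False))  # {'203.0.113.10': 'port2', '192.168.1.18': 'port2'}
```

With caching on, the reply to 203.0.113.10 leaves through port1, the link that carried the request, even though the routing table would choose port2; the reply to 192.168.1.18 ignores the cache because of the 192.168.1.0/24 exception and follows the routing lookup. With rt-cache-reverse disabled, both replies follow the routing lookup, which is the asymmetric path the caching feature is meant to avoid in a multi-ISP deployment.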
