maydin
Staff
Article Id 259260
Description This article describes how, on a hyperscale firewall, sessions are set up in the NP7 chip and are also routed from there. A process programs kernel routes into the NP7 chip. For troubleshooting purposes, it can be necessary to display the routing information currently held in the NP7 chip.
Scope FortiGate Hyperscale Firewall - 7.0, 7.2, 7.4.
Solution

Routing information for a specific IP can be displayed with the following command:

 

FGT (GiFW-hw1) # diagnose lpmd route query 10.118.5.80
=> VR: 0x0000, VDOM: 0500, IP: 10.118.5.80 / 32, NHI: 62
nhi: 62, family: 2, vdom: 500, ifindex: 20 port10, vlan_id: 0, status: GW, next hop: 10.153.11.172

 

All routes programmed on the NP7 can be printed with the following command:

 

FGT  (GiFW-hw1) # diagnose lpmd route dump
=== DUMP ALL ROUTE PROGRAMMED TYPE: 0 ===
*** Level 0 ***
=> VR: 0x0000, VDOM: 0000, IP: 0.0.0.0 / 0, NHI: 61424
=> VR: 0x8000, VDOM: 0000, IP: 0.0.0.0 / 0, NHI: 61425
*** Level 1 ***
*** Level 2 ***
*** Level 3 ***
*** Level 4 ***
=> VR: 0x0000, VDOM: 0500, IP: 224.0.0.0 / 4, NHI: 64
*** Level 5 ***
*** Level 6 ***
=> VR: 0x0000, VDOM: 0500, IP: 10.203.0.0 / 20, NHI: 53
=> VR: 0x0000, VDOM: 0500, IP: 10.110.0.0 / 20, NHI: 50
=> VR: 0x0000, VDOM: 0500, IP: 10.153.0.0 / 20, NHI: 55
*** Level 7 ***
=> VR: 0x0000, VDOM: 0500, IP: 10.110.15.255 / 32, NHI: 49
=> VR: 0x0000, VDOM: 0500, IP: 10.153.3.142 / 32, NHI: 54
=> VR: 0x0000, VDOM: 0500, IP: 10.118.5.80 / 32, NHI: 62
=> VR: 0x0000, VDOM: 0500, IP: 10.203.3.142 / 32, NHI: 52
=> VR: 0x0000, VDOM: 0500, IP: 10.110.0.0 / 32, NHI: 49
=> VR: 0x0000, VDOM: 0500, IP: 255.255.255.255 / 32, NHI: 64
=> VR: 0x0000, VDOM: 0500, IP: 10.153.0.0 / 32, NHI: 54
=== DUMP ALL ROUTE PROGRAMMED TYPE: 1 ===
*** Level 0 ***
=> VR: 0x0000, VDOM: 0000, IP: :: / 0, NHI: 61424
=> VR: 0x8000, VDOM: 0000, IP: :: / 0, NHI: 61425
*** Level 1 ***
*** Level 2 ***
*** Level 3 ***
*** Level 4 ***
=> VR: 0x0000, VDOM: 0500, IP: ff00:: / 8, NHI: 54
*** Level 5 ***
*** Level 6 ***
*** Level 7 ***
*** Level 8 ***
*** Level 9 ***
*** Level 10 ***
*** Level 11 ***
=> VR: 0x0000, VDOM: 0500, IP: fe80:: / 64, NHI: 54
*** Level 12 ***
*** Level 13 ***
*** Level 14 ***
*** Level 15 ***
*** Level 16 ***
*** Level 17 ***
*** Level 18 ***
*** Level 19 ***
=> VR: 0x0000, VDOM: 0500, IP: fe80:: / 128, NHI: 54
=> VR: 0x0000, VDOM: 0500, IP: fe80::d676:a0ff:fe1c:2a50 / 128, NHI: 49
=> VR: 0x0000, VDOM: 0500, IP: fe80::d676:a0ff:fe1c:2a57 / 128, NHI: 52
=> VR: 0x0000, VDOM: 0500, IP: fe80::d676:a0ff:fe1c:2a59 / 128, NHI: 54
=> VR: 0x0000, VDOM: 0500, IP: ::1 / 128, NHI: 2

 

In the above command output, the next hop of each route is identified by the NHI parameter, for example:

 

=> VR: 0x0000, VDOM: 0500, IP: 10.118.5.80 / 32, NHI: 62

 

To find the gateway IP for an NHI next-hop index, the following command can be used:

 

FGT (GiFW-hw1) # diag lpmd ktrie next_hop | grep 62

nhi: 62, family: 2, vdom: 500, ifindex: 20, oid: 137, vlan_id: 0 ref_cnt: 1, nh_flags: 0020, status: SYNCED | GW, next hop: 10.153.11.172
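
The two lookups above can be combined offline on saved command output. The following Python script is an added example, not Fortinet code: it parses a route dump, performs a longest-prefix match for a destination within one VDOM, and resolves the resulting NHI to its gateway by exact index. It assumes that "0500" in the route dump and "500" in the next-hop table refer to the same VDOM and that lookups use VR 0x0000 unless stated; the sample lines are copied from the output in this article.

```python
import ipaddress
import re

# Sample lines copied from the command output shown in this article.
ROUTE_DUMP = """\
*** Level 0 ***
=> VR: 0x0000, VDOM: 0000, IP: 0.0.0.0 / 0, NHI: 61424
*** Level 6 ***
=> VR: 0x0000, VDOM: 0500, IP: 10.153.0.0 / 20, NHI: 55
*** Level 7 ***
=> VR: 0x0000, VDOM: 0500, IP: 10.118.5.80 / 32, NHI: 62
=> VR: 0x0000, VDOM: 0500, IP: fe80:: / 64, NHI: 54
"""
NEXT_HOPS = """\
nhi: 62, family: 2, vdom: 500, ifindex: 20, oid: 137, vlan_id: 0 ref_cnt: 1, nh_flags: 0020, status: SYNCED | GW, next hop: 10.153.11.172
"""

ROUTE_RE = re.compile(r"=> VR: (0x[0-9a-fA-F]+), VDOM: (\w+), IP: (\S+) / (\d+), NHI: (\d+)")
NH_RE = re.compile(r"nhi: (\d+),.*?vdom: (\w+), ifindex: (\d+).*?status: (.*?), next hop: (\S+)")

def norm_vdom(vdom):
    # Assumption: "0500" (route dump) and "500" (next-hop table) name the same VDOM.
    return vdom.lstrip("0") or "0"

def parse_routes(text):
    """Return (vr, vdom, network, nhi) tuples from 'diagnose lpmd route dump' output."""
    return [(vr, norm_vdom(vdom), ipaddress.ip_network(f"{ip}/{plen}", strict=False), int(nhi))
            for vr, vdom, ip, plen, nhi in ROUTE_RE.findall(text)]

def parse_next_hops(text):
    """Index 'diag lpmd ktrie next_hop' lines by exact (nhi, vdom), unlike a substring grep."""
    return {(int(m[1]), norm_vdom(m[2])): {"ifindex": int(m[3]), "status": m[4], "gateway": m[5]}
            for m in NH_RE.finditer(text)}

def resolve(ip, vdom, routes, next_hops, vr="0x0000"):
    """Longest-prefix match for ip inside one VDOM/VR, then NHI -> gateway lookup."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if r[0] == vr and r[1] == norm_vdom(vdom)
            and r[2].version == addr.version and addr in r[2]]
    if not hits:
        return None  # no matching route in the parsed dump for this destination
    _, vd, net, nhi = max(hits, key=lambda r: r[2].prefixlen)
    return net, nhi, next_hops.get((nhi, vd))  # third item is None if the NHI is unknown

if __name__ == "__main__":
    routes, hops = parse_routes(ROUTE_DUMP), parse_next_hops(NEXT_HOPS)
    for dst in ("10.118.5.80", "10.153.1.1", "192.0.2.1"):
        print(dst, "->", resolve(dst, "0500", routes, hops))
```

A result whose third item is None means the route is programmed but its NHI was not present in the next-hop output supplied to the script.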