FortiOS 7.4 — Best way to route 100+ subnets into an IPsec SD-WAN zone?

Forum|Forum|6 months ago
November 20, 2025
3 replies
476 views

Hi everyone,
I’m working on a FortiGate running FortiOS 7.4.x.

I have:

2 WAN interfaces inside virtual-wan-link (SD-WAN)

2 IPsec interface inside another SD-WAN zone called remote

About 100 different /24 subnets that should be routed into the remote zone (over the IPsec tunnel)

All internet traffic must go out through virtual_wan_link

The obvious solution is creating 100 static routes, one for each /24, pointing to the remote SD-WAN zone — but that’s not practical at all.

How do you guys handle large numbers of remote networks in SD-WAN deployments?

Thanks!

Jean-Philippe_P

Staff & Editor

Hello yemliha,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Jean-Philippe - Fortinet Community Team

AEK

SuperUser

Hi Yamliha

Routing protocol is your best solution.

It is also possible to do with much less static routes, but only if the initial subnetting was done in a clean manner, in that case you can have few routes instead of hundreds, but I guess now it is too late.

AEK

ede_pfau

SuperUser

Eh, why is that "not practical"?? It's a job for an intern, if you have one. /s

If you stick with static routes, just create one address object for each /24, check the "routeable" property, and then collect them all into a routable address group. Use the address group in ONE static route. Done.

Any changes will be changes of the one address group.

If objections of "too much work" arise...

- you can script those addresses easily

- you will need them anyways: first in phase2 of the VPN, then in policies.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded