FortiGate
syadav
Staff
Article Id 315736
Description

This article describes the behavior change, starting with FortiOS 7.4.0, 7.2.6, and 7.0.13, for the automatic default route obtained via a DHCP WAN interface that is a member of an SD-WAN zone.

Scope

FortiGate.

Solution

By default, on a DHCP WAN interface, 'Retrieve default gateway from server' is enabled in the GUI (defaultgw in the CLI) with a distance of 5 (the default distance). This adds a default static route with AD 5 to the routing table.

However, in FortiOS versions before those listed above, when this interface is configured as an SD-WAN member, this automatic static route is removed from the routing table, and a manual static default route via the SD-WAN zone or the individual interface is required.

Below is an example from a unit running 7.0.12:

config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http telnet
        set type physical
        set role wan
        set snmp-index 1
    next
end

show full sys interface wan1 | grep defaultgw
    set defaultgw enable

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.112.3.75, wan1, [1/0]
C       10.112.0.0/22 is directly connected, wan1

Add wan1 as an SD-WAN member in the virtual-wan-link zone:

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
        next
    end
end

Routing table for VRF=0
C       10.112.0.0/22 is directly connected, wan1

The automatic static default route is no longer in the routing table once wan1 is added as an SD-WAN member.

Starting with FortiOS 7.4.0, 7.2.6, and 7.0.13, if a DHCP interface with 'Retrieve default gateway from server' enabled is added as an SD-WAN member, the static default route remains installed in the routing table, provided there is no other default route with a lower AD.

Below is an example from a unit running 7.0.13:

show sys interface wan1
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http telnet
        set type physical
        set role wan
        set snmp-index 1
    next
end

show full sys interface wan1 | grep defaultgw
    set defaultgw enable

Below is the default route with the default distance of 5:

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.112.3.75, wan1, [1/0]
C       10.112.0.0/22 is directly connected, wan1

Add wan1 as an SD-WAN member in the virtual-wan-link zone:

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
        next
    end
end

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.112.3.75, wan1, [1/0]
C       10.112.0.0/22 is directly connected, wan1

The automatic static default route is still in the routing table.

Now, configure a manual static default route using the SD-WAN zone (virtual-wan-link) as below:

config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end

Now the default route with distance 1 is installed in the routing table because of its lower AD value:

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.112.3.75, wan1, [1/0]
C       10.112.0.0/22 is directly connected, wan1

To stop the automatic route from being installed in the routing table, disable 'Retrieve default gateway from server' on the WAN interface in the GUI, or use the following CLI configuration:

config system interface
    edit "wan1"
        set defaultgw disable
    next
end
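As an added example (not from the article or from Fortinet), the Python below parses routing-table listings in the format shown above and reports which default route is installed and with what AD, so an administrator can check before and after an upgrade or SD-WAN change that the expected default route (DHCP-learned AD 5, or the manual AD 1 route via the SD-WAN zone) is the one that wins. The sample tables are constructed from the listings in this article; the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed samples copied from the article's routing-table listings for the
# 7.0.13 unit: DHCP-learned default only (AD 5), then with the manual static
# route via the SD-WAN zone (AD 1) added.
TABLE_DHCP_ONLY = """Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.112.3.75, wan1, [1/0]
C       10.112.0.0/22 is directly connected, wan1"""
TABLE_WITH_MANUAL = """Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.112.3.75, wan1, [1/0]
C       10.112.0.0/22 is directly connected, wan1"""

# Matches e.g. "S*      0.0.0.0/0 [5/0] via 10.112.3.75, wan1, [1/0]"; connected
# entries ("is directly connected") carry no AD or next hop and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<sel>\*?)\s+(?P<prefix>\S+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\S+),\s+(?P<iface>\w+)")

@dataclass(frozen=True)
class Route:
    proto: str      # S = static, C = connected, ...
    selected: bool  # '*' marks the entry chosen for the destination
    prefix: str
    ad: int         # administrative distance
    metric: int
    nexthop: str
    iface: str

def parse_routing_table(text: str) -> "list[Route]":
    """Parse 'get router info routing-table all' style output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(m["proto"], m["sel"] == "*", m["prefix"],
                                int(m["ad"]), int(m["metric"]),
                                m["nexthop"], m["iface"]))
    return routes

def installed_default_route(text: str) -> "Route | None":
    """Selected 0.0.0.0/0 entry with the lowest AD, or None if none installed."""
    defaults = [r for r in parse_routing_table(text)
                if r.prefix == "0.0.0.0/0" and r.selected]
    return min(defaults, key=lambda r: r.ad) if defaults else None

def default_route_ok(text: str, expected_ad: int, expected_iface: str) -> bool:
    """Post-change check: is the winning default route the one expected?"""
    r = installed_default_route(text)
    return r is not None and r.ad == expected_ad and r.iface == expected_iface
```

Feed it the output of `get router info routing-table all` captured from the unit; a table with no default route at all (the pre-7.0.13 SD-WAN case) makes installed_default_route return None.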