FortiGate
stroia (Staff)
Article Id 322921
Description This article describes the risk posed by undesired static routes in a FortiGate routing table and how to avoid them.
Scope FortiGate.
Solution

In Fortinet SD-WAN design, an interface must be configured as an SD-WAN member before it can be used in an SD-WAN rule. See SD-WAN members and zones.

If no additional SD-WAN zones have been created beforehand, the only option offered in the related drop-down menu (see below) is the default zone, called virtual-wan-link:

[Image: undesired_static_routes_first_screen.png]

All SD-WAN members can therefore end up in that single zone:

[Image: Undesired_static_routes_second_screen.png]

In FortiOS SD-WAN design, it is possible to add a static route that points to an SD-WAN zone, as explained in Specify an SD-WAN zone in static routes and SD-WAN rules and shown here:

[Image: Undesired_static_routes_third_screen.png]

If all interfaces are in the default zone, FortiGate installs, once the configuration is applied, one static route in the routing table for each interface in that zone:

[Image: undesired_static_routes_fourth_screen.png]

This scenario can be dangerous, or at least hard to control, in the following condition. During the session lookup that FortiGate performs before creating a new session, a packet with a specific set of attributes (source and destination address, physical interface and TCP/UDP port) may be permitted by a firewall policy but not matched by any explicit SD-WAN rule (see The SD-WAN rule matching process). In that case it matches the last, implicit rule, and the traffic is forwarded according to the routing table.

Assuming ports 3 and 4 are the Spoke's two WAN ports, each connected to an MPLS link, a packet with destination IP 172.16.5.10 that does not match any explicit SD-WAN rule is forwarded out of port 3 according to ECMP mechanics (see Equal Cost Multi-Path).

If the IP 172.16.5.10 is assigned to a server reachable only via the Hub's LAN ports and not via the MPLS links, the client that sent the packet never receives an answer.

This is why, to avoid the scenario described above, it is recommended to split the interfaces into two or more SD-WAN zones (for example Underlay and Overlay), and to add a static route pointing to a zone only when it is acceptable for that traffic to leave through every interface in the zone.

In the previous example, a static route pointing to an Overlay zone that contains only the tunnels is likely the best option.

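The following Python script is an added example, not part of this article or of any Fortinet code. It models the behaviour described above: a static route that points to an SD-WAN zone is installed once per member interface of that zone, so a route to the default zone reaches the MPLS ports as well as the tunnels, while the same route restricted to an Overlay zone reaches only the tunnels. The script parses two constructed FortiOS-style CLI snippets (the risky "before" layout and the recommended "after" layout), expands the zone routes the way the routing table screenshots show, and reports any interface that would carry traffic for the Hub LAN prefix although it should not. The interface name HUB-VPN and the prefix 172.16.5.0/24 are assumptions chosen to match the article's scenario; `set sdwan-zone` is the static-route keyword used by FortiOS 7.0 and later, and the snippets are illustrative rather than a complete device configuration.

```python
from typing import Dict, List, Set, Tuple

# Constructed "before" config: every member sits in the default zone and the
# Hub LAN route points at that zone, so it is installed on the MPLS ports too.
BEFORE = """
config system sdwan
    config members
        edit 1
            set interface "port3"
        next
        edit 2
            set interface "port4"
        next
        edit 3
            set interface "HUB-VPN"
        next
    end
end
config router static
    edit 1
        set dst 172.16.5.0 255.255.255.0
        set sdwan-zone "virtual-wan-link"
    next
end
"""

# Constructed "after" config: MPLS ports in Underlay, tunnel in Overlay, and
# the Hub LAN route restricted to the Overlay zone (the recommended layout).
AFTER = """
config system sdwan
    config zone
        edit "Underlay"
        next
        edit "Overlay"
        next
    end
    config members
        edit 1
            set interface "port3"
            set zone "Underlay"
        next
        edit 2
            set interface "port4"
            set zone "Underlay"
        next
        edit 3
            set interface "HUB-VPN"
            set zone "Overlay"
        next
    end
end
config router static
    edit 1
        set dst 172.16.5.0 255.255.255.0
        set sdwan-zone "Overlay"
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Turn a FortiOS CLI snippet into nested dicts: config -> edit -> set."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:].strip(), {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip().strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif line in ("next", "end"):
            stack.pop()
    return root


def zone_members(cfg: dict) -> Dict[str, List[str]]:
    """Map each SD-WAN zone to its member interfaces (default zone when unset)."""
    zones: Dict[str, List[str]] = {}
    for member in cfg.get("system sdwan", {}).get("members", {}).values():
        zones.setdefault(member.get("zone", "virtual-wan-link"), []).append(member["interface"])
    return zones


def expand_zone_routes(cfg: dict) -> List[Tuple[str, str]]:
    """Return (dst, interface) pairs as they land in the routing table:
    a route to a zone becomes one route per member of that zone."""
    zones = zone_members(cfg)
    installed: List[Tuple[str, str]] = []
    for route in cfg.get("router static", {}).values():
        dst = route.get("dst", "0.0.0.0 0.0.0.0")
        if "sdwan-zone" in route:
            installed += [(dst, iface) for iface in zones.get(route["sdwan-zone"], [])]
        elif "device" in route:
            installed.append((dst, route["device"]))
    return installed


def leaking_interfaces(cfg: dict, dst: str, allowed: Set[str]) -> List[str]:
    """Interfaces that would carry traffic for dst although they should not."""
    return sorted({iface for d, iface in expand_zone_routes(cfg) if d == dst and iface not in allowed})


if __name__ == "__main__":
    hub_lan = "172.16.5.0 255.255.255.0"
    for name, text in (("before", BEFORE), ("after", AFTER)):
        cfg = parse_fortios(text)
        print(name, "installed:", expand_zone_routes(cfg),
              "leaks:", leaking_interfaces(cfg, hub_lan, {"HUB-VPN"}))
```

Running the script shows the "before" layout installing the Hub LAN route on port3, port4 and HUB-VPN, with port3 and port4 reported as leaks, and the "after" layout installing it on HUB-VPN only. The same check can be run against an exported FortiGate configuration before a zone static route is committed.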
Related documents:

How to fix static route with SD-WAN zone 

Routing Concepts