Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
egudino
Staff
Staff

Created on ‎05-14-2025 12:31 AM

Article Id 391715

Technical Tip: How to configure 'vrdst' to monitor specific subnets under VRRP environment

Description This article explains how the 'vrrp-dst' command works with 2 monitored subnets and with the 'ignore-default-route enable/disable' command.
Scope FortiGate VRRP-dst can monitor destination subnets based on the active routing table information. If 1 or 2 subnets are not present in the routing table, FortiGate can execute a VRRP-Failover for the configured VRRP interface.

FortiGate can also ignore the default 0.0.0.0/0 route in case that the primary explicit subnet is deleted from the routing table.

This is the expected behavior when FortiGate performs a VRRP-Failover with the 'vrdst' command configured:

 

  • If just 1 subnet is configured under 'vrdst' command it will take an action based on that only subnet.
  • If 2 subnets are being monitored (Which is the maximum allowed monitored subnets), in order to execute a VRRP-Failover the 2 subnets must not be installed in the routing table. If just 1 out of 2 subnets is still installed in the routing table, VRRP will not perform a Failover, which means "subnet1" AND "subnet2".
  • After VRRP Failover, if original PRIMARY installs just 1 out of 2 monitored subnets, it will be enough to recover the PRIMARY role.
Solution

In the following scenario FortiGate is monitoring 2 subnets, they are both reachable through port1 and port3 and using port9 to configure VRRP.

 

  • 192.168.5.0 port1.
  • 192.168.100.0 port3.


FortiGate does not send any type of packets to monitor if the destination is reachable. Instead, it uses the routing table to see if there is a match for the desired configured destination subnet(s).

 

FortiGate1 port9 configuration:

 

config system interface
    edit "port9"
        set ip 10.90.100.1 255.255.255.0
        set vrrp-virtual-mac enable
            config vrrp
                edit 10
                    set vrgrp 10
                    set vrip 10.90.100.254
                    set priority 200
                    set vrdst 192.168.5.0 192.168.100.0
                    set ignore-default-route enable
    next
end

 

FortiGate2 port9 configuration:

 

config system interface
    edit "port9"
        set ip 10.90.100.2 255.255.255.0
        set vrrp-virtual-mac enable
            config vrrp
                edit 10
                    set vrgrp 10
                    set vrip 10.90.100.254
                next
            end
    next
end

 

Because FortiGate1 has a higher priority (200) and the 2 monitored subnets are installed in the routing table, this is elected as PRIMARY:

 

FortiGate1#get router info routing-table details

 

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.168.74.2, port8, [1/0]
S 192.168.5.0/24 [10/0] is directly connected, port1, [1/0]
S 192.168.100.0/24 [10/0] is directly connected, port3, [1/0]

 

ForitGate1#get router info vrrp


Interface: port9, primary IP address: 10.90.100.1
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 1
HA mode: primary (0:0:1) VRRP primary number: 1
VRID: 10 verion: 2
vrip: 10.90.100.254, priority: 200 (200,0), state: PRIMARY
adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:0a
vrdst: 192.168.5.0 192.168.100.0
vrgrp: 10

 

After disabling 192.168.5.0/24 subnet from the routing table. The VRRP environment continue to be the same with no changes.

 

FortiGate1# get router info routing-table details 192.168.5.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 192.168.74.2, via port8

 

FortiGate1# get router info vrrp
Interface: port9, primary IP address: 10.90.100.1
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 1
HA mode: primary (0:0:1) VRRP primary number: 1
VRID: 10 verion: 2
vrip: 10.90.100.254, priority: 200 (200,0), state: PRIMARY
adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:0a
vrdst: 192.168.5.0 192.168.100.0
vrgrp: 10

 

Even though FortiGate1 knows how to reach the '192.168.5.0/24' subnet using the default route 0.0.0.0/0, it is ignoring it as it is stated by the 'set ignore-default-route enable' command. If this command is disabled (by default), it will assume that the 0.0.0.0/0 path is valid, and it will not execute VRRP Failover.

 

After deleting the second monitored subnet 192.168.100.0/24 from the routing table, VRRP failover is performed.

 

FortiGate1# get router info routing-table details 192.168.100.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 192.168.74.2, via port8

 

 

FortiGate1# get router info vrrp
Interface: port9, primary IP address: 10.90.100.1
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 0
HA mode: primary (0:0:1) VRRP primary number: 0
VRID: 10 verion: 2
vrip: 10.90.100.254, priority: 0 (200,0), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:0a
vrdst: 192.168.5.0 192.168.100.0
vrgrp: 10
530
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.