FortiGate
jiahoong112 (Staff)
Article Id 368427
Description

This article describes how to keep two active default routes in the routing table at the same time. "Default route" here means a route to the internet (0.0.0.0/0).

For example, the regular internet connection for client devices is learned through BGP, while the internet connection for one specific device goes through Netskope. Both default routes need to be active simultaneously. This can be achieved by combining a dynamic routing protocol (BGP) with static routes.

Topology:

[Image: network topology diagram]

Routing table before the change:

[Image: routing table before the change]

A BGP default route and a static default route for the same prefix (0.0.0.0/0) cannot both be active in the routing table: FortiOS installs only the candidate with the lowest Administrative Distance (AD). Even when the AD of the static route is changed to match the AD of the BGP route, the static route still takes precedence. If the AD of the static route is raised above that of the BGP route (for example, to 201), the BGP route becomes the active default route instead, as shown here:

[Image: routing table with the BGP default route active]

Scope
FortiOS versions that are not End of Support.
Solution

There are 2 steps to this:

  1. Create two static routes, 0.0.0.0/1 and 128.0.0.0/1, instead of a static 0.0.0.0/0.
    • Together the two /1 prefixes cover the entire IPv4 address space, so they match every internet destination. Because they are more specific than 0.0.0.0/0, longest-prefix matching prefers them over the BGP default route, while the BGP 0.0.0.0/0 route stays installed in the routing table: no static route competes for the same prefix, so AD never comes into play.
    • Create the following static routes. In the GUI, go to Network -> Static Routes:

     [Image: static route configuration for 0.0.0.0/1 and 128.0.0.0/1]


  • After configuring that, the routing table should look like this:

      [Image: routing table after the change, showing both /1 static routes and the BGP default route]

  • 0.0.0.0/1 covers the address range 0.0.0.0 - 127.255.255.255.
  • 128.0.0.0/1 covers the address range 128.0.0.0 - 255.255.255.255.

  2. Configure Policy Routes to send the traffic that should use the BGP path out through the interface on which the BGP default route is learned.
    • Policy routes are evaluated before the routing table, so for matching traffic they override the /1 static routes. FortiOS only applies a policy route when the routing table contains a route to the destination via the policy route's outgoing interface, which is why the BGP default route must remain installed.

Policy routes do not apply to traffic the FortiGate itself originates. For local-out traffic (FortiGuard, DNS, FortiManager, FortiAnalyzer, etc.), the source IP and/or source interface must therefore be specified in the respective settings; otherwise that traffic follows the /1 static routes.
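The two steps above, plus the local-out settings, as FortiOS CLI. This is an added example and not configuration taken from the article; the interface names (port1, port2, port3), gateway addresses (10.10.10.1, 203.0.113.1), local-out source address (192.0.2.10) and client subnet (192.168.1.0/24) are placeholders to be replaced with the values from the actual topology.

```text
# Step 1: two static routes that together cover all of IPv4, both pointing
# at the Netskope next hop (port2 / 10.10.10.1 are assumed placeholders).
# No distance is set: the /1 prefixes win by longest-prefix match, and the
# BGP 0.0.0.0/0 route stays installed because nothing competes for it.
config router static
    edit 0
        set dst 0.0.0.0/1
        set gateway 10.10.10.1
        set device "port2"
    next
    edit 0
        set dst 128.0.0.0/1
        set gateway 10.10.10.1
        set device "port2"
    next
end

# Step 2: policy route that steers the client subnet (192.168.1.0/24, assumed,
# arriving on port3) out the interface where the BGP default route is learned
# (port1 / 203.0.113.1, assumed). Destination is left unset, which means any.
config router policy
    edit 1
        set input-device "port3"
        set src "192.168.1.0/255.255.255.0"
        set gateway 203.0.113.1
        set output-device "port1"
    next
end

# Local-out traffic: policy routes do not apply to self-originating traffic,
# so pin DNS, FortiGuard and FortiAnalyzer traffic to the BGP-side address
# (192.0.2.10 on port1, assumed) instead of letting it fall into the /1 routes.
config system dns
    set source-ip 192.0.2.10
end
config system fortiguard
    set source-ip 192.0.2.10
end
config log fortianalyzer setting
    set interface-select-method specify
    set interface "port1"
end
```

The lines beginning with # are explanatory and are not part of the CLI input. After applying this, `get router info routing-table all` should list both S 0.0.0.0/1 and S 128.0.0.0/1 alongside the B 0.0.0.0/0 route, and `diagnose firewall proute list` should show the policy route with port1 as its outgoing interface.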

Related documents:

Technical Tip: Configure and edit the Local-out Routing (Source-IP) using GUI for self-originating t...

Local out traffic