FortiGate
Andreas77_FTNT
Article Id 192605
Description
This document describes how to override the administrative distance and priority of a default route received from DHCP.

A DHCP server can send a gateway address with Option 3 (Router) in a DHCP Offer message.




If the FortiGate interface is configured to receive an IP address from DHCP, FortiGate will add the following default route:
S*      0.0.0.0/0 [5/0] via 192.168.174.2, port1
This default route has a default value of 5 for administrative distance (AD) and 0 for priority.

Solution
To change these settings, create a static route with the desired AD and priority and with the “dynamic-gateway” option enabled:
config router static
    edit 1
        set distance 20
        set priority 25
        set device "port1"
        set dynamic-gateway enable
    next
end
Below is the output of the routing table:
get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 192.168.174.2, port1
As per the output, the changes were not applied.

For these settings to apply, change the administrative distance on the interface itself:

config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set distance 90
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
end
The distance value itself is not important. It can be anything except 5, which is the default value.
If the routing table is displayed again, the settings of the static route are now applied:


S*      0.0.0.0/0 [20/0] via 192.168.174.2, port1, [25/0]
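As an added example (not Fortinet's code and not part of the original article), this Python check scans a saved configuration for the condition described above: a static route with dynamic-gateway enabled whose DHCP interface still uses the default distance of 5. The function names and sample configurations are constructed for illustration, and the parser reads only top-level config/edit/set blocks.

```python
import shlex

DHCP_DEFAULT_DISTANCE = 5  # default AD of the DHCP-learned route, per the article

def parse_fortios(text):
    """Parse top-level config/edit/set blocks into {section: {entry: {key: value}}}."""
    tree, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip().lstrip("# "))  # tolerate a pasted "#" prompt
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            depth += 1
            if depth == 1:
                section, entry = " ".join(args), None
        elif verb == "end":
            depth -= 1
        elif depth != 1:
            continue  # skip nested sub-tables inside an entry
        elif verb == "edit":
            entry = tree.setdefault(section, {}).setdefault(args[0], {})
        elif verb == "set" and entry is not None:
            entry[args[0]] = " ".join(args[1:])
        elif verb == "next":
            entry = None
    return tree

def ignored_dynamic_routes(tree):
    """Return (route id, device) pairs whose distance/priority override will not apply."""
    findings = []
    for route_id, route in tree.get("router static", {}).items():
        iface = tree.get("system interface", {}).get(route.get("device"), {})
        distance = int(iface.get("distance", DHCP_DEFAULT_DISTANCE))
        if (route.get("dynamic-gateway") == "enable" and iface.get("mode") == "dhcp"
                and distance == DHCP_DEFAULT_DISTANCE):
            findings.append((route_id, route["device"]))
    return findings

# Constructed sample configs modelled on the article's port1 example.
STATIC = """config router static
    edit 1
        set distance 20
        set priority 25
        set device "port1"
        set dynamic-gateway enable
    next
end"""
IFACE = '\nconfig system interface\n    edit "port1"\n        set mode dhcp\n%s    next\nend\n'
BEFORE = STATIC + IFACE % ""                          # interface distance left at default
AFTER = STATIC + IFACE % "        set distance 90\n"  # interface distance changed
```

`ignored_dynamic_routes(parse_fortios(BEFORE))` reports route 1 on port1, while the same call on `AFTER` returns an empty list.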

