

This article describes how to push static routes from a FortiGate DHCP server using RFC 3442 DHCP Option 121.


DHCP Option 121 uses hexadecimal representation of decimal values.
It is compatible with all Windows machines except XP and Server 2003.
Linux also accepts routes learned through DHCP Option 121.

The format is a concatenation of three sections, with no delimiting characters:


<mask> <destination subnet> <next hop IP>


Note that the destination subnet is condensed but only down to the size of the CIDR mask, rounded up to the nearest octet.

For example, here is the formatting for three different routes; spaces are added for clarity:


08 0A C0A80201

10 0A00 C0A80201

14 0A0000 C0A80201


Note the additional zeroes in the destination subnet section: although these octets are only zero, the output length is different because the destination subnet is extended up to and including the octet of the CIDR mask boundary.


Each route statement is then concatenated together into a single hexadecimal statement.


As an example:

1st route. with gateway
Hex value has to be: /8=08,,                       

Output value: 080AC0A80201


2nd route.  with gateway
Hex value has to be: /16=10,,         

Output value: 10AC10C0A80201

3rd route.  with gateway
Hex value has to be: /24=18,,     

Output value: 18C0A80FC0A80201


The final concatenated result then would be:

080AC0A8020110AC10C0A8020118C0A80FC0A80201


On FortiGate, DHCP Options can be configured from the GUI or CLI.

From the GUI.

Go to Network -> Interfaces -> Edit Interface -> Advanced -> Create new "Additional DHCP Options" and enter:

- Option Code: Specify

- Code: 121

- Value Type: Hexadecimal

- Value: 080AC0A8020110AC10C0A8020118C0A80FC0A80201



From the CLI.

config system dhcp server
    edit 1
        config options
            edit 1
                set code 121
                set type hex
                set value "080AC0A8020110AC10C0A8020118C0A80FC0A80201"
            next
        end
    next
end

Finally, the three routes appear in the routing table of the Windows machine after renewing the IP configuration using the following command:

Here is the final result when listing the routing table using the route print command:

C:\users\fortinet>route print