Description
This article describes how to configure a static route with address objects or address groups.
Scope
FortiGate.
Solution
Configure a standard address through the GUI under Policy & Objects, specifying the name, type, and subnet:
CLI view of the created address object:
sh firewall address Test_range
config firewall address
    edit "Test_range"
        set uuid 1e123290-e041-51e9-b531-e5c4e2980e1a
        set subnet 10.0.0.0 255.255.255.0
    next
end
Configure a standard address group in the GUI under Policy & Objects, specifying the name and the members:
CLI view of the created address group:
sh firewall addrgrp Test_group
config firewall addrgrp
    edit "Test_group"
        set uuid dd0497ce-e041-51e9-1b4e-bc11d7cc083c
        set member "Test_range"
    next
end
Note: If the 'Static Route Configuration' option is enabled on either the address group or an address object, but not on both, the address object will not appear in the list of available address objects to be selected as a member of that group. Both the address object and the address object group must have matching settings for the 'Static Route Configuration' option, either enabled or disabled.
Enable static route configuration from the GUI or add 'set allow-routing enable' from the CLI for the address object or address group:
sh firewall address Test_range
config firewall address
    edit "Test_range"
        set uuid 1e123290-e041-51e9-b531-e5c4e2980e1a
        set allow-routing enable
        set subnet 10.0.0.0 255.255.255.0
    next
end

sh firewall addrgrp Test_group
config firewall addrgrp
    edit "Test_group"
        set uuid dd0497ce-e041-51e9-1b4e-bc11d7cc083c
        set member "Test_range"
        set allow-routing enable
    next
end
When a static route is configured with an address object or group as the destination, the address object and the address group are listed as available entries:
conf router static
edit 1
set dstaddr
<string> please input string value
Test_range address
Test_group addrgrp
set dstaddr
It is possible to check the configured static route under Network -> Static Routes in the GUI or with 'show router static' in the CLI:
sh router static
config router static
    edit 1
        set gateway 192.168.1.1
        set device "wan1"
        set dstaddr "Test_group"
    next
end
From FortiOS v7.4.0, it is possible to define a preferred source IP for static routes to control the source IP used for local-out traffic. This setting allows better control over the source IP on egress interfaces, making it feasible to use a specified IP instead of the default interface IP.
config router static
    edit <id>
        set preferred-source <ip_address>
    next
end
This configuration allows local-out traffic using the static route to use the preferred source IP instead of the IP associated with the egress interface.
Verification:
get router info routing-table details 10.0.0.0
Routing table for VRF=0
Routing entry for 10.0.0.0/24
Known via "static", distance 10, metric 0, best
* vrf 0 192.168.1.1, via port1
Note: To add address objects to a group, the 'Static Route Configuration' option must be set the same way, either enabled or disabled, on all of the address objects in that group.
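The matching rule from the notes above can be checked offline against a saved configuration before a change is made. The following script is an added example, not Fortinet code: it parses 'show'-style output and reports group members whose allow-routing setting differs from the group, and static routes whose dstaddr object does not have allow-routing enabled. Assumptions: "Other_range" and its subnet are hypothetical, only flat config/edit/set blocks are handled, and an omitted allow-routing line is treated as disabled.

```python
import shlex

# Constructed sample in this article's 'show' style; "Other_range" is hypothetical.
SAMPLE = '''config firewall address
    edit "Test_range"
        set allow-routing enable
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "Other_range"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Test_group"
        set member "Test_range" "Other_range"
        set allow-routing enable
    next
end
config router static
    edit 1
        set dstaddr "Test_group"
    next
end
'''

def parse(text):  # flat config/edit/set blocks -> {table: {entry: {key: [values]}}}
    tables, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def enabled(obj):  # assumption: an omitted allow-routing line means disable
    return obj is not None and obj.get("allow-routing") == ["enable"]

def audit(text):
    t = parse(text)
    groups = t.get("firewall addrgrp", {})
    objs = {**t.get("firewall address", {}), **groups}
    bad = [f"group {g}: member {m} allow-routing mismatch"
           for g, grp in groups.items() for m in grp.get("member", [])
           if enabled(objs.get(m)) != enabled(grp)]
    return bad + [f"route {r}: dstaddr {d} lacks allow-routing"
                  for r, rt in t.get("router static", {}).items()
                  for d in rt.get("dstaddr", []) if not enabled(objs.get(d))]
```

Calling audit(SAMPLE) returns one finding for "Other_range"; an empty list means every group and static route destination is consistent.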