FortiGate
ciordan
Staff
Article Id 193614

Description

 

This article describes how to configure a static route with address objects or address groups.

 

Scope

 

FortiGate.


Solution

 

Configure a standard address through the GUI under Policy & Objects, specifying the name, type, and subnet:

[Screenshot: GUI view of the address object]

 

 
CLI view of the created address object:
 
sh firewall address Test_range
config firewall address
    edit "Test_range"
        set uuid 1e123290-e041-51e9-b531-e5c4e2980e1a
        set subnet 10.0.0.0 255.255.255.0
    next
end
 
Configure a standard address group in the GUI under Policy & Objects, specifying the name and the members:
 
[Screenshot: GUI view of the address group]
 
 
CLI view of the created address group:
 
sh firewall addrgrp Test_group
config firewall addrgrp
    edit "Test_group"
        set uuid dd0497ce-e041-51e9-1b4e-bc11d7cc083c
        set member "Test_range"
    next
end
 
 
Note: If the 'Static Route Configuration' option is enabled on either the address group or an address object, but not on both, the address object will not appear in the list of available address objects to be selected as a member of that group. Both the address object and the address object group must have matching settings for the 'Static Route Configuration' option, either enabled or disabled.
 
Enable static route configuration from the GUI or add 'set allow-routing enable' from the CLI for the address object or address group:
 
 
 
sh firewall address Test_range
config firewall address
    edit "Test_range"
        set uuid 1e123290-e041-51e9-b531-e5c4e2980e1a
        set allow-routing enable
        set subnet 10.0.0.0 255.255.255.0
    next
end
 
 
sh firewall addrgrp Test_group
config firewall addrgrp
    edit "Test_group"
        set uuid dd0497ce-e041-51e9-1b4e-bc11d7cc083c
        set member "Test_range"
        set allow-routing enable
    next
end
 
When a static route is configured with an address object or group as the destination, the routing-enabled objects are listed as available entries for 'set dstaddr':
 
conf router static
edit 1

set dstaddr
<string>    please input string value
Test_range      address
Test_group      addrgrp

set dstaddr
 
The configured static route can be checked under Network -> Static Routes in the GUI or with 'show router static' in the CLI:
 
 
 
sh router static
config router static
    edit 1
        set gateway 192.168.1.1
        set device "wan1"
        set dstaddr "Test_group"
    next
end
 

From FortiOS v7.4.0, it is possible to define a preferred source IP for static routes to control the source IP used for local-out traffic. This setting allows better control over the source IP on egress interfaces, making it feasible to use a specified IP instead of the default interface IP.

config router static
    edit <id>
        set preferred-source <ip_address>
    next
end

This configuration allows local-out traffic using the static route to use the preferred source IP instead of the IP associated with the egress interface.

Verification:


get router info routing-table details 10.0.0.0

Routing table for VRF=0
Routing entry for 10.0.0.0/24
Known via "static", distance 10, metric 0, best
* vrf 0 192.168.1.1, via port1

 

Note: To add address objects to a group, the 'Static Route Configuration' option must be set the same way, either enabled or disabled, for all of the address objects in that group.
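
The matching rule from the two notes above, together with the 'allow-routing' requirement for 'set dstaddr', can be checked against an offline configuration excerpt before it is applied. This is an added example, not part of the original article or any Fortinet tooling; the object "Branch_net", the sample text and the function names are constructed for illustration, and the parser assumes the config/edit/set layout shown in this article.

```python
import re
# Constructed sample in the article's "show" format; "Branch_net" is a hypothetical object without allow-routing.
SAMPLE = '''config firewall address
    edit "Test_range"
        set allow-routing enable
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "Branch_net"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Test_group"
        set member "Test_range" "Branch_net"
        set allow-routing enable
    next
end
config router static
    edit 1
        set dstaddr "Branch_net"
    next
end'''

def parse(text):  # -> {section: {entry: {key: [values]}}}; nested config blocks are skipped
    cfg, section, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = " ".join(tok[1:]), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = cfg.setdefault(section, {}).setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(text):  # findings: group/member allow-routing mismatches, non-routable dstaddr
    cfg = parse(text)
    groups = cfg.get("firewall addrgrp", {})
    objs = {**cfg.get("firewall address", {}), **groups}
    routable = {n for n, o in objs.items() if o.get("allow-routing") == ["enable"]}
    out = [f"group {g}: member {m} allow-routing differs" for g in groups
           for m in groups[g].get("member", []) if (m in routable) != (g in routable)]
    out += [f"route {r}: dstaddr {d} lacks allow-routing"
            for r, rt in cfg.get("router static", {}).items()
            for d in rt.get("dstaddr", []) if d not in routable]
    return out
```

Calling audit(SAMPLE) reports the mismatched member and the non-routable destination; adding 'set allow-routing enable' to "Branch_net" clears both findings.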