FortiGate
ciordan
Staff
Article Id 193614

Description

 

This article describes how to configure a static route with address objects or address groups.

 

Scope

 

FortiGate.


Solution

 

Configure an address object through the GUI under Policy & Objects, specifying the name, type, and subnet.

 

Note:

- In FortiOS 7.4.x and below, enable the "Static route configuration" option when creating an address object or address group.

- Beginning with FortiOS 7.6.x, enable the "Routing configuration" option when creating an address object or address group.

 


 

CLI view:
 
config firewall address
edit "Test_Address_Object"
set uuid bc6f2364-f3b1-51f0-d076-f55395a71975
set allow-routing enable       << Important to enable this configuration
set subnet 10.10.10.0 255.255.255.0
next
end
 
Configure an address group in the GUI under Policy & Objects, specifying the name and the members:
 
CLI view: 
 
config firewall addrgrp
edit "Test_Address_Group"
set allow-routing enable      << Important to enable this configuration
set member "Test_Address_Object"
set uuid 0fb59cd2-f3b3-51f0-ad39-1d2c3a984efa
next
end
 
The address object or address group is now available for selection when configuring a static route.
 

 

CLI view:

 

lab # config router static

lab (static) # edit 10
new entry '10' added

 

lab (10) # set dstaddr
<string> please input string value
Test_Address_Object address        <<<< Available address object
Test_Address_Group addrgrp         <<<< Available address group
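
A pre-deployment check for the requirement above, as an added example that is not part of the original article or of any Fortinet tooling: it parses a staged FortiOS CLI snippet and reports static routes whose dstaddr object does not have allow-routing enabled. The object name Branch_Net, the function names, and the sample snippet are constructed for illustration, and the parser assumes flat config/edit/set blocks with no nested config sections.

```python
# Constructed sample: a FortiOS snippet staged for deployment (not from the article).
SAMPLE = '''
config firewall address
    edit "Test_Address_Object"
        set allow-routing enable
    next
    edit "Branch_Net"
        set subnet 10.20.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "Test_Address_Group"
        set allow-routing enable
        set member "Test_Address_Object"
    next
end
config router static
    edit 10
        set dstaddr "Test_Address_Group"
    next
    edit 11
        set dstaddr "Branch_Net"
    next
end
'''

def parse(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: value}}}."""
    tables, section, entry = {}, None, None
    for raw in text.splitlines():
        verb, _, rest = raw.strip().partition(" ")
        if verb == "config":
            section = tables.setdefault(rest.strip(), {})
        elif verb == "edit" and section is not None:
            entry = section.setdefault(rest.strip().strip('"'), {})
        elif verb == "set" and entry is not None:
            key, _, value = rest.strip().partition(" ")
            entry[key] = value.strip().strip('"')
        elif verb in ("next", "end"):  # "next" closes the entry, "end" the section too
            entry, section = None, (None if verb == "end" else section)
    return tables

def routing_violations(text):
    """Return (route_id, object) pairs whose dstaddr lacks allow-routing (or is undefined)."""
    t = parse(text)
    objects = {**t.get("firewall address", {}), **t.get("firewall addrgrp", {})}
    return [(rid, r["dstaddr"]) for rid, r in t.get("router static", {}).items()
            if "dstaddr" in r
            and objects.get(r["dstaddr"], {}).get("allow-routing") != "enable"]
```

On the constructed sample, route 11 is reported because Branch_Net was created without allow-routing; route 10 passes because Test_Address_Group has it enabled.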

 

 

From FortiOS v7.4.0, it is possible to define a preferred source IP for static routes to control the source IP used for local-out traffic. This setting allows better control over the source IP on egress interfaces, making it feasible to use a specified IP instead of the default interface IP.

config router static
    edit <id>
        set preferred-source <ip_address>
    next
end

This configuration allows local-out traffic using the static route to use the preferred source IP instead of the IP associated with the egress interface.

Verification:


get router info routing-table details 10.0.0.0

Routing table for VRF=0
Routing entry for 10.0.0.0/24
Known via "static", distance 10, metric 0, best
* vrf 0 192.168.1.1, via port1

 

Related Articles:

Technical Tip: Unable to add the addresses objects on the address group.

Technical Tip: Configuring preferred-source in source IP for local-out traffic