Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
amahdi
Staff
Staff

Created on ‎04-22-2024 10:31 PM

Article Id 310940

Technical Tip : VRF is not an option in static route settings

Description This article describes a scenario where the user is trying to configure a default static route via port9 which resides in a different VRF (5) instead of the default VRF.
However, upon trying to configure the static route on the CLI, there is no option to specify the VRF.

FG01 # config router static
FG01 # edit 50
FG01 (50) # set
status                     <----- Enable/disable this static route.
*dst                       <----- Destination IP and mask for this route.
gateway                    <----- Gateway IP for this route.
preferred-source           <----- Preferred source IP for this route.
distance                   <----- Administrative distance (1 - 255).
weight                     <----- Administrative weight (0 - 255).
priority                   <----- Administrative priority (1 - 65535).
*device                     <----- Gateway out interface or tunnel.
comment                    <----- Optional comments.
blackhole                  <----- Enable/disable black hole.
dynamic-gateway            <----- Enable use of dynamic gateway retrieved from a DHCP or PPP server.
sdwan-zone                 <----- Choose SD-WAN Zone.
dstaddr                    <----- Name of firewall address or address group.
internet-service           <----- Application ID in the Internet service database.
internet-service-custom    <----- Application name in the Internet service custom database.
link-monitor-exempt        <----- Enable/disable withdrawal of this static route when link monitor or health check is down.
tag                        <----- Route tag.
bfd                        <----- Enable/disable Bidirectional Forwarding Detection (BFD).
Scope FortiGate.
Solution

To create a static route with VRF, the interface needs to be in the VRF, and the route needs to reference the VRF. No need to specify the VRF on the route:

config system interface
    edit "port9"
        set vdom "root"
        set vrf 5
        set ip 192.168.1.10 255.255.255.0
        set type physical
        set role lan
        set snmp-index 24
    next
end

 

Then the static route should be configured as usual:


config router static
    edit 50
        set dst 0.0.0.0 0.0.0.0
        set device port9
    next
end

 

After running the below command, the static route should be visible on the routing table:


get router info routing-table all vrf 5

 

117
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.