amahdi
Staff
Article Id 310940
Description This article describes a scenario where the user is trying to configure a default static route via port9, which resides in a different VRF (5) instead of the default VRF.
However, when configuring the static route in the CLI, there is no option to specify the VRF.

FG01 # config router static
FG01 # edit 50
FG01 (50) # set
status                     <----- Enable/disable this static route.
*dst                       <----- Destination IP and mask for this route.
gateway                    <----- Gateway IP for this route.
preferred-source           <----- Preferred source IP for this route.
distance                   <----- Administrative distance (1 - 255).
weight                     <----- Administrative weight (0 - 255).
priority                   <----- Administrative priority (1 - 65535).
*device                     <----- Gateway out interface or tunnel.
comment                    <----- Optional comments.
blackhole                  <----- Enable/disable black hole.
dynamic-gateway            <----- Enable use of dynamic gateway retrieved from a DHCP or PPP server.
sdwan-zone                 <----- Choose SD-WAN Zone.
dstaddr                    <----- Name of firewall address or address group.
internet-service           <----- Application ID in the Internet service database.
internet-service-custom    <----- Application name in the Internet service custom database.
link-monitor-exempt        <----- Enable/disable withdrawal of this static route when link monitor or health check is down.
tag                        <----- Route tag.
bfd                        <----- Enable/disable Bidirectional Forwarding Detection (BFD).
Scope FortiGate.
Solution

To create a static route in a VRF, the outgoing interface needs to be assigned to that VRF, and the route needs to reference that interface. The route inherits the VRF from its device, so there is no need to specify the VRF on the route itself:

config system interface
    edit "port9"
        set vdom "root"
        set vrf 5
        set ip 192.168.1.10 255.255.255.0
        set type physical
        set role lan
        set snmp-index 24
    next
end

Then the static route should be configured as usual:


config router static
    edit 50
        set dst 0.0.0.0 0.0.0.0
        set device port9
    next
end

After running the command below, the static route should be visible in the routing table for VRF 5:


get router info routing-table all vrf 5
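
Because the VRF never appears on the route itself, checking which VRF each static route lands in means resolving its device against the interface table. The following is an added example, not part of the original article or Fortinet's tooling, that does this over a saved configuration; the function names, port1, route 1 and the nested ipv6 block are assumptions, and an omitted dst or vrf is treated as the FortiOS default (0.0.0.0/0 and VRF 0).

```python
# Constructed sample: port9 and route 50 mirror the article; the rest is assumed.
SAMPLE = """
config system interface
    edit "port1"
    next
    edit "port9"
        set vrf 5
        config ipv6
            set ip6-mode static
        end
    next
end
config router static
    edit 1
        set device "port1"
    next
    edit 50
        set dst 0.0.0.0 0.0.0.0
        set device port9
    next
end
"""

def parse_section(config, header):
    """Return {entry: {key: value}} for one top-level 'config <header>' block."""
    entries, current, active, depth = {}, None, False, 0
    for line in map(str.strip, config.splitlines()):
        if not active:
            active = line == f"config {header}"
        elif line.startswith("config ") or line == "end":
            depth += 1 if line != "end" else -1   # track nested sub-tables
            if depth < 0:
                break                             # 'end' of the section itself
        elif depth == 0 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return entries

def static_route_vrfs(config):
    """Map static route ID -> (dst, device, VRF inherited from the device's interface)."""
    interfaces = parse_section(config, "system interface")
    result = {}
    for route_id, route in parse_section(config, "router static").items():
        device = route.get("device")
        # Interface without 'set vrf' is in VRF 0; a device not in the config gives None.
        vrf = int(interfaces[device].get("vrf", 0)) if device in interfaces else None
        result[int(route_id)] = (route.get("dst", "0.0.0.0 0.0.0.0"), device, vrf)
    return result
```

Calling `static_route_vrfs()` on the text of a configuration backup shows at a glance when two default routes sit in different VRFs, which is what the sample returns for routes 1 and 50.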

 
