- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- VRRP static route question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VRRP static route question
I refer to "set ignore-default-route enable" in Technical Tip: VRRP - Active failover with link-mo... - Fortinet Community
edit "lan1"
config vrrp
edit 100
set vrgrp 100
set vrip 10.0.0.254
set priority 200
set vrdst 1.1.1.1
set vrdst-priority 10
set ignore-default-route enable
Correct me if I am wrong but the static route should be removed when the VRRP fails so what does "set ignore-default route enable" do?
==================================================================================
config system link-monitor
edit "monitor-vrrp-destination"
set srcintf "wan"
set server "1.1.1.1"
set gateway-ip x.x.x.x
set update-static-route disable
next
end
What does set update-static-route disable do in this config? Should it be enable instead?
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @BusinessUser ,
Correct me if I am wrong but the static route should be removed when the VRRP fails so what does "set ignore-default route enable" do?
This is tied to the "set vrdst" option. This option tells VRRP to monitor if route to the VRDST IP address exists in the routing table. If the route disappears from the routing table, the VRRP Master will lower its priority from "set priority" to "set vrdst-priority". The option "set ignore-default-route enable" simply ignores the default route when checking reachability to VRDST.
The option should probably be called "set vrdst-ignore-default-route", but it's not :-).
In general, if your VRDST is not actually reachable via the default route, you should enable "ignore-default-route".
What does set update-static-route disable do in this config? Should it be enable instead?
The link monitor is not tied just to VRRP, but they can be used in conjunction. Link monitor is just an active probe, which can remove routes from the routing table when the monitored server stops responding. So, if you want VRDST induced failover of VRRP to happen, you will need to keep "update-static-route" enabled. More on link monitor feature can be found at https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/647723/link-monitor-with-rou... .
HTH,
Boris
Boris
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Q: >>..what does "set ignore-default route enable" do?
R: The setting "set ignore-default-route enable" enables ignoring of default route when checking destination.
https://docs.fortinet.com/document/fortigate/6.2.3/cli-reference/10620/system-interface
Q: >>What does set update-static-route disable do in this config? Should it be enable instead?
R: The setting "set update-static-route disable" disables the ability to update the static route. If I understood correctly what you are trying to achieve, you could keep update-static-route disabled if you use "set ignore-default-route enable". I have never worked with that particular config before.
https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-Change-and-Session-Fail-over-with...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Bring-other-interfaces-down-when-link-moni...
From article https://community.fortinet.com/t5/FortiGate/Technical-Tip-Link-monitor/ta-p/197504 :
---------------------------------------------------
**set update-static-route “Enable/disable updating the static route, default: enable”
[** It is advised to keep disabled as it may cause the production environment down , Make sure it's working before enabling it]
---------------------------------------------------
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i dont get it.
what is the difference between "set update-static-route enable " and "set ignore-default route enable"?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They are two different settings configured under two different contexts, "system interface" and "system link-monitor". You may find the answer from my colleague Boris clearer.
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there fortigate training video for vrrp or link monitoring?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @BusinessUser,
I have checked https://video.fortinet.com/search and https://www.youtube.com/@fortinet/search and so far I could not find anything related to them.
Regards,
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Related Posts
- NO internet connection when using static... 749 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 287 Views
- Cisco Trunk port to Fortiswitch 1081 Views
- Routing Issue on FortiGate 7.2.8 297 Views
- Policy based routing to IPsec tunnel 190 Views
Labels
-
FortiGate
6,546 -
FortiClient
1,306 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiAP
335 -
FortiSwitch
333 -
FortiClient EMS
264 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
FortiConnect
24 -
SD-WAN
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
IP address management - IPAM
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.