Routing concepts

This section contains the following topics:

Default route

The default route has a destination of, representing the least specific route in the routing table. It is a catch all route in the routing table when traffic cannot match a more specific route. Typically this is configured with a static route with an administrative distance of 10. In most instances, you will configure the next hop interface and the gateway address pointing to your next hop. If your FortiGate is sitting at the edge of the network, your next hop will be your ISP gateway. This provides internet access for your network.

Sometimes the default route is configured through DHCP. On some desktop models, the WAN interface is preconfigured in DHCP mode. Once the WAN interface is plugged into the network modem, it will receive an IP address, default gateway, and DNS server. FortiGate will add this default route to the routing table with a distance of 5, by default. This will take precedence over any default static route with a distance of 10. Therefore, take caution when you are configuring an interface in DHCP mode, where Retrieve default gateway from server is enabled. You may disable it and/or change the distance from the Network > Interfaces page when you edit an interface.

Adding or editing a static route

To add a static route using the GUI:
  1. Go to Network > Static Routes and click Create New.

  2. Enter the following information:

    Dynamic Gateway

    When enabled, a selected DHCP/PPPoE interface will automatically retrieve its dynamic gateway.


    • Subnet

      Enter the destination IP address and netmask. A value of creates a default route.

    • Named Address

      Select an address or address group object. Only addresses with static route configuration enabled will appear on the list. This means a geography type address cannot be used.

    • Internet Service

      Select an Internet Service. These are known IP addresses of popular services across the Internet.


    Select the name of the interface that the static route will connect through.

    Gateway Address

    Enter the gateway IP address. When selecting an IPsec VPN interface or SD-WAN creating a blackhole route, the gateway cannot be specified.

    Administrative Distance

    Enter the distance value, which will affect which routes are selected first by different protocols for route management or load balancing. The default is 10.

    Advanced Options

    Optionally, expand Advanced Options and enter a Priority. When two routes have an equal distance, the route with a lower priority number will take precedence. The default is 0.

  3. Click OK.

Configuring FQDNs as a destination address in static routes

You can configure FQDN firewall addresses as destination addresses in a static route, using either the GUI or the CLI.

In the GUI, to add an FQDN firewall address to a static route in the firewall address configuration, enable the Static Route Configuration option. Then, when you configure the static route, set Destination to Named Address.

To configure an FQDN as a destination address in a static route using the CLI:
config firewall address
    edit 'Fortinet-Documentation-Website'
        set type fqdn
        set fqdn
        set allow-routing enable
config router static
    edit 0
        set dstaddr Fortinet-Documentation-Website

Routing table

A routing table consists of only the best routes learned from the different routing protocols. The most specific route always takes precedence. If there is a tie, then the route with a lower administrative distance will be injected into the routing table. If administrative distances are also equal, then all the routes are injected into the routing table, and Cost and Priority become the deciding factors on which a route is preferred. If these are also equal, then FortiGate will use Equal cost multi-path to distribute traffic between these routes.

Viewing the routing table in the GUI

You can view routing tables in the FortiGate GUI under Dashboard > Network > Static & Dynamic Routing by default. Expand the widget to see the full page. Additionally, if you want to convert the widget into a dashboard, click on the Save as Monitor icon on the top right of the page.

You can also monitor policy routes by toggling from Static & Dynamic to Policy on the top right corner of the page. The active policy routes include policy routes that you created, SD-WAN rules, and Internet Service static routes. It also supports downstream devices in the Security Fabric.

The following figure show an example of the static and dynamic routes in the Routing Monitor:

To view more columns, right-click on the column header to select the columns to be displayed:



IP Version

Shows whether the route is IPv4 or IPv6.


The IP addresses and network masks of destination networks that the FortiGate can reach.

Gateway IP

The IP addresses of gateways to the destination networks.


The interface through which packets are forwarded to the gateway of the destination network.


The administrative distance associated with the route. A lower value means the route is preferable compared to other routes to the same destination.


The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP):

  • Connected: All routes associated with direct connections to FortiGate interfaces
  • Static: The static routes that have been added to the routing table manually
  • RIP: All routes learned through RIP