This article describes a scenario where the user is trying to configure a default static route via port9, which resides in a different VRF (5) instead of the default VRF.
However, when configuring the static route in the CLI, there is no option to specify the VRF.
    FG01 # config router static
    FG01 # edit 50
    FG01 (50) # set
    status                   <----- Enable/disable this static route.
    *dst                     <----- Destination IP and mask for this route.
    gateway                  <----- Gateway IP for this route.
    preferred-source         <----- Preferred source IP for this route.
    distance                 <----- Administrative distance (1 - 255).
    weight                   <----- Administrative weight (0 - 255).
    priority                 <----- Administrative priority (1 - 65535).
    *device                  <----- Gateway out interface or tunnel.
    comment                  <----- Optional comments.
    blackhole                <----- Enable/disable black hole.
    dynamic-gateway          <----- Enable use of dynamic gateway retrieved from a DHCP or PPP server.
    sdwan-zone               <----- Choose SD-WAN Zone.
    dstaddr                  <----- Name of firewall address or address group.
    internet-service         <----- Application ID in the Internet service database.
    internet-service-custom  <----- Application name in the Internet service custom database.
    link-monitor-exempt      <----- Enable/disable withdrawal of this static route when link monitor or health check is down.
    tag                      <----- Route tag.
    bfd                      <----- Enable/disable Bidirectional Forwarding Detection (BFD).
Scope
FortiGate.
Solution
To create a static route in a VRF, the interface needs to be in the VRF, and the route needs to reference that interface as its device. There is no need to specify the VRF on the route itself:

    config system interface
        edit "port9"
            set vdom "root"
            set vrf 5
            set ip 192.168.1.10 255.255.255.0
            set type physical
            set role lan
            set snmp-index 24
        next
    end

Then the static route should be configured as usual:

    config router static
        edit 50
            set dst 0.0.0.0 0.0.0.0
            set device port9
        next
    end

The static route should then be visible in the routing table for VRF 5, which can be checked with the following command:

    get router info routing-table all vrf 5
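
Because the route takes its VRF from the device it references, a configuration backup can be audited offline to see which VRF each static route lands in. The following is an added example, not Fortinet code: it handles only flat config/edit/set blocks like the two shown above, the function names are hypothetical, and it assumes an interface without a `set vrf` line belongs to VRF 0.

```python
from collections import defaultdict

# Constructed sample: port9 and route 50 follow the page; port1 and route 1
# are hypothetical entries left in the default VRF for contrast.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
    next
    edit "port9"
        set vrf 5
    next
end
config router static
    edit 1
        set device "port1"
    next
    edit 50
        set dst 0.0.0.0 0.0.0.0
        set device port9
    next
end
"""

def parse_tables(text):
    """Return {section: {entry: {key: value}}} for flat config/edit/set blocks."""
    tables, section, entry = defaultdict(dict), None, None
    for words in filter(None, (line.split() for line in text.splitlines())):
        if words[0] == "config":
            section = " ".join(words[1:])
        elif words[0] == "edit" and section:
            entry = words[1].strip('"')
            tables[section][entry] = {}
        elif words[0] == "set" and entry is not None:
            tables[section][entry][words[1]] = " ".join(words[2:]).strip('"')
        elif words[0] in ("next", "end"):
            entry = None
    return tables

def static_routes_by_vrf(text):
    """Map static route ID -> (device, VRF inherited from that device)."""
    tables = parse_tables(text)
    ifaces = tables.get("system interface", {})
    routes = {}
    for rid, route in tables.get("router static", {}).items():
        dev = route.get("device")
        # Assumption: an interface with no "set vrf" line is in VRF 0.
        routes[rid] = (dev, int(ifaces.get(dev, {}).get("vrf", 0)))
    return routes
```

Calling `static_routes_by_vrf(SAMPLE_CONFIG)` returns the device and inherited VRF for each route ID, which makes a route that unexpectedly sits in the default VRF easy to spot during a segmentation review.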