Andreas77_FTNT
Article Id 192605

Description

 

This article describes how to override the default route settings, administrative distance and priority, for the default route received from DHCP.

A DHCP server can send a gateway address with Option 3 (Router) in a DHCP Offer message.

If the FortiGate interface is configured to receive an IP address from DHCP, FortiGate adds the following default route:
 
S*      0.0.0.0/0 [5/0] via 192.168.174.2, port1
 
The default route has a default value of 5 for Administrative Distance (AD) and 0 for priority.

Starting with FortiOS 7.0.4, the default priority of routes learned from DHCP is '1'.
config system interface


Solution 1:
Create a static route with the desired AD and priority, and with the 'dynamic-gateway' option enabled.
Note that the distance of the static route should be less than the distance configured on the interface (default is 5).

show full system interface port1 | grep distance
    set distance 5

config router static
    edit 1
        set distance 3
        set priority 25
        set device "port1"
        set dynamic-gateway enable
    next
end

Below is the output of the routing table:

 

FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [3/0] via 192.168.254.254, port1, [25/0]


Solution 2:
Set the distance and priority under the interface configuration.


config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set distance 3
        set priority 10
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 1
    next
end

Below is the output of the routing table:

 

FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [3/0] via 192.168.254.254, port1, [10/0]
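
To confirm that either override took effect, the default route line can be checked against the intended distance and priority. The following Python sketch is an added example, not part of the original article or of any Fortinet tooling; the function names are hypothetical, and it assumes the single-line route format shown in the outputs above (distance first in the leading bracket, priority first in the trailing bracket).

```python
import re

# Matches one route line of 'get router info routing-table all'. The leading
# bracket holds the distance first; the optional trailing bracket holds the
# priority first (25 and 10 in the article's two outputs).
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9]+)\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<distance>\d+)/\d+\]\s+via\s+(?P<gateway>[\d.]+),\s*(?P<device>[^,\s]+)"
    r"(?:,\s*\[(?P<priority>\d+)/\d+\])?$"
)

def parse_default_routes(cli_output):
    """Return every 0.0.0.0/0 entry found in pasted routing-table output."""
    routes = []
    for line in cli_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m["prefix"] == "0.0.0.0/0":
            routes.append({
                "code": m["code"], "gateway": m["gateway"], "device": m["device"],
                "distance": int(m["distance"]),
                # No trailing bracket (the article's first route line) -> None.
                "priority": int(m["priority"]) if m["priority"] else None,
            })
    return routes

def check_override(cli_output, device, distance, priority):
    """List mismatches for the default route on `device`; [] means it matches."""
    routes = [r for r in parse_default_routes(cli_output) if r["device"] == device]
    if not routes:
        return [f"no default route via {device}"]
    problems = []
    for r in routes:
        for field, want in (("distance", distance), ("priority", priority)):
            if r[field] != want:
                problems.append(f"{field} is {r[field]}, expected {want}")
    return problems

# Route lines copied from the article's outputs, with two non-route lines kept
# to show that they are skipped.
BEFORE = "S*      0.0.0.0/0 [5/0] via 192.168.174.2, port1"
SOLUTION_1 = """* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [3/0] via 192.168.254.254, port1, [25/0]"""
SOLUTION_2 = "S* 0.0.0.0/0 [3/0] via 192.168.254.254, port1, [10/0]"

if __name__ == "__main__":
    for name, out, prio in (("before", BEFORE, 25), ("solution 1", SOLUTION_1, 25),
                            ("solution 2", SOLUTION_2, 10)):
        print(name, check_override(out, "port1", 3, prio) or "OK")
```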