
Add a Static Route

A route tells the FortiGate where to send traffic destined for a particular network. The most common route is the default route (0.0.0.0/0) — "anything I don't have a more specific match for, send out the WAN to the upstream gateway." Without it, the FortiGate is internet-isolated.

You add other static routes when you have multiple internal networks reachable through different gateways, or when an upstream router needs to be told about specific subnets.

Before You Start

  • The destination subnet (e.g. 0.0.0.0/0 for internet, 10.20.0.0/16 for a remote office).
  • The next-hop gateway IP (the router that knows how to get there).
  • The interface this gateway is reachable through.

Steps

  1. Network → Static Routes → + Create New.
  2. Fill in:
    • Destination — pick Subnet (default), enter the destination network. For default route: 0.0.0.0/0.0.0.0.
    • Gateway Address — the next-hop IP. For default route: your ISP's gateway (often something like 203.0.113.1).
    • Interface — the interface that reaches the gateway (e.g. wan1).
    • Administrative Distance — defaults to 10. Lower wins when multiple routes match. Leave at 10 unless you're stacking routes intentionally (e.g. backup route at 20).
    • Comments — optional but useful (Default route via ISP A).
    • Status — Enabled.
  3. Click OK.

CLI Equivalent

config router static
edit 0       # 0 lets FortiOS auto-pick an unused ID
    set dst 0.0.0.0 0.0.0.0
    set gateway 203.0.113.1
    set device wan1
    set distance 10
next
end

Verify

get router info routing-table all
# Look for your route. Default route shows as "S* 0.0.0.0/0 [10/0] via 203.0.113.1, wan1"
# The "S*" means Static, currently active.

execute ping 8.8.8.8
# Should succeed if route is good and WAN is up.

Backup / Failover Routes

If you have two ISPs, you can add two default routes with different distances:

config router static
edit 1
    set dst 0.0.0.0 0.0.0.0
    set gateway 203.0.113.1
    set device wan1
    set distance 10        # primary
next
edit 2
    set dst 0.0.0.0 0.0.0.0
    set gateway 198.51.100.1
    set device wan2
    set distance 20        # backup — only used if wan1 fails
next
end

FortiOS uses link-monitor (ping or health-check) to detect WAN failure and switch. For finer control, use SD-WAN — see Set Up SD-WAN.

Common Issues

  • Route shows in table but no internet. Gateway is wrong. Try execute ping <gateway-ip> — must succeed first.
  • Route doesn't appear in table. Interface is down, or admin distance conflicts with a higher-priority route. get router info routing-table all shows only the active route per destination.
  • Have routes but traffic still fails. Firewall policy missing — see Add a Firewall Policy. Routing tells where the packet goes; policy decides if it's allowed.
  • Wrong interface picked automatically. Specify the interface explicitly rather than letting FortiOS guess.
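
The distance rule from Backup / Failover Routes and the explicit-interface advice above can be checked offline against a saved config. This is an added example, not Fortinet code: the function names are hypothetical, and route 3 with its gateway 192.0.2.254 is constructed for illustration.

```python
import re

# Constructed sample: this page's two-ISP config plus a made-up route 3 with no "set device".
SAMPLE = """\
config router static
edit 1
    set dst 0.0.0.0 0.0.0.0
    set gateway 203.0.113.1
    set device wan1
    set distance 10        # primary
next
edit 2
    set dst 0.0.0.0 0.0.0.0
    set gateway 198.51.100.1
    set device wan2
    set distance 20        # backup
next
edit 3
    set dst 10.20.0.0 255.255.0.0
    set gateway 192.0.2.254
next
end
"""

def parse_static_routes(text):
    """Return one dict per 'edit' block holding its 'set' key/value pairs."""
    routes, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if m := re.fullmatch(r"edit (\d+)", line):
            cur = {"id": int(m.group(1)), "distance": 10}   # distance defaults to 10
        elif line.startswith("set ") and cur is not None:
            _, key, value = line.split(None, 2)
            cur[key] = int(value) if key == "distance" else value
        elif line == "next" and cur is not None:
            routes.append(cur)
            cur = None
    return routes

def audit(routes):
    """Rank route IDs per destination (lower distance wins); flag routes with no interface."""
    by_dst, findings = {}, []
    for r in routes:
        by_dst.setdefault(r.get("dst"), []).append(r)
        if "device" not in r:
            findings.append(f"route {r['id']}: no 'set device', interface left implicit")
    ranking = {dst: [r["id"] for r in sorted(group, key=lambda r: r["distance"])]
               for dst, group in by_dst.items()}
    return ranking, findings
```

Calling audit(parse_static_routes(SAMPLE)) ranks route 1 ahead of route 2 for the default destination and reports one finding, for route 3.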