The complete handbook for FortiOS 5.4

Building the routing table

In the factory default configuration, the FortiGate unit routing table contains a single static default route. You can add routing information to the routing table by defining additional static routes.

It is possible that the routing table is faced with several different routes to the same destination—the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary. In this situation, the “best” route is selected from the table.

The FortiGate unit selects the “best” route for a packet by evaluating the information in the routing table. The “best” route to a destination is typically associated with the shortest distance between the FortiGate unit and the closest gateway, also known as a next-hop router. In some cases, the next best route may be selected if the best route is unavailable.

The FortiGate unit installs the best available routes in the unit’s forwarding table, which is a subset of the unit’s routing table. Packets are forwarded according to the information in the forwarding table.

Viewing the routing table in the CLI

In the CLI, you can easily view the static routing table just as in the web-based manager or you can view the full routing table.

When viewing the list of static routes using the CLI command get route static, it is the configured static routes that are displayed. When viewing the routing table using the CLI command get router info routing-table all, it is the entire routing table information that is displayed including configured and learned routes of all types. The two are different information in different formats.

If VDOMs are enabled on your FortiGate unit, all routing related CLI commands must be performed within a VDOM and not in the global context.


To view the routing table

# get router info routing-table all
Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP, O – OSPF, IA – OSPF inter area
       N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
       E1 – OSPF external type 1, E2 – OSPF external type 2
       i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area
       * – candidate default

S* [10/0] via, port2
S [10/0] via, port2
S [10/0] via, port2
C is directly connected, port3
B [20/0] via, port3, 2d18h02m
C is directly connected, port2


Examining an entry:

B [20/0] via, port3, 2d18h02m

B                      BGP. The routing protocol used.
<destination/netmask>  The destination of this route, including netmask.
[20/0]                 20 indicates an administrative distance of 20 out of a range of 0 to 255. 0 is an additional metric associated with this route, such as in OSPF.
<gateway>              The gateway, or next hop.
port3                  The interface used by this route.
2d18h02m               How old this route is, in this case almost three days old.


To view the kernel routing table

# get router info kernel
tab=254 vf=0 scope=253 type=1 proto=2 prio=0> pref= gwy= dev=5(external1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0> pref= gwy= dev=6(internal)

The parts of the routing table entry are:

tab              Table number. This will be either 254 (unicast) or 255 (multicast).
vf               Virtual domain of the firewall. This is the VDOM index number. If VDOMs are not enabled, this number will be 0.
type             Type of routing connection. Valid values include:
                   0 – unspecific
                   1 – unicast
                   2 – local
                   3 – broadcast
                   4 – anycast
                   5 – multicast
                   6 – blackhole
                   7 – unreachable
                   8 – prohibited
proto            Type of installation. This indicates where the route came from. Valid values include:
                   0 – unspecific
                   2 – kernel
                   11 – ZebOS routing module
                   14 – FortiOS
                   15 – HA
                   16 – authentication based
                   17 – HA1
prio             Priority of the route. Lower priorities are preferred.
<destination>    The IP address and subnet mask of the destination.
pref             Preferred next hop along this route.
gwy              Gateway – the address of the gateway this route will use.
dev              Outgoing interface index. This number is associated with the interface for this route, and if VDOMs are enabled the VDOM will be included here as well. If an interface alias is set for this interface it will also be displayed here.

Routing Information FortiOS 5.4.0

Default route

The default route is used if either there are no other routes in the routing table or if none of the other routes apply to a destination. Including the gateway in the default route gives all traffic a next-hop address to use when leaving the local network. The gateway address is normally another router on the edge of the local network.

All routers, including FortiGate units, are shipped with default routes in place. This allows customers to set up and become operational more quickly. Beginner administrators can use the default route settings until a more advanced configuration is warranted.

FortiGate units come with a default static route with an IPv4 address of, an administrative distance of 10, and a gateway IPv4 address.

Adding a static route

To add or edit a static route, go to Router > Static > Static Routes and select Create New.

Destination IP / Mask   Enter the destination IP address and netmask. A value of is universal.
Device                  Select the name of the interface which the static route will connect through.
Gateway                 Enter the gateway IP address.
Distance                Enter the distance value, which will affect which routes are selected first by different protocols for route management or load balancing. The default is
Priority                Enter the priority if desired, which will artificially weight the route during route selection. The higher the number, the less likely the route is to be selected over others. The default is 0.

Routing table

When two computers are directly connected, there is no need for routing because each computer knows exactly where to find the other computer. They communicate directly.

Networking computers allows many computers to communicate with each other. This requires each computer to have an IP address to identify its location to the other computers. This is much like a mailing address – you will not receive your postal mail at home if you do not have an address for people to send mail to. The routing table on a computer is much like an address book used to mail letters to people in that the routing table maintains a list of how to reach computers. Routing tables may also include information about the quality of service (QoS) of the route, and the interface associated with the route if the device has multiple interfaces.

Looking at routing as delivering letters is simpler than reality. In reality, routers lose power or have bad cabling, network equipment is moved without warning, and other such events happen that prevent static routes from reaching their destinations. When any changes such as these happen along a static route, traffic can no longer reach the destination — the route goes down. Dynamic routing can address these changes to ensure traffic still reaches its destination. The process of realizing there is a problem, backtracking and finding a route that is operational is called convergence. If there is fast convergence in a network, users won’t even know that re-routing is taking place.

The routing table is used to store routes that are learned. The routing table for any device on the network has a limited size. For this reason, routes that aren’t used are replaced by new routes. This method ensures the routing table is always populated with the most current and most used routes — the routes that have the best chance of being reused. Another method used to maintain the routing table’s size is that if a route in the table and a new route are to the same destination, one of the routes is selected as the best route to that destination and the other route is discarded.

Routing tables are also used in unicast reverse path forwarding (uRPF). In uRPF, the router not only looks up the destination information, but also the source information to ensure that it exists. If there is no source to be found, then that packet is dropped because the router assumes it to be an error or an attack on the network.

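As an added illustration of the selection rules described above (this is not code from the handbook or from FortiOS), the following Python models a routing table in which the best route per destination is chosen by lowest administrative distance and then lowest priority, installs the winners into a forwarding table, and resolves packets by longest prefix match; it also implements the uRPF source check, extended with a strict variant (the ingress interface must match the reverse route) that the text does not describe. All routes and addresses are constructed sample data.

```python
"""Toy model of FortiGate-style route selection, forwarding table and uRPF.

Added example, not FortiOS code. Rules modelled from the handbook text:
  - among routes to the same destination, the lowest administrative
    distance wins; equal distance is broken by the lowest priority value;
  - the winners form the forwarding table (a subset of the routing table);
  - a packet is resolved by the longest prefix that matches its destination;
  - uRPF drops a packet whose source address has no route back.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dest: str           # destination prefix, e.g. "10.10.0.0/16"
    gateway: str        # next hop; "" for a directly connected network
    device: str         # outgoing interface
    distance: int = 10  # administrative distance, 0..255; lower wins
    priority: int = 0   # tie-breaker among equal-distance routes; lower wins

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dest)


def build_forwarding_table(routing_table: List[Route]) -> Dict[str, Route]:
    """Keep exactly one best route per destination prefix."""
    fib: Dict[str, Route] = {}
    for r in routing_table:
        cur = fib.get(r.dest)
        if cur is None or (r.distance, r.priority) < (cur.distance, cur.priority):
            fib[r.dest] = r
    return fib


def lookup(fib: Dict[str, Route], ip: str) -> Optional[Route]:
    """Longest-prefix match of ip against the forwarding table."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in fib.values() if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def urpf_allows(fib: Dict[str, Route], src_ip: str, ingress: str,
                strict: bool = False) -> bool:
    """Return False when the packet should be dropped by the uRPF check.

    Assumption of this toy: the default route (/0) does not count as a route
    back to the source, otherwise every source address would look reachable.
    strict=True additionally requires the reverse route to leave via the
    interface the packet arrived on."""
    route = lookup(fib, src_ip)
    if route is None or route.network.prefixlen == 0:
        return False
    return route.device == ingress if strict else True


# Constructed sample routing table using documentation address ranges.
ROUTING_TABLE = [
    Route("0.0.0.0/0", "192.0.2.1", "port2", distance=10, priority=0),
    Route("0.0.0.0/0", "203.0.113.1", "port1", distance=10, priority=5),
    Route("192.0.2.0/24", "", "port2", distance=0),               # C, connected
    Route("198.51.100.0/24", "", "port3", distance=0),            # C, connected
    Route("10.10.0.0/16", "192.0.2.1", "port2", distance=10),     # S, static
    Route("10.10.0.0/16", "198.51.100.1", "port3", distance=20),  # B, BGP [20/0]
]
FIB = build_forwarding_table(ROUTING_TABLE)

if __name__ == "__main__":
    for ip in ("10.10.5.5", "203.0.113.77", "198.51.100.9"):
        r = lookup(FIB, ip)
        print(ip, "->", r.dest, "via", r.gateway or "connected", r.device)
    print("uRPF 10.10.5.5 in on port3, strict:", urpf_allows(FIB, "10.10.5.5", "port3", strict=True))
```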

Some actions you can perform on the routing table include:

  • Viewing the routing table in the web-based manager
  • Viewing the routing table in the CLI
  • Searching the routing table

Viewing the routing table in the web-based manager

By default, all routes are displayed in the Routing Monitor list. The default static route is defined as, which matches the destination IP address of “any/all” packets.

To display the routes in the routing table, go to Router > Monitor > Routing Monitor.

The figure below shows the Routing Monitor list belonging to a FortiGate unit that has interfaces named “port1”, “port4”, and “lan”. The names of the interfaces on your FortiGate unit may be different.

Advanced Static Routing

Advanced static routing includes features and concepts that are used in more complex networks. Dynamic routing is not addressed in this section.

This section includes:

  • Routing concepts
  • Static routing tips
  • Policy routing
  • Transparent mode static routing
  • Static routing example


Routing concepts

Many routing concepts apply to static routing. However without first understanding these basic concepts, it is difficult to understand the more complex dynamic routing.

This section includes:

  • Routing in VDOMs
  • Default route
  • Adding a static route
  • Routing table
  • Building the routing table
  • Static routing security
  • Multipath routing and determining the best route
  • Route priority
  • Troubleshooting static routing


Routing in VDOMs

Routing on FortiGate units is configured per-VDOM. This means if VDOMs are enabled, you must enter a VDOM to do any routing configuration. This allows each VDOM to operate independently, with its own default routes and routing configuration.

In this guide, the procedures assume your FortiGate unit has VDOMs disabled. This is stated in the assumptions for the examples. If you have VDOMs enabled you will need to perform the following steps in addition to the procedure’s steps.


To route in VDOMs – web-based manager

Select the VDOM that you want to view or configure at the bottom of the main menu.



To route in VDOMs – CLI

Before following any CLI routing procedures with VDOMs enabled, enter the following commands. For this example, it is assumed you will be working in the root VDOM. Change root to the name of your selected VDOM as needed.

config vdom
    edit root

Following these commands, you can enter any routing CLI commands as normal.

Chapter 3 – Advanced Routing

This chapter describes advanced static routing concepts and how to implement dynamic routing on FortiGate units.

This FortiOS Handbook chapter contains the following sections:

Advanced Static Routing explains universal and static routing concepts, equal cost multipath (ECMP) and load balancing, policy routing, and routing in transparent mode.

Dynamic Routing Overview provides an overview of dynamic routing, compares static and dynamic routing, and helps you decide which dynamic routing protocol is best for you.

Routing Information Protocol (RIP) describes a distance-vector routing protocol intended for small, relatively homogeneous networks.

Border Gateway Protocol (BGP) describes classless inter-domain routing, and aggregate routes. BGP is the only routing protocol to use TCP for a transport protocol.

Open Shortest Path First (OSPF) provides background on the specific protocol explaining terms used and how the protocol works, as well as providing some troubleshooting information and examples on configuring the protocols in different situations.

Intermediate System to Intermediate System Protocol (IS-IS) describes the link-state protocol, which is well-suited to smaller networks and has near-universal support on routing hardware. The section also provides troubleshooting information and configuration examples.


Chapter 2 – Getting Started

  • Installation discusses installing a FortiGate in your network.
  • Using the GUI describes how to use the graphical user interface (GUI).
  • A Guide to Using the Entry Level Models introduces you to FortiGate models 30-90, also known as the Entry Level models.
  • Basic Administration explains basic tasks that should be done to set-up a new FortiGate.
  • Resources lists resources available to help you with more advanced FortiGate configurations.

Differences between Models

You should know that there are two key differences between different FortiGate models.




Certain features are not available on all models. Additionally, a particular feature may be available only through the CLI on some models, while that same feature may be viewed in the GUI on other models.

If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature Select and confirm that the feature is turned on. For more information, see Feature Select on page 205. For more information about features that vary by model, please see the Feature/Platform Matrix.



Naming conventions may vary between FortiGate models. For example, on some models the hardware switch interface used for the local area network is called lan, while on other units it is called internal.



This section discusses how to install your FortiGate and use it in your network, after completion of the initial set-up outlined in the FortiGate model’s QuickStart Guide. The section also provides troubleshooting tips.

The following topics are included in this section:

  • NAT/Route Mode vs. Transparent Mode
  • Setup Wizard
  • Installing a FortiGate in NAT/Route mode
  • Using a Virtual Wire Pair
  • Troubleshooting your FortiGate Installation

NAT/Route Mode vs. Transparent Mode

A FortiGate can operate in one of two modes: NAT/Route or Transparent.


NAT/Route mode is the most common operating mode. In this mode, a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT). NAT/Route mode is also used when two or more Internet service providers (ISPs) will be used to provide the FortiGate with redundant Internet connections.

A FortiGate in Transparent mode is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in Transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

For more information about Transparent Mode, see the Transparent Mode handbook available at the Fortinet Document Library.


Setup Wizard

The Setup Wizard helps to quickly configure your FortiGate to allow Internet access and remote access. The wizard can be launched from the GUI by selecting the  button, located in the top right corner. You can also get to the Setup Wizard through FortiExplorer for either Windows or Mac OS. FortiExplorer can be downloaded at



Using the Setup Wizard

The Setup Wizard is intended to be used for initial setup. If it is used on a previously configured FortiGate, it replaces parts of the configuration, including existing firewall policies.

1. Connect to the FortiGate using FortiExplorer. It is recommended to view FortiExplorer in fullscreen mode because some options may not be visible otherwise.

2. Select your FortiGate, then select Setup Wizard.

3. Login using an admin account (the default admin account has the username admin and no password).

4. Select Change Password to set a new password for the admin account. Select Next.

5. Select the appropriate time zone. Select Next.

6. Fill in the appropriate information about your Internet WAN Connection. Select Next.

7. Enter an IP Address and Netmask for your LAN. If necessary, enable DHCP and select a Start and End Address. Select Next.

8. Select the schedule for when Internet access should be allowed. Select Next.

9. Select the appropriate options for your Internet Access Policy, including NAT options and Unified Threat Management. Select Next.

10. If necessary, configure options to allow Remote VPN Access using either an SSL VPN or an IPsec VPN. Select


11. A summary screen will appear. If the configuration shown is correct, select Configure.

12. (Optional) If you wish to activate a FortiCloud account, select Next and enter your information (for more information about FortiCloud, see the FortiCloud FAQ). Otherwise, select Done.


Your configuration has now been set up on the FortiGate, allowing users on the LAN to have Internet access.




Automatic all-SSID selection in FortiAP Profile (219347)

The SSID field in FortiAP Profiles now includes the option Automatically assign Tunnel-mode SSIDs. This eliminates the need to re-edit the profile when new SSIDs are created. You can still select SSIDs individually using the Select SSIDs option.

Automatic assignment of SSIDs is not available for FortiAPs in Local Bridge mode. The option is hidden on both the Managed FortiAP settings and the FortiAP Profile assigned to that AP.


Improved override of FortiAP settings (219347 264010 264897)

The configuration settings of a FortiAP in WiFi Controller > Managed FortiAPs can override selected settings in the FortiAP Profile:

  • Band and/or Channel
  • Transmitter Power
  • SSIDs
  • LAN Port mode


Note that a Band override also overrides Channel selections.

In the CLI, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, and split tunneling settings.


Spectrum Analysis removed from FortiAP Profile GUI

Spectrum Analysis is no longer available in FortiAP Profiles in the GUI. It can be enabled in the CLI if needed.


Disable low data rates in 802.11a, g, n ac (297821)

To reduce air-time usage on your WiFi network, you can disable the use of low data rates which cause communications to consume more air time.

The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, 54 Mb/s. Basic rates are specified with the suffix “basic”, “12-basic” for example. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.

The 802.11n and ac protocols are specified by MCS (Modulation and Coding Scheme) index and the number of spatial streams.

  • 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1,mcs8/2,mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
  • 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
  • 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
  • 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4


Here are some examples of setting basic and supported rates.

config wireless-controller vap
    edit <vap_name>
        set rates-11a 12-basic 18 24 36 48 54
        set rates-11bg 12-basic 18 24 36 48 54
        set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4
        set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3
    next
end



WiFi and Switch controllers are enabled separately (275860)

In the Feature Store (System > Features), the WiFi Controller and Switch Controller are now separate. However, the Switch Controller must be enabled in order for the WiFi Controller to be visible.

In the CLI, the settings that enable the WiFi and Switch controllers have been separated:

config system global
    set wireless-controller enable
    set switch-controller enable
end



The settings that enable the GUI display for those controllers have also been separated:

config system settings
    set gui-wireless-controller enable
    set gui-switch-controller enable
end



Add Support of LLDP protocol on FortiAP to send switch and port information (283107)

You can enable LLDP protocol in the FortiAP Profile. Each FortiAP using that profile can then send back information about the switch and port that it is connected to. This information is visible in the optional LLDP column of the Managed FortiAP list. To enable LLDP:

config wireless-controller wtp-profile
    edit <profile-name>
        set lldp enable
end


WTP groups (278462)

You can define FortiAP Groups. Each group can contain FortiAPs of a single platform (model). These groups can be used in VLAN-pooling to assign APs to particular VLANs. Create a FortiAP Group in the CLI like this:


config wireless-controller wtp-group
    edit 1
        set platform-type 320C
        config wtp-list
            edit FP320C3X14010828
            next
            edit FP320C3X14010830
        end
end


The platform-type field is optional. If it is left empty, the group can contain FortiAPs of any model.


VLAN pooling (278462)

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can

  • assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

WAN Optimization

Toggle Disk Usage for logging or wan-opt (290892)

Both logging and WAN Optimization use hard disk space to save data. For FortiOS 5.4 you cannot use the same hard disk for WAN Optimization and logging.

  • If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.
  • If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.

On the FortiGate, go to System > Advanced > Disk Settings to switch between Local Log and WAN Optimization.

You can also change disk usage from the CLI using the following command:

config system global
    set disk-usage {log | wanopt}
end



The Toggle Disk Usage feature is supported on all new “E” Series models, while support for “D” Series models may vary.

Please refer to the Feature Platform Matrix for more information.

Changing the disk setting formats the disk, erases current data stored on the disk and disables either disk logging or WAN Optimization.

You can configure WAN Optimization from the CLI or the GUI. To configure WAN Optimization from the GUI you must go to System > Feature Select and turn on WAN Optimization.

Remote logging (including logging to FortiAnalyzer and remote Syslog servers) is not affected by using the single local hard disk for WAN Optimization.