Skip to main content
pradeepb
Staff
pradeepb
Staff
May 28, 2010

Technical Tip: How to control/change the FortiGate source IP for self-originating traffic: SNMP, Syslog, FortiAnalyzer, Alert Email, FortiManager

  • May 28, 2010
  • 0 replies
  • 62293 views
Description This article describes how to change the source interface IP that the FortiGate will use when sending TCP/UDP packets to the following log, trap, or alarm receivers.
Scope FortiOS v6.0 and above.
Solution

By default, the source IP is the one from the FortiGate egress interface. This feature allows, for example, specifying a loopback address as the source IP:

  • SNMP.
  • Syslog.
  • FortiAnalyzer.
  • Alert Email.
  • FortiManager.

 

This feature is available only in the CLI.


The following CLI commands show some examples :

 

config system snmp community
    edit 1
        config hosts
            edit 1
                set ip 10.160.0.171
                set source-ip 10.160.10.1    <----- Source IP to use.
            next
        end
        set name "community_name"
    next
end

For SNMP v3:

config system snmp user
    edit <user>
        set source-ip  10.160.10.1
    next 
end    

config system central-management
    set fmg-source-ip 172.16.122.154
end

config log syslogd setting
    set status enable
    set server "10.160.0.171"
    set source-ip 10.160.10.1
end

config system alertemail
    set source-ip 10.160.10.1
end

 

A sniffer trace allows to verify the source IP of the packets sent:


FGT# diagnose sniffer packet  any " port 162" 4

4.030647 internal out 10.160.10.1.162 -> 10.160.0.171.162: udp 112
4.031243 internal out 10.160.10.1.162 -> 10.160.0.171.162: udp 137 

 

From v7.0.0 and later, local out routing can be modified in the GUI as well:

 

local out routing.gif

 

CLI:

 

config system global
    set gui-local-out enable <--- Displays the feature in the GUI.
end

Note:
The 'source-ip' setting will be removed on certain management services when enabling 'ha-direct' under HA settings.
The following warning message will appear in the CLI upon completing 'ha-direct' configuration.


ha-direct is enabled, so source-ip settings are not used in certain management services (e.g., remote logging, netflow and sflow).
We recommend to unset all these source-ip.
Do you want to unset them now? (y/n)y

 

Related articles:

Technical Tip : Configuring and using a loopback interface on a FortiGate

Technical Tip: How a FortiManager can manage a FortiGate via Redundant WAN interfaces

Technical Tip: Configure and edit the Local-out Routing (Source-IP) using GUI for self-originating traffic
    Terms & ConditionsAccessibility statement