Technical Tip: How to use a source IP for internal workings

Description

This article describes how to use a source IP for internal workings.

Scope

FortiGate.

Solution

In this scenario, it is assumed that FortiGate is behind a router/firewall that only allows traffic coming from a source IP address x.x.x.x.

Normally, an IPPool can be configured and added to IPv4 policies to SNAT all internal traffic; however, it cannot SNAT local traffic that is specific to the internal workings of FortiOS, like DNS, FortiGuard services, FortiManager connection IP, FortiAnalyzer logging, Syslog, alert email, SNMP, and authorization requests, because by default, FortiGate is using the IP address of the outgoing interface of the traffic.

A loopback interface can be created with the IP address x.x.x.x

config system interface
    edit "local-interface"
        set vdom "root"
        set ip x.x.x.x 255.255.255.255
        set type loopback
    next
end

Then, it can be added as a source-ip to the local service.
Examples:
FortiGuard system:

config sys fortiguard
    set source-ip x.x.x.x
end

DNS system:

config sys dns
    set source-ip x.x.x.x
end

Some setups might also require the traffic to have a different source IP (ex, LAN IP) but need to go out to a different outgoing interface (ex, WAN interface). The same configuration may apply by configuring the source IP of the service with the LAN IP address.