This article describes how to configure or edit Local-out Routing (the source IP used for self-originating traffic) from the GUI.
Applies to FortiOS 7.0 onwards.
By default, local-out traffic relies on routing table lookups to determine the egress interface used to initiate the connection.
For example, if the DNS server configured on the firewall is reachable through the DMZ interface, the FortiGate uses the DMZ interface's IP as the source IP of its DNS queries.
In FortiGate, it is possible to set the source IP that the FortiGate uses to communicate with the respective servers for the following configurations/services.
Logging:
# config log fortianalyzer override-setting
# config log fortianalyzer setting
# config log syslogd override-setting
# config log fortianalyzer-cloud setting
System:
# config system fortiguard
# config system email-server
# config system snmp user
# config system dns
Remote Auth:
# config user ldap
# config user radius
# config user tacacs+
To see an overview of which source IPs are configured, use the following CLI command:
# get sys source-ip status
Example:
The following services force their communication to use a specific source IP address:
service=NTP source-ip=10.40.16.20
service=DNS source-ip=172.31.128.20
service=Fortiguard source-ip=172.31.128.20
service=Alert Email source-ip=172.31.128.20
=======finished getting system source-ip status=======
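A practitioner who collects this output from many firewalls (for example over SSH from an automation host) usually wants to check it against an inventory rather than read it by eye. The following Python is an added example, not part of the original article or of FortiOS: it parses the `get system source-ip status` output shown above and reports, for each service, which interface subnet the configured source IP belongs to, so that a source IP that no longer matches any interface (a common leftover after an interface re-addressing) is flagged. The sample output and the interface/subnet inventory are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the "get system source-ip status" output quoted in the article.
SAMPLE_STATUS = """\
The following services force their communication to use a specific source IP address:
service=NTP source-ip=10.40.16.20
service=DNS source-ip=172.31.128.20
service=Fortiguard source-ip=172.31.128.20
service=Alert Email source-ip=172.31.128.20
=======finished getting system source-ip status=======
"""

# Constructed, assumed inventory of the firewall's interfaces and their subnets.
INTERFACES = {
    "port1": ["10.40.16.0/24"],
    "dmz": ["172.31.128.0/24"],
}

# Service names may contain spaces ("Alert Email"), so match lazily up to " source-ip=".
LINE_RE = re.compile(r"^service=(?P<service>.+?)\s+source-ip=(?P<ip>\S+)\s*$")


def parse_source_ip_status(text):
    """Return {service: source_ip} from the CLI output.

    Header and trailer lines do not match LINE_RE and are skipped.
    """
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("service")] = m.group("ip")
    return result


def audit_source_ips(status, interfaces):
    """Map each service to the interface whose subnet contains its source IP.

    A value of None means the source IP lies on no known interface, which is
    the case worth raising a ticket for: the FortiGate would still try to use
    that address, and the server on the far end may see traffic from an
    unexpected (or unroutable) source.
    """
    report = {}
    for service, ip in status.items():
        addr = ipaddress.ip_address(ip)
        report[service] = None
        for ifname, cidrs in interfaces.items():
            if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
                report[service] = ifname
                break
    return report


def find_mismatches(report, expected):
    """Return {service: (actual_interface, expected_interface)} for services whose
    source IP is not on the interface the design says it should be on."""
    return {
        svc: (report.get(svc), want)
        for svc, want in expected.items()
        if report.get(svc) != want
    }


if __name__ == "__main__":
    status = parse_source_ip_status(SAMPLE_STATUS)
    report = audit_source_ips(status, INTERFACES)
    for service, ifname in report.items():
        print(f"{service:12s} {status[service]:16s} -> {ifname or 'NO MATCHING INTERFACE'}")
    # Constructed expectation: DNS and FortiGuard should leave via the DMZ interface.
    print("mismatches:", find_mismatches(report, {"DNS": "dmz", "Fortiguard": "dmz"}))
```

The same parser can be pointed at output saved from several devices; anything reported as `NO MATCHING INTERFACE`, or any non-empty mismatch set, is a candidate for correcting the source IP in the GUI as described in the rest of this article.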
By default, Local Out Routing is not visible in the GUI. Go to System -> Feature Visibility to enable it. See Feature visibility for more information.
To configure local-out routing:
Go to Network -> Local Out Routing.
If a service is disabled, it is grayed out.
To enable it, select the service and select 'Enable Service'.
** LDAP and other remote-authentication services appear in the list only once they have been configured.
For the Outgoing interface, please select one of the following:
Auto - Select the outgoing interface automatically based on the routing table.
SD-WAN - Select the outgoing interface using the configured SD-WAN interfaces and rules.
Specify - Select the outgoing interface from the dropdown.
* Use Interface IP - Use the interface's primary IP; this address cannot be chosen by the user.
* Manually - Select an IP from the list when the selected interface has multiple IPs configured.
Some local out routing settings can only be configured using the CLI.
NTP:
# config system ntp
# config ntpserver
edit <id>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
end
DHCP Relay:
# config system interface
edit <interface>
set dhcp-relay-interface-select-method {auto | sdwan | specify}
set dhcp-relay-interface <interface>
next
end
Certificate:
# config vpn certificate setting
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
Netflow:
# config system {netflow | sflow | vdom-netflow | vdom-sflow}
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
** IPS, Ping, Traceroute, etc. are also only configurable from the CLI.
Useful links:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-CLI-command-to-check-the-use-of-source-ip-...
https://docs.fortinet.com/document/fortigate/7.0.0/fortios-release-notes/743723/new-features-or-enha...
Copyright 2024 Fortinet, Inc. All Rights Reserved.