Created on 05-24-2022 04:56 AM. Edited on 12-30-2024 01:08 AM. By Jean-Philippe_P
This article describes how to configure or edit the Local-out Routing for self-originating traffic using the GUI.
Applies to FortiGate 7.0.0 and later.
FortiGate relies on routing table lookups to determine the egress interface and source IP it uses to initiate connections for local-out (self-originating) traffic.
For example, if the configured DNS server is in the DMZ subnet, FortiGate will by default use the source IP of the DMZ interface for its DNS queries.
It is possible to use the GUI or the CLI to specify the source IP and interface FortiGate uses for its requests to several services. The CLI offers the most flexible options, but the GUI can be useful for review and for some editing.
By default, Local-Out Routing is not visible in the GUI. Go to System -> Feature Visibility to enable it. See Feature Visibility for more information.
Once visible, configure local-out routing:
Go to Network -> Local Out Routing.
If a service is disabled, it is grayed out.
To enable it, select the service and select 'Enable Service'.
** Local-out routing for LDAP and other features will only be visible after the feature is configured.
The outgoing interface has the following options:
Auto: Select the outgoing interface automatically based on the routing table.
SD-WAN: Select the outgoing interface using the configured SD-WAN interfaces and rules.
Specify: Select the outgoing interface from the dropdown.
* Use Interface IP - Use the primary IP, which cannot be configured by the user.
* Manually - Select an IP from the list if the selected interface has multiple IPs configured. If the desired source IP is assigned to a different interface, configure it using the CLI.
Use the following CLI command for an overview of which source-ip is configured per service:
get system source-ip status
Example:
The following services force their communication to use a specific source IP address:
service=NTP source-ip=10.40.16.20
service=DNS source-ip=172.31.128.20
service=Fortiguard source-ip=172.31.128.20
service=Alert Email source-ip=172.31.128.20
=======finished getting system source-ip status=======
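As an added example (not part of this article or any Fortinet tooling), a small Python audit that parses the output of 'get system source-ip status' shown above and flags services whose source-ip lies outside an approved egress subnet, as well as expected services that are not pinned at all and therefore still depend on the routing-table lookup. The embedded sample output repeats the article's example values; the 172.31.128.0/24 policy and the list of expected services are assumptions.

```python
import ipaddress
import re

# Constructed sample: the output format of 'get system source-ip status',
# using the example values quoted in the article.
SAMPLE_STATUS = """\
The following services force their communication to use a specific source IP address:
service=NTP source-ip=10.40.16.20
service=DNS source-ip=172.31.128.20
service=Fortiguard source-ip=172.31.128.20
service=Alert Email source-ip=172.31.128.20
=======finished getting system source-ip status=======
"""

# Service names may contain spaces ("Alert Email"), so match lazily up to ' source-ip='.
LINE_RE = re.compile(r"^service=(?P<service>.+?)\s+source-ip=(?P<ip>\S+)$")


def parse_source_ip_status(text):
    """Return {service: IPv4Address/IPv6Address} from the command output.
    The header and the '====' trailer are skipped; any other unexpected line raises."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("The following") or line.startswith("===="):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line: {line!r}")
        result[m.group("service")] = ipaddress.ip_address(m.group("ip"))
    return result


def audit_source_ips(status, allowed_networks, expected_services):
    """Return (out_of_policy, unpinned):
    - out_of_policy: pinned services whose source-ip is outside the allowed subnets
    - unpinned: expected services with no source-ip, so they still egress
      wherever the routing table sends them (e.g. the DMZ example above)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    out_of_policy = {svc: str(ip) for svc, ip in status.items()
                     if not any(ip in net for net in nets)}
    unpinned = sorted(set(expected_services) - set(status))
    return out_of_policy, unpinned


if __name__ == "__main__":
    parsed = parse_source_ip_status(SAMPLE_STATUS)
    # Assumed policy: local-out traffic should source from the management subnet.
    print(audit_source_ips(parsed, ["172.31.128.0/24"],
                           ["NTP", "DNS", "Fortiguard", "Alert Email", "Syslog"]))
```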
Local-out routing can also be configured in the CLI.
Logging:
config log fortianalyzer override-setting
config log fortianalyzer setting
config log syslogd override-setting
config log fortianalyzer-cloud setting
config log fortiguard setting
System:
config system fortiguard
config system email-server
config system snmp user
config system dns
config system fortisandbox
Note: the source-ip setting for the Security Fabric was added in v7.2.8/v7.4.4.
config system csf
Remote Auth:
config user ldap
config user radius
config user tacacs+
Some local-out routing settings can only be configured using the CLI.
NTP:
config system ntp
config ntpserver
edit <id>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
end
DHCP Relay:
config system interface
edit <interface>
set dhcp-relay-interface-select-method {auto | sdwan | specify}
set dhcp-relay-interface <interface>
next
end
Certificate:
config vpn certificate setting
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
Netflow:
config system {netflow | sflow | vdom-netflow | vdom-sflow}
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
** IPS, Ping, Traceroute, etc. are also configurable only from the CLI.
Related documents:
Technical Tip: CLI command to check the use of 'source-ip' setting in configuration
Local out traffic
Copyright 2025 Fortinet, Inc. All Rights Reserved.