This article provides the details on how to configure or edit Local-out Routing (source IP) for self-originating traffic using the GUI.
Scope: FortiGate v7 and onwards.
By default, local out traffic relies on routing table lookups to determine the egress interface that is used to initiate the connection.
For example, if the DNS server configured on the firewall is reachable through the DMZ interface, the FortiGate uses the IP of the DMZ interface as the source IP of its DNS queries.
In FortiGate, it is possible to set the 'source-IP' that the FortiGate uses to communicate with the respective servers for the following configurations/services.
Logging:
config log FortiAnalyzer Override Settings
config log FortiAnalyzer Setting
config log Syslogd Override Settings
config log FortiAnalyzer Cloud Setting
System:
config system fortiguard
config system email-server
config system snmp user
config system dns
config system csf
Note:
The source-ip setting for the Security Fabric is available from v7.2.8/v7.4.4.
Remote Auth:
config user LDAP
config user RADIUS
config user TACACS
To see an overview of which source-ip is configured for each service, use the following CLI command:
get sys source-ip status
Example:
The following services force their communication to use a specific source IP address:
service=NTP source-ip=10.40.16.20
service=DNS source-ip=172.31.128.20
service=Fortiguard source-ip=172.31.128.20
service=Alert Email source-ip=172.31.128.20
=======finished getting system source-ip status=======
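As an added example (not part of the Fortinet article), the following Python script parses output shaped like the 'get sys source-ip status' listing above and audits it against an expected management source IP, flagging services pinned to a different address and services that are not pinned at all. The expected IP, the list of required services and the 'Syslog' service name are assumptions chosen for the example.

```python
"""Audit FortiGate 'get sys source-ip status' output against a source-IP policy.
Added example; not Fortinet's code. The sample output below is constructed
to match the format shown in the article."""
import re
from typing import Dict, List, Set

# Constructed sample, shaped like the command output in the article.
SAMPLE_OUTPUT = """\
The following services force their communication to use a specific source IP address:
service=NTP source-ip=10.40.16.20
service=DNS source-ip=172.31.128.20
service=Fortiguard source-ip=172.31.128.20
service=Alert Email source-ip=172.31.128.20
=======finished getting system source-ip status=======
"""

# Hypothetical policy: management-plane services should all originate from
# this address. 'Syslog' is an assumed service name for the example.
EXPECTED_SOURCE_IP = "172.31.128.20"
REQUIRED_SERVICES: Set[str] = {"NTP", "DNS", "Fortiguard", "Alert Email", "Syslog"}

# Service names may contain spaces ("Alert Email"), so match lazily up to
# the ' source-ip=' token.
LINE_RE = re.compile(r"^service=(?P<service>.+?)\s+source-ip=(?P<ip>\S+)\s*$")


def parse_source_ip_status(text: str) -> Dict[str, str]:
    """Return {service: source-ip}; the banner and trailer lines are ignored."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            result[match.group("service")] = match.group("ip")
    return result


def audit(status: Dict[str, str], expected_ip: str, required: Set[str]) -> List[str]:
    """List services pinned to an unexpected source-ip, then required services
    with no source-ip at all (those fall back to routing-table lookups)."""
    findings: List[str] = []
    for service, ip in sorted(status.items()):
        if ip != expected_ip:
            findings.append(f"{service}: source-ip {ip} != expected {expected_ip}")
    for service in sorted(required - status.keys()):
        findings.append(f"{service}: no source-ip set (egress chosen by routing table)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_source_ip_status(SAMPLE_OUTPUT), EXPECTED_SOURCE_IP, REQUIRED_SERVICES):
        print(finding)
```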
By default, Local Out Routing is not visible in the GUI. Go to System -> Feature Visibility to enable it. See Feature visibility for more information.
To configure local-out routing:
Go to Network -> Local Out Routing.
If a service is disabled, it is grayed out.
To enable it, select the service and select 'Enable Service'.
** LDAP and other features are visible here only once they have been configured.
For the Outgoing interface, please select one of the following:
Auto: Select the outgoing interface automatically based on the routing table.
SD-WAN: Select the outgoing interface using the configured SD-WAN interfaces and rules.
Specify: Select the outgoing interface from the dropdown.
* Use Interface IP - Use the primary IP, which cannot be configured by the user.
* Manually - Select an IP from the list if the selected interface has multiple IPs configured.
Some local out routing settings can only be configured using the CLI.
NTP:
config system ntp
    config ntpserver
        edit <id>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end
DHCP Relay:
config system interface
    edit <interface>
        set dhcp-relay-interface-select-method {auto | sdwan | specify}
        set dhcp-relay-interface <interface>
    next
end
Certificate:
config vpn certificate setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
Netflow:
config system {netflow | sflow | vdom-netflow | vdom-sflow}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end
** IPS, Ping, Traceroute, etc. are also only configurable from the CLI.
Related documents:
Technical Tip: CLI command to check the use of 'source-ip' setting in configuration
Copyright 2024 Fortinet, Inc. All Rights Reserved.