FortiGate
rmetzger
Staff
Article Id 192607
Description This article describes some scenarios where a loopback interface can be used.
Scope FortiGate.
Solution

The advantage of a loopback interface is that this logical interface is always up (no physical link dependency), and its attached subnets are therefore always present in the routing table.


It allows connections to the FortiGate's loopback IP address without depending on one specific physical port, so the address remains reachable through several physical or VLAN interfaces (redundancy).


Multiple loopback interfaces can be configured in either non-VDOM mode or in each VDOM.

 

Note:

Using loopback interfaces requires the configuration of appropriate firewall policies to allow traffic to and from those interfaces.

 

Some scenarios where a loopback interface can be used:

  • Management access
  • BGP (TCP) peering
  • PIM RP
  • Good practice for OSPF: setting the OSPF router ID the same as the loopback IP address makes it easier to troubleshoot OSPF and remember the management IP addresses (i.e. telnet to 'router ID').

 

Dynamic routing protocols can be enabled on loopback interfaces. To create a blackhole static route, use the blackhole route type rather than pointing the route at a loopback interface.

 

Configuration example:

 

config system interface
    edit "Loopback0"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.255
        set type loopback
        set allowaccess ping https ssh
        set status enable
    next
end

 

BGP peering and Management access scenario:


[Diagram rmetzger_FD31045_loopback.JPG: BGP peering and management access topology]

 

The loopback interface is seen from the routing table as a connected interface:

FGT1 # get router info routing-table all

[......]

C       10.0.0.2/32 is directly connected, loopback
[......]

 

  • FGT2 and FGT1 can establish an iBGP peering between their respective loopback interfaces via Port4 or Port5 (routing and firewall policies must permit this).
  • The management station needs only a single IP address for each of FGT1 and FGT2; that address can be reached through any interface and is routed by RTR2 (routing and firewall policies must permit this).
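The FGT1 side of the scenario above, written out as an added FortiOS CLI example (not configuration from the original article): the loopback seen in the routing-table output (10.0.0.2/32), an iBGP neighbor sourced from that loopback, the address objects and the firewall policies the note above requires so that BGP from FGT2's loopback and management traffic from the station can reach it, and a blackhole static route of the type recommended earlier. The FGT2 loopback address 10.0.0.1, AS number 65000, management station address 192.168.50.10, interface names port4/port5 and the blackhole prefix 10.99.0.0/16 are assumptions chosen for illustration.

```fortios
# Added example, not from the original article. Assumed values: FGT2 loopback
# 10.0.0.1, AS 65000, management station 192.168.50.10, blackhole prefix 10.99.0.0/16.

# Loopback on FGT1 (10.0.0.2/32, as in the routing-table output above)
config system interface
    edit "Loopback0"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type loopback
        set allowaccess ping https ssh
        set status enable
    next
end

# iBGP peering sourced from the loopback so the session survives a port4/port5 failure
config router bgp
    set as 65000
    set router-id 10.0.0.2
    config neighbor
        edit "10.0.0.1"
            set remote-as 65000
            set update-source "Loopback0"
        next
    end
end

# Address objects referenced by the policies below
config firewall address
    edit "FGT1_Loopback"
        set subnet 10.0.0.2 255.255.255.255
    next
    edit "FGT2_Loopback"
        set subnet 10.0.0.1 255.255.255.255
    next
    edit "Mgmt_Station"
        set subnet 192.168.50.10 255.255.255.255
    next
end

# Policies into the loopback: BGP only from the peer's loopback, management only from the station
config firewall policy
    edit 0
        set name "BGP-to-Loopback0"
        set srcintf "port4" "port5"
        set dstintf "Loopback0"
        set srcaddr "FGT2_Loopback"
        set dstaddr "FGT1_Loopback"
        set action accept
        set schedule "always"
        set service "BGP"
        set logtraffic all
    next
    edit 0
        set name "Mgmt-to-Loopback0"
        set srcintf "port4" "port5"
        set dstintf "Loopback0"
        set srcaddr "Mgmt_Station"
        set dstaddr "FGT1_Loopback"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
        set logtraffic all
    next
end

# Blackhole route: use the blackhole route type, not a static route pointing at the loopback
config router static
    edit 0
        set dst 10.99.0.0 255.255.0.0
        set blackhole enable
    next
end
```

FGT2 gets the mirror image with the loopback addresses swapped. Both policies deliberately list only the peer loopback and the management host as sources, so the always-up loopback does not become a reachable management surface for the whole network; `set logtraffic all` keeps a record of every accepted session for later review. FGT1 also needs a route to 10.0.0.1 (static or learned) via port4 or port5 before the BGP TCP session can come up, which is why the text says routing as well as firewall policies must permit it.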

Configuring a loopback interface on FortiGate provides a flexible and reliable way to manage routing, VPNs, and administrative tasks. It is especially useful in complex network designs for better redundancy and stability.


See more details about BGP peering with a loopback interface in the related article at the end of this page.

 

Related articles:

Technical Note: Configuring BGP on a FortiGate with single-homed eBGP peering, iBGP peering, access-...

Technical Tip: How to control/change the FortiGate source IP for self-originating traffic : SNMP , ....