Babitha_M, Staff
Article Id 271952
Description: This article describes how to use a source IP for local-out traffic in a static route.
Scope: FortiGate v7.4.0 and above.
Solution

Preferred Source is a new feature for local-out routing introduced in FortiOS v7.4.0. See the new feature announcement 'New Feature: Allow better control over the source IP used by each egress interface for local out tra...'.

In v7.4 and later, it is possible to add the preferred-source IP in the static route, SD-WAN rule, or router route-map.


Static Route:

config router static
    edit <id>
        set preferred-source <ip_address>
    next
end


SD-WAN:

config system sdwan
    config members
        edit <id>
            set preferred-source <ip_address>
        next
    end
end


BGP:

config router route-map
    edit <name>
        config rule
            edit <id>
                set set-ip-prefsrc <ip_address>
            next
        end
    next
end


Note:

The BGP route-map should be applied to the neighbor as 'route-map-in'.


If a preferred-source is applied, this information is shown in the routing-table details:

get router info routing-table details 10.254.99.1

Routing table for VRF=0
Routing entry for 10.254.99.0/24
  Known via "static", distance 10, metric 0, best
  * vrf 0 10.255.2.2, via port1, prefsrc 10.127.100.1


IP Address must be a local IP address:

Unlike the per-feature 'source-ip' settings, FortiOS does not enforce that preferred-source matches a 'local' IP address. However, if the preferred-source address does not match an address configured on an existing device interface, reply traffic to that address is dropped.

This can be resolved by configuring one of the following:

  • a new loopback interface with the same IP address.
  • a matching secondary IP on an existing interface.
  • an IP pool with arp-reply enabled.


In the following examples, preferred-source is already configured on a static route, but further configuration is needed so that reply traffic is received correctly.

config router static
    edit <index>
        set dst 10.254.99.0 255.255.255.0
        set gateway 10.255.2.2
        set preferred-source 10.127.100.1
        set device "port1"
    next
end

Loopback:

config system interface
    edit "new loopback"
        set vdom "root"
        set ip 10.127.100.1 255.255.255.255
        set type loopback
        set role undefined
    next
end


Secondary IP:

config system interface
    edit "port1"
        set secondary-IP enable
        config secondaryip
            edit <index>
                set ip 10.127.100.1 255.255.255.255
            next
        end
    next
end


IP Pool:

config firewall ippool
    edit "new IP pool"
        set startip 10.127.100.1
        set endip 10.127.100.1
        set arp-reply enable    <-- enabled by default.
    next
end

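The check above (is every prefsrc an address the unit actually owns?) can be automated against the CLI output. The following Python script is an added example, not part of this article or of FortiOS: it parses constructed 'get router info routing-table details' output, builds a constructed inventory of local addresses (interface IPs plus IP-pool ranges with arp-reply enabled) and reports any route whose prefsrc would have its reply traffic dropped.

```python
import re
from ipaddress import ip_address

# Constructed sample output of 'get router info routing-table details' with three entries:
# a prefsrc that is locally owned, one that is not, and a route without prefsrc.
ROUTE_DETAILS = """Routing table for VRF=0
Routing entry for 10.254.99.0/24
  Known via "static", distance 10, metric 0, best
  * vrf 0 10.255.2.2, via port1, prefsrc 10.127.100.1
Routing entry for 10.254.98.0/24
  Known via "static", distance 10, metric 0, best
  * vrf 0 10.255.2.2, via port1, prefsrc 10.127.100.9
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * vrf 0 10.5.31.254, via port1
"""

ENTRY_RE = re.compile(r'Routing entry for (\S+)')
# Next-hop line; the prefsrc part is only present when preferred-source is configured.
HOP_RE = re.compile(r'vrf \d+ ([^,\s]+), via ([^,\s]+)(?:, prefsrc ([^,\s]+))?')

def parse_routes(text):
    """Return (prefix, gateway, device, prefsrc-or-None) for each entry in the output."""
    routes, prefix = [], None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            prefix = m.group(1)
            continue
        m = HOP_RE.search(line)
        if m and prefix:
            routes.append((prefix,) + m.groups())
    return routes

def expand_pool(startip, endip):
    """Addresses of an IP pool with arp-reply enabled: the unit answers ARP for all of them."""
    first, last = int(ip_address(startip)), int(ip_address(endip))
    return {ip_address(i) for i in range(first, last + 1)}

# Constructed local address inventory: port1 primary IP plus the single-address IP pool above.
LOCAL_IPS = {ip_address('10.5.31.200')} | expand_pool('10.127.100.1', '10.127.100.1')

def audit_prefsrc(routes, local_ips):
    """Flag routes whose prefsrc no interface, secondary IP or pool owns (replies are dropped)."""
    return [f"{prefix} via {dev}: prefsrc {prefsrc} is not a local address"
            for prefix, _gw, dev, prefsrc in routes
            if prefsrc is not None and ip_address(prefsrc) not in local_ips]

if __name__ == '__main__':
    for finding in audit_prefsrc(parse_routes(ROUTE_DETAILS), LOCAL_IPS):
        print(finding)
```

On a real unit, replace ROUTE_DETAILS with the captured CLI output and build LOCAL_IPS from 'config system interface' (including secondaryip entries) and 'config firewall ippool'.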

Note:

To configure a custom source IP address for SD-WAN health check probes, use 'set source X.X.X.X' in the SD-WAN member instead of preferred-source. See the article 'How to configure source IP for Secure SD-WAN Performance SLA'.

To configure a custom source IP address for a non-SD-WAN link monitor, use 'set source-ip X.X.X.X' in 'config system link-monitor' instead of preferred-source. See the article 'Technical Tip: Link-Monitor Explained'.


Where configured, 'source-ip' takes precedence over 'preferred-source':

Once configured, the new preferred-source address takes effect for any local-out management traffic using that route, unless source-ip is specified elsewhere.

For example, when a source IP address is specified in 'config system dns', the FortiGate continues to use that address as the source address for DNS lookups.


config system dns
    set primary 96.45.46.46
    set source-ip 10.133.200.4
end


config router static
    edit 1
        set gateway 10.5.31.254
        set preferred-source 10.133.200.1
        set device "port1"
    next
end


The device's DNS lookups to 96.45.46.46 continue to use the source-ip specified in 'config system dns':

FGT-A # diagnose sniffer packet any 'port 53 and host (10.133.200.1 or 10.133.200.4)' 4 2 l
interfaces=[any]
filters=[port 53 and host (10.133.200.1 or 10.133.200.4)]
2024-11-04 17:16:02.942575 port1 out 10.133.200.4.1898 -> 96.45.46.46.53: udp 46
2024-11-04 17:16:05.112552 port1 out 10.133.200.4.1898 -> 96.45.46.46.53: udp 42


Other local-out traffic from port1 uses the preferred-source address configured in the matching static route unless source-ip is otherwise specified.

For example, a manual ping of remote address 1.2.3.4 from the FortiGate CLI uses source address 10.133.200.1 by default:


FGT61F-A # diagnose sniffer packet any 'proto 1 and host 1.2.3.4' 4 2 l
interfaces=[any]
filters=[proto 1 and host 1.2.3.4]
2024-11-04 17:23:33.617169 port1 out 10.133.200.1 -> 1.2.3.4: icmp: echo request
2024-11-04 17:23:34.622553 port1 out 10.133.200.1 -> 1.2.3.4: icmp: echo request


Preferred-source affects many different kinds of local-out traffic, including the following:

  • FortiGuard web rating.
  • FortiGuard update.
  • FortiGate Cloud management tunnel.
  • FortiGate DNS lookup.
  • remote RADIUS and LDAP servers.
  • BGP peering traffic.

It is strongly recommended to verify that the FortiGate still has the intended routing for this traffic after configuring preferred-source.


A note on IPsec tunnels:

IPsec tunnel negotiation and ESP traffic do not use preferred-source. They use the configured local-gw, if any, or the primary IP address of the parent interface if local-gw is not specified.

config vpn ipsec phase1-interface
    edit "example tunnel"
        set interface "port1"
        set local-gw 10.5.31.200
        set peertype any
        set remote-gw 1.2.3.4
    next
end

FGT61F-A # diagnose sniffer packet any 'port 500 and host 1.2.3.4' 4 2 l
interfaces=[any]
filters=[port 500 and host 1.2.3.4]
2024-11-04 17:44:57.692541 port1 out 10.5.31.200.500 -> 1.2.3.4.500: udp 572
2024-11-04 17:45:09.712549 port1 out 10.5.31.200.500 -> 1.2.3.4.500: udp 572
In v7.2 or below, there is no preferred-source feature for static routes, SD-WAN, or BGP routes. If a custom source IP is required, configure it directly on the firewall function (its own 'source-ip' setting), or upgrade to a v7.4 or later release.