Description: This article describes how to use a source IP for local-out traffic in a static route.
Scope: FortiGate v7.4.0 and above.
Solution:
Preferred Source is a new feature for local-out routing introduced in FortiOS v7.4.0. See the new feature announcement 'New Feature: Allow better control over the source IP used by each egress interface for local out tra...'.
In v7.4 and later, it is possible to add the preferred-source IP in the static route, SD-WAN rule, or router route-map.
Static route:
config router static
    edit <id>
        set preferred-source <ip_address>
    next
end
SD-WAN:
config system sdwan
    config members
        edit <id>
            set preferred-source <ip_address>
        next
    end
end
BGP:
config router route-map
    edit <name>
        config rule
            edit <id>
                set set-ip-prefsrc <ip_address>
            next
        end
    next
end
Note: The BGP route-map should be applied to the neighbor as 'route-map-in'.
If a preferred-source is applied, this information will show in the routing-table details:
get router info routing-table details 10.254.99.1
Routing table for VRF=0
IP Address must be a local IP address:
Unlike the source-ip setting in feature configuration, FortiOS does not enforce the requirement that preferred-source must match a 'local' IP address. However, if the preferred-source address does not match one configured on an existing device interface, reply traffic will be dropped.
This can be resolved by configuring one of the following so that the FortiGate owns the address: a loopback interface, a secondary IP on the egress interface, or an IP pool with ARP reply enabled.
In the following examples, preferred-source was already configured on a static route but further configuration is needed to allow reply traffic to be received correctly.
config router static
    edit <index>
        set dst 10.254.99.0 255.255.255.0
        set gateway 10.255.2.2
        set preferred-source 10.127.100.1
        set device "port1"
    next
end
Loopback interface:
config system interface
    edit "new loopback"
        set vdom "root"
        set ip 10.127.100.1 255.255.255.255
        set type loopback
        set role undefined
    next
end
Secondary IP:
config system interface
    edit "port1"
        set secondary-IP enable
        config secondaryip
            edit <index>
                set ip 10.127.100.1 255.255.255.255
            next
        end
    next
end
IP Pool:
config firewall ippool
    edit "new IP pool"
        set startip 10.127.100.1
        set endip 10.127.100.1
        set arp-reply enable    <-- enabled by default.
    next
end
Note: To configure a custom source IP address for SD-WAN health check probes, use 'set source X.X.X.X' in the SD-WAN member instead of preferred-source. See the article 'How to configure source IP for Secure SD-WAN Performance SLA'.
To configure a custom source IP address for a non-SD-WAN link monitor, use 'set source-ip X.X.X.X' in 'config system link-monitor' instead of preferred-source. See the article 'Technical Tip: Link-Monitor Explained'.
Where configured, 'source-ip' takes precedence over 'preferred-source'. Once preferred-source is configured, it takes effect for any local-out management traffic using that route, unless source-ip is specified elsewhere.
For example, when a source IP address is specified in 'config system dns', FortiGate will continue to use the specified IP address as the source address for DNS lookups.
config system dns
    set primary 96.45.46.46
    set source-ip 10.133.200.4
end
config router static
    edit 1
        set gateway 10.5.31.254
        set preferred-source 10.133.200.1
        set device "port1"
    next
end
The device's DNS lookups to 96.45.46.46 continue to use the source-ip specified in 'config system dns'.
interfaces=[any]
filters=[port 53 and host (10.133.200.1 or 10.133.200.4)]
2024-11-04 17:16:02.942575 port1 out 10.133.200.4.1898 -> 96.45.46.46.53: udp 46
2024-11-04 17:16:05.112552 port1 out 10.133.200.4.1898 -> 96.45.46.46.53: udp 42
Other local-out traffic from port1 will use the preferred-source address configured in the matching static route unless source-ip is otherwise specified.
For example, manual ping of remote address 1.2.3.4 from FortiGate CLI will use source address 10.133.200.1 by default.
FGT61F-A # diagnose sniffer packet any 'proto 1 and host 1.2.3.4' 4 2 l
Preferred-source affects many different kinds of local-out traffic, including the following:
It is strongly recommended to verify FortiGate still has intended routing after configuring preferred-source.
IPsec tunnel negotiation and ESP traffic do not use preferred-source. They use the configured local-gw if any, or the primary IP address of the parent interface if local-gw is not specified.
config vpn ipsec phase1-interface
    edit "example tunnel"
        set interface "port1"
    next
end
FGT61F-A # diagnose sniffer packet any 'port 500 and host 1.2.3.4' 4 2 l
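The two checks a practitioner most wants after reading the sections above are (1) whether every preferred-source is an address the FortiGate actually owns, since reply traffic is otherwise dropped, and (2) which source a given kind of local-out traffic will really use once the source-ip precedence and the IPsec exception are taken into account. The following added example, which is not code from the Fortinet article, does both over a FortiOS-style CLI snippet. The configuration is constructed for the example from the values used on this page; port1's primary IP (10.5.31.1) is an assumption, and the parser only understands the config/edit/set/next/end layout the page shows.

```python
# Added example, not from the Fortinet article: flags a static-route
# preferred-source the FortiGate does not own (reply traffic would be dropped)
# and derives the effective local-out source per the article's precedence.
# Constructed config; port1's primary IP is an assumption, not from the page.
import ipaddress

SAMPLE_CONFIG = """
config system interface
  edit "port1"
    set ip 10.5.31.1 255.255.255.0
    set secondary-IP enable
    config secondaryip
      edit 1
        set ip 10.133.200.1 255.255.255.255
      next
    end
  next
end
config system dns
  set source-ip 10.133.200.4
end
config router static
  edit 1
    set preferred-source 10.133.200.1
    set device "port1"
  next
  edit 2
    set dst 10.254.99.0 255.255.255.0
    set preferred-source 10.127.100.1
    set device "port1"
  next
end
"""
LOOPBACK_FIX = """
config system interface
  edit "new loopback"
    set ip 10.127.100.1 255.255.255.255
    set type loopback
  next
end
"""

def parse_fortios(text):
    """Flatten CLI text into {path tuple: {setting: value}}."""
    tree, path = {}, []
    for line in text.splitlines():
        cmd, _, rest = line.strip().partition(" ")
        if cmd in ("config", "edit"):  # an edit name is one path element, even with spaces
            path.append(tuple(rest.split()) if cmd == "config" else (rest.strip('"'),))
        elif cmd == "set":
            key, _, value = rest.partition(" ")
            tree.setdefault(tuple(w for p in path for w in p), {})[key] = value.strip('"')
        elif cmd in ("next", "end"):
            path.pop()
    return tree

def is_local(tree, addr):
    # True if addr is a primary or secondary IP of any interface (loopbacks included)
    return any(p[:2] == ("system", "interface") and s.get("ip", "").split()[:1] == [addr]
               for p, s in tree.items())

def check_preferred_sources(tree):
    """{route id: (preferred-source, owned?)}; False means reply traffic is dropped."""
    return {p[2]: (s["preferred-source"], is_local(tree, s["preferred-source"]))
            for p, s in tree.items()
            if p[:2] == ("router", "static") and len(p) == 3 and "preferred-source" in s}

def matching_route(tree, dst):
    """Longest-prefix match over static routes; a route without dst is the default."""
    d, best = ipaddress.ip_address(dst), None
    for p, s in tree.items():
        if p[:2] != ("router", "static") or len(p) != 3:
            continue
        net = ipaddress.ip_network(s.get("dst", "0.0.0.0 0.0.0.0").replace(" ", "/"), strict=False)
        if d in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (s, net)
    return best[0] if best else None

def effective_source(tree, dst, kind):
    """Source IP for local-out traffic of kind 'dns', 'ping' or 'ipsec' towards dst:
    a feature-level source-ip wins; IPsec ignores preferred-source; otherwise the
    matching route's preferred-source, falling back to the interface primary IP."""
    route = matching_route(tree, dst)
    if route is None:
        return None
    parts = tree.get(("system", "interface", route.get("device")), {}).get("ip", "").split()
    primary = parts[0] if parts else None
    if kind == "dns" and tree.get(("system", "dns"), {}).get("source-ip"):
        return tree[("system", "dns")]["source-ip"]
    if kind == "ipsec":  # local-gw if configured, else the parent interface's primary IP
        tun = next((s for p, s in tree.items() if p[:3] == ("vpn", "ipsec", "phase1-interface")
                    and s.get("interface") == route.get("device")), {})
        return tun.get("local-gw", primary)
    return route.get("preferred-source", primary)

if __name__ == "__main__":
    print(check_preferred_sources(parse_fortios(SAMPLE_CONFIG)))  # route 2 not owned
    cfg = parse_fortios(SAMPLE_CONFIG + LOOPBACK_FIX)  # loopback added: route 2 now owned
    print(check_preferred_sources(cfg), [effective_source(cfg, "1.2.3.4", k) for k in ("dns", "ping", "ipsec")])
```

Running it against SAMPLE_CONFIG alone flags route 2, whose preferred-source 10.127.100.1 matches no interface; appending LOOPBACK_FIX (the loopback method from above) clears the flag. For traffic to 1.2.3.4 the DNS lookup keeps the source-ip from 'config system dns', a CLI ping uses the default route's preferred-source, and IPsec falls back to port1's primary address.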
In v7.2 or below, there is no preferred-source feature for static routes, SD-WAN, or BGP routes. If a custom source IP is required, configure it directly on the firewall function, or upgrade to a v7.4 or later release.
Copyright 2025 Fortinet, Inc. All Rights Reserved.