FortiGate
sagha
Staff
Article Id 195504

Description

This article describes how to configure a specific source IP address for FortiGate's connections to FortiGate Cloud.

Scope

FortiGate, FortiGate Cloud.

Solution

By default, FortiGate uses the outgoing interface address as the source IP address to connect to FortiGate Cloud. Confirm the IP address in use with the following steps:

  1. Ping 'logctrl1.fortinet.com' to collect the IP address. Only the resolved address is needed here: in the example below the ping receives no replies, but the name still resolves to 173.243.132.23:

FGT61F-B # execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com.geo.fortinet.net (173.243.132.23) 56 data bytes

--- logctrl1.fortinet.com.geo.fortinet.net ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

FGT61F-B #

If the ping shows 'Unable to resolve hostname', the FortiGate DNS lookup failed. See the article 'FortiGate Troubleshooting DNS commands' for troubleshooting in this case.

FGT61F-B # execute ping logctrl1.fortinet.com
Unable to resolve hostname.

FGT61F-B #

  2. In a separate window, run a sniffer on FortiGate against the resolved IP address from step 1:

FGT61F-B # diagnose sniffer packet any 'host 173.243.132.23 and port 443' 4 0 a

  3. Attempt to telnet to the resolved IP address from step 1 using TCP port 443:

FGT61F-B # execute telnet 173.243.132.23 443
Trying 173.243.132.23...
Timeout!
Failed to connect to specified unit. 
Console line is in use. Clear it before next try.

FGT61F-B #

Telnet may instead show 'Connected' if the server responds.

FGT61F-B # execute telnet 173.243.132.23 443
Trying 173.243.132.23...
Connected to 173.243.132.23.

Regardless of whether the server responds, the sniffer output shows the source address FortiGate used: the address before '->' on each outbound line, 10.255.1.1 in the example below.

FGT61F-B # diagnose sniffer packet any 'host 173.243.132.23 and port 443' 4 0 a
interfaces=[any]
filters=[host 173.243.132.23 and port 443]
2024-11-14 16:52:56.033419 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:52:57.028975 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:52:59.028986 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:53:03.038978 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:53:11.048979 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
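The sniffer lines above are the evidence that step 3 produces, so it helps to read them mechanically. The following Python script is an added example, not part of the article or of FortiOS: it parses verbose-4 'diagnose sniffer packet' lines like those above, counts which (interface, source IP) pairs the outbound SYNs to the resolved FortiGate Cloud address left with, checks them against the source IP an administrator expects, and distinguishes the 'Timeout!' case (only unanswered SYNs) from the 'Connected' case (an inbound reply). The sample output is constructed from the article's lines; the SYN/ACK reply line and its sequence numbers are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two header lines that 'diagnose sniffer packet ... 4 0 a'
# prints first, followed by verbose-level-4 packet lines as shown in the article.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 173.243.132.23 and port 443]
2024-11-14 16:52:56.033419 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:52:57.028975 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:52:59.028986 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
"""

# Constructed variant of the 'Connected' case: one inbound SYN/ACK reply appended
# (hypothetical sequence numbers, not captured from a real device).
SAMPLE_CONNECTED_OUTPUT = SAMPLE_SNIFFER_OUTPUT + (
    "2024-11-14 16:52:56.120000 DC_TUNNEL in 173.243.132.23.443 -> 10.255.1.1.21936: "
    "syn 3146549016 ack 1758258564\n"
)

# One verbose-4 packet line: timestamp, interface, direction, src.port -> dst.port: flags ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<flags>.*)$"
)


@dataclass(frozen=True)
class Packet:
    timestamp: str
    interface: str
    direction: str   # 'in' or 'out' relative to the FortiGate
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # e.g. 'syn 1758258563' or 'syn 3146549016 ack 1758258564'


def parse_sniffer(text):
    """Parse verbose-4 sniffer output; header, prompt and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["iface"], m["dir"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["flags"]))
    return packets


def outbound_sources(packets, dst, dport=443):
    """Count (interface, source IP) pairs on outbound packets to dst:dport."""
    counts = Counter()
    for p in packets:
        if p.direction == "out" and p.dst == dst and p.dport == dport:
            counts[(p.interface, p.src)] += 1
    return counts


def source_ip_matches(packets, dst, expected_src, dport=443):
    """True when every outbound packet to dst:dport left with expected_src as its source."""
    observed = {src for (_iface, src) in outbound_sources(packets, dst, dport)}
    return bool(observed) and observed == {expected_src}


def server_replied(packets, dst, dport=443):
    """True if any inbound packet from dst:dport was seen (the telnet 'Connected' case);
    False when only unanswered SYNs appear (the 'Timeout!' case)."""
    return any(p.direction == "in" and p.src == dst and p.sport == dport for p in packets)


if __name__ == "__main__":
    for label, text in (("timeout", SAMPLE_SNIFFER_OUTPUT), ("connected", SAMPLE_CONNECTED_OUTPUT)):
        pkts = parse_sniffer(text)
        print(label, dict(outbound_sources(pkts, "173.243.132.23")),
              "server replied:", server_replied(pkts, "173.243.132.23"))
```

Paste the text captured from the CLI session into parse_sniffer; if source_ip_matches returns False after a source-ip change, the counter from outbound_sources shows which interface and address the SYNs actually left with.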


Update source IP address (FortiGate Cloud Activation and Remote Logging):

To use a different source IP address for FortiGate Cloud activation and remote logging, set it under 'config log fortiguard setting' in the CLI. This is often required when FortiGate reaches FortiGate Cloud through an IPsec tunnel and the outgoing tunnel interface has no IP address.

config log fortiguard setting
    set source-ip x.x.x.x       <- Replace x.x.x.x with the desired source IP.
end

Note:

Updating 'config log fortiguard setting' affects FortiGate Cloud activation, logging to FortiGate Cloud, and retrieving the logs to view on FortiGate. Updating the source-ip here does not affect the source IP of the management tunnel to FortiGate Cloud.

Update source IP address (FortiGate Cloud management tunnel):

FortiGate Cloud central management uses the source-ip configured in 'config system fortiguard'. The central management tunnel requires FortiGate Cloud activation.

config system fortiguard
    set source-ip y.y.y.y      <- Replace y.y.y.y with the desired source IP.
end

config system central-management
    set type fortiguard
end

Check the result of the FortiGate Cloud contract-controller update with:

diagnose fdsm contract-controller-update
Protocol=2.1|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:<FortiGateCloudPortal>*AlterServer:<FortiGateCloudPortal>*AccountType:regular*Contract:20250314*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:<Cluster unique ID assigned by FortiGate Cloud>

Result=Success

FGT61F-B #
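After changing the source IP, the 'diagnose fdsm contract-controller-update' output above is what confirms the contract update succeeded. As an added example (not from the article or from FortiOS), the Python below parses that '|'-separated key=value output, unpacks the '*'-separated ResponseItem field into a dictionary, and reports whether the result matches the successful response shown (Response=202 and Result=Success). Treating any other Response code as a failure is an assumption of this example; the sample text is the article's output with its placeholders.

```python
# Constructed sample reproducing the article's 'diagnose fdsm contract-controller-update'
# output (serial number and server names are the article's own placeholders).
SAMPLE_FDSM_OUTPUT = """\
Protocol=2.1|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:<FortiGateCloudPortal>*AlterServer:<FortiGateCloudPortal>*AccountType:regular*Contract:20250314*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:<Cluster unique ID assigned by FortiGate Cloud>

Result=Success
"""


def parse_fdsm_output(text):
    """Turn the '|'-separated key=value output into a dict. ResponseItem, itself a
    '*'-separated list of key:value pairs, becomes a nested dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:          # prompt, command echo and blank lines
            continue
        for part in line.split("|"):
            key, sep, value = part.partition("=")
            if sep:
                fields[key] = value
    items = {}
    for item in fields.get("ResponseItem", "").split("*"):
        key, sep, value = item.partition(":")   # first ':' only; values may contain more
        if sep:
            items[key] = value
    fields["ResponseItem"] = items
    return fields


def activation_ok(fields):
    """Success as in the article's sample: Response=202 and Result=Success.
    Assumption: any other Response code is reported as a failed contract update."""
    return fields.get("Response") == "202" and fields.get("Result") == "Success"


def contract_summary(fields):
    """The fields an administrator checks after changing the source IP."""
    item = fields["ResponseItem"]
    next_request = item.get("NextRequest", "")
    return {
        "ok": activation_ok(fields),
        "account_type": item.get("AccountType"),
        "contract": item.get("Contract"),
        "management_mode": item.get("ManagementMode"),
        "next_request_s": int(next_request) if next_request.isdigit() else None,
    }


if __name__ == "__main__":
    print(contract_summary(parse_fdsm_output(SAMPLE_FDSM_OUTPUT)))
```

The parser skips the prompt and the echoed command, so the whole CLI session can be pasted in unchanged; contract_summary exposes the contract date and management mode alongside the pass/fail result.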

 

Update source IP Address (Preferred-source):

In v7.4 and later, preferred-source can be used to set a custom source IP address for several kinds of local-out traffic at once, including FortiGate Cloud:

config router static
    edit <id>
        set preferred-source <ip_address>
    next
end

When source-ip and preferred-source are both configured, source-ip takes precedence. preferred-source is intended to set a custom source address depending on the interface or route used to send the traffic, so configuring it affects multiple local-out management features. See 'New Feature: Allow better control over the source IP...'.