Created on 03-31-2021 10:36 PM
Edited on 11-27-2025 03:00 AM
By Jean-Philippe_P
Description
This article describes how to configure a specific IP address to connect FortiGate to FortiGate Cloud.
Scope
FortiGate, FortiGate Cloud.
Solution
By default, FortiGate uses the outgoing interface address as the source IP address to connect to FortiGate Cloud. Confirm the IP address in use with the following steps:
FGT61F-B # execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com.geo.fortinet.net (173.243.132.23) 56 data bytes
--- logctrl1.fortinet.com.geo.fortinet.net ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FGT61F-B #
If the ping shows 'Unable to resolve hostname', the FortiGate DNS lookup failed. See: 'Technical Tip: FortiGate Troubleshooting DNS commands' for troubleshooting in this case.
FGT61F-B # execute ping logctrl1.fortinet.com
Unable to resolve hostname.
FGT61F-B #
FGT61F-B # diagnose sniffer packet any 'host 173.243.132.23 and port 443' 4 0 a
FGT61F-B # execute telnet 173.243.132.23 443
Trying 173.243.132.23...
Timeout!
Failed to connect to specified unit.
Console line is in use. Clear it before next try.
FGT61F-B #
It is also possible for telnet to show Connected if the server responds.
FGT61F-B # execute telnet 173.243.132.23 443
Trying 173.243.132.23...
Connected to 173.243.132.23.
Regardless of whether the server responds, the FortiGate's source address will show in the packet sniffer.
FGT61F-B # diagnose sniffer packet any 'host 173.243.132.23 and port 443' 4 0 a
interfaces=[any]
filters=[host 173.243.132.23 and port 443]
2024-11-14 16:52:56.033419 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:52:57.028975 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:52:59.028986 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:53:03.038978 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:53:11.048979 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
Also, verify the routing table to make sure there is a route to send the traffic to the FortiGate Cloud server. In the above sniffer output, traffic is routed through the tunnel interface DC_TUNNEL.
get router info routing-table all
S* 0.0.0.0/0 [1/0] via DC_TUNNEL tunnel x.x.x.x, [1/0]
[1/0] via y.y.y.y, wan2, [5/0]
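The sniffer check above can be repeated offline on saved console output. The following is an added example, not Fortinet code: it reports which egress interface and source IP the FortiGate used toward the FortiGate Cloud server and whether any reply came back. The second capture and its 192.0.2.10 address are constructed for illustration.

```python
import re
from collections import defaultdict

# Line layout (verbosity 4, absolute time): date time intf in|out src.port -> dst.port: info
LINE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: (?P<info>.*)$"
)

# Sniffer output copied from the article: SYNs leave via DC_TUNNEL, nothing returns.
ARTICLE_CAPTURE = """\
interfaces=[any]
filters=[host 173.243.132.23 and port 443]
2024-11-14 16:52:56.033419 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:52:57.028975 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:52:59.028986 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:53:03.038978 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
2024-11-14 16:53:11.048979 DC_TUNNEL out 10.255.1.1.21936 -> 173.243.132.23.443: syn 1758258563
"""

# Constructed sample (not from the article): the server answers a 192.0.2.10 source.
CONSTRUCTED_CAPTURE = """\
2024-11-14 17:10:01.000100 wan2 out 192.0.2.10.21940 -> 173.243.132.23.443: syn 1000
2024-11-14 17:10:01.020300 wan2 in 173.243.132.23.443 -> 192.0.2.10.21940: syn 2000 ack 1001
2024-11-14 17:10:01.020400 wan2 out 192.0.2.10.21940 -> 173.243.132.23.443: ack 2001
"""

def summarize(capture, server_ip):
    """Per (egress interface, source IP): SYNs sent and replies seen from server_ip."""
    flows = defaultdict(lambda: {"syn_out": 0, "replies_in": 0})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header lines such as interfaces=[any]
        if m["dir"] == "out" and m["dst"] == server_ip:
            if m["info"].startswith("syn") and "ack" not in m["info"]:
                flows[(m["intf"], m["src"])]["syn_out"] += 1
        elif m["dir"] == "in" and m["src"] == server_ip:
            # Match replies on address only; the return path may use another interface.
            for (_, src), stats in flows.items():
                if src == m["dst"]:
                    stats["replies_in"] += 1
    return {k: dict(v, answered=v["replies_in"] > 0) for k, v in flows.items()}

if __name__ == "__main__":
    for name, cap in (("article", ARTICLE_CAPTURE), ("constructed", CONSTRUCTED_CAPTURE)):
        for (intf, src), s in summarize(cap, "173.243.132.23").items():
            print(name, intf, src, s)
```

Several SYNs with no reply from one source address, as in the article's capture, show that address is not reaching the server or is not getting an answer back, which is the case the source-ip settings address.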
Update source IP address (FortiGate Cloud Activation and Remote Logging):
If a different source IP address is required for FortiGate Cloud activation and remote logging, configure it under 'config log fortiguard setting' in the CLI. This is often required if the FortiGate is behind an IPsec tunnel and the outgoing interface has no IP.
config log fortiguard setting
set source-ip x.x.x.x <----- Replace x.x.x.x with desired source IP.
end
Note:
Updating 'config log fortiguard setting' affects FortiGate Cloud activation and logging to FortiGate Cloud as well as retrieving the logs to view on FortiGate. Updating the source-ip here does not affect the source-ip of the management tunnel to FortiGate Cloud.
Update source IP address (FortiGate Cloud management tunnel):
FortiGate Cloud central-management uses the 'source-ip' setting configured in 'config system fortiguard'. The Central Management tunnel requires FortiGate Cloud activation.
config system fortiguard
set source-ip y.y.y.y <----- Replace y.y.y.y with desired source IP.
end
config system central-management
set type fortiguard
end
diagnose fdsm contract-controller-update
Protocol=2.1|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:<FortiGateCloudPortal>*AlterServer:<FortiGateCloudPortal>*AccountType:regular*Contract:20250314*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:<Cluster unique ID assigned by FortiGate Cloud>
Result=Success
FGT61F-B #
Update source IP Address (Preferred-source):
In v7.4 and later, preferred-source can be used to simultaneously set a custom source IP address for several kinds of local-out traffic, including FortiGate Cloud.
config router static
edit <id>
set preferred-source <ip_address>
next
end
Note: All local-out traffic that follows the configured static route will use the specified preferred address, so apply this setting with caution where local-out management traffic is concerned. Unless the specified preferred IP meets the needs of the management traffic, make sure to use the 'source-ip' setting for the required management service. When the 'source-ip' and 'preferred-source' settings are both configured, 'source-ip' takes precedence. The intended use of 'preferred-source' is to set a custom source address depending on the interface or route used to send the traffic.
Related documents:
Allow better control over the source IP used by each egress interface for local out traffic