FortiGate
Babitha_M
Staff
Article Id 271952
Description This article describes how to control the source IP address used for local-out traffic by setting a preferred source in a static route.
Scope FortiGate v7.4.0 and above.
Solution

Preferred Source is a new feature for local-out routing introduced in FortiOS v7.4.0. See the new feature announcement 'New Feature: Allow better control over the source IP used by each egress interface for local out tra...'. 

 

In v7.4 and later, it is possible to add the preferred-source IP in the static route, SD-WAN rule, or router route-map.


Static Route:

[image: static route configuration with the Preferred Source field]

SD-WAN:

[image: SD-WAN rule configuration with the Preferred Source field]

 

Note:

To configure a custom source IP address for SD-WAN health check probes, use 'set source X.X.X.X' in the SD-WAN member instead of preferred-source. See the article 'How to configure source IP for Secure SD-WAN Performance SLA'.

 

 

Once configured, the preferred-source address is used for any local-out management traffic that follows that route, unless a 'source-ip' is specified for the particular service elsewhere. Where both are configured, 'source-ip' takes precedence over 'preferred-source':

 

For example, when source-ip is specified in 'config system dns', FortiGate will continue to use the specified IP address as the source address for DNS lookups.

 

config router static
    edit 1
        set gateway 10.5.31.254
        set preferred-source 10.133.200.1
        set device "port1"
    next
end

config system dns
    set primary 96.45.46.46
    set source-ip 10.133.200.4
end


The device's DNS lookups to 96.45.46.46 continue to use the source-ip specified in 'config system dns'.


FGT-A # diagnose sniffer packet any 'port 53 and host (10.133.200.1 or 10.133.200.4)' 4 2 l
interfaces=[any]
filters=[port 53 and host (10.133.200.1 or 10.133.200.4)]
2024-11-04 17:16:02.942575 port1 out 10.133.200.4.1898 -> 96.45.46.46.53: udp 46
2024-11-04 17:16:05.112552 port1 out 10.133.200.4.1898 -> 96.45.46.46.53: udp 42

 

Other local-out traffic from port1 will use the preferred-source address configured in the matching static route unless source-ip is otherwise specified.

 

For example, a manual ping of the remote address 1.2.3.4 from the FortiGate CLI (execute ping 1.2.3.4) uses source address 10.133.200.1 by default:

 

FGT61F-A # diagnose sniffer packet any 'proto 1 and host 1.2.3.4' 4 2 l
interfaces=[any]
filters=[proto 1 and host 1.2.3.4]
2024-11-04 17:23:33.617169 port1 out 10.133.200.1 -> 1.2.3.4: icmp: echo request
2024-11-04 17:23:34.622553 port1 out 10.133.200.1 -> 1.2.3.4: icmp: echo request

 

Preferred-source affects many different kinds of local-out traffic, including the following:

  • FortiGuard web rating lookups.
  • FortiGuard updates.
  • The FortiGate Cloud management tunnel.
  • FortiGate DNS lookups.
  • Authentication requests to remote RADIUS and LDAP servers.

It is strongly recommended to verify that the FortiGate still has the intended routing after configuring preferred-source, because the change affects all of the services listed above: if the chosen address is not reachable from the remote side, or is not permitted by upstream firewalls or by the client list of a RADIUS/LDAP server, FortiGuard updates, cloud management and user authentication can fail. Use 'diagnose sniffer packet' as shown above to confirm the source address actually in use for each service.

 


A note on IPsec tunnels:

IPsec tunnel negotiation and ESP traffic do not use preferred-source. They use the configured local-gw if any, or the primary IP address of the parent interface if local-gw is not specified.

 

config vpn ipsec phase1-interface
    edit "example tunnel"
        set interface "port1"
        set local-gw <custom source ip>
        set peertype any
        set remote-gw 1.2.3.4
    next
end

 

FGT61F-A # diagnose sniffer packet any 'port 500 and host 1.2.3.4' 4 2 l
interfaces=[any]
filters=[port 500 and host 1.2.3.4]
2024-11-04 17:44:57.692541 port1 out 10.5.31.200.500 -> 1.2.3.4.500: udp 572
2024-11-04 17:45:09.712549 port1 out 10.5.31.200.500 -> 1.2.3.4.500: udp 572
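The precedence rules above (a service-specific 'source-ip' beats 'preferred-source', and IKE/ESP use 'local-gw' or the interface IP) are easy to get wrong in a larger configuration, and the only reliable check is the sniffer output. The following Python script is an added example, not part of the Fortinet article: it parses verbosity-4 'diagnose sniffer packet' lines and flags every egress packet whose source address does not match what the configuration should produce. The addresses in POLICY are assumptions taken from the article's sample configuration (10.5.31.200 is assumed to be port1's primary IP), the sample lines are copied from the article's captures, and BAD_LINE is a constructed line showing what a violation looks like.

```python
"""Audit 'diagnose sniffer packet' output against the expected local-out source
addresses.  Added example, not from the Fortinet article; the addresses in
POLICY are assumptions taken from the article's sample configuration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Verbosity-4 sniffer packet lines, e.g.
#   2024-11-04 17:16:02.942575 port1 out 10.133.200.4.1898 -> 96.45.46.46.53: udp 46
#   2024-11-04 17:23:33.617169 port1 out 10.133.200.1 -> 1.2.3.4: icmp: echo request
# The trailing .N on an address is the port; ICMP lines carry no port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<proto>\w+)"
)


@dataclass(frozen=True)
class Packet:
    intf: str
    direction: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one sniffer line; header/prompt lines (no timestamp) return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None

    def port(v: Optional[str]) -> Optional[int]:
        return int(v) if v is not None else None

    return Packet(m["intf"], m["dir"], m["src"], port(m["sport"]),
                  m["dst"], port(m["dport"]), m["proto"])


@dataclass
class SourcePolicy:
    """Expected source addresses, keyed by egress interface name."""
    preferred_source: Dict[str, str]                 # static route 'set preferred-source'
    interface_ip: Dict[str, str]                     # primary IP of the egress interface
    dns_servers: Set[str] = field(default_factory=set)
    dns_source_ip: Optional[str] = None              # 'config system dns' / 'set source-ip'
    ipsec_local_gw: Dict[str, str] = field(default_factory=dict)  # phase1 'set local-gw'


def expected_source(pkt: Packet, policy: SourcePolicy) -> Optional[str]:
    """Apply the article's precedence rules to one egress packet."""
    # A service-specific source-ip wins over preferred-source.
    if pkt.proto == "udp" and pkt.dport == 53 and pkt.dst in policy.dns_servers:
        return policy.dns_source_ip or policy.preferred_source.get(pkt.intf)
    # IKE (UDP 500/4500) and ESP never use preferred-source: local-gw, else interface IP.
    if pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport in (500, 4500)):
        return policy.ipsec_local_gw.get(pkt.intf) or policy.interface_ip.get(pkt.intf)
    # Everything else: preferred-source of the matching route, if any.
    return policy.preferred_source.get(pkt.intf)


def audit(lines: List[str], policy: SourcePolicy) -> List[Tuple[str, str, str]]:
    """Return (line, expected_src, actual_src) for each egress packet using the wrong source."""
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.direction != "out":
            continue
        want = expected_source(pkt, policy)
        if want is not None and want != pkt.src:
            findings.append((line.strip(), want, pkt.src))
    return findings


# Assumed from the article's sample config; 10.5.31.200 is taken to be port1's primary IP.
POLICY = SourcePolicy(
    preferred_source={"port1": "10.133.200.1"},
    interface_ip={"port1": "10.5.31.200"},
    dns_servers={"96.45.46.46"},
    dns_source_ip="10.133.200.4",
)

# Sniffer lines copied from the article's captures, plus the header lines they came with.
SAMPLE_LINES = [
    "interfaces=[any]",
    "filters=[port 53 and host (10.133.200.1 or 10.133.200.4)]",
    "2024-11-04 17:16:02.942575 port1 out 10.133.200.4.1898 -> 96.45.46.46.53: udp 46",
    "2024-11-04 17:23:33.617169 port1 out 10.133.200.1 -> 1.2.3.4: icmp: echo request",
    "2024-11-04 17:44:57.692541 port1 out 10.5.31.200.500 -> 1.2.3.4.500: udp 572",
]
# Constructed line: a DNS query that ignored 'source-ip' and went out with preferred-source.
BAD_LINE = "2024-11-04 17:50:00.000000 port1 out 10.133.200.1.2001 -> 96.45.46.46.53: udp 46"

if __name__ == "__main__":
    for line, want, got in audit(SAMPLE_LINES + [BAD_LINE], POLICY):
        print(f"unexpected source {got} (expected {want}): {line}")
```

Paste the output of 'diagnose sniffer packet any "..." 4' into SAMPLE_LINES (or read it from a file) and extend POLICY with each interface's preferred-source, the 'source-ip' of any service that sets one, and the 'local-gw' of each phase1; a non-empty result from audit() means a service is leaving with an address other than the one the configuration intends.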

 

In v7.2 and earlier, neither the static route nor the SD-WAN rule has a Preferred Source option:

Static Route:

[image: static route configuration in v7.2, without a Preferred Source field]

SD-WAN:

[image: SD-WAN rule configuration in v7.2, without a Preferred Source field]