Description
This article describes how to control or change the source IP that the FortiGate uses for self-generated (self-originated) traffic.
At times, an upstream device (for example, when the FortiGate is placed behind another router or firewall) accepts traffic only from a specific IP address.
In other cases, the FortiGate WAN interface is configured with a private IP address because of that upstream device, so the address the FortiGate would use by default is not the one expected on the far side.
Scope
FortiGate.
Solution
By default, the source IP of self-generated traffic is the address of the FortiGate egress interface, that is, the interface selected by the routing table lookup toward the destination.
For FortiGuard Services :
config system fortiguard
set port 8888
set source-ip 0.0.0.0 <- Set the FortiGate interface IP that the upstream device allows.
set source-ip6 ::
end
For DNS Service:
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
set source-ip 0.0.0.0 <- Set the FortiGate interface IP that the upstream device allows.
end
For FortiManager Service:
config system central-management
set fmg-source-ip 0.0.0.0 <- Set the FortiGate interface IP that FortiManager should see as the source.
end
For a RADIUS server located at a remote site and reachable through an IPsec tunnel:
config user radius
edit "server_name"
set source-ip 0.0.0.0 <- Set the FortiGate interface IP that the RADIUS server allows.
next
end
For an LDAP server located at a remote site and reachable through an IPsec tunnel:
config user ldap
edit "server_name"
set source-ip 0.0.0.0 <- Set the FortiGate interface IP that the LDAP server allows.
next
end
Note: When the FortiGate needs to reach the DNS server configured under DNS settings, it looks up the routing table to find the egress interface toward the DNS server and uses the IP address configured on that interface as the source.
If the DNS server is behind an IPsec tunnel, however, the tunnel interface is usually unnumbered (its address is 0.0.0.0), so the FortiGate has no usable source address and the DNS server cannot be reached. In that case, configure a source-ip under the DNS settings so that a different FortiGate address (for example a LAN or loopback interface IP) is used instead of the IPsec interface address.
The address chosen must be one that is assigned to a FortiGate interface, and the remote side must have a route back to it; for traffic through an IPsec tunnel it must also be covered by the tunnel's phase 2 selectors, otherwise the replies never return.
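A quick way to check all of the settings above at once is to audit a saved configuration dump rather than walking each table by hand. The script below is an added example written for this article, not Fortinet code. It parses the output of `show full-configuration` (plain `show` omits a source-ip that is still at its default 0.0.0.0, so a missing setting is treated as the default), then reports for each service whether the source-ip is the default, is an address that exists on a FortiGate interface, or points at an address the FortiGate does not own (the failure mode described in the note above). The embedded configuration is constructed: interface names, addresses and server names are made up.

```python
"""Audit FortiGate self-originated source IPs in a `show full-configuration`
dump. Added example, not Fortinet's code. Plain `show` omits a source-ip left
at its default 0.0.0.0, so a missing setting is treated as the default."""
import ipaddress

# Constructed sample dump; interface names, addresses and servers are made up.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.248
    next
    edit "loopback0"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
    edit "to_hq"
        set type tunnel
    next
end
config system dns
    set primary 208.91.112.53
    set source-ip 10.255.255.1
end
config system fortiguard
    set source-ip 0.0.0.0
end
config system central-management
    set fmg-source-ip 0.0.0.0
end
config user radius
    edit "hq-radius"
        set source-ip 10.255.255.1
    next
end
config user ldap
    edit "hq-ldap"
        set source-ip 192.0.2.99
    next
end
"""

# (config path, setting name, table is made of per-entry "edit" blocks)
SOURCE_IP_SETTINGS = [
    ("system dns", "source-ip", False),
    ("system fortiguard", "source-ip", False),
    ("system central-management", "fmg-source-ip", False),
    ("user radius", "source-ip", True),
    ("user ldap", "source-ip", True),
]


def parse_fortios_config(text):
    """config/edit open a child dict, set stores a value, next/end close."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = value.strip('"')
        elif line in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def local_addresses(cfg):
    """IPv4 addresses on interfaces; an unnumbered tunnel contributes none."""
    addrs = set()
    for settings in cfg.get("system interface", {}).values():
        ip = settings.get("ip", "0.0.0.0 0.0.0.0").split()[0]
        if ip != "0.0.0.0":
            addrs.add(ipaddress.ip_address(ip))
    return addrs


def audit_source_ips(text):
    """Return {(path, entry, setting): (value, status)}; status is 'default'
    (egress interface IP used), 'ok', 'not-local' (FortiGate owns no such
    address, so replies cannot come back) or 'invalid'."""
    cfg = parse_fortios_config(text)
    local = local_addresses(cfg)
    report = {}
    for path, setting, per_entry in SOURCE_IP_SETTINGS:
        table = cfg.get(path, {})
        entries = table.items() if per_entry else [("", table)]
        for entry, settings in entries:
            value = settings.get(setting, "0.0.0.0")
            if value == "0.0.0.0":
                status = "default"
            else:
                try:
                    status = "ok" if ipaddress.ip_address(value) in local else "not-local"
                except ValueError:
                    status = "invalid"
            report[(path, entry, setting)] = (value, status)
    return report


if __name__ == "__main__":
    for (path, entry, setting), (value, status) in audit_source_ips(SAMPLE_CONFIG).items():
        print(f"{(path + ' ' + entry).strip():32} {setting:14} {value:16} {status}")
```

Run it against a real dump by replacing SAMPLE_CONFIG with the saved output of `show full-configuration`; a "not-local" result on the LDAP entry above is exactly the misconfiguration that leaves the server unreachable, and "default" on FortiGuard or FortiManager means the egress interface address will be used and must be the one the upstream device allows.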
Related article:
Technical Tip: How to control/change the FortiGate source IP for self-originating traffic : SNMP , S....