Description
This article describes how to control/change the FortiGate source IP for self-generated traffic.
At times, an upstream device (the router or firewall that the FortiGate sits behind) accepts traffic only from a specific IP address.
In some cases, a private IP may be configured on the FortiGate WAN interface because there is an upstream device in front of it.
Scope
FortiGate.
Solution
By default, the source IP is from the FortiGate egress interface.
For FortiGuard Services:
config system fortiguard
set port 8888
set source-ip 0.0.0.0 <----- Set the desired IP allowed by the upstream device.
set source-ip6 ::
end
For DNS Service:
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
set source-ip 0.0.0.0 <----- Set the desired IP allowed by the upstream device.
end
For FortiManager Service:
config system central-management
set fmg-source-ip 0.0.0.0 <----- Set this to the FortiGate interface IP that FortiManager should see.
end
For a RADIUS server located at a remote site and reachable through an IPsec tunnel:
config user radius
edit "server_name"
set source-ip 0.0.0.0 <----- Set the desired IP allowed by the upstream device.
next
end
For an LDAP server located at a remote site and reachable through an IPsec tunnel:
config user ldap
edit "server_name"
set source-ip 0.0.0.0 <----- Set the desired IP allowed by the upstream device.
next
end
Note:
When the FortiGate tries to reach the DNS server configured under DNS settings, it looks up the routing table to determine which interface leads to the DNS server, and it then uses the IP address configured on that interface as the source address.
However, if the DNS server is behind an IPsec tunnel, the FortiGate cannot use the IP address of the IPsec interface, because that interface generally has no address (0.0.0.0), so the DNS server cannot be reached. In that case, configure a source-ip under the DNS settings so that a different IP address is used instead of the IPsec interface IP.
From the web interface (GUI), it is also possible to configure these settings:
From there, enable the desired services and configure the Source IP, outgoing interface, and IP version (IPv4 or IPv6).
For the Security Fabric, when the root FortiGate is located at a remote site and is reachable through an IPsec tunnel that has no IP address configured on the IPsec VPN interface, a source IP must be configured on both the root FortiGate and the downstream FortiGate for the downstream unit to join the Security Fabric:
config system csf
set source-ip x.x.x.x
end
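As an added check that is not part of this article or of FortiOS, the following Python script walks a FortiGate configuration backup and reports which of the sections above still have their source IP at the 0.0.0.0 default, meaning the egress interface IP will be used and may be rejected upstream. The configuration text embedded in it is a constructed sample, not taken from a real device.

```python
# Constructed sample FortiGate configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system fortiguard
    set source-ip 10.0.0.2
end
config system dns
    set source-ip 0.0.0.0
end
config system central-management
    set fmg-source-ip 10.0.0.2
end
config user radius
    edit "radius-hq"
        set source-ip 0.0.0.0
    next
end
config system csf
    set source-ip 0.0.0.0
end
"""

# Keys that pin the source of self-originated traffic; 0.0.0.0 / :: = use egress interface IP.
SOURCE_KEYS = {"source-ip", "source-ip6", "fmg-source-ip"}
DEFAULT_VALUES = {"0.0.0.0", "::"}

def find_source_ip_settings(config_text):
    """Return (path, key, value) for every source-ip style key in a FortiOS config dump;
    path is the 'config' section plus any 'edit' entry, e.g. 'user radius/radius-hq'."""
    stack, found = [], []                 # stack of (kind, name) for open config/edit blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):    # open a section
            stack.append(("config", line[len("config "):]))
        elif line.startswith("edit "):    # open a table entry inside a section
            stack.append(("edit", line[len("edit "):].strip('"')))
        elif line == "next" and stack:    # close the current table entry
            stack.pop()
        elif line == "end":               # close the section, and any entry left open without 'next'
            while stack and stack.pop()[0] != "config":
                pass
        elif line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[1] in SOURCE_KEYS:
                found.append(("/".join(n for _, n in stack), parts[1], parts[2].strip('"')))
    return found

def default_source_ip_sections(config_text):
    """Paths whose source IP is still the default, so the egress interface IP will be used."""
    return sorted({p for p, _k, v in find_source_ip_settings(config_text) if v in DEFAULT_VALUES})
```

Run it against a `show full-configuration` export to list the services whose source IP still needs to be pinned before the upstream device will accept their traffic.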
Related documents:
Technical Tip: How to control/change the FortiGate source IP for self-originating traffic : SNMP , S...
Security Fabric over IPsec VPN