Created on 07-05-2016 06:42 AM
Edited on 05-05-2025 04:50 AM
By Jean-Philippe_P
Description
This article describes how to set the source IP address a FortiGate uses for FSSO, LDAP and RADIUS traffic, for example to send authentication traffic through an IPsec tunnel.
Scope
FortiGate.
Solution
For FSSO:
config user fsso
edit <FSSO object name>
set source-ip <IP address assigned to a FortiGate interface>
end
For LDAP:
config user ldap
edit <LDAP object name>
set source-ip <IP address assigned to a FortiGate interface>
end
For RADIUS:
config user radius
edit <RADIUS object name>
set source-ip <IP address assigned to a FortiGate interface; this address must also be the client configured on the RADIUS server>
end
Warning:
This setting does not exist for FSSO polling mode, i.e. the built-in "Local FSSO Agent" object has no source-ip option:
config user fsso
edit "Local FSSO Agent"
end
Note:
The source-ip must be an IP address configured on a FortiGate interface.
If the traffic goes over an IPsec tunnel, the source-ip must fall within the Phase 2 selectors on both firewalls (the local address on the FortiGate sending the query, the remote address on the peer).
With the configuration below, the administrator can send LDAP traffic through an IPsec tunnel.
Simple traffic flow:
FGT-VM1 (port2 IP 10.109.3.119) <IPsec tunnel> FGT-VM2 (port2 IP 10.108.3.123) <-> LDAP server (10.108.3.15).
From FGT-VM1 the LDAP server is unreachable by default, because the query is not sourced from an address covered by the Phase 2 selector.
To fix this, the administrator configures the source IP address on the LDAP server object.
The tunnel is up and running (output from FGT-VM1; note that the dec/enc lines show the live SA key material of this lab tunnel, which should not be shared from a production device):
diagnose vpn tunnel list
name=hercules-kvm15 ver=1 serial=2 10.0.20.119:0->10.0.20.123:0 nexthop=0.0.0.0 tun_id=10.0.20.123 tun_id6=::10.0.20.123 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 real_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=342 olast=342 ad=/0
stat: rxp=18 txp=21 rxb=10740 txb=1480
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=hercules-kvm15 proto=0 sa=1 ref=4 serial=1
src: 0:10.109.0.0-10.109.15.255:0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Source subnet
dst: 0:10.108.0.0-10.108.15.255:0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Remote subnet
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42370/0B replaywin=2048
seqno=16 esn=0 replaywin_lastseq=00000013 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42928/43200
dec: spi=419e8010 esp=aes key=16 0fb94d296acac0a86afccc0a1b15fde9
ah=sha1 key=20 6e9c59fbfe1912114d05aeb653d4147c56b73d1e
enc: spi=43bee6f7 esp=aes key=16 27d3c8d057d30e562314eeb3e43ca2d6
ah=sha1 key=20 e37e941b48f75b03947005c81070c90c8b41c138
dec:pkts/bytes=36/21480, enc:pkts/bytes=42/4352
npu_flag=00 npu_rgwy=10.0.20.123 npu_lgwy=10.0.20.119 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0
LDAP configuration on FGT-VM1, with the source IP address set to the port2 interface IP address:
config user ldap
edit "new_ldap"
set server "10.108.3.15"
set source-ip "10.109.3.119" >>>> Port2 interface IP address
set cnid "sAMAccountName"
set dn "dc=dxb-nse8,dc=lab"
set type regular
set username "cn=administrator,cn=users,dc=dxb-nse8,dc=lab"
set password ENC fortnet
next
end
Port2 interface config:
config system interface
edit "port2"
set vdom "root"
set ip 10.109.3.119 255.255.240.0
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 2
next
end
Since the port2 subnet (10.109.0.0/20) is configured as the source subnet in the IPsec Phase 2 quick mode selector, the LDAP query is sourced from 10.109.3.119 and matched to the tunnel once the port2 interface IP address is set as source-ip in the LDAP configuration, as shown in the screen capture below.
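To confirm the result from the CLI on FGT-VM1, the following checks are added here as an example and are not part of the original article; the test user name and password are placeholders, the other names are the ones used in this article:

```fortios
diagnose test authserver ldap new_ldap testuser testpassword
diagnose sniffer packet any 'host 10.108.3.15 and tcp port 389' 4 3 a
diagnose vpn tunnel list name hercules-kvm15
```

The authserver test should return an authentication result from 10.108.3.15 instead of a timeout. With verbose level 4 the sniffer prints the interface name, so the LDAP packets should appear on the tunnel interface with source 10.109.3.119, and the rxp/txp and enc:pkts counters in the tunnel listing should increase. If the query is not seen on the tunnel interface, check that source-ip is set and that it falls inside the Phase 2 source selector shown on the src: line of the tunnel listing.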