FortiGate
HiralShah
Staff
Article Id 278769
Description This article lists the configuration items that must be reviewed after changing the WAN IP address so that everything else in a FortiGate setup keeps working as expected.
Scope FortiGate.
Solution

When changing the WAN IP to a new address, the WAN interface itself is only the first item. Every other place where the old WAN IP or the old upstream gateway is referenced has to be updated as well. Work through the following list:

 

Go to Network -> Interfaces, select the WAN interface and enter the new IP address and netmask.


Under Network -> Static Routes, edit the default route (and any other static route that points out of the WAN interface) and set the gateway to the new upstream gateway IP address. A route whose gateway is no longer on the interface subnet becomes inactive and traffic stops flowing.


If the WAN interface is a member of an SD-WAN zone, the gateway is configured on the SD-WAN member rather than on a static route, so update it there: go to Network -> SD-WAN -> SD-WAN Zones, select the WAN interface member and update the Gateway IP.


Also, if SSL VPN is used, make sure that the Remote Gateway field under FortiClient -> Remote Access on each client is changed to the new WAN IP address. If the clients connect to an FQDN instead of a literal IP, only the DNS record needs to be updated.


If site-to-site VPN is configured, the remote peer still points at the old address: on the remote side of each tunnel, change the remote gateway (remote-gw in the phase1 configuration) to the new WAN IP. On this FortiGate, also check whether local-gw was set explicitly in the phase1 and update it if so.


Perform this process during a maintenance window to avoid impairing traffic.

Additionally, check whether any Virtual IPs use the old WAN IP as their external IP. If they do, the external IP of those VIPs needs to be changed to the new WAN IP as well; otherwise the published services are no longer reachable. Navigate to Policy & Objects -> Virtual IPs:


If policy routes reference the old upstream gateway, change the gateway IP in those policy routes as well (Network -> Policy Routes):


Make sure to update the link-monitor configuration as well, if one is configured on the WAN interface, because the health check is sent to the gateway configured here:

config system link-monitor
    edit "Wan1 Failover"
        set srcintf "wan1"
        set server "8.8.8.8"
        set gateway-ip x.x.x.x        <---- Provide the updated gateway IP here.
        set update-cascade-interface disable
    next
end

 

Note: If source-ip was set on self-originating traffic (DNS, FortiGuard, FortiAnalyzer, FortiManager, syslog, NTP, etc.), update the source-ip with the new address. A source-ip that no longer exists on any interface causes that service to fail silently.

 

For example:

 

config system dns
    set source-ip 10.9.15.159       <- New WAN IP address.
end

config system fortiguard
    set source-ip 10.9.15.159       <- New WAN IP address.
end

 

It is possible to find every place where the old WAN IP is still referenced by running the following command from the root of the CLI, where x.x.x.x is the old WAN IP. The -f option prints each matching line together with the config and edit entries that contain it, so the output shows exactly which table and object to change:

show | grep -f x.x.x.x

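The same inventory can be prepared offline from a configuration backup before the maintenance window, which makes it easy to build the change checklist in advance. The Python script below is an added example written for this article, not Fortinet code and not part of the original tip: it walks the config/edit/next/end nesting of a FortiOS backup and reports the configuration path of every set line that references the given address, matching the address exactly so that 203.0.113.10 is not confused with 203.0.113.100. The embedded sample configuration is constructed for the example (documentation addresses from 203.0.113.0/24), not taken from a real device.

```python
"""Offline equivalent of `show | grep -f <ip>` for a FortiOS configuration backup.

Added example for this article; not Fortinet code. The sample configuration
below is constructed and uses documentation addresses only.
"""
import re
from typing import List, Tuple

# Constructed sample of a FortiOS configuration backup (not a real device dump).
# Old WAN IP: 203.0.113.10, old upstream gateway: 203.0.113.9.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 10.10.10.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 203.0.113.9
        set device "wan1"
    next
end
config firewall vip
    edit "web-server"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.10.10.50"
    next
end
config system link-monitor
    edit "Wan1 Failover"
        set srcintf "wan1"
        set server "8.8.8.8"
        set gateway-ip 203.0.113.9
    next
end
config system dns
    set primary 96.45.45.45
    set source-ip 203.0.113.10
end
config log syslogd setting
    set status enable
    set server "10.10.10.200"
    set source-ip 203.0.113.100
end
"""


def find_ip_references(config_text: str, ip: str) -> List[Tuple[str, str]]:
    """Return (config path, set line) for every 'set' line that references ip.

    The path is rebuilt from the enclosing 'config ...' and 'edit ...' lines,
    so the caller knows which table and object to open. Lookarounds make the
    match exact: 203.0.113.10 does not match inside 203.0.113.100.
    """
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    path: List[str] = []           # stack of enclosing config/edit lines
    hits: List[Tuple[str, str]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config ") or line.startswith("edit "):
            path.append(line)      # descend into a table or an object
        elif line in ("next", "end"):
            if path:
                path.pop()         # leave the current object or table
        elif line.startswith("set ") and pattern.search(line):
            hits.append((" / ".join(path), line))
    return hits


def change_checklist(config_text: str, old_wan_ip: str, old_gateway: str) -> List[str]:
    """Human-readable list of every item to update, for both the WAN IP and the gateway."""
    lines = []
    for label, ip in (("WAN IP", old_wan_ip), ("gateway", old_gateway)):
        for path, setting in find_ip_references(config_text, ip):
            lines.append(f"[{label}] {path}: {setting}")
    return lines


if __name__ == "__main__":
    for item in change_checklist(SAMPLE_CONFIG, "203.0.113.10", "203.0.113.9"):
        print(item)
```

Run it against a backup taken with the old address still configured; each reported path corresponds to one of the GUI or CLI locations listed above (interface, static route, VIP, link-monitor, source-ip). Note that the gateway is looked up separately from the WAN IP, since static routes, SD-WAN members, policy routes and link monitors reference the upstream gateway rather than the interface address.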