Created on 03-04-2025 10:26 PM
Edited on 08-25-2025 12:57 AM
By Jean-Philippe_P
Description: This article describes the behavior of traffic (PING) when the source of the traffic is a Loopback IP and the destination is a Public IP.
Scope: FortiGate.
Solution:
Setup:
For testing purposes, assume that the FortiGate's port1 IP address 10.47.1.175/20 is a Public IP address.
Interface Setting:
Firewall Policy:
Initiate PING traffic from the FortiGate using the Loopback IP 192.168.10.100 (a private IP) as the source IP and the public IP 1.1.1.1 as the destination IP. The PING fails:
FortiGate-2 # execute ping-options source 192.168.10.100
FortiGate-2 # execute ping 1.1.1.1
--- 1.1.1.1 ping statistics ---
FortiGate-2 # diagnose sniff packet any "host 1.1.1.1 and icmp" 4 0 l
This is expected behavior: traffic generated from the Loopback IP is Local-Out (self-generated) traffic. Such traffic does not hit any Firewall Policy, so Source NAT is never applied to it and the source IP stays as it is, in this scenario 192.168.10.100. The upstream network has no route back to that private address, so no reply is received.
The same behavior occurs when the PING source is a physical interface of the FortiGate, as described in this link: Technical Tip: Unable to ping public servers (for testing) using ping-option source interface
The same behavior also occurs when a VLAN interface IP is used as the source: Technical Tip: Testing Internet Connectivity from FortiGate VLAN Interface
The PING becomes successful if the Loopback IP used as the source is a Public IP address, even though the traffic is still sourced from the FortiGate.
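As an added illustration (not part of the article and not Fortinet code), a small Python helper that reads sniffer output in the format produced by the diagnose sniffer command above, pairs ICMP echo requests with their replies, and flags unanswered requests that left with an RFC 1918 source address, which is exactly the Local-Out-without-SNAT symptom described here. The sample sniffer lines are constructed, not captured from the article's FortiGate; the 203.0.113.10 flow is an assumed public-source loopback for contrast.

```python
import ipaddress
import re

# Constructed sample of "diagnose sniffer packet any ... 4 0 l" output (timestamp,
# interface, direction, src -> dst, protocol, detail). Not captured from a real device.
SAMPLE_SNIFFER_OUTPUT = """\
2025-03-04 22:26:01.101 port1 out 192.168.10.100 -> 1.1.1.1: icmp: echo request
2025-03-04 22:26:02.102 port1 out 192.168.10.100 -> 1.1.1.1: icmp: echo request
2025-03-04 22:26:03.103 port1 out 192.168.10.100 -> 1.1.1.1: icmp: echo request
2025-03-04 22:27:01.201 port1 out 203.0.113.10 -> 1.1.1.1: icmp: echo request
2025-03-04 22:27:01.215 port1 in 1.1.1.1 -> 203.0.113.10: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) (?P<src>[\d.]+) -> (?P<dst>[\d.]+): "
    r"icmp: echo (?P<kind>request|reply)$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_text):
    """True if the address is in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def analyze_icmp(sniffer_output):
    """Return {(src, dst): {"requests": n, "replies": n, "diagnosis": str}} per echo flow."""
    flows = {}
    for line in sniffer_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines and non-ICMP packets are ignored
        src, dst, kind = m["src"], m["dst"], m["kind"]
        # A reply runs dst -> src relative to its request, so key it on the request direction.
        key = (src, dst) if kind == "request" else (dst, src)
        entry = flows.setdefault(key, {"requests": 0, "replies": 0})
        entry["requests" if kind == "request" else "replies"] += 1
    for (src, dst), entry in flows.items():
        if entry["replies"] > 0:
            entry["diagnosis"] = "ok"
        elif is_rfc1918(src) and not is_rfc1918(dst):
            # Self-generated (Local-Out) traffic skips firewall policy, so no SNAT was applied:
            # the private source left unchanged and the reply has no route back to it.
            entry["diagnosis"] = "local-out from private source; SNAT not applied, reply cannot return"
        else:
            entry["diagnosis"] = "no reply; check routing or upstream filtering"
    return flows
```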
Note: The scenarios above apply only when the traffic is sourced from the FortiGate Loopback IP. In the reverse case, where the PING is sourced from a Public IP address and the destination is the FortiGate's Loopback interface Public IP, the PING will fail, since the traffic is not generated by the FortiGate itself.
This scenario will need a Firewall Policy to allow the traffic, as explained on this link: Technical Tip: Best practice when IPSec VPN is bound to loopback interface
Related article: Technical Tip : Configuring and using a loopback interface on a FortiGate
Copyright 2025 Fortinet, Inc. All Rights Reserved.