|
In general, the use of source IP allows control over how and through which interface a given traffic is sent. The scope of this traffic varies at large across mgmt/self-generating traffic or forwarding traffic traversing through Fortigate.
The application is not only limited to assisting with the forwarding decision in terms of control over the path but also helps in maintaining compliance and load balancing. However, the orchestration of this forwarding decision is based on the kernel index associated with the interface where this source IP is configured.
Different ways of the application are as below:
- FortiGate allows setting a global source IP address for management traffic across the device. This IP is used for all outgoing management traffic unless otherwise specified.
config system global
set source-ip <IP_address>
end
- For a more granular control, it allows to specify source-ip under services like FortiAnalyzer:
config log fortianalyzer setting
set source-ip <IP_address>
end
In some situations where FortiGate is configured to forward traffic to FortiAnalyzer, no need to define the source IP. Suppose the same FortiGate has to establish a connection with the FortiAnlyzer for log forwarding where the FortiAnalyzer is sitting across a VPN tunnel. In such cases, the use of source IP makes it crucial to make it work.
This is where the role of the kernel index comes in place. The below example will help to understand this more in detail:
FortiGate A (FGTA) is connected to FortiGate B (FGTB) via an IPsec tunnel, with a FortiAnalyzer (FAZ) sitting behind FGTB. In this setup, FGTA forwards logs to the FortiAnalyzer across the tunnel. By default, the FortiGate kernel uses the interface with the lowest kernel index to forward traffic. If this interface is unrelated to the tunnel, the connection can fail, even though there is Layer 3 connectivity.
To avoid such issues, it is best to explicitly define the source IP associated with the correct interface, ensuring that traffic is routed through the desired path.
|
