Technical Tip: Working of 'source-ip' and 'source-interface' in 'ping-options' in FortiGate

jsarah · ‎01-30-2025

Description

This article describes how the 'source' and 'source interface', in 'ping-options' work in the packet level in the FortiGate.

Scope

FortiGate v6,v7.

Solution

The following options are present in the FortiGate for ping:

iron-kvm03 # execute ping-options
adaptive-ping Adaptive ping <enable|disable>.
data-size Integer value to specify datagram size in bytes.
df-bit Set DF bit in IP header <yes | no>.
interface Auto | <outgoing interface>.
interval Integer value to specify seconds between two pings.
pattern Hex format of pattern, e.g. 00ffaabb.
repeat-count Integer value to specify how many times to repeat PING.
reset Reset settings.
source Auto | <source interface IP>.
timeout Integer value to specify timeout in seconds.
tos IP type-of-service option.
ttl Integer value to specify time-to-live.
use-sdwan Use SD-WAN rules to get output interface <yes | no>.
validate-reply Validate reply data <yes | no>.
view-settings View the current settings for PING option.

To get complete information about 'ping-options', refer: Troubleshooting Tip: Using PING options from the FortiGate CLI.

If the option 'interface' is used, the packet will leave from that particular interface with the particular interface IP.

Example:

The IP addresses are as follows:

iron-kvm03 # diagnose ip address list
IP=10.5.141.32->10.5.141.32/255.255.192.0 index=3 devname=port1
IP=10.5.205.32->10.5.205.32/255.255.192.0 index=4 devname=port2
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=14 devname=root
IP=10.255.1.1->10.255.1.1/255.255.255.0 index=18 devname=fortilink
IP=10.25.13.32->10.25.13.32/255.255.192.0 index=19 devname=red
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=20 devname=vsys_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=22 devname=vsys_fgfm

The default route is via port1 as shown below:

iron-kvm03 # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.191.254, port1, [1/0]
C 10.5.128.0/18 is directly connected, port1
C 10.5.192.0/18 is directly connected, port2
C 10.25.0.0/18 is directly connected, red

The ping-options are used to initiate traffic from port1:

iron-kvm03 # execute ping-options interface port1

iron-kvm03 # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=4.1 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=3.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=2.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=3.3 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=2.9 ms

When setting exec ping-options interface <interface_name>, the ICMP packets will leave via that interface, using its associated IP as the source. This ensures correct routing and allows the return packet to be received properly.

This is verified in the sniffer. The source IP is 10.5.141.32, which is port1 ip, going out via port1:

iron-kvm03 # diagnose sniffer packet any " host 8.8.8.8 and icmp" 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[ host 8.8.8.8 and icmp]
2025-01-30 04:24:24.720389 port1 out 10.5.141.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:24:24.723710 port1 in 8.8.8.8 -> 10.5.141.32: icmp: echo reply
2025-01-30 04:24:25.720709 port1 out 10.5.141.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:24:25.723718 port1 in 8.8.8.8 -> 10.5.141.32: icmp: echo reply
2025-01-30 04:24:26.720925 port1 out 10.5.141.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:24:26.723582 port1 in 8.8.8.8 -> 10.5.141.32: icmp: echo reply
2025-01-30 04:24:27.721173 port1 out 10.5.141.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:24:27.724116 port1 in 8.8.8.8 -> 10.5.141.32: icmp: echo reply
2025-01-30 04:24:28.721386 port1 out 10.5.141.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:24:28.724086 port1 in 8.8.8.8 -> 10.5.141.32: icmp: echo reply

In the next scenario, the options are reset, and 'source' option is added:

iron-kvm03 # execute ping-options reset
iron-kvm03 # execute ping-option source 10.5.205.32

iron-kvm03 # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Observation:

The packet's source IP is 10.5.205.32, which is port2 IP, but the packet leaves via port1.

iron-kvm03 # diagnose sniffer packet any " host 8.8.8.8 and icmp" 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[ host 8.8.8.8 and icmp]
2025-01-30 04:26:20.748737 port1 out 10.5.205.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:26:21.748965 port1 out 10.5.205.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:26:22.749199 port1 out 10.5.205.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:26:23.749398 port1 out 10.5.205.32 -> 8.8.8.8: icmp: echo request
2025-01-30 04:26:24.749626 port1 out 10.5.205.32 -> 8.8.8.8: icmp: echo request

When the reply comes from 8.8.8.8, it will come for IP 10.5.205.32 at port1. But this IP is configured at port2, hence the device will drop the reply. The reason is, as per the routing table, the packet should have come at the port2 interface.

Related article:

Technical Tip: Working of 'source-ip' and 'source-interface' in 'ping-options' in FortiGate

You are leaving our website