Technical Tip: how to use a source IP for internal...

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 190413

Description
This article describes how to use a source IP for internal workings.

Solution
In this scenario, it’s assumed that Fortigate is behind a router/firewall that only allows traffic coming with a source IP address x.x.x.x

Normally, an IPPool can be configured and added to IPv4 policies to SNAT all internal traffic, however, it can’t SNAT local traffic that is specific to the internal workings of FortiOS like DNS, FortiGuard services, FortiManager connection IP, FortiAnalyzer logging, Syslog, alert email, SNMP and authorization requests.

Therefore, a loopback interface is to be created with the IP address x.x.x.x

#Config system interface
    edit "local-interface"
        set vdom "root"
        set ip x.x.x.x 255.255.255.255
        set type loopback
    next
end

Then, it can be added as a source-ip to the local service.

Examples:

FortiGuard system:

#Config sys fortiguard
set source-ip x.x.x.x
end

DNS system:

#config sys dns
set source-ip x.x.x.x
end

8096

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Tip: how to use a source IP for internal workings

You are leaving our website