FortiGate
mhemambika
Staff
Article Id 342999
Description: This article explains why a FortiGate cannot connect to the FortiGuard servers when the FortiGuard source IP is set to the private IP of a loopback interface and a central SNAT rule is relied on to translate that address to a public IP.
Scope: FortiGate.
 

Diagram: central SNAT.png


In topologies like the one above, where the administrator does not want to use a public IP directly as the source IP for reaching the FortiGuard servers, the FortiGuard source IP is set to a private loopback address and a central SNAT rule is created to translate that private IP to the selected public IP address (151.253.140.156).

 

The source IP is set to the private loopback address (10.110.5.251) under the FortiGuard server configuration (config system fortiguard, set source-ip).
In this case FortiGuard connectivity fails with 10.110.5.251 as the source IP. The reason is that this private source IP is not allowed, or not routable, from the upstream.

 

If the upstream device (for example the ISP router) has no route back to this private source IP, the connection cannot succeed: the FortiGuard servers' replies are addressed to 10.110.5.251 and never make it back to the FortiGate.

 

Central SNAT is configured for the traffic between the loopback interface and port 10.

However, central SNAT rules (and, when central NAT is disabled, the NAT option on a firewall policy) apply only to forwarded traffic, never to traffic originated by the FortiGate itself. FortiGuard queries are self-originated (local-out) traffic, so they leave port 10 with 10.110.5.251 as their source and are not translated to the port 10 public IP address.

 

Therefore, the source IP configured under the FortiGuard setting must be an address that the upstream accepts and can route back to, typically the public IP of the outgoing interface, or the default value of 0.0.0.0, which lets the FortiGate use the outgoing interface address.
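The following FortiOS CLI is an added example, not configuration taken from the article or from Fortinet; it places the failing setup beside the working one and lists the checks used to confirm the behaviour. The interface names port10 and loopback, the address-object and IP-pool names, and the exact central-snat-map fields are assumptions for illustration and may differ by FortiOS version; 10.110.5.251 and 151.253.140.156 are the article's example addresses, and 151.253.140.156 is assumed to be configured on port10 (the FortiGuard source IP must belong to a local interface).

```fortios
# --- Failing setup (article topology; object names are assumed) ---
# FortiGuard source IP set to the loopback's private address.
config system fortiguard
    set source-ip 10.110.5.251
end

# Central SNAT rule meant to translate the loopback IP to the public IP.
# It matches forwarded traffic only, so self-originated FortiGuard
# queries are never translated by it.
config firewall central-snat-map
    edit 1
        set srcintf "loopback"
        set dstintf "port10"
        set orig-addr "loopback-host"     # address object for 10.110.5.251 (assumed name)
        set dst-addr "all"
        set nat enable
        set nat-ippool "public-pool"      # IP pool holding 151.253.140.156 (assumed name)
    next
end

# --- Checks ---
# 1. Reachability from the loopback source: no reply comes back if the
#    upstream cannot route 10.110.5.251.
execute ping-options source 10.110.5.251
execute ping update.fortiguard.net

# 2. The same test from the public address succeeds when the upstream
#    routes it.
execute ping-options source 151.253.140.156
execute ping update.fortiguard.net

# 3. Confirm on the wire that FortiGuard queries leave port10 untranslated:
#    packets with source 10.110.5.251 appear despite the SNAT rule.
diagnose sniffer packet port10 'host 10.110.5.251' 4

# 4. FortiGuard server status and the source address in use.
diagnose debug rating

# --- Working setup ---
# Use an address the upstream accepts: the port10 public IP, or the
# default 0.0.0.0 so the FortiGate uses the outgoing interface address.
config system fortiguard
    set source-ip 151.253.140.156
end
```

The two ping tests are the quickest way to separate the two failure causes: if the ping from 151.253.140.156 succeeds while the one from 10.110.5.251 gets no reply, the upstream has no return route for the private address, and no SNAT rule on the FortiGate will change that for local-out traffic.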
