FortiGate
Lovepreet_Dhillon
Article Id 338142
Description This article describes the solution for a known issue related to FortiGate GUI showing the wrong WAN IP.
Scope FortiOS 6.4.x, 7.0.x.
Solution

On firmware 6.4.x, 7.0.x, and 7.2.x to 7.2.4, the FortiGate GUI may show a public IP that is not the one provided by the ISP.

This issue gets triggered when FortiGuard settings are configured as follows:

config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source aws      <---
end

When fortiguard-anycast is enabled and fortiguard-anycast-source is set to aws, the IP shown in the GUI may be wrong: the address displayed belongs to AWS.

This is a GUI issue.

To confirm the actual IP used by FortiGate, run the following CLI command:

diagnose sys waninfo ipify   ------------> Verify the WAN IP from the CLI and match it with the expected IP from the ISP.

Debugs:

diagnose debug application update -1
diagnose debug enable
execute update-now

Sample output of the debugs when fortiguard-anycast-source is AWS:

get_fcpr_response[298]-Unpacked obj: Protocol=3.2|Response=300|Firmware=FPT033-FW-ddddSerialNumber=FPT-FGdddd01|Server=FDSG|Persistent=false|PEER_IP=Y.Y.Y.Y   <===== Y.Y.Y.Y does not match the ISP-provided IP and belongs to Amazon.com.

diagnose internet-service match root Y.Y.Y.Y 255.255.255.255   <------ Check which service IP Y.Y.Y.Y matches (in this scenario, Amazon).

Solution:

Upgrade to 7.2.5 or higher, or switch fortiguard-anycast-source from aws to fortinet.

config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet  <--------------------
end

Sample output of the debugs when fortiguard-anycast-source is Fortinet:

get_fcpr_response[298]-Unpacked obj:Protocol=3.0|Response=202|Firmware=FPdddddd9|SerialNumber=FPTFddddd2|Server=FDSG|Persistent=false|PEER_IP=x.x.x.x
get_fcpr_response[338]-Wan ip=[X.X.X.X] X.X.X.X   <-------- FortiGate actual public IP.

diagnose sys waninfo ipify   ------------> Verify that X.X.X.X matches the WAN IP reported by the CLI.
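
When many units need checking, the comparison above can be scripted against saved debug output. The following Python is an added example, not part of the original article or any Fortinet tooling: it parses get_fcpr_response lines in the format shown above and lists any PEER_IP or Wan ip value that differs from the ISP-assigned address. The function names are hypothetical, and the sample lines use constructed documentation-range addresses and placeholder firmware/serial values.

```python
import ipaddress
import re

# Field layout taken from the get_fcpr_response debug lines shown in the article.
OBJ_RE = re.compile(r"get_fcpr_response\[\d+\]-Unpacked obj:\s*(\S+)")
WAN_RE = re.compile(r"get_fcpr_response\[\d+\]-Wan ip=\[([^\]]+)\]")

def parse_fcpr(line):
    """Return the key=value fields of an 'Unpacked obj' line, or {} if absent."""
    m = OBJ_RE.search(line)
    if not m:
        return {}
    pairs = (part.partition("=") for part in m.group(1).split("|"))
    return {key: value for key, sep, value in pairs if sep}

def reported_ips(debug_text):
    """Yield (source, address) pairs the update daemon reports for this unit."""
    for line in debug_text.splitlines():
        peer = parse_fcpr(line).get("PEER_IP")
        if peer:
            yield "PEER_IP", peer
        m = WAN_RE.search(line)
        if m:
            yield "Wan ip", m.group(1)

def mismatches(debug_text, expected_ip):
    """List reported addresses that are invalid or differ from the ISP address."""
    expected = ipaddress.ip_address(expected_ip)
    bad = []
    for source, raw in reported_ips(debug_text):
        try:
            if ipaddress.ip_address(raw) != expected:
                bad.append((source, raw, "differs"))
        except ValueError:
            bad.append((source, raw, "unparseable"))
    return bad

# Constructed samples: documentation-range addresses, placeholder firmware/serial.
AWS_SAMPLE = ("get_fcpr_response[298]-Unpacked obj: Protocol=3.2|Response=300|"
              "Firmware=FW-PLACEHOLDER|SerialNumber=SN-PLACEHOLDER|Server=FDSG|"
              "Persistent=false|PEER_IP=198.51.100.77\n")
FORTINET_SAMPLE = ("get_fcpr_response[298]-Unpacked obj:Protocol=3.0|Response=202|"
                   "Firmware=FW-PLACEHOLDER|SerialNumber=SN-PLACEHOLDER|Server=FDSG|"
                   "Persistent=false|PEER_IP=203.0.113.10\n"
                   "get_fcpr_response[338]-Wan ip=[203.0.113.10] 203.0.113.10\n")

if __name__ == "__main__":
    print(mismatches(AWS_SAMPLE, "203.0.113.10"))
    print(mismatches(FORTINET_SAMPLE, "203.0.113.10"))
```

Masked values such as Y.Y.Y.Y are reported as unparseable rather than silently skipped, so redacted captures are not mistaken for a clean result.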