hgl-it
New Contributor

FortiGate unable to reach FortiGuard when using VPN

Hello,

We are new to Fortinet products, having just purchased a FortiGate (FG-60F) and are setting it up as a VPN site router/firewall to connect back to our headquarters.

We have created the VPN tunnel etc. (mostly via the wizard), which sends all traffic from 0.0.0.0/0 to 0.0.0.0/0 down the tunnel. This works as expected, as we wanted all traffic, including internet, to hit our headquarters.

The problem is that the FortiGate itself is unable to access any FortiGuard services. We assume this is because its own internet requests are being sent down the tunnel.

We have tried to split-tunnel the VPN using policy routing, but to no avail. The biggest issue we seem to have is that we are unable to specify the FortiGate itself as a source to exclude from the VPN rules.

Can anyone with more experience point us in the right direction? How can we send ALL traffic down the tunnel EXCEPT the FortiGate's own update/maintenance requests?

Thank you

1 Solution
aionescu
Staff

Hi @hgl-it,

Welcome to the community.

FortiGuard, among other traffic, is considered self-originating traffic.

Under the FortiGuard settings there are a few options that allow the control of this traffic.

For example:

config system fortiguard
    set source-ip {ipv4-address}
    set interface-select-method [auto|sdwan|...]
    set interface {string}
end

More information about self-originating traffic can be found at:

Administration Guide | FortiGate / FortiOS 7.2.0 | Fortinet Documentation Library

More information about the FortiGuard configuration can be found at:

CLI Reference | FortiGate / FortiOS 6.2.4 | Fortinet Documentation Library

Please let us know if this helped you fix the issue.
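The following is an added, worked version of the configuration the answer above points at; it is not code from the original thread or from Fortinet's documentation. It assumes the spoke's Internet-facing port is "wan1" with the address 203.0.113.10 (documentation range), that the default route points into the IPsec tunnel, and a FortiOS 7.x release in which the same local-out options exist under config system dns (assumed here).

```fortios
# Added example (not from the thread). Assumptions: Internet-facing port is
# "wan1" with address 203.0.113.10, the spoke's 0.0.0.0/0 route points into
# the IPsec tunnel, FortiOS 7.x.

# 1. FortiGuard: pin the FortiGate's own update/rating traffic to wan1 so the
#    egress lookup ignores the default route that sends everything else down
#    the tunnel. Without this, the unit's own requests follow the tunnel and
#    depend on the hub to forward them.
config system fortiguard
    set source-ip 203.0.113.10
    set interface-select-method specify
    set interface "wan1"
end

# 2. DNS: the FortiGuard servers are reached by name, so the unit's own DNS
#    queries must leave by the same path (assumed to use the same local-out
#    options in this release).
config system dns
    set interface-select-method specify
    set interface "wan1"
end

# 3. Verify: capture on wan1 while forcing an update. Packets to the
#    FortiGuard servers should now appear on wan1, not on the tunnel
#    interface, and the update daemon log should show a completed connection
#    rather than a timeout.
diagnose sniffer packet wan1 'tcp port 443' 4 20
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose debug disable
```

Two points to keep in mind. If wan1 gets its address by DHCP, leave out set source-ip (a hard-coded address stops working when the lease changes) and rely on interface-select-method specify alone, which makes FortiOS pick the interface's current address. Also, this deliberately lets the FortiGate's own FortiGuard and DNS traffic bypass headquarters; user traffic is unaffected, but that egress is no longer inspected by the hub, so keep the exception limited to the system services that need it.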


hgl-it
New Contributor

Thank you so much for this information. Hopefully it's the piece of the puzzle we're missing.

I will go and experiment now :)

hgl-it
New Contributor

I can confirm that this worked like a charm.

We had to enable the feature 'Local Out Routing', then the option was configurable via the GUI.
