Tim_Cooper
New Contributor

How to manually specify IP used for traffic generated by the firewall itself?

Can someone confirm how one might manually specify the IP used for traffic a Fortigate unit generates itself, such as retrieving AV updates etc. etc? It would appear it is choosing the IP based upon the subnet of the default route, in this case this is a secondary IP on the WAN interface which is a private address. I want to force this to use the Public IP address of the device as the source of the traffic if possible? Thanks in advance for any responses.
5 REPLIES
rwpatterson
Valued Contributor III

Welcome to the forums. Why would you place a private address on the WAN interface as a secondary?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

UkWizard
New Contributor

It should use the IP of the interface that is connected to the default gateway. So unless you have a private IP located default gateway, this doesn't make sense. And if you do have a private IP as the default gateway, then it must be performing NAT anyway, so this isn't an issue (except for push updates). Logically, how could it NOT use the IP that is connected to the default gateway? It would not be possible, would it.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
rwpatterson
Valued Contributor III

ORIGINAL: UkWizard it should use the IP of the interface that is connected to the default gateway.
This would be the outside address. If you're connected to the Internet, go to any IP address checking site, and that IP will be what the FGT uses (only if you have no IP pools set up).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Tim_Cooper
New Contributor

The default gateway has a public IP from a different subnet but is not performing NAT. It simply has a route for the Public IP range on the firewall via another interface, which in this instance is using private addressing. The Fortigate unit has replaced another firewall which had failed and we are still in the process of correcting a lot of the previous configuration issues. Unfortunately no public IPs are currently free in the public subnet that the firewall is using. What we are looking to do is allow the Fortigate to retrieve updates until the re-numbering of the WAN subnet is complete, which will still take some time. It does not look like this is going to be possible, however, if there is no way to specify the source IP on the firewall. We know the current configuration is not ideal but we want to avoid having to rush the re-numbering just to get this working.
UkWizard
New Contributor

Tim, Sorry, it's probably me, but I still don't follow how you have this set up. Would you mind posting some info in more detail?
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.