Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- How to set the interface for the FortiGate to use...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set the interface for the FortiGate to use as ' internal' ?
I deployed one FortiGate 60C using VLAN interfaces (a domain VLAN and a guest VLAN). Everything works fine between clients and servers across the VPNs, however, I just recently realized that the FortiGate itself cannot reach clients and servers across the VPNs. This means the FortiGate can' t reach FSSO across the VPN, or a mail server. The other FortiGate' s at the same company don' t use VLANs and have no such troubles,
How do I make the FortiGate aware of what interface to use by default for " internal" functions? Right now even ping fails from the FortiGate.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bump. Anyone?
To restate the issue another way:
With my IPSec interface-based site-to-site VPNs
- where the ' internal' interface is my Windows domain network, ping/email/etc from the FortiGate to anything at the other sites works fine. This behaviour is as expected and needed.
- where the ' internal' interface is not used itself, and instead has a VLAN sub-interface for the Windows domain network exists for routing inside the local site, while the clients and servers at that site can ping/email/file share/etc to anything at the other sites, the FortiGate itself cannot. This behaviour not as expected and needed.
Yet another way:
If I specify the mail server is 10.99.99.10, which is at another site, the FortiGate knows where that is from the static routes for that interface-based VPN, however, it tries to reach it using ' internal' , but the FortiGate itself doesn' t even have an IP on that interface to send from, so it can' t reach the mail server. How do I make the FortiGate aware of what interface it should use by default for these core functions?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A snapshot of your routing-table ( get router info ) would be better in your description but if I' m hearing you correctly........
The fortigate does route out that way , nor use the interface " internal" in the destination routing decision making. So you would have 2 options the 1st one is challenging;
1: Tell the fortigate to use interface X and ip_address blah blah
2: maybe and only a some way with NAT tricks and dst/port of the far end , you could tell it to map into a address with traffic to the remote subnet and for it to use the tunnel
or
3( this just cam up after I was thinking of #2 )
have you looked at maybe a VIP or ippool creation?
Now I never had to deal with these issues and these ideal/suggestion are just that ideals & suggestions
Also what services at the remote-subnet does the fortigate need to access? Maybe you have an alternative method to get the same outcome.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The command ' get router info' doesn' t return anything. I checked on the device having the routing problem and on my head office box, both are the same.
CHN_FGT60C~ # get router info CAN_FGT60C~ # get router infoI have attached a screen snip showing the static route for the VPN. Ping from head office (CAN) to remote office (CHN):
CAN_FGT60C~ # exec ping 10.20.x.1 PING 10.20.x.1 (10.20.x.1): 56 data bytes 64 bytes from 10.20.x.1: icmp_seq=0 ttl=255 time=210.9 ms 64 bytes from 10.20.x.1: icmp_seq=1 ttl=255 time=210.0 ms 64 bytes from 10.20.x.1: icmp_seq=2 ttl=255 time=210.1 ms 64 bytes from 10.20.x.1: icmp_seq=3 ttl=255 time=212.2 ms 64 bytes from 10.20.x.1: icmp_seq=4 ttl=255 time=210.0 ms --- 10.20.x.1 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 210.0/210.6/212.2 msPing from remote office (CHN) to head office (CAN):
CHN_FGT60C~ # exec ping 10.51.x.1 PING 10.51.x.1 (10.51.x.1): 56 data bytes --- 10.51.x.1 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet lossWhy the different behaviour?! From a client at CHN I can ping the head office FortiGate just fine:
C:\Users\X>ping 10.51.x.1
Pinging 10.51.x.1 with 32 bytes of data:
Reply from 10.51.x.1: bytes=32 time=210ms TTL=254
Reply from 10.51.x.1: bytes=32 time=216ms TTL=254
Reply from 10.51.x.1: bytes=32 time=210ms TTL=254
Reply from 10.51.x.1: bytes=32 time=210ms TTL=254
Ping statistics for 10.51.x.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 210ms, Maximum = 216ms, Average = 211ms
There is no NAT involved here. No NAT traversal on the IPSec VPNs even; they are dedicated static IPs at each end point.
I need two services to work from the FortiGate itself to head office servers: SMTP and FSSO. It would be nice for ping to work too for periodic performance measurement (e.g., latency) and troubleshooting. And beyond that I would really like it to work the same as my other FortiGates. I don' t want it to be complicated; the main reason I introduced VLANs was so that I could eliminate the separate interfaces for wireless access.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another piece of information: I do not experience this issue with a FortiGate on a VLAN reaching devices on the same VLAN in the same site. So I can ping the switch, clients, servers at the same site without issue, and also access local SMTP.
Since my routing table is correct - the clients couldn' t access anything if it wasn' t, this is why I summarize the problem as the FortiGate not knowing which of it' s IP addresses to use to access an IP address at the other site.
And to prove my routing table is functional, if I force the source address I can ping across the VPN:
CHN_FGT60C~ # execute ping-options source 10.20.x.1 CHN_FGT60C~ # execute ping 10.51.x.1 PING 10.51.x.1 (10.51.x.1): 56 data bytes 64 bytes from 10.51.x.1: icmp_seq=0 ttl=255 time=210.6 ms 64 bytes from 10.51.x.1: icmp_seq=1 ttl=255 time=210.3 ms 64 bytes from 10.51.x.1: icmp_seq=2 ttl=255 time=210.1 ms 64 bytes from 10.51.x.1: icmp_seq=3 ttl=255 time=210.3 ms 64 bytes from 10.51.x.1: icmp_seq=4 ttl=255 time=215.2 ms --- 10.51.x.1 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 210.1/211.3/215.2 ms
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Couldn' t you just define an IP address on the VLAN (on the FGT in question)?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' ve opened a ticket with support to help me get this figured out. I will post the resolution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
veechee wrote:Hi everyone and sorry to bump up this old post, I have exactly the same problem with FortiGate 200D and the last FortiOS version available: v5.6.3 build1547 (GA).
I' ve opened a ticket with support to help me get this figured out. I will post the resolution.
Is there any way to set the source IP of the FG as the "internal" interface only for ICMP requests?
I've searched around but didn't find anything related.
Thanks in advance!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Support solved my issue for SMTP:
" Technical Tip : How to control/change the FortiGate source IP for self-originating traffic : SNMP , ..."
Unfortunately I cannot achieve the same thing for FSSO unless I upgrade to FOS 5.0 or start using multiple phase 2' s for my IPSec VPNs, so I will live without that for now.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,806 -
FortiClient
1,787 -
5.2
801 -
FortiManager
745 -
5.4
639 -
FortiAnalyzer
566 -
FortiSwitch
481 -
FortiAP
476 -
FortiClient EMS
439 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
256 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
217 -
FortiWeb
211 -
5.0
196 -
FortiNAC
195 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
110 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
DNS
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
37 -
RADIUS
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
32 -
VDOM
32 -
FortiConnect
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
23 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1744 | |
| 1114 | |
| 760 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.