Hi all,
I am configuring a 40F for a small branch site, using a VPN to the main core site. The VPN is up and running, but I am having problems with access to the core FortiManager and out to FortiGuard.
The FW is on a private address behind an ISP router.
The problem is that the FW is using the 192.168 IP from the inside of the ISP's router as the source for the FW originating traffic.
Is there a way to set the source to a routable address?
Hi,
You can define source IP for FortiManager and FortiGuard settings in FortiGate Firewall as below.
config system central-management
set type fortimanager
set fmg "FMG-IPADDRESS"
set fmg-source-ip X.X.X.X
end
config system fortiguard
set source-ip X.X.X.X
end
Hope this is what you are looking for.
Best Regards,
Created on 07-27-2023 01:07 PM Edited on 07-27-2023 01:26 PM
Thanks for that
Is there a way to source commands from the CLI?
I think FortiManager is sorted, but FortiGuard is not. Since FortiGuard needs to route out to the internet, there may well be a missing rule in the core somewhere, but it is all looking good now (apart from CLI pinging / traceroute etc.).
I found details of a very useful command, which may help others in the future
get system source-ip status
Hi @championc1 ,
If you want to ping/traceroute from CLI and specify a source IP/interface use below options.
For ping
# execute ping-options source <IP-of Source-Interface>
# execute ping <DST-IP>
For traceroute
# execute traceroute-options source <IP-of Source-Interface>
# execute traceroute <DST-IP>
BTW, thank you for sharing the get command.
Best Regards,
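Pulling the two replies above together, here is an added example (not posted by anyone in this thread) of the whole branch-side procedure: give the FortiGate one stable, routable source address on a loopback, point FortiManager, FortiGuard and the other self-originated services at it, then verify with the same commands the replies mention. The loopback name "lo-mgmt", the address 10.255.0.1/32 and the FortiManager address 10.10.0.5 are assumptions for illustration; substitute your own.

```fortios
# Added example, not from the original thread. Assumes a loopback "lo-mgmt"
# with 10.255.0.1/32 (hypothetical), a FortiManager at 10.10.0.5 (hypothetical),
# and a branch-to-core IPsec tunnel whose phase2 selectors already include
# 10.255.0.1/32 (or 0.0.0.0/0).

# 1. A loopback gives a source address that does not depend on the ISP-facing
#    interface, so it stays usable no matter which WAN address is in play.
config system interface
    edit "lo-mgmt"
        set vdom "root"
        set type loopback
        set ip 10.255.0.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. FortiManager: note the keyword is fmg-source-ip here, not source-ip.
config system central-management
    set type fortimanager
    set fmg "10.10.0.5"
    set fmg-source-ip 10.255.0.1
end

# 3. FortiGuard (update, rating and query traffic).
config system fortiguard
    set source-ip 10.255.0.1
end

# 4. Other self-originated services that would otherwise use the egress
#    interface address (the private 192.168.x.x behind the ISP router).
config system dns
    set source-ip 10.255.0.1
end
config system ntp
    set source-ip 10.255.0.1
end
config log syslogd setting
    set source-ip 10.255.0.1
end

# 5. Verify: lists each service that supports a source IP and the address it
#    will use; an empty entry means that service still uses the egress address.
get system source-ip status

# 6. Test from the same source the services will use, so a missing return
#    route or policy at the core shows up now rather than in the FortiGuard logs.
execute ping-options source 10.255.0.1
execute ping 10.10.0.5
execute traceroute-options source 10.255.0.1
execute traceroute 10.10.0.5
```

Setting the source address only changes what the branch puts in the packets; the core still has to know the way back. The hub needs a route for 10.255.0.1/32 pointing into the tunnel (and phase2 selectors on both ends that cover it), a policy allowing that address in from the tunnel interface, and, for FortiGuard, a tunnel-to-WAN policy with NAT enabled so the loopback address is translated before it leaves the core for the internet. If ping from the loopback source reaches the FortiManager but FortiGuard still fails, that hub-side internet policy is the first thing to check.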
Yes, you can set the source IP address for the FortiGate's outgoing traffic to a routable address. To do this, you will need to configure Source NAT (SNAT) on the FortiGate. SNAT allows you to change the source IP address of packets leaving the FortiGate to a specific IP address or IP range.
Copyright 2024 Fortinet, Inc. All Rights Reserved.