championc1

NATing a DMZ Wan address on a Fortigate 40F - Help needed

Hi all,

I am configuring a 40F for a small branch site, using a VPN to the main core site. The VPN is up and running, but I am having problems with access to the core FortiManager and out to FortiGuard.

The FW is on a private address behind an ISP router.

The problem is that the FW is using the 192.168 IP from the inside of the ISP's router as the source for the FW originating traffic.

Is there a way to set the source to a routable address?

Cormac Champion
saneeshpv_FTNT

Hi,

You can define the source IP for the FortiManager and FortiGuard settings on the FortiGate firewall as below.

config system central-management
    set type fortimanager
    set fmg "FMG-IPADDRESS"
    set fmg-source-ip X.X.X.X
end

config system fortiguard
    set source-ip X.X.X.X
end

Hope this is what you are looking for.

Best Regards,

championc1

Thanks for that.

Is there a way to source commands from the CLI?

I think FortiManager is sorted, but FortiGuard is not, but since FortiGuard needs to route out to the internet, there may well be a missing rule in the core somewhere, but all looking good now (apart from CLI pinging / traceroute etc.)

I found details of a very useful command, which may help others in the future:

get system source-ip status

Cormac Champion
saneeshpv_FTNT

Hi @championc1,

If you want to ping/traceroute from the CLI and specify a source IP/interface, use the options below.

For ping

# execute ping-options source <IP-of Source-Interface>

# execute ping <DST-IP>

For traceroute

# execute traceroute-options source <IP-of Source-Interface>

# execute traceroute <DST-IP>

BTW, thank you for sharing the get command.

Best Regards,

Beausilas

Yes, you can set the source IP address for the FortiGate's outgoing traffic to a routable address. To do this, you will need to configure Source NAT (SNAT) on the FortiGate. SNAT allows you to change the source IP address of packets leaving the FortiGate to a specific IP address or IP range.
