FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff
Article Id 192607

Description
This article describes some scenario where a loopback interface can be used.

The advantage of a interface it that this logical interface is always up (no physical link dependency) and the attached subnets always present in the routing table.
It allows connections to the FortiGate's loopback IP address without depending on one specific external port, and it is therefore possible to access it through several physical or VLAN interfaces (redundancy).
Multiple loopback interfaces can be configured in either non-VDOM mode or in each VDOM.

 

Note that using loopback interfaces requires the configuration of appropriate firewall policies to allow traffic to and from this (those) interface(s)

 

Some scenario where a loopback interface can be used:

  • Management access
  • BGP (TCP) peering
  • PIM RP
  • Good practice for OSPF : setting the OSPF router ID the same as loopback IP address makes it easier for troubleshooting OSPF and remember the management IP addresses (i.e. telnet to "router ID")

Note 1 : Dynamic routing protocols can be enabled on loopback interfaces
Note 2 : For blackhole static route, use the blackhole route type instead of the loopback interface.


Scope


Solution

 

 

Configuration example :

 

config system interface

 

 

    edit "loopback"

 

 

        set vdom "root"

 

 

        set ip 10.0.0.2 255.255.255.255

 

 

        set allowaccess ping

 

 

        set type loopback

 

 

    next

 

 

end

 

BGP peering and Management access scenario :

rmetzger_FD31045_loopback.JPG

The loopback interface is seen from the routing table as connected interface :

FGT1 # get router info routing-table all

 

 

 

 

[......]

 

C       10.0.0.2/32 is directly connected, loopback
[......]

 



  • FGT2 and FGT1 can establish an iBGP peering to their respective loopback interface via Port4 or Port5 (routing and firewall policies must permit).
  • The Management station has only single IP addresses for FGT1 and FGT2, that can be accessed from any interface, and routed by RTR2 (routing and firewall policies must permit).


See more details about BGP peering with a loopback interface in the related article at the end of this page  : "Technical Note: Configuring BGP on a FortiGate with single-homed eBGP peering, iBGP peering, access-list and OSPF"

Related Articles

Technical Note: Configuring BGP on a FortiGate with single-homed eBGP peering, iBGP peering, access-...

Technical Tip : How to control/change the FortiGate source IP for self-originating traffic : SNMP , ...

Contributors