Created on 11-29-2023 10:08 PM Edited on 11-30-2023 07:48 AM By Stephen_G
Description
For some services, the source IP address or interface can be specified for local-out traffic. This article describes a case where the interface cannot be specified in the configuration through the CLI.
Scope: FortiGate.
Solution
When a Kubernetes Connector (External Connectors) is configured, the traffic is generated from the FortiGate's outgoing interface as selected by the routing table, as shown below:
config system sdn-connector
    edit "Server"
        set type kubernetes
        set verify-certificate disable
        set server "100.69.100.69"
        set server-port 6443
        set secret-token ENC_ANtoikSTV+V7yLbfBlrVOSrh9gc=
    next
end
Routing table:

get router info routing-table all

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.8.14.252, port2, [1/0]
C       10.8.0.0/20 is directly connected, port2
C       172.16.16.0/24 is directly connected, port1
C       192.168.101.0/24 is directly connected, port3
A VIP is configured to send the traffic to the internal server, as seen in the sniffer output below:
Note: VIP behavior varies based on the firmware. Refer to Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4 for more information.
diagnose sniffer packet any ' port 6443' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 6443]
2023-11-29 16:14:27.215451 port2 out 10.8.11.17.10732 -> 172.16.16.16.6443: syn 2452169806
2023-11-29 16:14:35.003888 port2 out 10.8.11.17.10738 -> 172.16.16.16.6443: syn 3742461600
….
As a result, the status of the Connector will be down. There is no option through the CLI to specify source-IP address or interface.
(Server) # set
*status              <- Enable/disable connection to the remote SDN connector.
*type                <- Type of SDN connector.
*verify-certificate  <- Enable/disable server certificate verification.
*server              <- Server address of the remote SDN connector.
server-port          <- Port number of the remote SDN connector.
*secret-token        <- Secret token of Kubernetes service account.
update-interval      <- Dynamic object update interval (30 - 3600 sec, default = 60, 0 = disabled).
By default, local-out traffic relies on a routing table lookup to determine the egress interface used to initiate the connection. For example, if the DNS server configured on the firewall is reachable through the port3 interface, the DNS query is sourced from the IP address of port3.
To make it work, a static route for the connector's server address can be configured so that FortiGate initiates the traffic through the port1 interface, since 172.16.16.16 is only reachable when the traffic goes out through port1. The routing table then looks as follows:
get router info routing-table all

S*      0.0.0.0/0 [10/0] via 10.8.14.252, port2, [1/0]
C       10.8.0.0/20 is directly connected, port2
S       100.69.100.69/32 [10/0] via 172.16.16.16, port1, [1/0]
C       172.16.16.0/24 is directly connected, port1
C       192.168.101.0/24 is directly connected, port3

diagnose sniffer packet any ' port 6443' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 6443]
2023-11-29 16:25:47.216421 port1 out 172.16.16.17.10742 -> 172.16.16.16.6443: syn 2462179886
2023-11-29 16:25:55.023988 port1 out 172.16.16.17.10748 -> 172.16.16.16.6443: syn 3242461802
….
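The following is an added example (not Fortinet's code) that reproduces the routing-table lookup local-out traffic performs: it parses the two `get router info routing-table all` outputs above (embedded as constructed copies) and resolves the egress interface for the connector's server address by longest-prefix match, showing why port2 is chosen before the /32 static route exists and port1 after. The `egress_interface` and `lookup` function names are the example's own.

```python
import ipaddress
import re

# Constructed copies of the two routing tables shown in this article,
# before and after the 100.69.100.69/32 static route is added.
BEFORE = """\
S*      0.0.0.0/0 [10/0] via 10.8.14.252, port2, [1/0]
C       10.8.0.0/20 is directly connected, port2
C       172.16.16.0/24 is directly connected, port1
C       192.168.101.0/24 is directly connected, port3
"""
AFTER = BEFORE + "S       100.69.100.69/32 [10/0] via 172.16.16.16, port1, [1/0]\n"

# One FortiOS route line: either "[dist/metric] via <gw>, <dev>" or "is directly connected, <dev>"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)\s+"
    r"(?:\[(?P<dist>\d+)/\d+\]\s+via\s+(?P<gw>[\d.]+),\s+(?P<dev>\w+)"
    r"|is directly connected,\s+(?P<cdev>\w+))"
)


def parse_routes(text):
    """Return a list of route dicts parsed from routing-table output; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "prefix": ipaddress.ip_network(m["prefix"]),
            "distance": int(m["dist"]) if m["dist"] else 0,  # connected routes have distance 0
            "gateway": m["gw"],
            "device": m["dev"] or m["cdev"],
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; ties broken by the lower administrative distance."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r["prefix"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["prefix"].prefixlen, -r["distance"]))


def egress_interface(table_text, dst):
    """Interface the FortiGate would use to initiate local-out traffic to dst, or None if unroutable."""
    route = lookup(parse_routes(table_text), dst)
    return route["device"] if route else None
```

Running `egress_interface(BEFORE, "100.69.100.69")` returns `port2` (default route), while the same lookup against `AFTER` returns `port1`, matching the interface change seen in the two sniffer captures.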
Related article: