Local out traffic

Local out, or self-originating, traffic is traffic that originates from the FortiGate going to external servers and services. The traffic can be from Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others.

By default, local out traffic relies on routing table lookups to determine the egress interface that is used to initiate the connection. However, many types of local out traffic support selecting the egress interface based on SD-WAN or manually specified interfaces. When manually specifying the egress interface, the source IP address can also be manually configured.
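To review these choices across a whole device, the following added example (not Fortinet code) reads a configuration backup and reports the egress selection for each local out service. The CLI option names `interface-select-method` (values `auto`, `sdwan`, `specify`), `interface` and `source-ip` do not appear on this page and are used here as assumptions, as are the function names and the sample configuration; only flat `config ... end` blocks and their `edit` entries are handled.

```python
# Constructed sample in FortiOS CLI backup style; not taken from a real device.
SAMPLE = '''\
config system dns
    set primary 192.0.2.53
    set interface-select-method specify
    set interface "mgmt"
end
config log syslogd setting
    set server "198.51.100.10"
end
config user radius
    edit "corp-radius"
        set server "198.51.100.20"
        set interface-select-method sdwan
    next
    edit "lab-radius"
        set server "198.51.100.21"
        set source-ip 10.0.0.2
    next
end
'''

def audit_local_out(config_text):
    """Map each flat config block or table entry to (method, interface, source_ip)."""
    results, section, entry, settings, tabled = {}, None, None, {}, False

    def record():
        name = section if entry is None else f"{section} [{entry}]"
        # Assumption: a key missing from the backup is at its default, "auto".
        results[name] = (settings.get("interface-select-method", "auto"),
                         settings.get("interface"), settings.get("source-ip"))

    for line in config_text.splitlines():
        words = line.split(None, 2) or [""]   # blank lines fall through
        if words[0] == "config":
            section, entry, settings, tabled = " ".join(words[1:]), None, {}, False
        elif words[0] == "edit":
            entry, settings, tabled = words[1].strip('"'), {}, True
        elif words[0] == "set" and len(words) == 3:
            settings[words[1]] = words[2].strip('"')
        elif words[0] == "next":
            record()                          # one result per table entry
        elif words[0] == "end" and not tabled:
            record()                          # one result per single-instance block
    return results

def routed_by_table(results):
    # Services whose egress is left to the routing table lookup (method "auto").
    return sorted(name for name, (method, _, _) in results.items() if method == "auto")
```

Services returned by `routed_by_table` follow the default behaviour described above, so their egress interface changes whenever the routing table does.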

Go to Network > Local Out Routing to configure the available types of local out traffic. Some types of traffic can only be configured in the CLI.


By default, Local Out Routing is not visible in the GUI. Go to System > Feature Visibility to enable it. See Feature visibility for more information.

When VDOMs are enabled, the following entries are available on the local out routing page:

Global view
VDOM view

External Resources
LDAP Servers
Log FortiAnalyzer Override Settings
Log FortiAnalyzer Setting
Log Syslogd Override Settings
Log FortiAnalyzer Cloud Setting
RADIUS Servers
FortiGate Cloud Log Settings
Log Syslogd Setting
System DNS
System FortiGuard
System FortiSandbox

If a service is disabled, it is grayed out. To enable it, select the service and click Enable Service. If a service is enabled, there is a Local Out Setting button in the gutter of that service's edit page to directly configure the local-out settings.


To configure DNS local-out routing:
  1. Go to Network > Local Out Routing and double-click System DNS.
  2. For Outgoing interface, select one of the following: