
Administration Guide

Local out traffic

Local out, or self-originating, traffic is traffic that originates from the FortiGate going to external servers and services. The traffic can be from Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others.

By default, local out traffic relies on routing table lookups to determine the egress interface that is used to initiate the connection. However, many types of local out traffic support selecting the egress interface based on SD-WAN or manually specified interfaces. When manually specifying the egress interface, the source IP address can also be manually configured.

Go to Network > Local Out Routing to configure the available types of local out traffic. Some types of traffic can only be configured in the CLI.

Note

By default Local Out Routing is not visible in the GUI. Go to System > Feature Visibility to enable it. See Feature visibility for more information.

When VDOMs are enabled, the following entries are available on the local out routing page:

Global view

  • External Resources: AWS_IP_Blacklist, AWS_Malware_Hash
  • Log: Log FortiAnalyzer Override Settings, Log Syslogd Override Settings
  • System: System DNS, System FortiGuard, System FortiSandbox

VDOM view

  • LDAP Servers: ldap
  • Log: Log FortiAnalyzer Setting, Log FortiAnalyzer Cloud Setting, FortiGate Cloud Log Settings, Log Syslogd Setting
  • RADIUS Servers: fac_radius_server
  • TACACS+: TACACS

If a service is disabled, it is grayed out. To enable it, select the service and click Enable Service. If a service is enabled, there is a Local Out Setting button in the gutter of that service's edit page to directly configure the local-out settings.

Examples

To configure DNS local-out routing:
  1. Go to Network > Local Out Routing and double-click System DNS.

  2. For Outgoing interface, select one of the following:

    Auto

    Select the outgoing interface automatically based on the routing table.

    SD-WAN

    Select the outgoing interface using the configured SD-WAN interfaces and rules.

    Specify

    Select the outgoing interface from the dropdown.

  3. If Specify is selected, select a setting for Source IP:

    Use Interface IP

    Use the primary IP of the interface, which cannot be changed by the user.

    Manually

    Select an IP from the list, if the selected interface has multiple IPs configured.

  4. Click OK.

To edit local-out settings from a RADIUS server entry:
  1. Go to User & Authentication > RADIUS Servers and double-click an entry to edit it.

  2. Click Local Out Setting.

    The Edit Local Out Setting pane opens.

  3. Configure the settings for Outgoing interface and Source IP.

  4. Click OK.

To edit multiple entries concurrently:
  1. Go to Network > Local Out Routing.

  2. If applicable, select IPv4 or IPv6. IPv4+IPv6 does not support multi-select.

  3. Click Multi-Select Mode. All of the local out settings that can be edited concurrently are shown.

  4. Select the specific entries, or click Select All to select all of the entries.

  5. Click Edit and configure the local out settings as required.

  6. Click OK.

  7. Click Exit Multi-Select Mode to return to the normal view.

Configuring local out routing in the CLI

Some local out routing settings can only be configured using the CLI.

PING

IPv4 and IPv6 pings can be configured to use SD-WAN rules:

execute ping-options use-sdwan {yes | no}
execute ping6-options use-sd-wan {yes | no}

Traceroute

IPv4 traceroute can be configured to use SD-WAN rules:

execute traceroute-options use-sdwan {yes | no}

Central management

Central management traffic can use SD-WAN rules or a specific interface:

config system central-management
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

NTP server

NTP server traffic can use SD-WAN rules or a specific interface:

config system ntp
    config ntpserver
        edit <id>
            set interface-select-method {auto | sdwan | specify}
            set interface <interface>
        next
    end
end

DHCP proxy

DHCP proxy traffic can use SD-WAN rules or a specific interface:

config system settings
    set dhcp-proxy-interface-select-method {auto | sdwan | specify}
    set dhcp-proxy-interface <interface>
end

dhcp-proxy-interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default).
  • sdwan: Set the interface by SD-WAN or policy routing rules.
  • specify: Set the interface manually.

dhcp-proxy-interface <interface>

Specify the outgoing interface. This option is only available, and must be configured, when dhcp-proxy-interface-select-method is specify.

DHCP relay

DHCP relay traffic can use SD-WAN rules or a specific interface:

config system interface
    edit <interface>
        set dhcp-relay-interface-select-method {auto | sdwan | specify}
        set dhcp-relay-interface <interface>
    next
end

dhcp-relay-interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default).
  • sdwan: Set the interface by SD-WAN or policy routing rules.
  • specify: Set the interface manually.

dhcp-relay-interface <interface>

Specify the outgoing interface. This option is only available, and must be configured, when dhcp-relay-interface-select-method is specify.

CA and local certificate renewal with SCEP

Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:

config vpn certificate setting
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

IPS TLS protocol active probing

TLS active probing can use SD-WAN rules or a specific interface:

config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

interface-selection-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default).
  • sdwan: Set the interface by SD-WAN or policy routing rules.
  • specify: Set the interface manually.

interface <interface>

Specify the outgoing interface. This option is only available, and must be configured, when interface-selection-method is specify.

vdom <VDOM>

Specify the VDOM. This option is only available, and must be configured, when interface-selection-method is sdwan or specify.

source-ip <IPv4 address>

Specify the source IPv4 address. This option is only available, and must be configured, when interface-selection-method is sdwan or specify.

source-ip6 <IPv6 address>

Specify the source IPv6 address. This option is only available, and must be configured, when interface-selection-method is sdwan or specify.

Netflow and sflow

Netflow and sflow can use SD-WAN rules or a specific interface:

config system {netflow | sflow | vdom-netflow | vdom-sflow}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

interface-select-method {auto | sdwan | specify}

Select the interface selection method:

  • auto: Set the outgoing interface automatically (default).
  • sdwan: Set the interface by SD-WAN or policy routing rules.
  • specify: Set the interface manually.

interface <interface>

Specify the outgoing interface. This option is only available and must be configured when interface-select-method is specify.

FortiClient EMS

FortiClient EMS endpoint control traffic can use SD-WAN rules or a specific interface:

config endpoint-control fctems
    edit fctems1
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
    next
end

TACACS+

System log entries can be sent to external TACACS+ accounting servers. TACACS+ traffic can use SD-WAN rules or a specific IP address:

config log tacacs+accounting setting
    set interface-select-method {auto | sdwan | specify}
    set source-ip <IP address>
end
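The constraints listed for the CLI settings above (an interface is required only when the method is specify, and tls-active-probe additionally needs a VDOM when the method is sdwan or specify) can be checked offline against a saved configuration. The following is an added example, not Fortinet's code: it parses a FortiOS-style config excerpt (config/edit/set/next/end) and reports entries whose local-out settings disagree with those rules; the sample configuration and the port2 interface name are constructed.

```python
METHOD_KEYS = ("interface-select-method", "interface-selection-method",
               "dhcp-proxy-interface-select-method", "dhcp-relay-interface-select-method")

def parse_fortios(text):
    """Return [(scope path, {key: value})] for every config/edit scope."""
    stack, scopes = [], []
    for raw in text.splitlines():
        cmd, _, rest = raw.strip().partition(" ")
        if cmd in ("config", "edit"):            # open a nested scope
            stack.append((rest, {}))
            scopes.append((" / ".join(n for n, _ in stack), stack[-1][1]))
        elif cmd == "set":                       # setting in the current scope
            key, _, val = rest.partition(" ")
            stack[-1][1][key] = val
        elif cmd in ("next", "end"):             # close the innermost scope
            stack.pop()
    return scopes

def audit_local_out(text):
    """Flag entries whose selection method and interface/vdom settings disagree."""
    findings = []
    for path, s in parse_fortios(text):
        method_key = next((k for k in METHOD_KEYS if k in s), None)
        if method_key is None:
            continue
        method = s[method_key]
        # '...-select(ion)-method' maps to the matching interface key, e.g. 'dhcp-proxy-interface'
        iface_key = method_key.replace("-selection-method", "").replace("-select-method", "")
        if method == "specify" and not s.get(iface_key):
            findings.append(f"{path}: specify requires {iface_key}")
        elif method != "specify" and s.get(iface_key):
            findings.append(f"{path}: {iface_key} is ignored unless method is specify")
        if "tls-active-probe" in path and method != "auto" and not s.get("vdom"):
            findings.append(f"{path}: vdom required when method is {method}")
    return findings

# Constructed sample config; 'port2' is a placeholder interface name.
SAMPLE = """\
config system sflow
    set interface-select-method sdwan
    set interface port2
end
config ips global
    config tls-active-probe
        set interface-selection-method specify
    end
end
"""
```

Running audit_local_out on a full `show` output lists every local-out entry that is either misconfigured or silently falling back to the routing table, which is worth checking for logging, authentication and management traffic that is meant to leave a dedicated management interface.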
