Local out traffic
Local out, or self-originating, traffic is traffic that originates from the FortiGate going to external servers and services. The traffic can be from Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others.
By default, local out traffic relies on routing table lookups to determine the egress interface that is used to initiate the connection. However, many types of local out traffic support selecting the egress interface based on SD-WAN or manually specified interfaces. When manually specifying the egress interface, the source IP address can also be manually configured.
Go to Network > Local Out Routing to configure the available types of local out traffic. Some types of traffic can only be configured in the CLI.
By default Local Out Routing is not visible in the GUI. Go to System > Feature Visibility to enable it. See Feature visibility for more information. |
When VDOMs are enabled, the following entries are available on the local out routing page:
Global view |
VDOM view |
|||
---|---|---|---|---|
External Resources |
LDAP Servers |
|||
AWS_IP_Blacklist |
ldap |
|||
|
AWS_Malware_Hash |
Log |
||
Log |
|
Log FortiAnalyzer Override Settings |
||
Log FortiAnalyzer Setting |
|
Log Syslogd Override Settings |
||
|
Log FortiAnalyzer Cloud Setting |
RADIUS Servers |
||
|
FortiGate Cloud Log Settings |
fac_radius_server |
||
|
Log Syslogd Setting |
TACACS+ |
||
System |
|
TACACS |
||
System DNS |
|
|
||
|
System FortiGuard |
|
|
|
|
System FortiSandbox |
|
|
If a service is disabled, it is grayed out. To enable it, select the service and click Enable Service. If a service is enabled, there is a Local Out Setting button in the gutter of that service's edit page to directly configure the local-out settings.
Examples
To configure DNS local-out routing:
-
Go to Network > Local Out Routing and double-click System DNS.
-
For Outgoing interface, select one of the following:
Auto
Select the outgoing interface automatically based on the routing table.
SD-WAN
Select the outgoing interface using the configured SD-WAN interfaces and rules.
Specify
Select the outgoing interface from the dropdown.
-
Use Interface IP
Use the primary IP, which cannot be configured by the user.
Manually
Selected an IP from the list, if the selected interface has multiple IPs configured.
If Specify is selected, select a setting for Source IP:
-
Click OK.
To edit local-out settings from a RADIUS server entry:
-
Go to User & Authentication > RADIUS Servers and double-click an entry to edit it.
-
Click Local Out Setting.
The Edit Local Out Setting pane opens.
-
Configure the settings for Outgoing interface and Source IP.
-
Click OK.
To edit multiple entries concurrently:
-
Go to Network > Local Out Routing.
-
If applicable, select IPv4 or IPv6. IPv4+IPv6 does not support multi-select.
-
Click Multi-Select Mode. All of the local out settings that can be edited concurrently are shown.
-
Select the specific entries, or click Select All to select all of the entries.
-
Click Edit and configure the local out settings as required.
-
Click OK.
-
Click Exit Multi-Select Mode to return to the normal view.
Configuring local out routing in the CLI
Some local out routing settings can only be configured using the CLI.
PING
IPv4 and IPv6 pings can be configured to use SD-WAN rules:
execute ping-options use-sdwan {yes | no} execute ping6-options use-sd-wan {yes | no}
Traceroute
IPv4 traceroute can be configured to use SD-WAN rules:
execute traceroute-options use-sdwan {yes | no}
Central management
Central management traffic can use SD-WAN rules or a specific interface:
config system central-management set interface-select-method {auto | sdwan | specify} set interface <interface> end
NTP server
NTP server traffic can use SD-WAN rules or a specific interface:
config system ntp config ntpserver edit <id> set interface-select-method {auto | sdwan | specify} set interface <interface> next end end
DHCP proxy
DHCP proxy traffic can use SD-WAN rules or a specific interface:
config system settings set dhcp-proxy-interface-select-method {auto | sdwan | specify} set dhcp-proxy-interface <interface> end
dhcp-proxy-interface-select-method {auto | sdwan | specify} |
Select the interface selection method:
|
dhcp-proxy-interface <interface> |
Specify the outgoing interface. This option is only available and must be configured when |
DHCP relay
DHCP relay traffic can use SD-WAN rules or a specific interface:
config system interface edit <interface> set dhcp-relay-interface-select-method {auto | sdwan | specify} set dhcp-relay-interface <interface> next end
dhcp-relay-interface-select-method {auto | sdwan | specify} |
Select the interface selection method:
|
dhcp-relay-interface <interface> |
Specify the outgoing interface. This option is only available and must be configured when |
CA and local certificate renewal with SCEP
Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:
config vpn certificate setting set interface-select-method {auto | sdwan | specify} set interface <interface> end
IPS TLS protocol active probing
TLS active probing can use SD-WAN rules or a specific interface:
config ips global config tls-active-probe set interface-selection-method {auto | sdwan | specify} set interface <interface> set vdom <VDOM> set source-ip <IPv4 address> set source-ip6 <IPv6 address> end end
interface-select-method {auto | sdwan | specify} |
Select the interface selection method:
|
interface <interface> |
Specify the outgoing interface. This option is only available and must be configured when |
vdom <VDOM> |
Specify the VDOM. This option is only available and must be configured when |
source-ip <IPv4 address> |
Specify the source IPv4 address. This option is only available and must be configured when |
source-ip6 <IPv6 address> |
Specify the source IPv6 address. This option is only available and must be configured when |
Netflow and sflow
Netflow and sflow can use SD-WAN rules or a specific interface:
config system {netflow | sflow | vdom-netflow | vdom-sflow} set interface-select-method {auto | sdwan | specify} set interface <interface> end
interface-select-method {auto | sdwan | specify} |
Select the interface selection method:
|
interface <interface> |
Specify the outgoing interface. This option is only available and must be configured when |
FortiClient EMS
FortiClient EMS endpoint control traffic can use SD-WAN rules or a specific interface:
config endpoint-control fctems edit fctems1 set interface-select-method {auto | sdwan | specify} set interface <interface> end end
TACACS+
System log entries can be sent to external TACACS+ accounting servers. TACACS+ traffic can use SD-WAN rules or a specific IP address:
config log tacacs+accounting setting set interface-select-method {auto | sdwan | specify} set source-ip <IP address> end