Local out traffic

Local out, or self-originating, traffic is traffic that originates from the FortiGate going to external servers and services. The traffic can be from Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others.

By default, local out traffic relies on routing table lookups to determine the egress interface that is used to initiate the connection. However, many types of local out traffic support selecting the egress interface based on SD-WAN or manually specified interfaces. When manually specifying the egress interface, the source IP address can also be manually configured.

Go to Network > Local Out Routing to configure the available types of local out traffic. Some types of traffic can only be configured in the CLI.


By default, Local Out Routing is not visible in the GUI. Go to System > Feature Visibility to enable it. See Feature visibility for more information.

When VDOMs are enabled, the following entries are available on the local out routing page:

Global view
VDOM view
External Resources
LDAP Servers
Log FortiAnalyzer Override Settings
Log FortiAnalyzer Setting
Log Syslogd Override Settings
Log FortiAnalyzer Cloud Setting
RADIUS Servers
FortiGate Cloud Log Settings
Log Syslogd Setting
System DNS
System FortiGuard
System FortiSandbox

If a service is disabled, it is grayed out. To enable it, select the service and click Enable Service. If a service is enabled, there is a Local Out Setting button in the gutter of that service's edit page to directly configure the local-out settings.


To configure DNS local-out routing:
  1. Go to Network > Local Out Routing and double-click System DNS.

  2. For Outgoing interface, select one of the following:

    Select the outgoing interface automatically based on the routing table.

    Select the outgoing interface using the configured SD-WAN interfaces and rules.

    Select the outgoing interface from the dropdown.

  3. If Specify is selected, select a setting for Source IP:

    Use Interface IP: Use the primary IP, which cannot be configured by the user.

    Select an IP from the list, if the selected interface has multiple IPs configured.

  4. Click OK.

To edit local-out settings from a RADIUS server entry:
  1. Go to User & Authentication > RADIUS Servers and double-click an entry to edit it.

  2. Click Local Out Setting.

    The Edit Local Out Setting pane opens.

  3. Configure the settings for Outgoing interface and Source IP.

  4. Click OK.

To edit multiple entries concurrently:
  1. Go to Network > Local Out Routing.

  2. If applicable, select IPv4 or IPv6. IPv4+IPv6 does not support multi-select.

  3. Click Multi-Select Mode. All of the local out settings that can be edited concurrently are shown.

  4. Select the specific entries, or click Select All to select all of the entries.

  5. Click Edit and configure the local out settings as required.

  6. Click OK.

  7. Click Exit Multi-Select Mode to return to the normal view.

Configuring local out routing in the CLI

Some local out routing settings can only be configured using the CLI.


IPv4 and IPv6 pings can be configured to use SD-WAN rules:

execute ping-options use-sdwan {yes | no}
execute ping6-options use-sd-wan {yes | no}

IPv4 traceroute can be configured to use SD-WAN rules:

execute traceroute-options use-sdwan {yes | no}

Central management

Central management traffic can use SD-WAN rules or a specific interface:

config system central-management
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

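The following added example (not Fortinet code and not part of the original documentation) parses a configuration backup and reports how each local-out service selects its egress interface, so that logging and authentication traffic left on the routing-table default can be reviewed. The WATCHED section paths, the sample backup, and its names and addresses are constructed assumptions, as is treating a missing interface-select-method as auto.

```python
# CLI paths assumed to correspond to entries named on the page.
WATCHED = ("system dns", "system central-management",
           "log syslogd setting", "user radius")
# Constructed sample backup: hypothetical names, documentation-range addresses.
SAMPLE_CONFIG = """\
config system dns
    set interface-select-method specify
    set interface "port1"
end
config system central-management
    set interface-select-method sdwan
end
config log syslogd setting
    set server "192.0.2.10"
end
config user radius
    edit "corp-radius"
        set server "192.0.2.20"
        set interface-select-method specify
    next
end
"""

def audit_local_out(config_text):
    """Map each watched section or entry to (method, interface, finding)."""
    stack, settings = [], {}
    for raw in config_text.splitlines():
        tok = raw.split() or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit" and len(tok) > 1:
            stack.append(tok[1].strip('"'))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[0] == "set" and len(tok) > 2 and stack and stack[0] in WATCHED:
            value = " ".join(tok[2:]).strip('"')
            settings.setdefault(" / ".join(stack), {})[tok[1]] = value
    report = {}
    for path, s in settings.items():
        # Assumption: backups omit defaults, so a missing method means auto.
        method = s.get("interface-select-method", "auto")
        iface = s.get("interface")
        if method == "specify" and not iface:
            finding = "specify set but no interface pinned"
        else:
            finding = {"auto": "egress follows routing table"}.get(
                method, "egress selected by " + method)
        report[path] = (method, iface, finding)
    return report
```

Entries reported as following the routing table are the ones whose egress path changes whenever the routing table does, which is worth knowing for log and authentication traffic.
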
NTP server