Lamster
New Member
August 15, 2018
Solved

Disable ARP on Virtual IP


I'm in the process of moving a customer from Cisco ASA to FortiGate and have run into a small issue with Virtual IPs.

The FG is set up parallel to the ASA on inside and wan interfaces for reachability/management, all other interfaces are disabled. The plan is to configure as much as possible on the FG before migrating.

 

Now to the issue.

When I configure the Virtual IPs which are used in ASA for various servers today, the FG starts responding to ARP, creating a conflict on the external interface since both ASA and FG respond to the same IP. In ASA it's possible to disable a NAT policy and that way prepare policies without impacting production, but I can't find any way to disable VIPs.

 

Any ideas?

    Best answer by Toshi_Esumi


    Toshi_Esumi
    SuperUser
    August 15, 2018

    Based on my experience, VIPs on FGT are sticky and act even without references. You probably need to shut down the incoming interface (wan) until the cut-over date.

    On the other hand, they're relatively independent from other parts of the configuration except the policies that use them (if policy-based NAT). So you could leave the changes for the cut-over script.

    Lamster (Author)
    New Member
    August 15, 2018

    Okay, that's what I was suspecting. I guess I'll have to shut down the wan interface for now.

     

    Thanks.