MikePruett
New Member
September 27, 2014
Question

Firewall on a stick

  • September 27, 2014
  • 5 replies
  • 10175 views
Anyone run a FortiGate on a stick and actually able to use layer 7 stuff?

IP: 10.100.100.1
Default route of 0.0.0.0/0 > WAN1 GW IP

You have a FortiGate hanging off a switch with the following IP: 10.100.100.254
Default route of 0.0.0.0/0 > 10.100.100.1

Port 1 on the FortiGate is the only thing connected (to the same switch as the rest of the network), so it is basically a "Firewall on a stick".

I have this setup in an environment at my house. My PC uses .254 as the default gateway. I have a VM FortiGate set up as .254 with no policy to allow traffic. I have a physical FortiGate set up as 10.100.100.1 with normal policies. I can get to the internet as long as the VM FortiGate is on along with my physical one. If I power off the VM FortiGate (.254) my internet dies because its default gateway is now dead (for the clients).

The problem is I don't see any traffic hitting the VM. It is as though it is acting as a router only and not actually processing any of the traffic on the policies listed etc. Is there a way to make the Firewall on a stick method work?

    5 replies

    emnoc
    New Member
    September 27, 2014
    You need to draw that out and post a topology map. But it sounds like you want the FGT-VM to route traffic but not process any policies? That does not make any sense, or I'm not seeing the clear picture. Also, why do you need 2 firewalls? And is it safe to assume the modes are all NAT/route?
    ede_pfau
    SuperUser
    September 27, 2014
    Mike, you are right in assuming that the VM FGT is only routing. The problem is in the design: only traffic passing through the FGT will be subject to policing and UTM measures. As in your "one-arm sniffer" mode, the only visible effect is routing. To be exact, one-arm sniffing can be used for UTM, but only for monitoring. The FGT will see the traffic on one interface ('internal') connected to your LAN, and apply AV, IPS or whatever you specify. For this to happen, you need an active policy, because UTM is only put into action in policies. But before I begin writing nonsense I'd like to refer you to the FortiOS Handbook, chapter "One-arm sniffing". You will find more detail on this special mode there.
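    As an added illustration of ede_pfau's point (this is not code from the thread or from Fortinet), the following Python script models the routing tables the question describes and traces which hops each direction of a client's flow actually crosses. The client address 10.100.100.50 and the remote address 198.51.100.10 are constructed sample values, and the label "WAN1" stands for the edge FortiGate's WAN next hop; the two FortiGate addresses and default routes are the ones given in the question.

```python
"""Trace packet paths through the 'firewall on a stick' topology from the question.

Added example, not from the original post: a minimal longest-prefix-match router
model that shows which hops each direction of a client flow traverses, and hence
which firewall is in a position to police it.
"""
from ipaddress import ip_address, ip_network

# Each node: (its LAN address, routing table of (prefix, next_hop)).
# next_hop None means the prefix is directly connected. Addresses of the two
# FortiGates come from the question; the client address is a constructed sample.
NODES = {
    "client":   ("10.100.100.50",  [("10.100.100.0/24", None), ("0.0.0.0/0", "10.100.100.254")]),
    "vm_fgt":   ("10.100.100.254", [("10.100.100.0/24", None), ("0.0.0.0/0", "10.100.100.1")]),
    "edge_fgt": ("10.100.100.1",   [("10.100.100.0/24", None), ("0.0.0.0/0", "WAN1")]),
}


def lookup(routes, dst):
    """Longest-prefix match over a routing table; returns the next hop (None = direct)."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def node_by_addr(addr):
    """Map a LAN address back to the node that owns it (None if not modelled)."""
    for name, (node_addr, _) in NODES.items():
        if node_addr == addr:
            return name
    return None


def trace(src_node, dst_addr, max_hops=8):
    """Return the ordered list of hops a packet from src_node to dst_addr crosses."""
    path = [src_node]
    current = src_node
    lan_addrs = {addr for addr, _ in NODES.values()}
    for _ in range(max_hops):
        _, routes = NODES[current]
        next_hop = lookup(routes, dst_addr)
        if next_hop is None:                 # directly connected: deliver to the owner
            path.append(node_by_addr(dst_addr) or dst_addr)
            return path
        if next_hop not in lan_addrs:        # leaves the modelled LAN (e.g. WAN1)
            path.append(next_hop)
            return path
        current = node_by_addr(next_hop)
        path.append(current)
    raise RuntimeError("routing loop or path too long")


def firewall_sees_both_directions(fw, client, remote):
    """(sees_outbound, sees_return) for a client<->remote flow.

    Return traffic re-enters the LAN at the edge FortiGate, which is directly
    attached to 10.100.100.0/24, so it is forwarded straight to the client.
    """
    outbound = trace(client, remote)
    returning = trace("edge_fgt", NODES[client][0])
    return fw in outbound, fw in returning


if __name__ == "__main__":
    print("outbound:", " -> ".join(trace("client", "198.51.100.10")))
    print("return:  ", " -> ".join(trace("edge_fgt", "10.100.100.50")))
    for fw in ("vm_fgt", "edge_fgt"):
        print(fw, "sees (out, back) =", firewall_sees_both_directions(fw, "client", "198.51.100.10"))
```

    Run as-is, the outbound trace is client -> vm_fgt -> edge_fgt -> WAN1, while the return trace is edge_fgt -> client: the VM FortiGate is on the path in one direction only, so a stateful policy on it can never see a complete session, which is why its policies and UTM profiles have nothing to act on even though the client is using it as its gateway.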
    MikePruett
    New Member
    September 27, 2014
    Yeah, I was trying to add a FGT to the mix and be able to do policies without changing the environment much. Thought maybe I could do a port 1 to port 1 policy set. Dang. Gonna have to change some things. Transparent mode won't work because I need to add a second ISP to the mix for redundancy.
    emnoc
    New Member
    September 29, 2014
    Still not getting why you need this setup, but maybe you could craft a secondary IP on port1 and route via the primary to the secondary address. Not sure if this is possible or what drawbacks might come up. i.e.

    config sys inter
        edit "port1"
            set vdom "root"
            set ip 10.100.100.177 255.255.255.0
            set allowaccess ping https ssh
            set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 1.1.1.1 255.255.255.0
                    set allowaccess ping
                next
            end
        next
    end

    You will need a route to the firewall and then to the ASA on 2 unique subnets.
    MikePruett
    New Member
    September 30, 2014
    Yeah, I realized the FortiGate operates as a router only in this situation. The more I think about it, the more I realize I brain farted on what I was trying to get situated. I need to start getting more sleep.