Network_Engineer
Visitor III
March 17, 2022
Solved

Firewall Questions


Q1 What is the difference between FortiGate and Fortinet?

[Attached image: 20220309_113247 (1).jpg]

Q2 For this diagram, is it possible not to configure any IP addresses on the first interface and configure any on the sub interfaces?

Q3 Is it possible to form an etherchannel and configure an IP address only on the sub interfaces?

Q4 What commands can I type to troubleshoot a site-to-site VPN not working with another vendor?

Best answer by AlexC-FTNT


3 replies

AlexC-FTNT
Staff
March 17, 2022

Q1: FortiGate is the firewall product of the company called Fortinet. There are a lot of other products we provide: FortiAnalyzer, FortiManager, FortiClient, etc.
Q2: You already have IPs configured - what is your question?
Q3: No. Etherchannel is a link-aggregation technology. You can route different VLANs over this construct, but not assign separate IPs to its interfaces (separately). This would prevent the aggregation from working.
Q4: All of them one search away:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955

Network_Engineer
Visitor III
March 18, 2022

For Q2, I want no IP addresses to be configured on the main interface but IP addresses to be configured on the sub interface. Is it possible?

Q3 I am talking about etherchannel with subinterfaces. Is such a setting possible with FortiGate?

AlexC-FTNT
Staff
March 18, 2022

Yes, it is possible. By default it has no address configured:

AlexCFTNT_0-1647613618747.png

Also on a non-aggregate interface:

AlexCFTNT_1-1647613725486.png

So, yes, as long as you specify the main interface you base the subinterface on, you can create as many subinterfaces as you like (within the limits of the FortiGate you have).

ede_pfau
SuperUser
March 18, 2022

To delete a configured address in the interface setup, enter '0.0.0.0/0'. This is the default and will effectively delete the IP address.

In CLI, 'unset ip'.


Regarding the 'etherchannel' / LACP port, of course you can define it without assigning an IP address, and then create numbered VLAN ports as sub-interfaces. This is BTW the way I hook up bigger FGTs to the core switch(es) to grant each VLAN the maximum bandwidth if needed.
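
The layout described in the replies above, written out as a FortiOS CLI configuration. This is an added example, not part of any post in the thread: the interface names (`agg1`, `agg1_v10`, `agg1_v20`), member ports, VLAN IDs and addresses are assumptions, and the addresses come from documentation ranges.

```fortios
# Constructed example: names, member ports, VLAN IDs and addresses are assumptions.
config system interface
    # LACP aggregate ("etherchannel") that only carries tagged traffic.
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        # No address and no management services on the parent interface.
        unset ip
        unset allowaccess
    next
    # VLAN sub-interface based on the aggregate; this is where the IP lives.
    edit "agg1_v10"
        set vdom "root"
        set interface "agg1"
        set vlanid 10
        set ip 192.0.2.1 255.255.255.0
        # Expose only what the segment needs (here: ping for reachability tests).
        set allowaccess ping
    next
    # Second VLAN on the same aggregate, with no management access at all.
    edit "agg1_v20"
        set vdom "root"
        set interface "agg1"
        set vlanid 20
        set ip 198.51.100.1 255.255.255.0
        unset allowaccess
    next
end
```

The `#` lines are annotations for the reader, not CLI input. Traffic between the VLAN sub-interfaces is still subject to firewall policy, so each permitted path needs its own policy.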

Network_Engineer
Visitor III
April 19, 2022

In the end, to solve my problem, I had to put a static route: 0.0.0.0/0 <management ip add of switch> so that all the interfaces can talk to one another.