nobody58
New Member
October 16, 2024
Question

Forti vm strange request

  • October 16, 2024
  • 3 replies
  • 1590 views

Hello,

I installed FortiVM on an ESX host in the datacenter.

It may sound a little strange, but the following configuration has been requested.

The datacenter gave me an external IP block, for example the 10.20.30.40/29 subnet.
I was informed that the gateway is 10.20.30.43.

Step - 1 ) I will define the IP addresses 10.20.30.41 and 42 as WAN addresses on the port2 interface of the firewall. Servers in the local network will be able to access the internet via this WAN port. Port1 is set as internal (LAN) and port2 as the WAN port, and I can access the internet by adding a static route (gw 10.20.30.43) and writing a LAN-to-WAN rule.
There is no problem in this part.

Stage - 2 ) I have installed 1 DB and 1 web service (IIS) Server 2019 machine without giving them IP addresses from the local network; instead they were given 10.30.40.44 and 10.30.40.45 statically from the direct WAN IP block, and I am expected to pass the traffic of these machines through the firewall. If I write 10.30.40.43 as the gateway on the machines, the firewall is not activated. Somehow I need to direct this traffic to the firewall. The request seems a bit absurd, but this is how it is requested. Is it possible to do this? What kind of configuration should I do?

3 replies

AEK
SuperUser
October 16, 2024

Hi

You can do as follows:

  1. Put FGT/port1 and the two VMs (DB & IIS) on the same vSwitch
  2. Configure all three in the same subnet
  3. Set the default gateway of the 2 VMs to the FGT/port1 IP address
AEK
nobody58 (Author)
New Member
October 23, 2024

Exactly, I want to do the configuration in the marked area. I want to give my IIS and DB servers a real wan ip address and pass this traffic through the firewall. Is this possible?
If so, which interfaces should the DB and IIS servers be connected to on the firewall? What kind of rule or rules should be defined?

[Attachment: DC Firewall.png]

AEK
SuperUser
October 23, 2024

VM3 and VM4 are on the same VLAN, so the natural way is to connect them to the FGT via a vSwitch (virtual switch provided by ESXi), and connect the same vSwitch to the FGT on any port (let's say portX).

Then create a firewall rule typically like this:

  • source intf: portX
  • dest intf: wan1
  • source: all
  • dest: all (or only the destinations you need)
  • service: all (or only the services you need, like HTTPS, DNS, etc.)
  • inspection: Certificate Inspection
  • profiles: AV-default, IPS-default, WF-default, and others if needed

Hope it helps

AEK
pminarik
Staff
October 23, 2024

If the FGT-VM is supposed to "host" the 10.30.40.44 + 45 IPs on behalf of the two servers, then in order for packets to reach the FGT-VM, the other upstream hops (towards the sources of the traffic) must be configured with routes that say that those 10.30.40.44+45 IPs are routable via the FGT-VM (~via 10.20.30.41, for example). In other words, review how the rest of the network routes packets for those IPs, and make the appropriate changes (static routes, dynamic routes (OSPF, BGP, RIP, ...)).
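Putting AEK's policy and pminarik's routing point together, here is an added FortiOS CLI sketch; it is not configuration from either reply or from Fortinet, and the interface assignments are assumptions for illustration: port2 is the WAN side with 10.20.30.41/29 and gateway 10.20.30.43, port4 is the server segment holding 10.30.40.43/29 as the servers' gateway, and the default UTM profile names are the stock ones. The servers keep their own routable addresses, so the policy does not NAT.

```text
# Assumed layout (not from the thread): port2 = WAN 10.20.30.41/29 (gw .43),
# port4 = server segment where the FGT holds 10.30.40.43/29 and the two VMs
# (10.30.40.44, .45) sit on a vSwitch attached to port4.
config system interface
    edit "port2"
        set alias "wan"
        set ip 10.20.30.41 255.255.255.248
        set allowaccess ping
    next
    edit "port4"
        set alias "servers"
        set ip 10.30.40.43 255.255.255.248
        set allowaccess ping
    next
end
# Default route out of the WAN side (the user's static route from step 1).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.20.30.43
        set device "port2"
    next
end
# Outbound policy as AEK describes: servers -> WAN, certificate inspection
# and the default AV/IPS/web-filter profiles, logging on, NAT left disabled
# because 10.30.40.44/.45 are already routable.
config firewall policy
    edit 1
        set name "servers-out"
        set srcintf "port4"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end
# pminarik's point, which lives on the upstream router, not on the FGT:
# the datacenter side must route 10.30.40.40/29 via 10.20.30.41, otherwise
# return traffic never reaches port2 and the servers appear unreachable.
```

Without the upstream route in the last comment, `tracert` from a server will still show the FGT as the first hop and then stop, because replies are sent to the datacenter's own gateway rather than back through the firewall.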

nobody58 (Author)
New Member
October 23, 2024

It did not work.
For example, I label Port4 as LAN and set it to 10.20.30.41.
I write 10.20.30.41 as the gateway on the server with IP address 10.20.30.44.
How should I write a route on the firewall?
Should it be something like this?
Incoming interface: Port4
Incoming source IP: 10.20.30.44/32
Outgoing interface: ? It should go to the internet via its own IP address
Destination IP address: 0.0.0.0/0.0.0.0
Gateway: 10.20.30.42
When I type tracert -d google.com as an example from the command line, it goes to 10.20.30.41 as the 1st hop and then it is incorrect.

I think I need to do something as a route or rule.