FortiGate behind a Verizon FIOS G1100 residential connection

Question

Hello,

First post here, and I am new to Fortinet products. I am looking to replace an EOL'd WatchGuard firewall with a FortiGate (e.g., 71F/G). Its a Verizon FIOS residential circuit using their G1100 Quantum router behind their ONT. That means: (1) the G1100 cannot be placed in bridge mode, (2) Verizon does not issue publicly-routable static IPs to residential customers, and (3) the WAN side of my firewall will be getting a local (i.e., non-routable) address from the G1100. The WG operates in this unfortunate double-NAT situation acceptably - it gets its updates and it moves traffic. A couple of other relevant details: (1) elimination of the G1100 isn't acceptable due to a MOCA requirement for three set top boxes, and (2) those set top boxes are on the other side of my firewall (i.e., the current WG firewall is the single point of connection for my network to the G1100 LAN side). Also, I am not currently using a VPN client to connect to my network from the Internet, but would like to allow that once the new FG is in place. I understand a ddns service will be necessary, as will port forwarding for select ports in use by the VPN.

I have read a lot of forum posts and the FG Admin Guide, trying to confirm whether or not a FG firewall will operate in the described environment. I've read forum posts where it is indicated that the FG must have a publicly routable IP at its WAN or it will not receive updates or push notifications (not entirely sure what those are just yet). I have read posts where getting the VPN working was the problem to be resolved, thus inferring that the FG will get updates behind the double NAT. I have not yet been able to confirm the FG will function in a double-NAT environment. I have struggled to get pre-sales technical support from Fortinet and from the two distributors I have contacted. In fact I've struggled to get a quote for a firewall and four 100-series switches, but I can be patient working that problem if I know the equipment is going to operate in this environment.

Can I get a confirmation that this is a supported scenario? Please let me know. Thanks for whatever help you can offer. Much appreciated.

Toshi_Esumi · Answer

It's not about WG or FGT or any other FW devices, but it's about if your FIOS home service is via CG-NAT or not. Probably any FGT would be able to do what your current WG is doing. But if your service is behind CG-NAT, the public IP seen from the outside is shared with multiple customers, therefore, any access like dialup VPN to the public IP wouldn't be delivered to your circuit exclusively.
I haven't dealt with any FIOS home circuit (we have a FIOS business with a static IP) before so I can't tell either way but somebody else might know about it in this community.

One thing you can try yourself without asking VZN if it's CG-NAT or not is getting in the VZN's modem/router (if you have access) then check what IP it's pulling from the GW/NAT device in VZN. If it's something like 100.64.x.x, it's most likely CG-NAT. It might show in your trance route toward the internet.
Asking them should be the most sured way if they can provide the answer.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded