pjGmail
New Member
June 13, 2019
Question

Fortigate to act as a Router

  • June 13, 2019
  • 2 replies
  • 15166 views

I'm a newbie here. I have a WAN IP and public IPs from the ISP. I want to use the FortiGate as the network firewall (directly connected to the ISP WAN) to pass all remote connections. Behind that FortiGate firewall are different firewalls (Cisco, FortiGate) for different networks that handle their own VPN connections. How do I configure the FortiGate to pass all the traffic from remote connections through to their own VPNs?


    Toshi_Esumi
    SuperUser
    June 13, 2019

    To do that you need to have either an additional public subnet from your ISP for the LAN side of the outside FGT, or set up tricky VIPs to forward all VPN traffic to the VPN FWs' local/private IPs. I said tricky because you need to use a source filter to identify which VPN goes to which FW, which would break when the source IP changes. I definitely prefer the former, which can be done even by a simple router, and moving the FW features to the VPN FWs, which would simplify routing traffic coming/going over VPNs.

    pjGmail
    Author
    New Member
    June 13, 2019

    I have a WAN IP and 5 public IPs that are given by the ISP. I'm planning on assigning the 5 public IPs to the local VPN FWs and having the outside FGT as the GW for those public IPs, passing through all remote sessions, so essentially the FW is being used as a router. Do I need to create policies to allow all traffic from the internet/remote sessions?

    Toshi_Esumi
    SuperUser
    June 14, 2019

    Nothing can pass through a FW without a policy. It doesn't matter if it's VPN or regular internet traffic.

    emnoc
    New Member
    June 14, 2019

    Sounds like you're doing a stacked outer/inner firewall. Yes, you need a policy; even an ANY policy would work, but I would not see the benefit of doing this if you're running two firewalls. It would be a wash or a waste imho.

    Ken Felix
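Toshi_Esumi's point that nothing passes a FortiGate without a policy, and emnoc's note that even an ANY policy would work, suggest showing what a tighter policy set looks like for the routed design pjGmail describes. This is an added example, not configuration from anyone in the thread, and it narrows the inbound rule to the IKE/NAT-T and ESP traffic the inner firewalls actually need rather than ANY. It assumes wan1 already holds the ISP WAN IP with a static default route, the internal interface holds a routed public /29 (198.51.100.0/29, a documentation range standing in for the ISP's block), and the inner VPN firewalls sit at 198.51.100.2 and 198.51.100.3.

```fortios
# Constructed example, not from the thread. Assumes wan1 = ISP WAN IP,
# "internal" = routed public 198.51.100.0/29, and the inner VPN firewalls
# at 198.51.100.2 / .3 (RFC 5737 documentation addresses as placeholders).
config firewall address
    edit "inner-fw-cisco"
        set subnet 198.51.100.2 255.255.255.255
    next
    edit "inner-fw-fgt"
        set subnet 198.51.100.3 255.255.255.255
    next
end
# Only what the inner firewalls need to terminate IPsec: IKE/NAT-T and ESP.
config firewall service custom
    edit "vpn-ike"
        set udp-portrange 500 4500
    next
    edit "vpn-esp"
        set protocol IP
        set protocol-number 50
    next
end
config firewall policy
    # Inbound: internet -> inner firewalls only, routed (no NAT), logged.
    edit 1
        set name "inbound-ipsec-to-inner-fws"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "inner-fw-cisco" "inner-fw-fgt"
        set service "vpn-ike" "vpn-esp"
        set action accept
        set schedule "always"
        set logtraffic all
        set nat disable
    next
    # Outbound: inner firewalls -> internet so tunnels can be initiated and
    # replies can leave; NAT stays off so their public addresses are kept.
    edit 2
        set name "outbound-inner-fws"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "inner-fw-cisco" "inner-fw-fgt"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
        set nat disable
    next
end
```

Anything the inner firewalls do not terminate themselves (management, other services) stays blocked by the implicit deny, and `logtraffic all` on both rules gives you a record of which tunnels are being set up from where.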

    rwpatterson
    New Member
    June 14, 2019

    Agreed. You can't do anything with the tunnel traffic from a firewall perspective aside from throttling it or flat out denying/allowing traffic. I would just go with a (not too) cheap switch.