Contributor
June 3, 2005
Question

Interface Aliases?

  • 4 replies
  • 5072 views
Sorry folks, I have some Unix/firewalling experience and I know that with ifconfig it was possible to add IPv4 aliases to interfaces. I am not looking for a VLAN ID. It could be a virtual IP I suppose, but the address I intend to use would map to more than one host on the internal/DMZ network... So I was wondering if it is possible to do the same with the Fortigate device? If so, how? The one I administer is a 200A. Many thanks in advance, Peter Verhagen


    Contributor
    June 3, 2005
    Yes it can be done. You have to do it through the CLI though. If you need the IP addresses to be on the same subnet you have to issue this command:

        config sys global
        (global)# set allow-interface-subnet-overlap enable
        (global)#

    Then you can do this:

        conf sys int
        edit <port name>
        conf secondaryip
        edit <table entry number, starting at 0>
        set ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

    Type set ? to show all that you can do with the secondary IPs.

    Hope that helps.

    Ryan
    Contributor
    June 3, 2005
    Thanks. That worked flawlessly.
    UkWizard
    New Member
    June 3, 2005
    Just something worth noting: the subnet overlap command is only needed if you wanted to use a secondary IP that is in the same subnet as the first. So if the second IP is in a different subnet (which it usually is, when it is used) then turn the overlap back off, in case it causes problems. It is highly recommended NOT to use it unless you have to.
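One way to check the advice above against a configuration backup, as an added example that is not part of the original thread: this Python script reads interface and secondary IP addresses from FortiOS-style config text and reports whether `allow-interface-subnet-overlap` is actually needed. The sample config is constructed, and the function names `parse` and `audit` are assumptions made for the illustration.

```python
import ipaddress
import shlex
from itertools import combinations

# Constructed sample in FortiOS config-file layout (not taken from the thread).
SAMPLE = """\
config system global
    set allow-interface-subnet-overlap enable
end
config system interface
    edit "internal"
        set ip 192.168.1.1 255.255.255.0
        config secondaryip
            edit 0
                set ip 192.168.1.2 255.255.255.0
            next
        end
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
    next
end
"""

def parse(text):
    """Return (overlap_enabled, [(label, IPv4Interface), ...])."""
    stack, enabled, addrs = [], False, []   # stack = currently open config/edit blocks
    for line in text.splitlines():
        tok = shlex.split(line) or [""]     # shlex strips the quotes around names
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[:2] == ["set", "allow-interface-subnet-overlap"] and stack == ["system global"]:
            enabled = tok[2:3] == ["enable"]
        elif tok[:2] == ["set", "ip"] and len(tok) == 4 and tok[2] != "0.0.0.0":
            if stack[:1] == ["system interface"] and len(stack) in (2, 4):
                label = " ".join(stack[1:])  # "internal" or "internal secondaryip 0"
                addrs.append((label, ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")))
    return enabled, addrs

def audit(text):
    """Return (verdict, list of label pairs whose subnets overlap)."""
    enabled, addrs = parse(text)
    pairs = [(a, b) for (a, x), (b, y) in combinations(addrs, 2)
             if x.network.overlaps(y.network)]
    if enabled:
        return ("in use" if pairs else "enabled but unused", pairs)
    return ("conflict" if pairs else "ok", pairs)
```

A verdict of "enabled but unused" is the case where the setting can be turned back off; "conflict" means overlapping addresses are present while the setting is disabled.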
    Contributor
    June 3, 2005
    Believe it or not, the secondary ip IS on the same subnet of the ip physically attached to that interface. Thanks for the warning!
    UkWizard
    New Member
    June 4, 2005
    Oh okay, but you know you can use VIPs from the internal subnet anyway, without using a second IP on the actual interface. For example:

        Firewall interface may be 192.168.1.1
        You can then VIP 192.168.1.10 -> DMZ host
        or VIP 192.168.1.10 -> External Host (or remote VPN host)

    Otherwise I can't really see a point of having a second IP on the same subnet.
    Contributor
    June 6, 2005
    Well, unless you are migrating an existing setup where 2 internet-addressable IPs are tied to a DNS that charges per change, coupled with the fact that all of the other physical interfaces on the Fortinet unit are already in use. ;)
    Contributor
    June 26, 2005
    How about wan2 being in the same subnet as wan1? Will this command allow it?