mumbles202
New Member
July 8, 2014
Question

Point to Point Fortigate 80C

Is there a way to use one of the connections for a Fortigate 80C as a point to point to connect 2 offices? So I will have either 1 or 2 WAN connections, my private 172.16.x.x network, and then a shared 10.10.x.x network for a point to point and then route the traffic btwn the offices over that link rather than through a vpn as they currently are. I looked at the config through the gui and it seems to only have a lan and wan section. Would I be able to use an unused lan port for this point to point and set it as a separate zone or network?


    rwpatterson
    New Member
    July 8, 2014
    The port names designated on the units are for human readability. They can be purposed for whatever you want. The only differences are usually only the speed of the ports or the interface types (RJ-45 vs fiber, etc.).
    mumbles202
    New Member
    July 8, 2014
    Ok great. So I can use one of the spare ports for the point to point. I'll log back into it and see if I can make sense of doing it from the gui; else I'll see if it makes more sense from the cli.
    ede_pfau
    SuperUser
    July 9, 2014
    The "internal" ports on a FG-80C are in 'switch' mode by default. That is, all physical ports are switched to one logical "internal" port. If this is the case you can only see "internal", "wan1", "wan2" and "dmz" in System>Network>Interface. You can change the port mode into 'interface' mode by a CLI command: 'conf sys global set inter int end'. The FGT will prompt to be rebooted.
    One catch is that the internal port must not be used anywhere in the configuration before you are allowed to change the port mode. This includes
    - IP address
    - DHCP server
    - static route
    - DNS
    - policies
    - bound address objects
    etc. ...
    If you start from 'exec factoryreset' then you have to remove
    - interface IP address
    - DHCP server on 'internal'
    - in FOS v5 only: sniffer mode
    This implies that you connect to the FGT not via 'internal' but e.g. 'wan2' which you have to configure in advance. Doable but better done right at the beginning.
    mumbles202
    New Member
    July 9, 2014
    Ouch. Guess that will require an onsite visit then since it sounds like I'll have to redo the configuration from scratch. Once I make the change w/ this: 'conf sys global set inter int end' Will the remaining unused ports be able to be put back into a "switch" mode to be part of the internal network again? If worse comes to worse I can possibly use the DMZ port or the 2nd WAN port on each of the units for the e-lan circuit since they'll have internet through this line as well. Actually I just double checked and only one of the units is a 80C. The other 2 are 50B units. Will I be able to do the same thing on those in terms of putting them into interface mode?
    ede_pfau
    SuperUser
    July 9, 2014
    No, the 50B cannot be switched to interface mode. Changing this mode definitely requires local presence, preferably a serial connection to the console port. To save effort you can download the config (unencrypted) and edit it in a text file editor. You will have to change all occurrences of 'internal' to one of 'internal1' ... 'internal6'. Then do the factory reset, change the mode and restore the config via http(s). It does take some time. If you only need 1 more port just use the 'dmz' or 'wan2' port. Benefit: these are GbE ports, the 'internal's are only 10/100. I'm not sure about reforming a (smaller) switch, it depends on hardware and FOS version.
    rwpatterson
    New Member
    July 9, 2014
    For what it's worth, you can change the mode in the edited file, and restore to the new configuration.
      conf sys global
      set inter int
      end
    Sean_Toomey_FTNT
    Staff
    August 5, 2014
    That's a good suggestion, rwpatterson. That would probably do the trick, but you would ideally want hands/eyes on site with a serial console cable and a laptop just in case it doesn't go as planned.
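
Added example, not part of any post in this thread: a Python check that lists every place a downloaded (unencrypted) FortiGate config still references the 'internal' interface, which are the items ede_pfau describes as blocking the switch to interface mode and as needing a rename before restore. The sample config is constructed, and the function name `find_interface_refs` is hypothetical.

```python
import re

# Constructed sample in FortiOS backup syntax (not taken from the thread).
SAMPLE_CONFIG = '''\
config system interface
    edit "internal"
        set ip 172.16.1.1 255.255.255.0
    next
    edit "wan1"
        set mode dhcp
    next
end
config system dhcp server
    edit 1
        set interface "internal"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
end
'''

def find_interface_refs(config_text, iface="internal"):
    """Return (line_no, section, entry, line) for each use of the interface name."""
    # Whole-token match: "internal1" and hyphenated keywords are not reported.
    token = re.compile(r'(?<![\w-])%s(?![\w-])' % re.escape(iface))
    refs, section, entry, depth = [], None, None, 0
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # top-level section, e.g. "firewall policy"
                section, entry = line[7:], None
        elif line == "end":
            depth -= 1
        elif line.startswith("edit ") and depth == 1:
            entry = line[5:].strip('"')  # table entry inside the section
        if token.search(line):
            refs.append((no, section, entry, line))
    return refs

if __name__ == "__main__":
    for no, section, entry, line in find_interface_refs(SAMPLE_CONFIG):
        print(f"line {no}: [{section} / {entry}] {line}")
```

Running it again on the edited file, after renaming to 'internal1' ... 'internal6', should return an empty list before the restore is attempted.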