Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Network_Engineer
New Contributor III

Firewall Questions

Q1 What is the difference between FortiGate and Fortinet?


Q2 For this diagram, is it possible not to configure any IP addresses
on the first interface and configure IP addresses only on the sub-interfaces?


Q3 Is it possible to form an EtherChannel
and configure IP addresses only on the sub-interfaces?


Q4 What commands can I type to troubleshoot a site-to-site VPN not working with another vendor?

AlexC-FTNT
Staff

Q1: FortiGate is the firewall product of the company called Fortinet. There are a lot of other products we provide: FortiAnalyzer, FortiManager, FortiClient, etc.
Q2: you already have IPs configured - what is your question?
Q3: No. Etherchannel is a link-aggregation technology. You can route different VLANs over this construct, but not assign separate IPs to its interfaces (separately). This would prevent the aggregation from working.
Q4: All of them one search away:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Network_Engineer

For Q2, I want no IP addresses to be configured on the main interface but IP addresses to be configured on the sub-interface. Is it possible?


Q3 I am talking about EtherChannel with sub-interfaces. Is such a setting possible with FortiGate?

AlexC-FTNT
Staff

Yes, it is possible. By default it has no address configured:

[screenshot attachment]

Also on a non-aggregate interface:

[screenshot attachment]

So, yes, as long as you specify the main interface you base the subinterface on, you can create as many subinterfaces as you like (within the limits of the FortiGate you have)


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
ede_pfau
Esteemed Contributor III

To delete a configured address in the interface setup, enter '0.0.0.0/0'. This is the default and will effectively delete the IP address.

In CLI, 'unset ip'.


Regarding the 'etherchannel' / LACP port, of course you can define it without assigning an IP address, and then create numbered VLAN ports as sub-interfaces. This is BTW the way I hook up bigger FGTs to the core switch(es) to grant each VLAN the maximum bandwidth if needed.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Network_Engineer

Hi,

One question 

How do I configure inter-VLAN routing for your VLAN on port 2?


Is it possible to select from source zone LAN to destination zone LAN, accept?


I also realize that the interface name cannot be changed. So I have to delete it and redo it?

ede_pfau
Esteemed Contributor III

Inter-VLAN routing for connected VLANs is possible because FortiOS automatically creates routes for each connected network, be it physical, VLAN or such.


You will need a policy from VLAN1 to VLAN2, not from the physical port which 'hosts' the VLANs. (But, yes, LAN-to-LAN policies are possible and sometimes make sense. If you have 2 different address spaces on one port, and use a secondary IP address on the port, then you would need this.)


And lastly ("One question"), VLAN names or IDs (!) cannot be changed after creation. You will have to remove all references to it (policies, DHCP server etc.) to be able to delete it, and recreate. There is a more convenient way in FortiOS 7, though (port migration wizard).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
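Putting the two points above (an LACP aggregate that carries no IP of its own with numbered VLAN sub-interfaces, and a policy keyed on the VLAN interfaces rather than the parent port) into FortiOS CLI form, as an added example that is not configuration posted in this thread. The interface names, member ports, VLAN IDs and 10.10.x.0/24 subnets are assumed for illustration.

```fortios
# Added example. The aggregate parent gets no 'set ip'; only the VLAN
# sub-interfaces based on it carry addresses. If an address was set on the
# parent by mistake, 'unset ip' inside its edit block clears it.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        set lacp-mode active
    next
    edit "vlan10"
        set vdom "root"
        set interface "agg1"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan20"
        set vdom "root"
        set interface "agg1"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
    next
end
# Connected routes for 10.10.10.0/24 and 10.10.20.0/24 appear automatically,
# but traffic between the two VLANs is only forwarded once a policy names
# the VLAN interfaces (not agg1). 'edit 0' takes the next free policy ID.
# Narrow srcaddr/dstaddr/service to what is actually needed instead of "all".
config firewall policy
    edit 0
        set name "vlan10-to-vlan20"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Return traffic for established sessions is handled by the session table, so a second policy is only needed if VLAN20 hosts must initiate connections into VLAN10.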
Network_Engineer
New Contributor III

In the end, to solve my problem, I had to put a static route: 0.0.0.0/0 via <management IP address of switch> so that all the interfaces can talk to one another.
