I’m configuring a Fortigate 900D using an aggregate interface with a private IP connected to an upstream Cisco ASR which in turn connects to the internet directly.
The ASR will be advertising a default-route and I want the Fortigate to learn this and then advertise the route downstream to another firewall.
The Fortigate is carved up into two VDOMs, a Root VDOM and a VPN VDOM. The Root VDOM has a Loopback interface configured to act as an explicit proxy and will be targeted directly by users to access the internet.
The explicit proxy is using the system DNS, which can either be FortiGuard DNS or Google; however, because the external interface of the Root VDOM has an internal private address, when the DNS/FortiGuard services need to reach the internet they are sourcing from an internal address which is not routable.
Users -> Proxy address x.x.x.x:8080 -> Loopback Interface (explicit web proxy) -> Agg1 (private address) -> Cisco ASR (Public IP)
I then decided to re-IP both the external interface on the Fortigate and the internal interface of the ASR with a /30 which I took from a /25 range of public IPs, which would solve the routing issues. However, when I now try to configure OSPF on the Cisco and the Fortigate they will not form an adjacency. As soon as I change the IP back to a private address the OSPF relationship is re-established.
• Is there a reason I cannot run OSPF with public IP addresses on a Fortigate?
• If I can’t use the public IPs, what are the options for using a Fortigate without a public IP address on the external internet-facing interface?
• Once the proxy intercepts the users web request it should be source NAT’d from a public IP either by a security policy or using the external interface.
• The default-route needs to be advertised by a routing protocol so that if we lose a critical path to the internet and the default-route is lost, it will be re-learnt elsewhere.
Do you have a topology map? It was very hard to follow your description. As far as public or private, OSPF does not care. What I gathered, you are having trouble routing the exp-proxy address to the 2nd firewall?
As far as what you're doing, we've done that in a lot of cases and just defined an ippool for that explicit-proxy. We divided our network address_ranges in halves
"WEST goes thru one proxy and EAST thru a 2nd, this was done via system gpo push for the webclients btw"
1: Fix your reach-network-routing for the clients 1st
2: then work on the exp-fwpolicies and any SNAT that's needed.
Here's a blog on explicit-proxy socpuppet style that I've done a few times now. The loop-backs are carried in OSPF across the network and we have a proxy-control file for webclients to use for accessing the proxy for various domains ;)
We even deployed turn-around proxies using dedicated Fortigates for this also. So as long as the client can get to the proxy they are proxied by that device. Great for sneaking thru GEOIP based blocking devices or other items doing control.
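As an added example (not from the original post, the reply, or Fortinet), here is a FortiOS CLI sketch of the approach the reply describes: the explicit web proxy bound to the loopback, an ippool holding the public SNAT address, and a proxy policy that sources proxied traffic from that pool. The interface names lo-proxy and agg1, the pool name, and the 203.0.113.10 pool address (RFC 5737 documentation range) are placeholders; the syntax follows FortiOS 6.x and field names should be checked against the firmware in use.

```fortios
# All of this lives in the Root VDOM, where the explicit proxy runs.
config vdom
    edit root
        # Enable the explicit web proxy on the port the clients are pointed at.
        config web-proxy explicit
            set status enable
            set http-port 8080
        end
        # The loopback that users target is the proxy listener.
        config system interface
            edit "lo-proxy"
                set explicit-web-proxy enable
            next
        end
        # Public address the proxied sessions will be sourced from (placeholder).
        config firewall ippool
            edit "proxy-snat-pool"
                set type overload
                set startip 203.0.113.10
                set endip 203.0.113.10
            next
        end
        # Proxy policy: clients hitting the loopback, out via agg1, SNAT from the pool.
        config firewall proxy-policy
            edit 1
                set proxy explicit-web
                set srcintf "lo-proxy"
                set dstintf "agg1"
                set srcaddr "all"
                set dstaddr "all"
                set service "webproxy"
                set action accept
                set schedule "always"
                set poolname "proxy-snat-pool"
                set logtraffic all
            next
        end
    next
end
```

With the pool in place the upstream only ever sees 203.0.113.10 as the source of proxied web traffic, so the private address on agg1 no longer needs to be routable beyond the ASR; `diagnose sniffer packet agg1 'port 80 or port 443'` on the Fortigate is a quick way to confirm the translated source.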