Fortinet Forum
fred339
Contributor

Fortigate on one of multiple subnets with inter-subnet routing

I have multiple internal subnets which are all internally routed so that each subnet can reach all the others.  

There is a Fortigate 6.4.9 that accesses public addresses as usual and is connected to one of the internal subnets: subnet 1. It is the default gateway for all of the hosts on the multiple subnets.

For example,

a host on subnet 2 has a destination at some public address.

The internal routing sends the packet, sourced on subnet 2, to the Fortigate internal address on subnet 1.
How are the other subnets best included in the Fortigate settings?

For example: I might want to set up an Address Group called INNER.

And, an Address range or Group for each of the subnets that would be included in INNER.

Does that make sense?

Where is the interface on the Fortigate to be entered in this case?
Fred Marshall
vsahu
Staff

Hello Fred,

Your setup makes sense, as you want your internal LANs to communicate with each other; that traffic should not reach the firewall, as it would increase the load, and since it is your internal traffic it is better to route it internally. But if you want to apply some security policies to "Internal to Internal traffic", then you can route it through the firewall and enable a security profile in the respective policy.

You can configure either the address group or the address range as per your requirement, and you can leave the interface in the address configuration as any; it will work without issues. You can refer to the attached snapshot.


Also, if you want to exclude some IPs, you can refer to the link below:

https://docs.fortinet.com/document/fortigate/6.4.9/administration-guide/219540/address-group-exclusi...
Regards,
Vishal Sahu
fred339
Contributor

Vishal:  Thank you!

Well, just to be clear, all of the internet traffic goes through the Fortigate, so from each of the subnets. There is no loading problem with that.

As I said: "It is the default gateway for all of the hosts on the multiple subnets."
We've had trouble with LAN-LAN traffic management in the past with other firewalls and will avoid it at this point.  I just need to get this system up and running in some minimally acceptable way.  We plan to use Policy-based NGFW Mode.

Fred Marshall
vsahu
Staff

Fred,
Understood. As per your requirement, it seems appropriate; you can configure it as mentioned and it will work.
Regards,
Vishal Sahu
fred339
Contributor

OK.  Well, I think I'm getting confused by the use of ANY vs. some specific Interface and how/where the Fortinet LAN interface is/would be entered.
Fred Marshall
vsahu

Hello Fred,
If you bind an address to a specific interface, you can only see that address in the firewall policy when you use that interface; otherwise it will not show.

So address A is bound to port 1 and address B is bound to port 2.

So when you create a policy from port 1 to port 2, you can only add A as the source and B as the destination, not vice versa.

If you manage a huge number of addresses, it may be quicker to select suitable ones when creating policies.

Regards,
Vishal Sahu
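As an added, constructed example (not from the thread or from Fortinet's documentation), the CLI equivalent of what Vishal describes: one address object per subnet, a group INNER, one address deliberately bound to port1 to show the visibility rule, plus the static routes the Fortigate needs to send return traffic for the off-link subnets back through the internal router on subnet 1. The subnets, interface names and router IP are assumptions; the policy block uses profile-based firewall policy syntax.

```fortios
# Assumed topology: port1 = 10.1.0.1/24 on subnet 1, internal router at 10.1.0.254
# forwards 10.2.0.0/24 and 10.3.0.0/24; wan1 faces the Internet.
config firewall address
    edit "SUBNET1"
        set subnet 10.1.0.0 255.255.255.0
        set associated-interface "port1"   # bound: only selectable in policies using port1
    next
    edit "SUBNET2"
        set subnet 10.2.0.0 255.255.255.0  # no associated-interface = "any"
    next
    edit "SUBNET3"
        set subnet 10.3.0.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "INNER"
        set member "SUBNET1" "SUBNET2" "SUBNET3"
    next
end
# Without these routes the Fortigate only knows subnet 1 is on port1; replies
# destined to subnets 2 and 3 would follow the default route out wan1 instead.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set gateway 10.1.0.254
        set device "port1"
    next
    edit 0
        set dst 10.3.0.0 255.255.255.0
        set gateway 10.1.0.254
        set device "port1"
    next
end
# All subnets arrive on port1 because the internal router hands them over there,
# so port1 is the source interface even for hosts on subnets 2 and 3.
config firewall policy
    edit 0
        set name "INNER-to-Internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "INNER"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because SUBNET1 is bound to port1, the group INNER is itself only selectable in policies whose source interface is port1, which is the intended interface here; leaving associated-interface unset on every member keeps the group usable from any interface.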
fred339

Thank you!

Fred Marshall