BWiebe

Odd Routing Question With Two Firewalls Inline

We have a remote client that uses a non-Fortinet firewall for most of their activities (scheduled to be replaced in the next few months), but in all the kerfuffle with quarantining, etc., we were asked to give them a quick VPN solution they could use to remote into their desktop PCs, servers, etc.
So we gave them a FortiGate that was destined for another project, had them wipe it remotely, and asked them to IP it and set up a WAN port so we could go in and access it. The WAN port was set to an unused IP on one of the 3 ISPs they have in their location.
The client's LAN network is 10.10.100.0/22; their main non-Fortinet firewall is at 10.10.100.3 and is connected to 3 different ISPs. The FortiGate was IP'd at 10.10.100.146. The default network gateway is an MPLS router at 10.10.100.1, which gives them access to their remote sites.
This setup was done Friday, and late today I had an email from the tech we worked with saying that 3 websites they host in the 10.10.100.0/22 network are no longer working. These are NATted to a different ISP entirely, and from what we can see nothing has changed on the non-FortiGate firewall with respect to policies, NATs, etc.
The only thing that gives me pause is that these two firewalls are on the same LAN, and I'm wondering if the FortiGate is somehow causing an issue.
I vaguely recall having a similar issue before with a similar setup, where to fix it I had to policy route the LAN traffic to the default gateway through the same interface, which is a bit of an odd setup, but it worked. Not sure if that's relevant here or not.
Because they are relying on this firewall for remote workers, I can't easily just reboot the FortiGate to see whether that fixes the issue. I've done a few random sniffs on the firewall and don't see any of the traffic referenced.
In retrospect, setting up the firewall in transparent mode probably would have made more sense, since all they wanted was a VPN gateway so they can easily reach all their remote sites from offsite.
Any thoughts? I don't believe it's coincidental that this stopped working after we put another firewall inline...
Thanks!
