
Allowing a vendor to VPN into their device on our network.

I have a situation where we are trying to allow a vendor to VPN into their device on our network, which is physically connected to our firewall. See the diagram attached (Vendor_IPSec_VPN.png). We've tried to create firewall policies to allow WAN 1 > Port 2 and Port 2 > WAN 1, but we're not seeing any traffic hitting those rules. They are at the top of the policy list to make sure nothing interferes. Fortigate is on OS 7.2.7.


The vendor is initiating the VPN from

The WAN 1 interface to our Fortigate is /30

Port 2 on the Fortigate is configured with a public IP of /

The device they are trying to reach we've given a public IP of


1) What are the Virtual IP(s) that need to be setup?

2) What firewall policies are needed?


I think it's already open. At least I could ping from my end (in the U.S.).
Since it's public IP on their device routed through your FGT without NAT, no VIP is needed.

[toshi_esumi@our_host]$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=234 time=176 ms
64 bytes from icmp_seq=2 ttl=234 time=176 ms
64 bytes from icmp_seq=3 ttl=234 time=176 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 176.009/176.186/176.409/0.166 ms

Since it has a separate public IP, you can allow "ALL" services to the device IP. It's a Cisco VPN device, which should have its own access-control mechanism to block other unauthorized access like my pinging.

Just sniff on the interface port2 after disabling auto-asic-offload on those policies.
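As an added example (not code from the thread or from Fortinet), the FortiOS 7.2 CLI equivalent of the setup the reply describes: a host address object for the vendor's device, the two policies WAN1 > port2 and port2 > WAN1 with NAT off (so no VIP), auto-asic-offload disabled on both so the traffic stays visible, and the sniffer and flow-trace commands used to confirm whether packets reach port2 and which policy they hit. `<VENDOR_DEVICE_IP>` is a placeholder for the redacted address; the interface names wan1 and port2 and the object/policy names are assumptions. The reply allows "ALL"; the commented alternative restricts the inbound policy to the predefined IKE and ESP services so that only the VPN itself is reachable from the Internet.

```fortios
# Added example, not from the thread. Placeholders: <VENDOR_DEVICE_IP>.
# Interface names (wan1, port2) and object names are assumptions.

# 1. Address object for the vendor's device: a single public host behind port2.
config firewall address
    edit "Vendor_VPN_Device"
        set subnet <VENDOR_DEVICE_IP> 255.255.255.255
        set associated-interface "port2"
    next
end

# 2. Inbound policy: Internet (wan1) -> vendor device on port2.
#    No NAT: the device has its own routed public IP, so no VIP is required.
#    auto-asic-offload disabled so the sniffer sees every packet.
config firewall policy
    edit 0
        set name "Vendor-IPsec-in"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Vendor_VPN_Device"
        set action accept
        set schedule "always"
        set service "ALL"            # tighter: set service "IKE" "ESP"
        set nat disable
        set auto-asic-offload disable
        set logtraffic all
    next
# 3. Return/outbound policy: vendor device on port2 -> Internet (wan1).
    edit 0
        set name "Vendor-IPsec-out"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "Vendor_VPN_Device"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set auto-asic-offload disable
        set logtraffic all
    next
end

# 4. Checks. Sniff port2 for the device's traffic (verbosity 4 shows the
#    interface name), then trace the flow to see which policy ID matches.
diagnose sniffer packet port2 'host <VENDOR_DEVICE_IP>' 4 0 l
diagnose debug flow filter addr <VENDOR_DEVICE_IP>
diagnose debug flow trace start 10
diagnose debug enable
# ... have the vendor initiate the tunnel, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop
```

Reading the result: if the sniffer on wan1 shows the vendor's packets but port2 shows none, the policy or the route to the device is the problem and the flow trace will name the policy ID (or "no matching policy"); if nothing arrives on wan1 at all, the upstream is not routing the device's public prefix to the FortiGate and no policy change will help.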

