marc10k

Changing all the IPs in the firewall objects settings

Hello 

The FortiGate 60D is used for a small industrial network where it just does some NATing from IPv6 and IPv4 into IPv4. The complete network is installed inside the customer's network. Security is not the most important because this is the customer's responsibility.

The internal IP addresses are always the same. Depending on the customer's network infrastructure, the external IP addresses do change. This results in over 140 changes in the virtual IP settings for IPv6 and IPv4. Up to now the configuration is downloaded, all the old IPs are replaced with the new ones using a text editor and the configuration is uploaded again. This procedure can be prone to errors and the fault finding can be difficult because our on-site technician is not a network guy.

Is there a possibility to make this process easier, like using a variable in the virtual IP settings or something else?

 

Marcus

AndreaSoliva

Hi

 

I cannot follow 100%, but if you define a VIP with external address 0.0.0.0 and you define, as an example, wan1, this will work, which means the VIP object will always use the IP which is on wan1 at the moment. In many configurations within the FGT, 0.0.0.0 means "dynamic config" using the IP of the interface or something like that.

 

hope this helps

 

Have fun

 

Andrea

marc10k

Hello Andrea

Thank you for your answer. Your understanding is correct. It works fine with IPv4 and does what I want. I was just thinking too complicated. The Fortinet routers are still quite new for me. Is there a 0.0.0.0 IPv4 counterpart for IPv6? When I use 0:0:0:0:0:0:0:0 or :: as the external address I get "Input value is invalid." after trying to save it.

 

Marcus

AndreaSoliva

Hi

 

Sorry, no clue, I do not use IPv6 :) What you can do is go to the CLI to find out what you have to define. If you go to the CLI with config firewall vip6 and you set extip 0:0:0:0:0:0:0:0 or ::, it works :) Do the config over the CLI and have a look. It can be a GUI problem.

 

have fun

 

Andrea

marc10k

Hello 

Changing the VIP6 settings is OK in CLI and web. But I also have some VIP64 settings and here it does not accept the 0:0:0:0:0:0:0:0 or :: via CLI or web. In the VIP64 I cannot tell the router which interface to use, like wan1 or similar.

 

Marcus 

AndreaSoliva

 

Hi

 

OK, it should work, because in the CLI reference, which is always your reference, it is written:

 

Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network. If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping. To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to ::.

 

From this point of view it should work. It can be a bug, but at least the ref is clear: it should work with ::

Hope this helps

have fun

Andrea

marc10k

Hello 

 

I have opened a ticket regarding the issue and Fortinet has told me that this matches a known bug and is currently under investigation. 

 

Marcus
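
Added example, not part of the thread and not Fortinet code: for entries such as the VIP64 ones that still need a literal external address, the download/replace/upload procedure from the opening post can be scripted so that only `set extip` lines inside the firewall VIP sections change and addresses are compared as parsed IPs, so replacing 192.0.2.1 cannot corrupt 192.0.2.10. It assumes the usual `config … / edit … / set … / next / end` layout of a FortiOS backup; the function name and the sample fragment are constructed for illustration.

```python
import ipaddress
import re

VIP_SECTIONS = {"config firewall vip", "config firewall vip6", "config firewall vip64"}
EXTIP = re.compile(r"^(\s*set extip )(\S+)\s*$")  # only rewritten inside VIP_SECTIONS

def rewrite_extips(config_text, mapping):
    """Apply {old_ip: new_ip} to extip values; return (text, changes, unused_old_ips)."""
    norm = {ipaddress.ip_address(o): ipaddress.ip_address(n) for o, n in mapping.items()}
    if any(o.version != n.version for o, n in norm.items()):
        raise ValueError("old and new address must be the same IP version")
    out, changes, used, section, entry, depth = [], [], set(), None, None, 0
    for line in config_text.splitlines():
        word = line.strip()
        if word.startswith("config "):
            depth += 1
            if depth == 1:
                section = word if word in VIP_SECTIONS else None
        elif word == "end":
            depth -= 1
        elif word.startswith("edit ") and depth == 1:
            entry = word[5:].strip('"')
        m = EXTIP.match(line)
        if m and section and depth == 1:
            try:  # extip is a single address or a "first-last" range
                addrs = [ipaddress.ip_address(p) for p in m.group(2).split("-")]
            except ValueError:
                addrs = []  # not a literal address: leave the line untouched
            if any(a in norm for a in addrs):
                used.update(a for a in addrs if a in norm)
                new = "-".join(str(norm.get(a, a)) for a in addrs)
                changes.append((section, entry, m.group(2), new))
                line = m.group(1) + new
        out.append(line)
    return "\n".join(out) + "\n", changes, sorted(str(o) for o in norm if o not in used)

# Constructed sample backup fragment; addresses come from documentation ranges.
SAMPLE = """config firewall vip
    edit "plc1"
        set extip 192.0.2.10
    next
end
config firewall vip64
    edit "plc1-v6"
        set extip 2001:db8:0:0::10
        set mappedip 10.0.0.10
    next
end
"""
```

The returned change list and the list of old addresses that were never found give the on-site technician something to check before the file is uploaded again.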
