Hey all, I’m new to FortiGate products and I’m trying to get a second subnet created. My first subnet is set up on the lan hardware switch on port 1, where I have enabled some security policies that block all access to the internet and only allow me to configure my firewall. So my question is, how should I set up the second subnet? Incoming traffic from wan to the port I’m using and then create security policies for that subnet? Any help is appreciated.
Thanks in advance
What model of FGT? Sounds like a small one like a 40F since you said "lan" for the hard-switch. Are you realizing "lan" includes all internal ports? Then, did you separate the lan1 (port1) port from the hard-switch?
Also, as with any FW appliance, by default nothing is allowed unless you configure something with policies.
Then you want to set up a lan network/subnet to allow out(internet)-to-in access? Unless you have a web server, FTP server, or whatever other internet service servers, that shouldn't be configured. That generally requires VIPs to make holes in the wall to let them come inside.
If you want to make lan1 your management port, you just need to separate the interface from the lan hard-switch; then the rest of the lan ports stay in the "lan" hard-switch so that you can use them as regular user ports. Then you can set an in-to-out internet access policy. That should already be there by default for those smaller models.
Hello and thanks for your reply. I do have a smaller model, a 30E, and yes, all the ports are in there by default like you said. What I have tried is to remove lan2, give it an address and set up policies. Which incoming interface should I use: lan hard switch, port2 or wan? Then which outgoing: port2 or wan? I’ve set up some default policies but my machine can’t reach the DHCP server.
I appreciate your help.
The 30E should have one wan and four lan ports. If you have just removed lan2 from the lan hard-switch (didn't mess up any DHCP server and lan interface config), the default lan IP 192.168.1.99/24 should be on the lan interface and DHCP server 1 is configured with that subnet. So when you hook up your devices on lan1, 3 or 4, they should be able to pull one of those IPs (I think the range was like .110-.210). If not, and your setup seems to be simple, I would rather factory-reset it again and start over.
But this time, you should test the regular user path first to make sure it works with the default policy. Only after that, you can take lan2 out of lan, then assign a separate subnet, say 192.168.200.1/24 for example, then either use a static IP on the device side or add a DHCP server 2 for that subnet alongside the existing one.
Hey Tishi, I’ve got it set up and working properly. I had done just what you had said to do with the help of a Forti rep. My first subnet (lan = hardware switch) is on port1 and had all four ports on that subnet by default. I had some hacker issues while trying to configure my firewall, who kept messing up my configurations and deleted all my backups. So I set up some IPv4 security policies that block all inbound and outbound traffic on that subnet. That subnet is only able to connect to the FortiGate firewall to configure the device. I set up trusted hosts and the FortiToken as well. So, I pulled port2 from that IP range and created another subnet using port2 for inbound traffic and wan for outgoing traffic. I enabled an automatic DHCP server and I got my connection to the net on the second subnet. I also enabled some security policies on that subnet and set up IPv4 policies to block all hping3 (DoS) attacks. Did the same for all inbound ports and I see some attacks in my logs already, so I got everything working as it should and I have locked out my wife’s ex-husband and his mentor. So, I win for today. Let’s see what tomorrow brings? Lol, I want to say thank you so very much for taking the time out of your day to help a newbie. It means a lot to me. You’re a good man!! Have a great night. Again, thanks a million!!