I'm in the process of moving a customer from Cisco ASA to FortiGate and have run into a small issue with Virtual IPs.
The FG is set up in parallel to the ASA on the inside and wan interfaces for reachability/management; all other interfaces are disabled. The plan is to configure as much as possible on the FG before migrating.
Now to the issue.
When I configure the Virtual IPs which are used in the ASA for various servers today, the FG starts responding to ARP, creating a conflict on the external interface since both the ASA and the FG respond to the same IP. In the ASA it's possible to disable a NAT policy and that way prepare policies without impacting production, but I can't find any way to disable VIPs.
Any ideas?
Based on my experience, VIPs on FGT are sticky and act even without references. You probably need to shut down the incoming interface (wan) until the cut-over date.
On the other hand, they're relatively independent of the rest of the configuration except for the policies that use them (if policy-based NAT). So you could leave the changes for the cut-over script.
Okay, that's what I was suspecting. I guess I'll have to shut down the wan interface for now.
Thanks.
I had this same issue. Since you can't disable the VIP, here's what we did:
1: build a bogus VIP and define a vip-group
2: apply that in your config using the vip-group (this allows you to stage all of the items in the firewall policy)
3: when it comes time to make it active, add the correct VIP to the cfg, apply it to the vip-group and test
Ken Felix
PCNSE
NSE
StrongSwan
config firewall vip
    edit "YourVIP"
        set arp-reply disable
    next
end
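As an added example (not posted by anyone in this thread), here is a staged configuration that combines both suggestions: the VIP is created with arp-reply disabled so the FortiGate stays silent on the outside segment while the ASA is still answering for that address, and the firewall policy references a vip-group rather than the VIP itself, so the real VIP can be swapped in at cut-over without touching the policy. The object names, addresses and interface names (vip-web-staged, 203.0.113.10, wan1, internal) are placeholders, not anything from the thread.

```fortios
# --- Pre-migration staging: FortiGate must not answer ARP for 203.0.113.10 ---
config firewall vip
    edit "vip-web-staged"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.10"
        # Default is enable; with disable the FortiGate will not reply to ARP
        # requests for extip, so the ASA keeps owning the address for now.
        set arp-reply disable
    next
end

# The policy points at the group, so the member can change later without a policy edit.
config firewall vipgrp
    edit "grp-web"
        set member "vip-web-staged"
    next
end

config firewall policy
    edit 0
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "grp-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# --- Cut-over (after the ASA stops answering for 203.0.113.10) ---
config firewall vip
    edit "vip-web-staged"
        set arp-reply enable
    next
end

# Optional check: watch for ARP on wan1 and confirm the FortiGate now replies.
# diagnose sniffer packet wan1 "arp" 4
```

A caveat worth knowing before relying on this: arp-reply disable only stops the FortiGate from answering ARP. A frame that reaches the wan1 MAC with that destination IP (for example from an upstream router that still has the FortiGate's MAC cached from earlier testing) is still translated by the VIP, so clear the upstream ARP entry, or confirm from a host on the outside segment (for example with arping) that only the ASA's MAC answers, before calling the staging safe.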
I was kinda hoping the set arp-reply enable/disable command would be available as a checkbox in the GUI.
Anyway, thanks for the suggestions guys.
Copyright 2024 Fortinet, Inc. All Rights Reserved.