Firewall Questions
Q1 What is the difference between FortiGate and Fortinet?
Q2 For this diagram, is it possible not to configure any IP addresses on the first interface and configure them only on the sub interfaces?
Q3 Is it possible to form an etherchannel and configure an IP address only on the sub interfaces?
Q4 What commands can I type to troubleshoot a site-to-site VPN not working with another vendor?
Q1: FortiGate is the firewall product of the company called Fortinet. There are a lot of other products we provide: FortiAnalyzer, FortiManager, FortiClient, etc.
Q2: You already have IPs configured - what is your question?
Q3: No. Etherchannel is a link-aggregation technology. You can route different VLANs over this construct, but not assign separate IPs to its interfaces (separately). This would prevent the aggregation from working.
Q4: All of them one search away:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
For Q2, I want no IP addresses to be configured on the main interface but IP addresses to be configured on the sub interface. Is it possible?
Q3 I am talking about etherchannel with subinterfaces. Is such a setting possible with FortiGate?
Yes, it is possible. By default it has no address configured:
Also on a non-aggregate interface:
So, yes, as long as you specify the main interface you base the subinterface on, you can create as many subinterfaces as you like (within the limits of the FortiGate you have).
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
To delete a configured address in the interface setup, enter '0.0.0.0/0'. This is the default and will effectively delete the IP address.
In CLI, 'unset ip'.
Regarding the 'etherchannel' / LACP port, of course you can define it without assigning an IP address, and then create numbered VLAN ports as sub-interfaces. This is BTW the way I hook up bigger FGTs to the core switch(es) to grant each VLAN the maximum bandwidth if needed.
Created on 03-18-2022 08:40 PM Edited on 03-18-2022 10:14 PM
Hi,
One question
How do I configure inter-VLAN routing for your VLAN in port 2?
Is it possible to select from source zone LAN to destination zone LAN accept?
I also realize that the interface name cannot be changed. So I have to delete it and redo?
Inter-VLAN routing for connected VLANs is possible because FortiOS automatically creates routes for each connected network, be it physical, VLAN or such.
You will need a policy from VLAN1 to VLAN2, not from the physical port which 'hosts' the VLANs. (But, yes, LAN-to-LAN policies are possible and sometimes make sense. If you have 2 different address spaces on one port, and use a secondary IP address on the port, then you would need this.)
And lastly ("One question"), VLAN names or IDs (!) cannot be changed after creation. You will have to remove all references to it (policies, DHCP server etc.) to be able to delete it, and recreate. There is a more convenient way in FortiOS 7, though (port migration wizard).
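The setup described in the replies above (an LACP aggregate with no IP address, numbered VLAN sub-interfaces on top of it, and a VLAN-to-VLAN policy), written out as a FortiOS CLI sketch. This is an added example, not any poster's configuration; the port names, interface names, VLAN IDs, addresses and the choice of HTTPS as the permitted service are constructed assumptions.

```fortios
# Constructed example: all names, VLAN IDs and addresses are placeholders.
config system interface
    # Parent aggregate: no "set ip", so it keeps the default 0.0.0.0/0.
    edit "agg-core"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
    next
    # VLAN names and IDs cannot be changed after creation, so pick them carefully.
    edit "vl10-users"
        set vdom "root"
        set interface "agg-core"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vl20-servers"
        set vdom "root"
        set interface "agg-core"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
    next
end

# Connected routes for both VLAN subnets are created automatically;
# traffic between them still needs a policy on the VLAN interfaces,
# not on "agg-core" or the physical ports.
config firewall policy
    edit 0
        set name "users-to-servers"
        set srcintf "vl10-users"
        set dstintf "vl20-servers"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
        set logtraffic all
    next
end
```

Only sessions initiated from the users VLAN are allowed here; the reverse direction stays blocked until a second policy with the interfaces swapped is added.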
In the end, to solve my problem, I had to put a static route: 0.0.0.0/0 <management IP address of switch> so that all the interfaces can talk to one another.