Q1 What is the difference between FortiGate and Fortinet?
Q2 For this diagram, is it possible not to configure any IP addresses on the first interface and configure them only on the sub interfaces?
Q3 Is it possible to form an etherchannel and configure IP addresses only on the sub interfaces?
Q4 What commands can I type to troubleshoot a site-to-site VPN not working with another vendor?
Q1: FortiGate is the firewall product of the company called Fortinet. There are a lot of other products we provide: FortiAnalyzer, FortiManager, FortiClient, etc.
Q2: you already have IPs configured - what is your question?
Q3: No. Etherchannel is a link-aggregation technology. You can route different VLANs over this construct, but not assign separate IPs to its interfaces (separately). This would prevent the aggregation from working.
Q4: All of them one search away:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955
For Q2, I want no IP addresses to be configured on the main interface but IP addresses to be configured on the sub interface. Is it possible?
Q3 I am talking about etherchannel with subinterfaces. Is such a setting possible with FortiGate?
Yes, it is possible. By default it has no address configured:
Also on a non-aggregate interface:
So, yes, as long as you specify the main interface you base the subinterface on, you can create as many subinterfaces as you like (within the limits of the FortiGate you have)
To delete a configured address in the interface setup, enter '0.0.0.0/0'. This is the default and will effectively delete the IP address.
In CLI, 'unset ip'.
Regarding the 'etherchannel' / LACP port, of course you can define it without assigning an IP address, and then create numbered VLAN ports as sub-interfaces. This is BTW the way I hook up bigger FGTs to the core switch(es) to grant each VLAN the maximum bandwidth if needed.
Created on 03-18-2022 08:40 PM Edited on 03-18-2022 10:14 PM
Hi,
One question
How do I configure inter-VLAN routing for your VLAN in port 2?
Is it possible to select from source zone lan to destination zone lan accept?
I also realize that the interface name cannot be changed. So I have to delete it and redo?
Inter-VLAN routing for connected VLANs is possible because FortiOS automatically creates routes for each connected network, be it physical, VLAN or such.
You will need a policy from VLAN1 to VLAN2, not from the physical port which 'hosts' the VLANs. (But, yes, LAN-to-LAN policies are possible and sometimes make sense. If you have 2 different address spaces on one port, and use a secondary IP address on the port, then you would need this.)
And lastly ("One question"), VLAN names or IDs (!) cannot be changed after creation. You will have to remove all references to it (policies, DHCP server etc.) to be able to delete it, and recreate. There is a more convenient way in FortiOS 7, though (port migration wizard).
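The setup described in the replies above, as an added example that is not part of the original thread: an LACP aggregate left without an IP address, two VLAN sub-interfaces that carry the addresses, and a policy between the VLAN interfaces scoped to one subnet pair and one service. Port names, interface names, VLAN IDs, subnets and the policy name are constructed for illustration.

```fortios
# Aggregate (LACP) interface: no "set ip", so it stays at the default 0.0.0.0/0
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
    next
    # VLAN sub-interfaces based on the aggregate carry the IP addresses
    edit "vlan10"
        set vdom "root"
        set interface "agg1"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan20"
        set vdom "root"
        set interface "agg1"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end
# Address objects so the policy does not have to use "all"
config firewall address
    edit "vlan10-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "vlan20-net"
        set subnet 192.168.20.0 255.255.255.0
    next
end
# Connected routes exist automatically; traffic still needs a policy
# between the VLAN interfaces (not the aggregate that hosts them)
config firewall policy
    edit 0
        set name "vlan10-to-vlan20-https"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "vlan10-net"
        set dstaddr "vlan20-net"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Traffic in the reverse direction, or for other services, needs its own policy entry.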
In the end, to solve my problem, I had to put a static route: 0.0.0.0/0 <management ip add of switch> so that all the interfaces can talk to one another.