- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Firewall on a stick
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Firewall on a stick
Anyone run a Fortigate on a stick and actually able to use layer 7 stuff?
IP: 10.100.100.1
Default Route of 0.0.0.0/0 > WAN1 GW IP
You have a fortigate hanging off a switch with the following
IP: 10.100.100.254
Default route of 0.0.0.0/0 > 10.100.100.1
Port 1 on the fortigate is the only thing connected(to the same switch as the rest of the network). so it is basically a " Firewall on a stick"
I have this setup in an environment at my house....my pc uses .254 as the default gateway.
I have a VM Fortigate setup as .254 no policy to allow traffic.
I have a physical fortigate setup as 10.100.100.1 with normal policies.
I can get to the internet as long as the VM fortigate is on along with my physical one....
If I power off the VM fortigate (.254) my internet dies because it' s default gateway is now dead (for the clients)
The problem is I don' t see any traffic hitting the VM...it is as though it is acting as a router only and not actually processing any of the traffic on the policies listed etc.
Is there a way to make the Firewall on a stick method work?
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to draw that out and post a topology map. But it sounds like you want the Fgt-VM to route traffic but not process any policies ? That doses not make any sense or I' m not see the clear picture.
Also why do you need 2 firewalls? And is it save to assume the modes are all NAT-ROUTED?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mike,
you are right in assuming that the VM FGT is only routing.
The problem is in the design: only traffic passing through the FGT will be subject to policying and UTM measures. As in your " one-arm sniffer" mode the only visible effect is routing.
To be exact, one-arm sniffing can be used for UTM but only for monitoring. The FGT will see the traffic on one interface (' internal' ) connected to your LAN, and apply AV, IPS or whatever you specify. For this to happen, you need an active policy because UTM is only put into action in policies.
But before I begin writing nonsense I' d like to refer you to the FortiOS Handbook, chapter " One-arm sniffing" . You will find more detail on this special mode there.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah I was trying to add a fgt to the mix and be able to do policies without changing the environment much.
Thought maybe I could do a port 1 to port 1 policy set.
Dang. Gonna have to change some things.
Transparent mode won' t work because I need to add a second ISP to the mix for redundancy.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still not getting why you need this setup, but maybe you could craft a secondary on port1 and route via the primary to secondary address.
Not sure if this is possible or what drawback might come up.
i.e
config sys inter
edit " portl1"
set vdom " root"
set ip 10.100.100.177 255.255.255.0
set allowaccess ping https ssh
set secondary-IP enable
config secondaryip
edit 1
set ip 1.1.1.1 255.255.255.0
set allowaccess ping
next
end
next
end
You will a route to the firewall and then to the ASA on 2 unique subnets.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, I realized the fortigate operates as a router only in this situation.
The more I think about it the more I realized I brain farted on what I was trying to get situated.
I need to start getting more sleep.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Related Posts
- IP sec tunnel connection from fortiweb 59 Views
- Cannot detect FortiSwitch over MPLS 56 Views
- VLANS are not functioning in my... 116 Views
- What might be the cause of... 123 Views
- Configuration of FortiLink with cisco switch 105 Views
Labels
-
FortiGate
6,669 -
FortiClient
1,328 -
5.2
801 -
5.4
639 -
FortiManager
577 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
256 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
77 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
LDAP
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SSO
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.