Hello,
I installed fortivm on an esx in the datacenter.
Maybe it may sound a little strange, but the following configuration is requested.
Datacenter gave me an external ip for example; 10.20.30.40/29 subnet.
As a gateway, I was informed that it was 10.20.30.43.
Step - 1 ) I will define the ip addresses 10.20.30.41 and 42 as wan ports on the port2 interface in the firewall. Servers in the local network will be able to access the internet via this wan port. Port1 is set as internal (Lan) and port2 as wan port and I can access the internet by giving static route (gw 10.20.30.43) and writing lan to wan rule.
There is no problem in this part.
Stage - 2 ) 1 db and 1 web service (iis) server 2019 machines that I have installed (iis) server 2019 machines without giving ip address from local network, giving 10.30.40.44 and 10.30.40.45 addresses statically from direct wan ip block and I am expected to pass the traffic on these machines through the firewall. If I write 10.30.40.43 as gw to the machines, the firewall is not activated. Somehow I need to direct this traffic to the firewall. The request seems a bit absurd, but this is how it is requested. Is it possible to do this? What kind of configuration should I do?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
You can do as follows:
Exactly, I want to do the configuration in the marked area. I want to give my IIS and DB servers a real wan ip address and pass this traffic through the firewall. Is this possible?
If so, which interfaces should the DB and IIS servers be connected to on the firewall? What kind of rule or rules should be defined?
VM3 and VM4 are on the same VLAN, so the natural way is to connect them to FG via a vSwitch (virtual switch provided by ESXi), and connect the same vSwitch to FGT to any port (lets say portX)
Then create a firewall rule typically like this:
Hope it helps
That's not exactly what I need.
For example, I manually entered the ip address 10.20.30.44 statically on VM4 machine. Firewall and VM4 nic are tagged in the same VLAN. I entered static ip address 10.20.30.46 on Firewall port10 (LAN) interface. I entered static ip address 10.20.30.47 on Firewall port9 (WAN1) interface.
In this way, the VM4 machine accesses the internet from 10.20.30.47.
What I want is that the VM4 machine should access the internet from the same ip address that I wrote. I want to see the ip address I wrote to the VM4 machine when I enter whatismyipaddress.com.
If I'm not misunderstanding your case, I think you are looking for transparent mode, or virtual wire pair.
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/166804/virtual-wire-pair
https://docs.fortinet.com/document/fortigate/7.4.0/ips-architecture-guide/748610/transparent-mode
You can then filter the traffic through the firewall without need of changing any IP or routing config on your network.
The only doubt I have is that I've never tried these methods on FortiGate-VM. I've tried it only on physical FortiGate and it worked fine.
If the FGT-VM is supposed to "host" the 10.30.40.44 + 45 IPs on behalf of the two servers, in order for packets to reach teh FGT-VM, the other upstream hops (towards the sources of the traffic) must be configured with routes that say that those 10.30.40.44+45 IPs are routable via the FGT-VM (~via 10.20.30.41, for example). In other words, review how the rest of the network routes packets for those IPs, and make the appropriate changes. (static routes, dynamic routes (OSPF, BGP, RIP, ...)
It did not work.
For example, I label Port4 as Lan and set it to 10.20.30.41.
I write 10.20.30.41 as gateway to the server with ip address 10.20.30.44.
How should I write a route on the firewall?
Should it be something like this
Incoming interface : Port4
Incoming source ip : 10.20.30.44/32
Outgoing interface : ? It should go to the internet via its own ip address
Destination ip address: 0.0.0.0.0/0.0.0.0
Gateway : 10.20.30.42
When I type tracert -d google.com as an example from the command line, it goes to 10.20.30.41 as the 1st step and then it is incorrect.
I think I need to do something as a route or rule.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.