- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiNet 60F Questions
I am working to phase out an aging CyberRoam CR35ing with a FortiGate 60F but have ran into a couple of things that I can't seem to find a decent explanation of. The FortiGate 60F is running the latest available firmware at this time of 7.2.2 for reference if needed. I'm going to cross one bridge at a time so-to-speak so please bear with me.
- On the CyberRoam there is an option called Aliases (pictured below) that allows you to have multiple static IPs coming from one physical connection. In this particular case it happens to be from our ISP where we have the static IPs of x.x.x.50 - x.x.x.54. I've looked through the different options in the FortiGate but haven't seen anything that is the equivalent of being able to assign something like this to these IPs. This is important as we have programs and apps that rely on these IPs to be available and be mapped through the firewall. Can someone provide more insight on how this can be accomplished or if it's even possible? I had thought about possibly using a VLAN to obtain the same result but wanted more opinions on it. I know that I can use Virtual IPs as well for the 3 other IP addresses but that simply gives them an internally facing IP.
2.On the same CyberRoam appliance we use an option called Virtual Hosts (pictured below) to essentially map external IPs and ports to internally mapped IPs and ports. I know that I can do this by using Virtual IPs on my 60F but when I attempt to assign them I'm running into a small problem. When I attempt to add a range of IPs (i.e. x.x.x.221-x.x.x.226) it tells me that it's an invalid IP address. If I just put the starting IP address in it works fine.
- Do I need to create a new Virtual IP for each of these IP addresses?
- Also when attempting to add multiple ports for either the External service port or Map to IPv4 port (i.e., 8080, 80, etc.) it gives me an error of Invalid port value?
- Do these ports need to be individually assigned?
Thanks for any and all opinions and answers!
- Labels:
-
FortiGate
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@HEdwarIT_CMCPL
For your first question, you can put only 2 IPs on one interface on fortigate:
Technical Tip: Set a secondary IP on a FortiGate i... - Fortinet Community
This means that you cannot enable all 4 IPs as in your first appliance.
The approach here is to create VIP for every internal IP and put IP that includes all subnet on WAN interface
For your second question you can create Virtual IP group where you can include all required IPs (your second picture) but in your case it gives error because you have one external IP mapping to many internal. You have to put many external to many internal
i.e External IP/Range 10.10.10.10-10.10.10.13
Mapped to 192.168.1.20-192.168.1.23
And for your third question is the same with ports. You have that error because you have to select Many to many and put the port numbers in the fields
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To build on the excellent response above, you might not need to do the first step of putting the extra IP addresses on your interface. With VIPs configured, the ForitGate will automatically respond to arp requests for the public IP address that is configured in the VIP.
Graham
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can have more than 1 secondary address on an interface. AFAIK the limit is 256 addresses in all.
This is in FortiOS v6.4.11:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regarding mapping a range of IP addresses:
You can indeed use ONE VIP for a range of addresses, like so:
You notice that there needs to be an equal number of mappings, that is, you can map 10 external addresses to 10 internal ones. But you cannot map one external address to 10 internal ones, using round robin or the like. This would be a "load balancing VIP", which does exist but will be configured via CLI only.
After a while, you will see there are many ways to solve a problem in FortiOS, sometimes even more than one at a time.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to everyone that has responded so far! I will look into trying these out later this afternoon.