I am working to phase out an aging CyberRoam CR35ing with a FortiGate 60F but have run into a couple of things that I can't seem to find a decent explanation of. The FortiGate 60F is running the latest available firmware at this time of 7.2.2 for reference if needed. I'm going to cross one bridge at a time, so to speak, so please bear with me.
2. On the same CyberRoam appliance we use an option called Virtual Hosts (pictured below) to essentially map external IPs and ports to internally mapped IPs and ports. I know that I can do this by using Virtual IPs on my 60F but when I attempt to assign them I'm running into a small problem. When I attempt to add a range of IPs (i.e. x.x.x.221-x.x.x.226) it tells me that it's an invalid IP address. If I just put the starting IP address in it works fine.
Thanks for any and all opinions and answers!
@HEdwarIT_CMCPL
For your first question, you can put only 2 IPs on one interface on a FortiGate:
Technical Tip: Set a secondary IP on a FortiGate i... - Fortinet Community
This means that you cannot enable all 4 IPs as in your first appliance.
The approach here is to create a VIP for every internal IP and put an IP that includes all of the subnet on the WAN interface.
For your second question, you can create a Virtual IP group where you can include all required IPs (your second picture), but in your case it gives an error because you have one external IP mapping to many internal. You have to put many external to many internal,
i.e. External IP/Range 10.10.10.10-10.10.10.13
Mapped to 192.168.1.20-192.168.1.23
And your third question is the same with ports. You have that error because you have to select Many to many and put the port numbers in the fields.
To build on the excellent response above, you might not need to do the first step of putting the extra IP addresses on your interface. With VIPs configured, the FortiGate will automatically respond to ARP requests for the public IP address that is configured in the VIP.
You can have more than 1 secondary address on an interface. AFAIK the limit is 256 addresses in all.
This is in FortiOS v6.4.11:
Regarding mapping a range of IP addresses:
You can indeed use ONE VIP for a range of addresses, like so:
You notice that there needs to be an equal number of mappings, that is, you can map 10 external addresses to 10 internal ones. But you cannot map one external address to 10 internal ones, using round robin or the like. This would be a "load balancing VIP", which does exist but will be configured via CLI only.
After a while, you will see there are many ways to solve a problem in FortiOS, sometimes even more than one at a time.
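The equal-count rule described in the replies above can be checked before touching the firewall. The following is an added example, not part of the original thread and not Fortinet code: it validates that the external and mapped ranges are the same size, lists the resulting pairs, and renders a `config firewall vip` stanza. The in-order pairing (first external to first internal), the VIP name and the interface name `wan1` are assumptions.

```python
import ipaddress

def parse_range(text):
    """Parse 'a.b.c.d' or 'a.b.c.d-a.b.c.e' into (first, last) IPv4 addresses."""
    first, _, last = text.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {text}")
    return lo, hi

def map_vip(ext_range, mapped_range):
    """Return the ordered external -> internal pairs of a one-to-one range VIP.

    Raises ValueError when the ranges differ in size, i.e. the
    one-external-to-many-internal case the thread says a plain VIP rejects.
    Pairing in address order is an assumption of this example.
    """
    ext_lo, ext_hi = parse_range(ext_range)
    map_lo, map_hi = parse_range(mapped_range)
    ext_n = int(ext_hi) - int(ext_lo) + 1
    map_n = int(map_hi) - int(map_lo) + 1
    if ext_n != map_n:
        raise ValueError(
            f"{ext_n} external vs {map_n} internal addresses: counts must match")
    return [(ext_lo + i, map_lo + i) for i in range(ext_n)]

def render_vip(name, extintf, ext_range, mapped_range):
    """Validate the ranges, then emit the FortiOS CLI stanza for the VIP."""
    map_vip(ext_range, mapped_range)
    return "\n".join([
        "config firewall vip",
        f'    edit "{name}"',
        f'        set extintf "{extintf}"',
        f"        set extip {ext_range}",
        f'        set mappedip "{mapped_range}"',
        "    next",
        "end",
    ])

if __name__ == "__main__":
    # Addresses from the reply above; VIP name and interface are placeholders.
    ext, inside = "10.10.10.10-10.10.10.13", "192.168.1.20-192.168.1.23"
    for outside_ip, inside_ip in map_vip(ext, inside):
        print(f"{outside_ip} -> {inside_ip}")
    print(render_vip("vip-range-example", "wan1", ext, inside))
```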
Thanks to everyone that has responded so far! I will look into trying these out later this afternoon.