I've got a customer that has 2 FGT200E in an HA pair running 7.2.5. They also have 2 ISP connections. Right now each ISP connection goes into a Cisco ISR, so there are 2 of those in place. The ISRs do nothing except route from the ISP IP address block to the customer's own public IP block. Maintaining licensing and such on these is very expensive and their configuration/maintenance is also difficult so we would like to remove them and host the public IP block on the Fortigate.
The public IP block they own is currently assigned to the WAN interface of the Fortigate, with each ISR having the ISP IPs connected. This way their site to site VPNs, etc. all use the IP block that the customer owns.
I feel like there are probably a couple of different ways to do this but am hoping someone here has a 'known best practice' type deal for this sort of situation.
Hello JasonBurns,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
I ended up figuring it out with help from a guy on Reddit. I set up BGP to advertise the public block and used VIPs with their public block for WAN accessible services. Also used a VIP to handle SSLVPN traffic. Fortinet is working on a solution for IPsec VPNs in their lab, as VIPs didn't work properly for this traffic.
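As an added illustration of the approach the poster describes (example config, not their own), a FortiOS CLI fragment that originates a customer-owned block to two upstream BGP neighbors and publishes one address from it through a port-forwarding VIP. All addresses, ASNs and interface names are assumed placeholders, and the blackhole route is an assumption about how the aggregate is kept present in the routing table so BGP will originate it.

```fortios
# Assumed addressing (RFC 5737 ranges): 203.0.113.0/24 = customer-owned block,
# AS 65000 = customer ASN; ISP neighbors 198.51.100.1 (AS 64500) on wan1
# and 192.0.2.1 (AS 64510) on wan2.
# Blackhole route for the aggregate: "config network" only originates a prefix
# that is already in the routing table; more specific routes still win.
config router static
    edit 10
        set dst 203.0.113.0 255.255.255.0
        set blackhole enable
    next
end
# Originate the block to both upstreams
config router bgp
    set as 65000
    config neighbor
        edit "198.51.100.1"
            set remote-as 64500
        next
        edit "192.0.2.1"
            set remote-as 64510
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0
        next
    end
end
# Expose one address from the block to an internal HTTPS server via a VIP
config firewall vip
    edit "vip-web-443"
        set extip 203.0.113.25
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.10.10.25"
        set mappedport 443
    next
end
# Inbound policy: only the VIP is reachable, and only from the ISP interfaces
config firewall policy
    edit 0
        set name "inbound-web"
        set srcintf "wan1" "wan2"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Verify the advertisement with `get router info bgp network` and confirm the upstream sees the prefix before retiring the ISRs; each additional public service gets its own VIP and its own narrowly scoped policy.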
Hello again,
Thank you for the follow up! Glad that you found a solution.
Kindest regards,
Copyright 2024 Fortinet, Inc. All Rights Reserved.