Roman_Gelfand
New Contributor

Fortigate 50B Network Environment

Consider the following topology...

    cable router (/29 network, internal interface xx.xxx.xx.249)
            ^
            ||
            ||
            V
    Fortigate (transparent mode)
            ^
            ||
            ||
            V
    Server (serving various services, ip xx.xxx.xx.250) <===> client (192.168.1.2)

I understood that correct practice is to have a single gateway and let routers do the routing. Where and how would you configure the router so that the server has only one gateway? I originally thought of making xx.xxx.xx.249 the gateway, but this gateway is outside of the Fortigate. Any help is appreciated. Thanks
rwpatterson
Valued Contributor III

The only way I could see that would be to change the FGT to routing mode, and have the server use it as its gateway. The clients could share the same network, or you could put the server on the DMZ interface.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Roman_Gelfand

So, just to confirm... I set up xx.xxx.xx.254 as the Fortigate management IP. Are you saying I should make the Fortigate management IP the server's default gateway, and add a VLAN for the client network? Also, set up the required static routes? Thanks for your help
rwpatterson
Valued Contributor III

No, change the operating mode of the FGT from transparent. This way, each interface will have its own IP subnet, then you'll have to craft policies and routes to make things work in the new configuration.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

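As an added illustration of what "each interface will have its own IP subnet, then you'll have to craft policies and routes" amounts to, the following FortiOS CLI fragment (not from this thread) sketches a NAT-mode layout for the topology in the question. It assumes 203.0.113.0/29 as a constructed stand-in for the xx.xxx.xx /29, the server moved to a private DMZ address 10.0.0.2 and published on its former public address through a VIP, and FortiOS 4.x-era keywords (check them against the firmware on the 50B).

```text
# 203.0.113.0/29 stands in for the thread's xx.xxx.xx /29 (constructed values)
config system settings
    set opmode nat
end
config system interface
    edit "wan1"
        set ip 203.0.113.250 255.255.255.248
    next
    edit "dmz"
        set ip 10.0.0.1 255.255.255.0
    next
    edit "internal"
        set ip 192.168.1.1 255.255.255.0
    next
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.249
        set device "wan1"
    next
end
config firewall vip
    edit "server-vip"
        set extintf "wan1"
        set extip 203.0.113.250
        set mappedip 10.0.0.2
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "server-vip"
        set action accept
        set schedule "always"
        set service "SIP"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With this layout only the FortiGate points at the cable router; the server's sole gateway is 10.0.0.1 and the client's is 192.168.1.1. Add an internal-to-dmz policy if clients must reach the server directly, and attach an IPS sensor to policy 1 so the SIP traffic is inspected there.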
Roman_Gelfand

Oh, I see. I would go to NAT operation mode, but... 1. Won't the Fortigate pass packets faster through a transparent firewall as opposed to NAT, where it needs to translate addresses? 2. When I had it in NAT mode, IPS wasn't working too well. It erroneously thought the src and dst addresses were the same. Here is my IPS signature. This signature works fine in transparent mode.

    F-SBID( --attack_id 7754; --name SIP.User.Password.Guessing.UDP; --protocol UDP; --service SIP; --flow from_server,reversed; --pattern "SIP/2.0 4"; --context header; --within 9,context; --pcre "/^\d{2}/"; --context header; --distance 0; --rate 100,60; --track src_ip; )
ede_pfau
Esteemed Contributor III

1. IMHO no, NAT doesn't cost much. There are reasons for transparent mode; performance is not among them. 2. Then I'd assume the signature has a logic error which is obscured if you use the same subnet for source and destination. I don't see why it should not work as expected.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Roman_Gelfand

Thanks for the explanation. So, under which circumstances would one choose transparent over NAT mode? Thanks.
ede_pfau
Esteemed Contributor III

Predominantly if you don't want to redesign the network but you need to place a UTM into the data path for protection. Say, you evaluate a Fortigate, or demonstrate whether it can classify the traffic. Some customers employ a 2-tier firewall design where the firewalls must not be of the same vendor. To avoid a transfer network you can use transparent mode. Transparent mode comes in handy especially when cascading VDOMs. Example: WAN acceleration in a routing VDOM, with UTM applied in a transparent VDOM behind it, all on the same hardware for the same traffic.

Ede

"Kernel panic: Aiee, killing interrupt handler!"