Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Fortigate freezes when Wan 1 and Wan 2 are co...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate freezes when Wan 1 and Wan 2 are connected
Hi,
An interesting problem I have encountered when attempting an implementation of the Fortigate 800C last night. Really hoping I can get some assistance here.
I have a Fortigate 800C inline in transparent mode between 2 Cisco core switches and 2 cisco asa firewalls.
the core switches and firewalls are set up as primary/secondary(failover).
We put the Fortigate in between these devices in transparent mode, primary core switch to wan 1, port 1 to the primary firewall. secondary core switch to port 2, wan 2 to secondary firewall.
Policy was set as Port 1 -> Wan 1 any any all and Port 2 -> wan 2 any any all
When we made connections for port 1 and wan 1, everything worked fine, internet connectivity worked fine. When we made our connections for port 2 and wan 2, after a few seconds the device started blinking red and essentially shut itself down into bypass mode. management console even from usb stopped working and the only way to get it out of this mode was to remove the port 2 and wan 2 connection.
I am not sure why this is happening! Help!
IT Security Analyst
-Phil
IT Security Analyst -Phil
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you caused some kind of loop on the system, so more traffic then it can handle.
The only way to look at it will require ' diagnose sniffer packet' while you make the bad connection. it will probably die on you again but you will see what network looped or something.
//Chura CCIE, NSE7, CCSE+
//Chura CCIE, NSE7, CCSE+
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this helps in troubleshooting: http://kb.fortinet.com/kb/viewAttachment.do?attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113
If the ASAs are running A/A, this could be checked as well: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_active.html
To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I spoke to Fortinet Technical support about this issue and was told the following.
In transparent mode, trying to use two use both wans will not work because you cannot set priority on the routing table therefore, both port1/wan1 and port2/wan2 will fight to take priority and cause the device to fail into bypass mode.
Typically in a nat mode implementation, you can create the routing tables and set priority to resolve this issue but those features for whatever reason in transparent mode are not available.
From documentation:
In transparent operating mode, all physical interfaces act like one interface. The FortiGate unit essentially becomes a bridge — traffic coming in over any interface is broadcast back out over all the interfaces on the FortiGate unit.
In transparent mode, there is no entry for routing at the main level of the menu on the web-based manager display as there is in NAT/Route mode. Routing is instead accessed through the network menu option.
-----
One potential solution which I am currently reviewing is the possibility of enabling VDOM and creating a VDOM for each of my " zones" to prevent the broadcast from causing a device shutdown. I am not quite sure this will work but will update once i get a firm answer.
Cheers and thanks for your reply' s
-Phil
IT Security Analyst
-Phil
IT Security Analyst -Phil
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So i got a more concrete answer from a fortinet tech, and maybe this sounds like basic knowledge now but here it is.
In order to do what I am thinking of doing, in transparent mode, the only way to achieve this is to create two separate vdoms. unfortunately this also means you have to recreate all your policies twice, once per vdom, and there is no way to replicate policies accross each vdom. except for some export/import via cli but that only helps for some of the configuration.
Even when I get my second device in for redundancy its not recommended that I HA cluster them because it will necessitate a full mesh setup that is not worth the additional configuration for the size of our network.
Needless to say there is no way I can avoid managing two identical sets of policies whether its on one device using VDOM or two separate devices.
oh well...on to the next problem
IT Security Analyst
-Phil
IT Security Analyst -Phil
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In order to do what I am thinking of doing, in transparent mode, the only way to achieve this is to create two separate vdoms. unfortunately this also means you have to recreate all your policies twice, once per vdom, and there is no way to replicate policies accross each vdom. except for some export/import via cli but that only helps for some of the configurationMore than one person here will tell you to load a backup of the config into a text editor, copy the relevant sections of the config into a separate text file -- edit the references of this new section, then paste it back into the new vdom location in the original config. (If you plan to do this, I suggest back up the original config then split the fgt into two vdoms and save/use that config.) Edit: it will be more involving setting up the new vdom and getting the interfaces properly matching under old/new sections, so not quite sure what is involved.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An alternative is to take a look at using port-pairs and setting forward-domains, we have an 800C doing transparent inspection on one of our WAN links that is carrying two VLAN' s.
As traffic is all vlan tagged we had to create sub-interfaces to see the traffic, however once we did we were seeing traffic from vlan 50 on both vlan 64 routers (at both ends of the WAN)
800C (IPS) # show system port-pair
config system port-pair
edit " BB-50"
set member " BB-50_north" " BB-50_south"
next
edit " BB-64"
set member " BB-64_north" " BB-64_south"
next
end
800C (IPS) # show system interface BB-50_north
config system interface
edit " BB-50_north"
set vdom " IPS"
set forward-domain 50
set interface " port1"
set vlanid 50
next
end
800C (IPS) # show system interface BB-50_south
config system interface
edit " BB-50_south"
set vdom " IPS"
set forward-domain 50
set interface " wan1"
set vlanid 50
next
end
800C (IPS) # show system interface BB-64_north
config system interface
edit " BB-64_north"
set vdom " IPS"
set forward-domain 64
set interface " port1"
set vlanid 64
next
end
800C (IPS) # show system interface BB-64_south
config system interface
edit " BB-64_south"
set vdom " IPS"
set forward-domain 64
set interface " wan1"
set vlanid 64
next
end
800C (IPS) #
Regards,
Matthew Mollenhauer
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,702 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.