Not applicable

Fortigate update over MPLS

Hi, I am a French customer, and I am going to install a new piece of equipment (FortiGate 110C). I've got some problem with this one. To understand my problem I need to explain how the FortiGate is connected. I have a Juniper directly connected to the MPLS network with the private IP 10.x.x.10. Behind this one I have the FortiGate 110C connected to the Juniper on the wan1 interface with the private IP 10.x.x.9. I have some private networks which use NAT rules for going to the internet; for example I am NATing the network 192.168.x.x to the public IP 195.x.x.x over the connection wan1. A static rule has been entered in the router configuration for going by default to the network 10.x.x.10 (it's a default gateway), so for my private networks I don't have any problem: the NAT works perfectly and they have an internet connection. My problem is about the update of the FortiGate. As I said, the WAN interface of the FortiGate is connected to the Juniper and the MPLS network with a private IP address, and so the FortiGate tries to get its update by using the IP 10.x.x.10, but as we know it's impossible to route a private IP on the internet and so the FortiGate can't make its update..... How can I tell the FortiGate to use a public IP for going to fetch its update, like I do with my private network (with the NAT function)? Thanks for your help
Not applicable

As I said at the beginning of my post, the FortiGate is behind a Juniper and communicates with the MPLS network, so the FortiGate has a private IP address to communicate with the Juniper over the MPLS. So on the FortiGate the wan1 interface has a private, non-routable IP address, and so if I ping ocadns1 from the FortiGate it doesn't work; however, if I ping from the FortiGate with a public IP address as source I can reach ocadns1.
 config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.X.X.9 255.255.255.252
        set allowaccess ping snmp
        set type physical
        set external enable
        set alias "Internet-rare"
        set speed 100full
    next
 end
Thanks, Ede
ede_pfau

OK, sorry, I somehow didn't remember..this thread has become quite long. You are using 4.2.5 b315. There is no way to specify the source IP for DNS from the FGT. This has only been added in 4.3. Just like you, I would rather wait a while before upgrading... The only solution I can think of is that the next router has to help. Either it has to NAT the wan1 IP to a public IP, or it has to supply DNS to the FGT. Or maybe the FGT could use a DNS on the internal subnet. Are those valid options for your setup?
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

I have tried to test your idea with a DNS server in the internal subnet, and that's what I have after that:
 Fortinet-LSBB # execute ping update.fortiguard.net
 unix_receive_request()-897
 unix_receive_request()-916: vd-0 received a req with 39 bytes
 handle_dns_request()-590: pktlen=39, qr=0
 dns_local_lookup()-708: vfid=0 qname=update.fortiguard.net, qtype=1, qclass=1, offset=39, map#=3 max_zs=512
 dns_lookup_aa_zone()-431: vfid=0, fqdn=update.fortiguard.net
 dns_send_cached_response()-541
 dns_adjust_ttl_values()-112
 dns_adjust_ttl_values()-115: Offset of 1st RR: 39
 dns_adjust_ttl_values()-117: Number of RR's: 4
 dns_adjust_ttl_values()-128: New ttl: 61192
 dns_adjust_ttl_values()-128: New ttl: 82378
 dns_adjust_ttl_values()-128: New ttl: 82378
 dns_adjust_ttl_values()-128: New ttl: 82378
 dns_forward_response()-528
 __dns_forward_response()-441
 __dns_forward_response()-447: vd-0 Send 118B via fd=14, family=1
 dns_query_check_timeout()-288: jiffies=94725346
 dns_sock_monitor()-240
 PING fds1.fortinet.com (216.156.209.20): 56 data bytes
 --- fds1.fortinet.com ping statistics ---
 5 packets transmitted, 0 packets received, 100% packet loss
Other options like the NAT on the Juniper are not possible because I do not have control of it. That's the result of the action on the Update button in the menu Endpoint ==> FortiClient ==> Update now:
 upd_daemon.c[831] upd_daemon-Doing ring request because forced=1 last_ring=94811734
 upd_daemon.c[433] do_ring-Starting RING
 upd_pkg.c[100] pack_obj-Packing obj=Protocol=3.0|Command=Ring|Firmware=FG110C-FW-4.00-315|SerialNumber=FG100C3G09619771
 upd_act.c[89] upd_act_ring-Trying FDS 208.91.112.66:443
 upd_comm.c[208] tcp_connect_fds-Proxy tunneling is disabled
 upd_pkg.c[193] get_fcpr_rsp_code-Unpacked obj: Protocol=3.0|Response=200|Firmware=FPT033-FW-3.17-0721|SerialNumber=FPT-FDS-DELL0002|Server=FDSG|Persistent=false
 upd_daemon.c[458] do_ring-FDN available
and it doesn't change anything. I am sorry to waste your time, but I don't find the solution.
ede_pfau

OK, the idea with the internal DNS works. Now it's clear that the FGT cannot communicate with the WAN because of the (private) IP on 'wan1'. - I wonder how it gets the FDS updates then - must be because we configured the substitution IP for FDS updates...but that does not work for the FClient update, apparently. Too bad. Looks like the MPLS setup really is an obstacle.

I've found an option setting where you can configure that the update should not come from the FDS server but either the FGT itself (?) or a different server. That must be a HTTPS server then, as the connection to FDS is HTTPS as well. That could be a way to get the FClient image into the FGT, even if only once. (1)

You are not wasting my time, the forums live from voluntary contributions, and I like to help you find a solution. But I must say that this topic has grown quite a bit. I don't know if it is reasonable to further pursue it on the forum as we normally only contribute hints, not elaborate complete solutions. Would you think that opening a support call with Fortinet would be possible, depending on your level of support? After all, they are just round the corner...and they are fluent in French. Just what I would do, in parallel. (2)

Last opportunity is to upgrade to 4.3. There you have options for the source IP for all internal services like DNS, NTP, SNMP etc. Take a look at the "What's new in FortiOS 4.3" document on docs.fortinet.com for this. I know at the moment it is a bit risky as 4.3 has just been released. But it might solve your problem in an instant. Difficult. (3)

And then, dear Forum members, is there no one out there who has configured a FGT behind an MPLS router and already solved that problem? Please post it here, even if it's just good advice! (4)

So that's 4 ideas how we might proceed.
Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau

Sorry to bother, another idea: you could use a second VDOM in routing mode just to NAT the FGT self-generated traffic from the root domain. Like this:
 -------------!___!-------------------!___!-------
 internal     root  intra-VDOM link   vdom2  wan 
And vdom2 would be NATting root's WAN IP to some public IP. It's not what you do every day, but it should work. FGTs can be virtualized into up to 10 VDOMs, essentially separate independent firewalls.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Thanks, Ede, I am agry with you for this topic. For my problem, I think I have to do the upgrade.... I'll tell you if I have got some problem. Just a last question: can you give me the command for using the "option for the source IP for all internal services like DNS"? Thanks again and again for your help!! "they are fluent in French. Just what I would do, in parallel"
ede_pfau

Please get the "What's new in FortiOS 4.3" and look for "Source IP addresses for FortiGate-originating traffic". There have been a lot of changes / additions besides this, so it's really a MUST READ if you upgrade to 4.3. Just 88 pages. Click here: http://docs.fortinet.com/fgt40mr3.html Actually, the exact command(s) are listed in the "CLI Guide" for 4.3, not the AdminGuide or the 'What's new'.
 config system dns
    set source-ip <ipv4_addr>
 end
 config system fortiguard
    set client-override-status enable
    set client-override-ip <ipv4_addr>
 end
 config system ntp
    set source-ip <ipv4_addr>
 end
 
Finally, "ede i am agry with you"... hopefully you are NOT angry with me, but just agree with me? You're always welcome if you have trouble after the upgrade. Bonne chance!
Ede Kernel panic: Aiee, killing interrupt handler!
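Added example, not code from the thread or from Fortinet: a small Python check that parses a FortiOS-style config excerpt in the shape quoted above (the wan1 interface block plus the 4.3 `source-ip` settings) and reports which FortiGate-originated services would still leave with the private wan1 address; the config text and all IPs are constructed placeholders.

```python
"""Added example, not from the thread: parse a FortiOS-style CLI snippet and
flag FortiGate-originated services whose source address would be RFC 1918."""
import ipaddress
# Constructed config excerpt modelled on the thread; all IPs are placeholders.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 10.0.0.9 255.255.255.252
    next
end
config system dns
    set primary 203.0.113.53
end
config system ntp
    set source-ip 203.0.113.10
end
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_config(text):
    """Return {section: {key: value}}; 'edit' entries are keyed section/name."""
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
        elif line.startswith("edit "):
            stack.append(line[5:].strip('"'))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree.setdefault("/".join(stack), {})[key] = value.strip('"')
    return tree

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def check_source_ips(tree, wan="wan1"):
    """A service with no source-ip leaves from the egress interface address;
    report services that would therefore source from a private WAN IP."""
    wan_ip = tree.get(f"system interface/{wan}", {}).get("ip", "").split(" ")[0]
    findings = {}
    for svc in ("system dns", "system ntp"):
        src = tree.get(svc, {}).get("source-ip", wan_ip)
        if src and is_rfc1918(src):
            findings[svc] = src
    return findings
```

Running `check_source_ips(parse_config(SAMPLE_CONFIG))` flags only `system dns`, because NTP already has a public `source-ip` while DNS falls back to the 10.x wan1 address, which is exactly the failure the thread describes.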
Not applicable

Obviously, I wanted to say I agree with you!! Sorry lol ^^ I have to improve my English!!!! Thanks for your last post!!! If the solution works, I will tell you! Perhaps the VDOM solution is a good idea too.