HI Everyone,
I have just acquired this Fortinet Firewall for the purpose of site to site VPN between two sites and i don't have previous experience deploying it the live network.My questions are very basic and i hope you don't mind answering them. I have tried to gather information from google but didn't get what i want.
1. I have tried to change IP of management interface (10.10.10.x is reserved for management) so that i can access it from within the LAN but there is no option to assign a Gateway IP therefore its not accessible unless i access it from the same subnet. Question is how can i change the IP to 10.x.x.x range and access it from 11.x.x.x or 12 .x.x.x?
2. Can i use port 1 as a local VPN interface to connect to the other site as i have got the IP and subnet, gateway is not required.
our end IP 172.16.x.1 and their end IP is 172.16.x.2
3. Other switch ports doesn't have the option to assign gateway, so how can i assign a static IP Address to introduce the interface to my LAN.
I will appreciate your help.
Thanks
Ali
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
hi,
and welcome to the forums.
I will try to give you hints as far as I've understood your questions. As you come from a different vendor your expectations as well as terminology might cause some confusion. But, in reality it's quite simple.
rule 1:
you can only assign one subnet (address + mask) to one port. You cannot assign any other address from that subnet to any other port on the FGT.
FortiOS will automatically create a static route to this interface for this subnet (look it up in Monitor > Routing monitor).
rule 2:
the only exception to this is the management interface (if present in hardware) or one port "dedicated to management" (all models). This is meant so that you can access all members of a cluster because this setting will not be synchronized across all cluster members. This means that you can access passive or slave members on their own local interface while the cluster itself carries a different address from the same subnet.
rule 3:
rule 2 leads to the idea that you don't HAVE to use the management port to manage the FGT. You can choose any port and allow access via HTTPS or SSH. I personally wouldn't allow that on WAN ports but there are cases where this comes in handy.
Next question about VPN:
yes, you can terminate an IPsec VPN on any port, using any address. My advice: do not use the VPN wizard but build your phase1 and phase2 by hand. You'll encounter all relevant parameters and find the spot where you specify the outbound port and address.
If you specify the 'remote address' the FGT of course needs a valid route to that address.
Question about gateway:
hmm, maybe you are looking for a way to create routes? Network > Static routes.
If your FGT features a switch (a compound of interfaces internally connected by a switch hardware) then only one port will carry an address & netmask.
Maybe I didn't understand your questions fully, then please continue to ask.
Thanks and i appreciate your help EDE.
My environment is Cisco that is why i am having difficulties but i am trying to learn. In my scenario i tried assigning IP 10.10.10.10 but i was unable to access it from my desktop PC having IP from a different subnet. I also made sure that the port on the switch is in the right VLAN and also tested the same IP on my laptop that worked straight away.
I will try again on Monday and see if it makes any difference.
Thanks for the tips regarding VPN. I don't use wizards anyway. I assume i can introduce my LAN to the WAN ports or any switch port of FGT ?
If incase it doesn't work then i will try to upload a simple network diagram to show what exactly i want.
Diagrams are ALWAYS a big help.
One thing you should know is that a FGT is a security device. One consequence of this is that it will DROP traffic from networks it doesn't know.
Say, your LAN is 10.10.10.0/24 and port1 has 10.10.10.1. Somewhere on the LAN there is a second router which provides access to 10.3.4.0/24. If you ping the FGT from 10.3.4.5, maybe it will reach port1 but then the FGT will silently discard that traffic.
Fix:
you create a static route on the FGT how to reach the subnet 10.3.4.0
subnet 10.3.4.0/24
gateway 10.10.10.254 (must be on a known subnet of the FGT)
Now the remote subnet is known to the FGT and will be allowed if additionally there is a policy allowing it. (for direct access to a FGT port you would not need a policy).
https://forum.fortinet.com/tm.aspx?m=148995
See emnoc's comment on the management interface gateway setting.
toshiesumi wrote:Thanks Toshie, i am not comfortable using Vdoms as it will make things complex. I have seen few videos for changing it from root to your own and i tried too but didnt find an option of adding a new Vdom. Only root and FGT management was available for editing and configuration and i had to execute factory reset in the end.https://forum.fortinet.com/tm.aspx?m=148995
See emnoc's comment on the management interface gateway setting.
Ken's(emnoc's) first suggestion in the thread should work without VDOM. "dedicated-to-managment" interface doesn't live in regular routing-table (out-of-band). It doesn't follow the regular default gateway.
config sys ha set ha-mgmt-status enable set ha-mgmt-interface "mgmt" set ha-mgmt-interface-gateway x.x.x.x end
"our end IP 172.16.x.1 and their end IP is 172.16.x.2"
Does that mean that's overlapping subnets? Or is that indeed two seperate subnets?
If it is overlapping you would have to map it to make it accessible over the vpn. There is a KB article on that somwhere at Fortinet.com. Google might find it.
if not it's fine and Ede and Toshi already mentioned all other things.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
We are not using this 172 IP address anywhere , infact this IP is given by the users of other end who wanted to have a VPN connection with us. They are currently using this scheme with many other clients. Their end is .1 and all other clients are .2,3,4 etc.
i have not had a chance to do any configuration on it yet but i am planning to do it during this week.
the end is different yes. But does the rest difer?
Iif e.g. Client is 172.16.1.1 and you have 172.16.1.2 3 or 4 that is overlapping subnets! it is different ips on both side but the same subnet. This doesn't even cannot be done by subnetting as no matter hwat mask you use at lest .1 to .3 will bei on the same subnet.
In this case that cannot be routed successfully as it is local on an interface on both sides then. So you would have to map it as I said to bei able to route traffic. That would have to be done on both sides of course. ANd then both sides would have to use the mapped subnet instead of the original to get to the other side.
There is a KB Article on how that can be done if there is a FGT on both sides. I once had to do that too and it did work this way here as long as we needed it (we changed the remote subnet as soon as it were possible).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.