Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiEdgeCloud
- FortiGate Cloud
- FortiGuard
- FortiExtender
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMonitor
- FortiMail
- FortiNAC
- FortiManager
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiNAC-F
- FortiPhish
- FortiPortal
- FortiPAM
- FortiRecon
- FortiRecorder
- FortiPresence
- FortiProxy
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSOAR
- FortiSwitch
- FortiSIEM
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- GRE tunnel, modify remote-gateway
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
GRE tunnel, modify remote-gateway
Hi all,
I'm running several gre tunnels, all is working perfect. By the way i'd like to modify 1 remote-gateway. I've tried via CLI but i get an error :
unexpected to change gateway address! attribute set operator error, -61, discard the setting
Here is the config :
FGVM-ITX (gre-vince-test) # show config system gre-tunnel
edit "gre-vince-test"
set interface "port10"
set remote-gw xxx.xxx.xxx.xxx ==> IP i need to change
set local-gw zzz.zzz.zzz.zzz
next
end
Do you have any idea?
Thank you in advance,
Bests Regards,
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think you can modify the tunnel entries after it's configured. You can edit a save cfg file and then do a restoral.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
or delete the tunnel and create it again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear all,
Thank you for your help. It's a bad new, this firewall is in production and i can not reboot it as i want. I have a lot of policies so it is impossible to delete and renew the tunnel :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this case the best way is changing your configuration from backup and restore it as emnoc said.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thank you very much.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keep in mind a configuration restoral is going cause a reboot.
I think another trick would be o place the interface into a zone before you nail policies and then you add the new GRE tunnel into the same zone and delete the old one. But that would also require you to "remove" all policies in your case.
e.g
config system zone edit "mytunnel" set interface "tun1" "tun2" next end
and
config system gre-tunnel edit "tun1" set remote-gw 199.111.111.1 set local-gw 10.10.80.1 next edit "tun2" set remote-gw 199.111.111.2 set local-gw 10.10.80.1 next end
But once you place these into a tunnel, you can nail a policy to just one tunnel, but it will allow you to add or remove tunnels if the need comes up. You don't have to 1+ interfaces in a zone, So you could place one member ( tun1 ) and then if tun1 ever needs to change, you add tun2 and delete tun1.
Either way, it's not a simple 1 2 3 , but with proper planning you can eliminate most of the hassle. And I wish Fortinet would remove this restriction and allow you to re-edit the gw ip_address
YMMV
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello emnoc,
Thank you for your great help. Your idea about creating a zone looks wondurful for my situation. I think i'll do that :)
As you said, Fortinet should remove this restriction, it is a non-sense.
Bests Regards,
Vincent.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is an old post, but I searched everywhere and was unable to find an answer that didn't require rebooting a production device, so here is the solution (steps 12-14 are done on a FortiManager, so ignore if you don't have one): 1. SSH to device (or connect to the console). 2. Find all references to tunnel name in configuration. For this example we will use "Zscaler_LON3" for the tunnel. We are changing the remote-gw IP from 145.8.20.36 to 145.8.21.246. FG-FW01 # sh full-configuration | grep -f Zscaler_LON3 config system interface edit "Zscaler_LON3" <--- set vdom "root" set distance 5 ... next end config system gre-tunnel edit "Zscaler_LON3" <--- set interface "wan1" set remote-gw 145.8.20.36 set local-gw 25.125.46.4 set dscp-copying disable set keepalive-interval 0 next end config firewall policy edit 418 set name '' set srcintf "port3" set dstintf "Zscaler_LON3" <--- set srcaddr "all" set dstaddr "ext.grp.denyall.malicious" 3. Take a full copy of ALL returned examples. 4. Create a new GRE tunnel with "-bk" at the end and garbage IPs. config system gre-tunnel edit "Zscaler_LON3-bk" set interface "wan1" set remote-gw 1.1.1.254 set local-gw 1.1.1.211 set dscp-copying disable set keepalive-interval 0 next end 5. Modify all references from original tunnel "Zscaler_LON3" to new tunnel "Zscaler_LON3-bk" config firewall policy edit 418 set dstintf "Zscaler_LON3-bk" next end config router static edit 36 set device "Zscaler_LON3-bk" next end config router policy edit 4101 set output-device "Zscaler_LON3-bk" next end config system link-monitor edit "Zscaler_LON3_Probe" set srcintf "Zscaler_LON3-bk" next end 6. Do another 'sh full-configuration | grep -f <tunnel-name>' and verify the only references to the original tunnel "Zscaler_LON3" are under 'config system interface' and 'config system gre-tunnel'. 7. Delete original GRE tunnel then recreate with new IP address. FG-FW01 (gre-tunnel) # delete Zscaler_LON3 FG-FW01 (gre-tunnel) # end FG-FW01 # conf sys gre-tunnel FG-FW01 (gre-tunnel) # edit "Zscaler_LON3" new entry 'Zscaler_LON3' added FG-FW01 (Zscaler_LON3) # set interface "wan1" FG-FW01 (Zscaler_LON3) # set remote-gw 145.8.21.246 FG-FW01 (Zscaler_LON3) # set local-gw 25.125.46.4 FG-FW01 (Zscaler_LON3) # set dscp-copying disable FG-FW01 (Zscaler_LON3) # set keepalive-interval 0 FG-FW01 (Zscaler_LON3) # next FG-FW01 (gre-tunnel) # end 8. Deleting the GRE tunnel has also deleted all information from the system interface, you need to add it all back in. Make sure to set the 'set remote-ip' to the new remote-gw address "145.8.21.246". FG-FW01 (interface) # edit Zscaler_LON3 FG-FW01 (Zscaler_LON3) # show config system interface edit "Zscaler_LON3" set vdom "root" set type tunnel set snmp-index 34 set interface "wan1" next end FG-FW01 (Zscaler_LON3) # set vdom "root" FG-FW01 (Zscaler_LON3) # set distance 5 FG-FW01 (Zscaler_LON3) # set dhcp-relay-service disable FG-FW01 (Zscaler_LON3) # set ip 172.18.100.89 255.255.255.255 ... FG-FW01 (Zscaler_LON3) # set status up ... FG-FW01 (Zscaler_LON3) # set remote-ip 145.8.21.246 ... FG-FW01 (Zscaler_LON3) # next 9. Modify all references from new tunnel "Zscaler_LON3-bk" to original tunnel "Zscaler_LON3" config firewall policy edit 418 set dstintf "Zscaler_LON3" next end config router static edit 36 set device "Zscaler_LON3" next end config router policy edit 4101 set output-device "Zscaler_LON3" next end config system link-monitor edit "Zscaler_LON3_Probe" set srcintf "Zscaler_LON3" next end 10. Do another 'sh full-configuration | grep -f <tunnel-name>' and verify the only references to the new tunnel "Zscaler_LON3-bk" are under 'config system interface' and 'config system gre-tunnel'. 11. Delete the new tunnel "Zscaler_LON3-bk", then do another check to make sure all references are removed. 12. Do a 'Retrieve Config' from inside Device Manager -> Configuration Revision History and save the configuration. 13. Do a 'Revision Diff' and validate your change. 14. The policy will probably show RED for out-of-sync. If so, do a policy push even though it shows no changes.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,972 -
FortiClient
1,816 -
5.2
801 -
FortiManager
770 -
5.4
639 -
FortiAnalyzer
578 -
FortiSwitch
492 -
FortiAP
482 -
FortiClient EMS
450 -
6.0
416 -
5.6
362 -
FortiMail
326 -
SSL-VPN
266 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
232 -
FortiWeb
214 -
FortiNAC
202 -
5.0
196 -
FortiGuard
142 -
6.4
128 -
SD-WAN
123 -
FortiAuthenticator
117 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
90 -
Wireless Controller
82 -
Customer Service
81 -
FortiProxy
65 -
4.0MR3
64 -
High Availability
62 -
Fortivoice
58 -
FortiEDR
54 -
FortiADC
54 -
VLAN
53 -
ZTNA
53 -
Routing
49 -
DNS
49 -
FortiSandbox
46 -
FortiExtender
46 -
FortiDNS
42 -
SAML
42 -
BGP
42 -
LDAP
42 -
RADIUS
40 -
Authentication
40 -
SSO
40 -
NAT
38 -
Certificate
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
VDOM
33 -
Interface
32 -
FortiLink
32 -
FortiConnect
31 -
Application control
30 -
FortiGate-VM
29 -
FortiWAN
27 -
Logging
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
FortiGate v5.2
24 -
FortiPAM
23 -
SSL SSH inspection
23 -
FortiPortal
21 -
FortiSwitch v6.2
19 -
Fortigate Cloud
19 -
Traffic shaping
19 -
FortiMonitor
18 -
SSID
17 -
OSPF
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
SNMP
15 -
Static route
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
Security profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
Traffic shaping policy
10 -
FortiAP profile
10 -
Intrusion prevention
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Port policy
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Explicit proxy
7 -
API
7 -
Antivirus profile
7 -
Traffic shaping profile
7 -
Fabric connector
7 -
Web rating
7 -
FortiToken Cloud
6 -
trunk
6 -
Packet capture
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Users
5 -
Authentication rule and scheme
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1788 | |
| 1119 | |
| 768 | |
| 447 | |
| 242 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.