How do I set an IP Pool address in FortiOS 7.2.10 as a local address on a 120G?
The 120G considers them an external address.
Thanks in advance
I'm not sure if I understand your requirement well, but I guess you mean enabling ARP reply in the VIP.
config firewall vip
edit VIP1
set arp-reply enable
next
end
Edit: Mea culpa. I thought it was about VIP.
Share with us the GUI screenshot or CLI output showing why you think "120G considers them as a external address".
Toshi
Created on 11-05-2024 09:11 AM Edited on 11-05-2024 09:27 AM
I have the 120G and 80F, but with a factory reset and a simple setup.
Both with 7.2.10 and both with an IP Pool address and ARP enabled.
FortiGate-80F (SNAT-IP 172.17.5.0/24) # show
config firewall ippool
edit "SNAT-IP 172.17.5.0/24"
set startip 172.17.5.1
set endip 172.17.5.1
next
end
FortiGate-120G (SNAT-IP 172.17.5.0/24) # show
config firewall ippool
edit "SNAT-IP 172.17.5.0/24"
set startip 172.17.5.1
set endip 172.17.5.1
next
end
Screenshot from 120G
And a single f/w-rule
FortiGate-80F (1) # show
config firewall policy
edit 1
set name "Internet"
set uuid xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
set srcintf "internal" "wifi.fortilink"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
From a second shell, I do exec ping 172.17.5.1
FortiGate-120G # diagnose sniffer packet any 'host 172.17.5.1' 4
filters=[host 172.17.5.1]
2.693988 port2 out 93.241.42.222 -> 172.17.5.1: icmp: echo request
3.694028 port2 out 93.241.42.222 -> 172.17.5.1: icmp: echo request
FortiGate-80F # diagnose sniffer packet any 'host 172.17.5.1' 4
filters=[host 172.17.5.1]
13.410881 root out 172.17.5.1 -> 172.17.5.1: icmp: echo request
13.410891 root in 172.17.5.1 -> 172.17.5.1: icmp: echo request
The 120G sends ICMP to the internet and the 80F to the local IP Pool.
So, I need to tell the 120G that this IP Pool is a local address.
IP pools are used in policies for SNAT. The traffic to use the SNAT needs to come from the source interface defined in the policy. Pinging from inside the FGT wouldn't use an ippool. Try ping from a device connected to the source interface.
Toshi
Created on 11-05-2024 09:36 AM Edited on 11-05-2024 09:42 AM
And why does the 80F answer to ICMP, or the 120G if I upgrade to 7.4.5 in the same setup?
I will have a Site2Site tunnel with ICMP from the other site of the (Tunnel Monitoring).
The other site needs to ping this IP Pool address, but the IP Pool doesn't answer on the 120G.
Next there would be a f/w-rule with a SNAT IP from the IP Pool (172.17.5.1).
Created on 11-05-2024 09:58 AM Edited on 11-05-2024 10:05 AM
You're pinging the same IP address as the IP pool. Probably the config on the 80F is different from the 120G.
But, to use the IP pool for SNAT at the policy, you need to specify the pool name in the policy. That's the main reason it wouldn't use the ippool even if you pinged from a device through the 120G to the internet.
config firewall policy
edit 1
<snip>
set nat enable
set ippool enable
set poolname "SNAT-IP 172.17.5.1"
next
end
Toshi
Created on 11-05-2024 11:42 PM Edited on 11-05-2024 11:43 PM
Yes, I have to admit that the configs of the 80F and the 120G are complex and differ.
First there was a factory reset. On the 80F the WAN1 port was then configured with DHCP, but on the 120G port2 was configured with DHCP for the WAN connection.
There was also a single firewall rule for Internet access.
The IP pools are both configured in the same way.
And why would the 80F then generate an ICMP reply, while the 120G does not?
Whereas the 120G with 7.4.5 has an ICMP reply.
Also, is it sufficient to define an internal VLAN on the 120G with the IP range 172.17.5.1 - 172.17.5.254 without any firewall rule? And here too, an ICMP to the local IP works perfectly from the CLI.
You say I should ping from a device connected to the source interface.
The source interface would be internal (or any), and I should be able to ping the IP Pool address from any client connected to the source interface and with a proper route to this IP Pool address?
I have changed the single fw-rule for internet; it uses a SNAT now.
FortiGate-80F (1) # show
config firewall policy
edit 1
set name "Internet"
set uuid abb7a94e-87a4-51ef-8874-4f6a3326c7de
set srcintf "any"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "SNATIP 172.17.5.0/24"
next
end
I can't ping the IP Pool.
I can ping the external public IP from internal.
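Toshi's point above is that an IP pool only takes effect for traffic that matches a policy with `set nat enable`, `set ippool enable` and a `set poolname` that refers to an existing pool, and that the reference must match the pool's name exactly. In the config as posted in this thread, the pool is defined as "SNAT-IP 172.17.5.0/24" while the policy refers to "SNATIP 172.17.5.0/24" (no hyphen). The script below is an added example, not Fortinet code and not from anyone in this thread: it parses FortiOS `show` output as it appears in the CLI (`config` / `edit` / `set` / `next` / `end`) and audits every policy's SNAT settings, flagging a pool name that does not exist and suggesting the closest defined pool. The sample config, the function names and the finding texts are all constructed for the example.

```python
"""Audit FortiOS 'show' output for ip-pool references in SNAT policies.

Added example (not Fortinet's code): parses CLI config blocks and checks
that every policy using 'set ippool enable' names a pool that exists under
'config firewall ippool'. Names are compared exactly, because FortiOS treats
"SNAT-IP x" and "SNATIP x" as two different objects.
"""
import re
import shlex

# Constructed sample built from the values posted in the thread: the pool
# is named with a hyphen, the policy references it without one, and a
# second policy uses NAT without any pool (outgoing-interface SNAT).
SAMPLE_CONFIG = """
config firewall ippool
    edit "SNAT-IP 172.17.5.0/24"
        set startip 172.17.5.1
        set endip 172.17.5.1
    next
end
config firewall policy
    edit 1
        set name "Internet"
        set srcintf "any"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNATIP 172.17.5.0/24"
    next
    edit 2
        set name "Internet-no-pool"
        set srcintf "internal" "wifi.fortilink"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Return {table_path: {entry_name: {key: [values]}}} from 'show' output.

    Nested 'config' sub-tables are stored inside their parent entry under
    the sub-table's own path. Prompt lines ("... # show") and anything that
    is not a config keyword are ignored.
    """
    root = {}
    stack = [root]  # frames are the dicts currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or " # " in line:
            continue
        try:
            tok = shlex.split(line)  # honours the CLI's double-quoted names
        except ValueError:
            continue  # unbalanced quote: not a config line we care about
        kw = tok[0]
        if kw == "config" and len(tok) > 1:
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif kw == "edit" and len(tok) > 1:
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif kw == "set" and len(tok) > 1:
            stack[-1][tok[1]] = tok[2:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def _normalize(name):
    """Lowercase, alphanumerics only: used to suggest near-miss pool names."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit_snat(text):
    """Return [(policy_id, finding)] for every NAT policy whose SNAT is off."""
    cfg = parse_fortios(text)
    pools = cfg.get("firewall ippool", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("nat", ["disable"]) != ["enable"]:
            continue  # no SNAT on this policy at all
        if pol.get("ippool", ["disable"]) != ["enable"]:
            findings.append((pid, "nat enabled without ippool: SNAT uses the "
                                  "outgoing interface address, not a pool"))
            continue
        names = pol.get("poolname", [])
        if not names:
            findings.append((pid, "ippool enabled but no poolname set"))
        for name in names:
            if name in pools:
                continue
            close = [p for p in pools if _normalize(p) == _normalize(name)]
            hint = f" (did you mean {close[0]!r}?)" if close else ""
            findings.append((pid, f"poolname {name!r} is not a defined ippool{hint}"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit_snat(SAMPLE_CONFIG):
        print(f"policy {pid}: {msg}")
```

Run it against a real `show full-configuration` dump (redirected to a file) instead of the sample and it will list every policy whose SNAT does not actually go through the pool you expect; a clean run returns an empty list.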
Thanks, but this looks like an IP Pool for DHCP ...
I need an IP Pool for SNAT
Copyright 2024 Fortinet, Inc. All Rights Reserved.