How do I set an IP pool address as a local IP address in the 7.2.10 release?
How do I set an IP Pool address in FortiOS 7.2.10 as a local address on a 120G?
The 120G considers them as an external address.
Thanks in advance
I'm not sure if I understand your requirement well, but I guess you mean enabling ARP reply in the VIP.
config firewall vip
edit VIP1
set arp-reply enable
next
end
Edit: Mea culpa. I thought it was about VIP.
Share the GUI screenshot or CLI output showing why you think "120G considers them as an external address".
Toshi
Created on 11-05-2024 09:11 AM Edited on 11-05-2024 09:27 AM
I have the 120G and 80F, both with a factory reset and a simple setup.
Both with 7.2.10 and both with an IP Pool address and ARP enabled.
- 80F uses WAN1 with DHCP
- 120G uses port2 as WAN1 with DHCP
- IP Pool at 80F and 120G is the same for testing (Head Office, Branch Office)
FortiGate-80F (SNAT-IP 172.17.5.0/24) # show
config firewall ippool
edit "SNAT-IP 172.17.5.0/24"
set startip 172.17.5.1
set endip 172.17.5.1
next
end
FortiGate-120G (SNAT-IP 172.17.5.0/24) # show
config firewall ippool
edit "SNAT-IP 172.17.5.0/24"
set startip 172.17.5.1
set endip 172.17.5.1
next
end
Screenshot from 120G
And a single f/w-rule
FortiGate-80F (1) # show
config firewall policy
edit 1
set name "Internet"
set uuid xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
set srcintf "internal" "wifi.fortilink"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
From a second shell, I do exec ping 172.17.5.1
FortiGate-120G # diagnose sniffer packet any 'host 172.17.5.1' 4
filters=[host 172.17.5.1]
2.693988 port2 out 93.241.42.222 -> 172.17.5.1: icmp: echo request
3.694028 port2 out 93.241.42.222 -> 172.17.5.1: icmp: echo request
FortiGate-80F # diagnose sniffer packet any 'host 172.17.5.1' 4
filters=[host 172.17.5.1]
13.410881 root out 172.17.5.1 -> 172.17.5.1: icmp: echo request
13.410891 root in 172.17.5.1 -> 172.17.5.1: icmp: echo request
The 120G sends the ICMP to the internet and the 80F to the local IP Pool.
So, I need to tell the 120G that this IP Pool is a local address.
IP pools are used in policies for SNAT. The traffic to use the SNAT needs to come from the source interface defined in the policy. Pinging from inside the FGT wouldn't use an ippool. Try ping from a device connected to the source interface.
Toshi
Created on 11-05-2024 09:36 AM Edited on 11-05-2024 09:42 AM
And why does the 80F answer the ICMP, or the 120G if I upgrade to 7.4.5 in the same setup?
I will have a Site2Site tunnel with ICMP from the other site (Tunnel Monitoring).
The other site needs to ping this IP Pool address, but the IP Pool doesn't answer on the 120G.
Next there would be a f/w-rule with a SNAT IP from the IP Pool (172.17.5.1).
Created on 11-05-2024 09:58 AM Edited on 11-05-2024 10:05 AM
You're pinging the same IP address as the IP pool. Probably the config on the 80F is different from the 120G.
But, to use the IP pool for SNAT at the policy, you need to specify the pool name in the policy. That's the main reason it wouldn't use the ippool even if you pinged from a device through the 120G to the internet.
config firewall policy
edit 1
<snip>
set nat enable
set ippool enable
set poolname "SNAT-IP 172.17.5.1"
next
end
Toshi
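An added config-audit script illustrating the point of this answer (my own example, not from the thread or from Fortinet): it parses FortiOS `config firewall ippool` and `config firewall policy` output and flags NAT policies that have `set nat enable` without `set ippool enable`/`set poolname`, or whose pool name does not match any defined pool. The sample config is constructed; the pool name mirrors the one in the thread.

```python
import shlex
# Constructed sample (not the thread's output): policy 1 has NAT but no pool, policy 2 names an undefined pool.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "SNAT-IP 172.17.5.0/24"
        set startip 172.17.5.1
        set endip 172.17.5.1
    next
end
config firewall policy
    edit 1
        set nat enable
    next
    edit 2
        set nat enable
        set ippool enable
        set poolname "SNAT-IP 172.17.5.1"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            tables.setdefault((table := " ".join(tok[1:])), {})
        elif tok[0] == "edit":
            tables[table][(entry := tok[1])] = {}
        elif tok[0] == "set" and entry is not None:
            tables[table][entry][tok[1]] = tok[2:]  # list: some keys take several values
        elif tok[0] == "next":
            entry = None
    return tables

def audit_snat(text):
    """Return (policy_id, finding) pairs for NAT policies whose SNAT pool use is broken."""
    cfg = parse_fortios(text)
    pools = cfg.get("firewall ippool", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("nat") != ["enable"]:
            continue
        if pol.get("ippool") != ["enable"] or not pol.get("poolname"):
            findings.append((pid, "nat enabled without ippool: SNAT uses the egress interface IP"))
        for name in pol.get("poolname", []):
            if name not in pools:
                findings.append((pid, f"poolname {name!r} is not a defined firewall ippool"))
    return findings
```

Feed it the text of `show firewall ippool` followed by `show firewall policy`; an empty result means every NAT policy names an existing pool.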
Created on 11-05-2024 11:42 PM Edited on 11-05-2024 11:43 PM
Yes, I have to admit that the config of the 80F and the 120G are complex and differ.
First there was a factory reset. On the 80F the WAN1 port was then configured with DHCP, but on the 120G port2 was configured with DHCP for the WAN connection.
There was also a single firewall rule for Internet access.
The IP pools are both configured in the same way.
And why would the 80F then generate an ICMP reply when the 120G does not?
Whereas the 120G with 7.4.5 does send an ICMP reply.
Also, is it sufficient to define an internal VLAN on the 120G with the IP range 172.17.5.1 - 172.17.5.254 without any firewall rule? And here too, an ICMP to the local IP works perfectly from the CLI.
You say I should ping from a device connected to the source interface.
The source interface would be internal (or any), and it should be possible to ping the IP Pool address from any client connected to the source interface with a proper route to this IP Pool address?
I have changed the single fw-rule for internet; it uses SNAT now.
FortiGate-80F (1) # show
config firewall policy
edit 1
set name "Internet"
set uuid abb7a94e-87a4-51ef-8874-4f6a3326c7de
set srcintf "any"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "SNATIP 172.17.5.0/24"
next
end
I can't ping the IP Pool.
I can ping the external public IP from internal.
Thanks, but this looks like an IP Pool for DHCP ...
I need an IP Pool for SNAT.
