Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jomof
Contributor

How to prevent the FortiGate device from accessing the Internet.

Hello expert,

I have a hub and spoke topology.

I configured the spoke (Lethem) to reach Head Office using a VPN through the Internet.

We have a static route on the spoke to allow all clients to access the Internet by backhauling the requests to the Head Office Check Point firewall.

Because I configured a WAN interface on Lethem to access the Internet to create the IPsec VPN tunnel to Head Office, I notice the FortiGate device itself is able to access the Internet.

How can I stop the FortiGate device from accessing the Internet?

Regards

AEK
SuperUser

Hi Jomof

If you want your clients to still access the Internet through the S2S VPN but not the FGT, then you just need to remove the current default route (0.0.0.0) and replace it with the following:

  • dst: IP address of the remote peer (HQ Check Point FW)
  • intf: wan1 (or the interface that you are currently using for the default GW)
  • gw: x.x.x.x (the IP that you are currently using as the default GW)

Another method (heavier) is to use 2 VDOMs. The management VDOM has no default route (only a route to the LANs for management), and the client VDOM has a default route like you did initially (0.0.0.0 through wan1).

AEK
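The route change described in the reply above, written out as FortiOS CLI. This is an added example, not configuration from the poster or from Fortinet; the route ID, the peer address 198.51.100.10 and the gateway 203.0.113.1 are placeholders, and the clients' backhaul route over the tunnel is left exactly as the poster already has it.

```fortios
# Before (constructed): a default route out wan1 lets the FortiGate itself
# reach any Internet destination, not just the HQ VPN peer.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
    next
end

# After: drop the default route and keep only a host route (/32) to the
# HQ Check Point peer, so wan1 is usable for the IPsec tunnel and nothing else.
# 198.51.100.10 = HQ peer (placeholder), 203.0.113.1 = existing ISP GW (placeholder)
config router static
    delete 1
    edit 1
        set dst 198.51.100.10 255.255.255.255
        set device "wan1"
        set gateway 203.0.113.1
    next
end

# Verify: only the /32 toward the peer should remain on wan1.
get router info routing-table static
```

Once the default route is gone, traffic from the unit itself (DNS, FortiGuard, NTP) can no longer leave via wan1, so those services must be reachable through the tunnel or the LAN if they are still needed.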