Welcome I have a problem. I would like to ask you for help...
My current setup looks like this (current configuration) and I would like to connect all through my Fortigate - target configuration.
(v5.0,build0318 (GA Patch 12)).
I would be very grateful for your help.
Retal wrote:
Welcome. I have a problem. I would like to ask you for help...

What exactly is it you need help with? Do you have any specific questions or need help with any issues?

gschmitt wrote:
What exactly is it you need help with? Do you have any specific questions or need help with any issues?
Hi.
As you can see I have devices with a static IP number. One server and Router with OpenVPN server installed.
My Fortigate Unit works in switch mode and I would like to pass traffic with a static IP address to these devices.
Should I change the Fortigate from switch mode to interface mode? If so, how to set up interfaces, policy, router, firewall objects? I also want to run NAT and DHCP on the Fortigate. I am a beginner and ask for advice.

Retal wrote:
My Fortigate Unit works in switch mode and I would like to pass traffic with a static IP address to these devices.
Should I change the Fortigate from switch mode to interface mode?
Just to make sure we are both talking about the same thing: A FortiGate 90D has 2 WAN interfaces and 14 internal interfaces.
Normally you have 1 subnet per interface. By switching to Interface mode from Switch mode you break up those 14 internal interfaces into 14 different interfaces (which you can combine into software switches later).
If you need more than 3 subnets (and don't want to use VLANs) you should use interface mode.
For this you have to remove all references to the interfaces (Policies, Routes, Address Objects)
You can see how many References are remaining at System > Network > Interfaces, right click on the bar, select Ref. and Apply
If you click the number you can see what is still left to remove (DHCP counts as well).
The device will reboot to take effect.
Retal wrote:
If so, how to set up interfaces, policy, router, firewall objects? I also want to run NAT and DHCP on the Fortigate. I am a beginner and ask for advice.
To configure an interface just double click an interface in the same menu.
You can set an alias and set the Addressing mode (Manual 192.168.1.254/24 (255.255.255.0) as an example)
To enable DHCP simply check the DHCP Server box and add Ip ranges you want to use. (192.168.1.100-150 as an example)
To make one side accessible to the other you need policies.
At Policy&Objects > Policies > IPv4 click Create new.
As an example select Interface internal1 (Interface mode; if switch mode it should be internal)
Source address all
Outgoing interface wan1
Destination Address all
Service any (unless you want to specify which services like HTTP/HTTPS for browsing)
If you want to access the internet you probably want to enable NAT (or you get Martian Packages)
You can also create address objects at Policy&Objects > Objects > Addresses to make the policies tighter.
You could Create New an object internal_lan with your subnet 192.168.1.0/24 and use this as your source address
Or you could enter an IP range 192.168.1.100-150 so only your DHCP clients can access the internet.
If you want to use NAT you HAVE to create a virtual IP (below Addresses)
Let's say your internal2 (or wan2 in switch mode) has the IP 10.10.10.1/24 and your server 10.10.10.2 and you want to enable to access it via HTTP from the internet (wan1) and your public IP is 88.77.66.55
Create a new VIP object (http_server)
External IP address/Range would be your public IP 88.77.66.55
Mapped IP address/Range would be your server 10.10.10.2
Enable Port Forwarding (or ALL Ports will get redirected)
Select Protocol TCP
External Service port 80
Map to port 80
Create a policy Source Interface wan1
Source address all (use all unless otherwise specified, but try to specify as often as possible)
Destination Interface wan2 (or internal2)
Destination address http_server (your VIP Object)
Service http
Normally you disable NAT for that.
Now if you enter 88.77.66.55 into your browser your requests get redirected to your server.
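The same interface, address object, VIP and policy setup as a FortiOS CLI script, added here as an illustration (not part of the reply above and not Fortinet's own example). It assumes interface mode, the addresses used in the reply, FortiOS 5.x keyword names (the built-in service is "ANY" in 5.0 and was renamed "ALL" in 5.2), and that lines starting with # are treated as comments.

```fortios
# Interface mode: internal1 is its own L3 interface (switch mode: use "internal")
config system interface
    edit "internal1"
        set mode static
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https
    next
end
# Address object so the outbound policy matches only the LAN subnet
config firewall address
    edit "internal_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# VIP: public 88.77.66.55:80 -> server 10.10.10.2:80, TCP only (port forwarding on)
config firewall vip
    edit "http_server"
        set extip 88.77.66.55
        set extintf "wan1"
        set portforward enable
        set mappedip 10.10.10.2
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end
config firewall policy
    # Outbound: LAN -> wan1 with source NAT behind the wan1 address
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "internal_lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    # Inbound: wan1 -> internal2, only the VIP and only HTTP; NAT stays off
    edit 2
        set srcintf "wan1"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "http_server"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

Because the inbound policy's destination is the VIP object and the service is HTTP, only TCP/80 to 88.77.66.55 reaches the server; everything else from wan1 is still dropped by the implicit deny.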
Thank you very much