Hi all,
we have a Fortigate-VM with only one interface dedicated for WAN and a public IP range (/28) configured with IP Pools.
Now we have a new, different public IP range (/28) belonging to a different public subnet (maybe the same router?) and we want to configure this new public range on the same WAN interface.
Important: other interfaces are already configured.
Can I accomplish this task as fast as possible without reconfiguring the virtual appliance (not possible in a production environment)?
Thanks
Leo
leoiaco, I have many subnets routed to my WAN interface. My ISP handles all the WAN routing. I just make sure all my policies, LAN routing, etc. are correct.
If I were you, I would proceed like this:
Phase 1 - talk with the ISP, run the "diag sniffer packet" command on the Fortigate. This will allow you to confirm when packets to the new range are hitting your firewall.
Phase 2 - now that the ISP is routing WAN traffic for both ranges and you have confirmed it with the sniffer command, start setting up VIPs and policies, then test.
FG200D 5.6.5 (HA) - primary. FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x. FAZ-VM 5.6.5 | Fortimail 5.3.11. Network+, Security+
Not sure if it is the same on Fortigate-VM, but on the hardware boxes you can configure a "secondary ip" address on the interface.
Go to "Network > Interfaces" and edit the interface; at the bottom of the page you should have a check box "secondary ip address" if the interface has a manually assigned ip address. In the box that appears, type in the new ip address for your FGT; only 1 address is necessary.
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Hi Johan,
I've already configured the new IP as a secondary address on the WAN interface.
Is it necessary to configure a static route? A VIP?
What test can I do to verify this?
Thanks.
Regards
It depends on what you need to do:
- outbound connections will by default take the WAN interface ip address for NAT. If you need to access the internet with an address from the new ip range, you need to create an "ip pool" and use this pool as the NAT ip on your internal -> outside security policies
- if you need inbound connections on the new ip range, you need to configure VIPs for these addresses/ports and use them in outside -> internal policies.
If you need more info, just give me a sign.
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
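The two bullets above (IP pool for outbound NAT, VIP for inbound) plus the secondary IP and the sniffer check from the earlier reply, written out as FortiOS CLI. This is an added example, not configuration from any of the posts in this thread: the interface names (port1 as WAN, port2 as LAN), the new range 203.0.113.0/28, the internal host 192.168.1.10 and all object names are placeholders chosen for illustration, and keyword details can differ between FortiOS versions, so check them against your own release's CLI reference.

```fortios
# 1. Secondary IP on the existing WAN interface (new /28 assumed to be 203.0.113.0/28)
config system interface
    edit "port1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.2 255.255.255.240
                # keep administrative access on the public side minimal: ping only, for testing
                set allowaccess ping
            next
        end
    next
end

# 2. Outbound: IP pool so internal hosts are source-NATed to the new range
config firewall ippool
    edit "pool-newrange"
        set type overload
        set startip 203.0.113.3
        set endip 203.0.113.14
    next
end

config firewall policy
    edit 0
        set name "LAN-out-newrange"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "pool-newrange"
    next
end

# 3. Inbound: one VIP for a single public address/port, used as destination in an outside -> inside policy
config firewall vip
    edit "vip-newrange-https"
        set extintf "port1"
        set extip 203.0.113.5
        set mappedip "192.168.1.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 0
        set name "WAN-in-https"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-newrange-https"
        set action accept
        set schedule "always"
        # restrict the inbound service to exactly what the VIP exposes
        set service "HTTPS"
        set logtraffic all
    next
end

# 4. Verify the ISP really routes the new range to you: ping 203.0.113.2 from outside while this runs
#    (verbosity 4 prints the receiving interface; 10 is the packet count)
diagnose sniffer packet port1 'host 203.0.113.2 and icmp' 4 10
# and confirm a VIP hit the same way
diagnose sniffer packet port1 'host 203.0.113.5 and port 443' 4 10
```

The `#` lines are annotations for the reader, not CLI input. The order matters for the test: if the sniffer in step 4 shows nothing for the secondary address, the ISP is not yet routing the new /28 to your WAN interface and no amount of pool or VIP configuration will help, which is the point of doing the sniffer check first.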
Hi Johan,
let me configure the server and policy for the test, I will update you as soon as possible.
Thanks a lot.
Regards.
L.
No, it normally isn't necessary; the ISP will use the original ip as the path to the outside world, as they will also have configured a secondary ip on their box. So you would use only the original default route that was already configured.
Having 2 default routes with the same metric would also put your FGT in "load balancing", sending packets out with source address 1.1.1.1 for 1 packet and 2.2.2.2 for the next. It would cause you trouble with outbound mail etc. where the source ip is checked.
You would need to add a 2nd default route in case you have this setup:
FGT <-> switch <-> router isp1
               <-> router isp2
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Hi Johan,
it doesn't work.
Secondary IP on WAN interface -> Configured
IP Pool -> Configured
2nd default route (same distance, different priority) -> Configured
I'm in this scenario: FGT <-> switch <-> router isp1 (first route Distance: 10, Priority: 0) <-> router isp2 (second route Distance: 10, Priority: 10)
Policy Outside with NAT -> Configured
Can you help me?
Thanks
Leo
leoiaco wrote: Hi Johan,
it doesn't work.
Secondary IP on WAN interface -> Configured
IP Pool -> Configured
2nd default route (same distance, different priority) -> Configured
I'm in this scenario: FGT <-> switch <-> router isp1 (first route Distance: 10, Priority: 0) <-> router isp2 (second route Distance: 10, Priority: 10)
Policy Outside with NAT -> Configured
Can you help me?
Thanks
Leo
The second route will not be active as its priority is 10, so only the first default route will be active.
You can achieve this in two ways:
Create a policy route to push certain traffic through the second ISP
Make the priority 0, so even the second default route will be up (but you can't decide which traffic will go to which WAN)
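The routing side of the setup Leo describes (two default routes on one WAN interface, equal distance, different priority) and the two options in the reply above, as an added example that is not configuration from any post in this thread. The gateways 198.51.100.1 (existing ISP router) and 203.0.113.1 (router for the new range), the LAN subnet 192.168.1.0/24 and the interface names are placeholders; the `set src` syntax of the policy route is the form used in the 5.x/6.x CLI and should be checked against your release.

```fortios
# Two default routes, same distance, different priority (Leo's scenario).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "port1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
        set distance 10
        set priority 10
    next
end

# Both routes are installed (same distance), but forwarding prefers the lower priority value,
# so everything still leaves via 198.51.100.1; this is what the routing table shows:
get router info routing-table all

# Option A: steer only chosen traffic (here the LAN subnet) to the second gateway with a policy route.
# Policy routes are consulted before the routing table, so this keeps the rest on route 1.
config router policy
    edit 1
        set input-device "port2"
        set src "192.168.1.0/255.255.255.0"
        set gateway 203.0.113.1
        set output-device "port1"
    next
end

# Option B: equal priority on both routes makes them equal-cost. Sessions are then spread over
# both gateways and you cannot choose which traffic uses which one, which is the source-address
# mixing Johan warned about for outbound mail and other source-checked services.
config router static
    edit 2
        set priority 0
    next
end
```

With the original posters' priority-0/priority-10 pair, the outbound NAT policy using the new IP pool still sends packets through 198.51.100.1; whether that is acceptable depends on whether that router forwards packets sourced from the new /28, which is exactly the point to confirm with the ISP (and with `diagnose sniffer packet`) before changing priorities.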
Nobody can help me?
Thanks.
L.