Hi all,
we have a Fortigate-VM with only one Interface dedicated for WAN and a public IPs range (/28) configured with IP Pools
Now we have a new different public IPs range (/28) belong to different public subnet (maybe same router?) and we want to configure this new public range on the same wan interface.
Important: other interfaces are already configured.
Can I accomplish this task as fast as possible without reconfigure virtual appliance (is not possible in production environment)?
Thanks
Leo
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
leoiaco, I have many subnets routed to my WAN interface. My ISP handles all the WAN routing. I just make sure all my policies, LAN Routing, etc.. are correct.
If I were you, I would proceed like this:
Phase1 - talk with ISP, run "diag sniffier packet" command on fortigate. This will all you to confirm when packets to the new range is hitting your firewall.
Phase2 - now that ISP is routing WAN traffic for both ranges and you have confirmed with sniffer command. Start setting up VIPs and policies. then test.
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Hi Leo ,
We can add secondary ip address to an interface on fortigate , you can configure the new public ranges on the same wan
interface ,these new subnets can be configured as part of secondary subnets.
Hi!
if ISP is the same and they take care of routing of the secondary /28 you can avoid to configure a secondary ip address on the wan interface.
Simply configure VIPs and assign them to the ACL.
I tried twice and it works fine!
ciao
Hi Olivierlag
yes is the same ISP but don't know if it take care of routing.
Anyhow, I've tried this configuration but I can only ping gateway from FGT Dashboard.
I will ask to ISP and i will let you know asap.
Regards.
Leo
leoiaco, I have many subnets routed to my WAN interface. My ISP handles all the WAN routing. I just make sure all my policies, LAN Routing, etc.. are correct.
If I were you, I would proceed like this:
Phase1 - talk with ISP, run "diag sniffier packet" command on fortigate. This will all you to confirm when packets to the new range is hitting your firewall.
Phase2 - now that ISP is routing WAN traffic for both ranges and you have confirmed with sniffer command. Start setting up VIPs and policies. then test.
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.