I am tasked with routing traffic to a different firewall (SonicWall) that a vendor has on site to manage a VPN connection to their remote network. I want to route the traffic to this remote network out port 11 on our FortiGate 100F. The interface I am connecting to on the SonicWall has an IP address that is part of our internal subnet (172.22.0.5). Fortinet support walked me through creating a policy route sending traffic to this remote network via port 11, but when testing the traffic it is not using the policy route; it is trying to go out via the normal WAN port. I have read on one Fortinet site (fortiguru) that policy routes sometimes still require a static route to be included.
So how would I best set up port 11 on the FortiGate to route traffic bound for this remote network, and can the SonicWall interface have an IP address that is included in our LAN subnet? Also, should port 11 as an interface be given an IP address? Finally, can this be achieved with just a static route, or should it work as a policy route?
I don't want to overcomplicate this, and if it is necessary to update the SonicWall's interface IP to something different from what exists on our subnet, I can reach out to the support vendor and ask for that change. Just not sure if I can "extend" our subnet and send the traffic out to it.
Thanks so much from a FortiGate newbie. This is a brand new network which we are bringing online, so I am just learning the Fortinet language!
Hey Mark,
I'm not personally familiar with the 100F, but from your post it sounds like each port is its own router interface (like the higher models). If that is the case, then no, you wouldn't be able to route the traffic out a different segment of the network.
I want to say you could get what you want accomplished by creating a software switch or by simply plugging the Sonicwall into an interface on your LAN, but it will be much easier to just put the Sonicwall on a different, unique subnet. The next guy (or you in a year) will thank you.
You probably don't need to do anything fancy with policy routing. Static route(s) pointing to the remote subnet(s) that the Sonicwall leads to will accomplish getting the traffic there, but it will be up to the other end of the VPN (and the Sonicwall config locally) to route the traffic back to your network.
In other words, they will need a route to 172.22.0.0/24 (or whatever subnet you're using for your LAN) programmed both on the remote LAN (to come back across the VPN) and on the Sonicwall to point back to your FortiGate.
Hope this helps! - Daniel
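To make the static-route approach from the answer above concrete, here is an added FortiOS CLI example (not from the original post or from Fortinet). It assumes port1 is the LAN interface, that port11 gets its own small transit subnet 10.255.255.0/30 with the SonicWall moved to 10.255.255.2, and that the vendor's remote network is 10.50.0.0/24; all of those values are placeholders to replace with your own.

```fortios
# Give port11 its own address on a dedicated transit subnet (assumed values).
# The SonicWall's inside interface is re-addressed to 10.255.255.2/30 so it
# no longer overlaps the 172.22.0.0/24 LAN.
config system interface
    edit "port11"
        set ip 10.255.255.1 255.255.255.252
        set allowaccess ping
        set role lan
    next
end

# Static route: traffic for the vendor's remote network (assumed 10.50.0.0/24)
# goes to the SonicWall via port11. No policy route is needed for this.
config router static
    edit 0
        set dst 10.50.0.0 255.255.255.0
        set gateway 10.255.255.2
        set device "port11"
    next
end

# A route alone is not enough on a FortiGate: a firewall policy must permit
# LAN -> port11 traffic or it is dropped. Narrow srcaddr/dstaddr/service to
# what the vendor actually needs once the path is confirmed working.
config firewall policy
    edit 0
        set name "LAN-to-vendor-via-SonicWall"
        set srcintf "port1"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying this, `get router info routing-table all` should list 10.50.0.0/24 via 10.255.255.2 on port11; the SonicWall and the remote site still need their own return routes for 172.22.0.0/24 as the answer notes.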