Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
yongsan
New Contributor

Routing for two different gateway

Hi, I have a 60B in transparent mode and 1 server behind the firewall running on a public IP address. Now they need to have a new set of IP addresses for their server. Because the ISP is unable to extend their existing IP range, they will be given a new set of IP addresses. So here is what I hope to achieve:
WAN1 - X.X.X.X/28
WAN2 - Y.Y.Y.Y/28
The server's eth0 will be set to the IP address X.X.X.X and eth1 to the IP address Y.Y.Y.Y. So is it possible to route to different gateways in transparent mode? Do I need to revert to NAT mode? If yes, how should I go about doing it? Thanks! Yongsan
10 replies
rocampo
New Contributor

In transparent mode the Fortigate will just pass traffic from one port to another port (like a bridge); it will not route it. The IP address on the Fortigate in transparent mode is just for management. If you want to do policy based routing you will need to be in NAT/Route mode. You change the operating mode of the FG on Dashboard, System Information. Make sure you back up the configuration of the FG before changing the operating mode. Depending on your setup you can migrate from transparent to NAT mode like this:
1. Assign IP addresses to WAN1 and WAN2 of the FG based on your ISP addresses.
2. Assign a private IP address to your server.
3. Define a Virtual IP for WAN1 and WAN2 pointing to the internal IP of the server.
4. Define 2 default routes and the necessary firewall policies to allow traffic.
5. Define the policy based routes on the FG.
ede_pfau
SuperUser

As rocampo wrote, the Fortigate does not route at all in transparent mode. There is nothing special if your servers are configured with different gateways and IPs. You can put the Fortigate into routing mode and lead the traffic via Virtual IPs to the servers, but what for? Leave it as it is and you're fine IMHO.
Ede Kernel panic: Aiee, killing interrupt handler!
yongsan

Hi Ede, does that mean that I can still keep it in transparent mode and set the public IP addresses on my eth0 and eth1, and it will know how to go out?
rocampo

You will need to define two default routes on your server. Assuming this is a Windows Server 2003/2008, having two default routes with the same metric will probably (not entirely sure) cause problems. So you need to set 1 default route at a higher metric. You will also need to configure "Dead Gateway Detection" so that the server can adjust its routing table if ever one of your ISP links goes down. Now weigh the pros and cons of keeping the FG in transparent mode versus converting it to NAT mode, where all the routing and "dead gateway detection" will be handled by the FG elegantly. For me an FG facing the internet in NAT mode is much more flexible than an FG in transparent mode.
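For readers who want to see what rocampo's NAT/Route-mode migration and the FortiGate-side "dead gateway detection" look like on the CLI, here is an added configuration example. It is not from this thread or from Fortinet; every address (RFC 5737 documentation ranges), interface, VIP, policy and sensor name is an assumption, and the syntax follows FortiOS 5.x/6.x, so an older release on a 60B may word some options differently. The server keeps its two NICs but moves into RFC 1918 space: eth0 (192.168.10.10) is published through ISP A, eth1 (192.168.10.11) through ISP B.

```text
# Added example, not from the thread. Addresses, names and the IPS sensor are
# assumptions; replace them with the real ISP values before use.

config system interface
    edit "wan1"
        set ip 203.0.113.66 255.255.255.240
    next
    edit "wan2"
        set ip 198.51.100.130 255.255.255.240
    next
    edit "internal"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# One VIP per ISP, each mapped to the server NIC that belongs to that ISP.
config firewall vip
    edit "srv-ispA"
        set extintf "wan1"
        set extip 203.0.113.77
        set mappedip "192.168.10.10"
    next
    edit "srv-ispB"
        set extintf "wan2"
        set extip 198.51.100.133
        set mappedip "192.168.10.11"
    next
end

# Two default routes at equal distance and priority (ECMP).
config router static
    edit 1
        set gateway 203.0.113.65
        set device "wan1"
    next
    edit 2
        set gateway 198.51.100.129
        set device "wan2"
    next
end

# Policy routes pin each server address to its own ISP, so replies to a
# session that came in on wan2 do not leave on wan1.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.10.10/255.255.255.255"
        set gateway 203.0.113.65
        set output-device "wan1"
    next
    edit 2
        set input-device "internal"
        set src "192.168.10.11/255.255.255.255"
        set gateway 198.51.100.129
        set output-device "wan2"
    next
end

# Only the published services are allowed in, with IPS on the policy;
# everything else hits the implicit deny.
config firewall policy
    edit 1
        set name "in-ispA"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv-ispA"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
    edit 2
        set name "in-ispB"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv-ispB"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end

# Dead gateway detection on the FortiGate: a gateway that stops answering
# pings has its static default route withdrawn until it recovers.
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.65"
        set protocol ping
        set update-static-route enable
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "198.51.100.129"
        set protocol ping
        set update-static-route enable
    next
end
```

An outbound policy from "internal" to the WAN interfaces (with NAT enabled) is still needed if the server itself initiates connections; it is left out above to keep the example to the inbound path the thread is about. After applying, check the result with `get router info routing-table all` (both default routes should be present) and `diagnose firewall proute list` (both policy routes should be listed), then pull one ISP cable and confirm that the withdrawn route disappears from the routing table.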
ede_pfau
SuperUser

In transparent mode, think of the FG as a wire. Well, a wire is a layer 1 device and a transparent bridge is a layer 2 device - it will buffer packets, regenerate them if necessary, adjust link speed etc. but will not influence layer 3, routing. This is done on your servers. As you already have more than 1 public IP you could test this with a second IP and a second server. BTW, do you feel confident to have your servers directly connected to the Internet?
Ede Kernel panic: Aiee, killing interrupt handler!
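Since in the transparent setup the routing "is done on your servers", here is an added example of how that is usually done on a dual-homed Linux host (the eth0/eth1 names in the question suggest one; rocampo assumed Windows). It is not from this thread. Instead of two competing default routes, it uses source-based policy routing: one routing table per uplink, selected by the source address of the packet, so that replies always leave through the ISP whose address they carry. All interface names, addresses and gateways are assumptions, and the script prints the ip(8) commands by default (DRY_RUN=1) so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing for a
# dual-homed Linux server (eth0 on ISP A, eth1 on ISP B). Interface names,
# addresses and gateways are assumptions; substitute the real ISP values.
# Assumes the addresses are already configured on eth0/eth1.

# DRY_RUN=1 prints the ip(8) commands instead of running them (the default);
# run with DRY_RUN=0 as root to apply them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# network_of <dotted-ip> <prefix-len>: print the network address,
# e.g. network_of 203.0.113.77 28 -> 203.0.113.64
network_of() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    addr=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 ))
}

# add_uplink <iface> <local-ip/prefix> <gateway> <table-id>
# One routing table per uplink holding the connected /28 and a default route
# via that ISP's gateway; a rule on the source address selects the table.
add_uplink() {
    iface=$1 cidr=$2 gw=$3 table=$4
    ip=${cidr%/*}
    plen=${cidr#*/}
    net=$(network_of "$ip" "$plen")
    run ip route add "$net/$plen" dev "$iface" src "$ip" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$ip" lookup "$table" priority "$table"
}

# Assumed values: ISP A 203.0.113.64/28, server .77, gateway .65 on eth0;
# ISP B 198.51.100.128/28, server .130, gateway .129 on eth1.
add_uplink eth0 203.0.113.77/28   203.0.113.65   100
add_uplink eth1 198.51.100.130/28 198.51.100.129 200

# Locally originated traffic that is not bound to a source address still
# needs a default route in the main table: ISP A primary, ISP B backup at a
# higher metric (rocampo's point about not using equal metrics).
run ip route replace default via 203.0.113.65 dev eth0 metric 100
run ip route add default via 198.51.100.129 dev eth1 metric 200
run ip route flush cache
```

Verify with `ip rule show` and `ip route show table 100` / `table 200`; a connection to the ISP B address should then be answered from eth1 via ISP B's gateway even though the main default route points at ISP A. This only covers the return path of inbound sessions; if ISP A's gateway dies, locally originated traffic stays on the dead primary route until something (a link-state or gateway probe script) removes it, which is the "dead gateway detection" rocampo mentions and one of the reasons a NAT-mode FortiGate with link monitoring is easier to operate.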
Jan_Scholten
Contributor

@ede_pfau: If you have the Fortigate in transparent mode between the servers and the internet and you do IPS/AV/firewalling on the transparent Fortigate, do you see a problem there? Of course you can imagine a scenario with someone bridging around the Fortigate. I would also agree that, when you have to access the servers from internal, it is probably more elegant to access an RFC 1918 IP. But I do not see a general problem with a transparent Fortigate in front of internet servers. (But that is not really relevant to the thread starter.) If starting new I'd probably go with NAT/VIPs and ECMP, but I think it should do the way it is set up now.
ede_pfau
SuperUser

Hi Jan, in the transparent scenario the servers have to deal with all connection attempts from the internet. My feeling is that a Fortigate can deal better with DoS attacks. Who cares if the firewall is running hot as long as the servers can deliver their content? And think of all the security holes in a general purpose OS. There are so many services running that it means a lot of work to secure them all. MS keeps discovering holes all the time. And not only the OS is exposed but the applications also (IIS, Apache, ...). I hope that at least they do their remote management not via RDP directly (but use the transparent mode IPsec VPN of the FG). Right, yongsan?
Ede Kernel panic: Aiee, killing interrupt handler!
Jan_Scholten
Contributor

If you have a transparent firewall in front of the servers with proper policies in place, the exposure of applications is only on the allowed ports. And these ports/applications are also exposed if the server is in a DMZ with NAT and policies. If there is a permit any any policy in the transparent FGT you are right.
ibm_ioman
New Contributor

You can try using VDOMs: one VDOM in transparent mode doing what the FG is doing right now, the other in NAT mode for the new settings.