- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Virtual IP and secondary IP address
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Virtual IP and secondary IP address
Hi all
i have a Fortinet 60B 4.0MR1P9 with a /30 public ip subnet configured on wan1.
Now i need to publish some servers connected to the DMZ interface with static nat 1-to-1, so i asked my provider to assign us a secondary subnet of 8 public ip addresses, different from the first one that was not possibile to extend.
I' ve already configured on wan1 a secondary ip address using the first available ip of the new subnet.
I' ve also configured the virtual ip rules and firewall rules to allow inbound traffic
Now, do i need also a new static route pointing to the secondary ip of the gateway? If yes, what weight is needed?
Do i need a policy route to force outgoing traffic from the virtual ip' s to the secondary gateway?
Thanks in advance
Bye
Gianf
Bye Gianf
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can delete the secondary IP address, it' s not needed.
The mechanism for 1:1 NAT is a VIP. The FGT will act on the external IP as if it was a physically assigned IP, that is it will proxy-arp for it.
If you don' t use the port forwarding feature then not only reply traffic but even traffic originating at the internal server will have the VIP as the source IP.
As your ISP takes care of the routing you don' t have to create a new static route / gateway.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you' re saying that the only things i need are the vip definitions and the firewall rules?
No secondary ip addresses, no static/policy routes at all, even if the new subnet is configured as " ip secondary" on the isp router (cisco)?
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. The FGT will use the VIP and the WAN interface MAC as source for traffic from the internal host. The destination IP will be any, and traffic will be sent to the (now only) gateway. Of course, on that gateway the ISP has to have a route to your second subnet but that doesn' t matter to you.
Perhaps you' ll feel more confident after a look at the documentation. I recommend the FortiOS Handbook for your version of FortiOS, available here: http://docs.fortinet.com
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Prior i tried to search the documentation for " secondary ip" , but founding nothing of interest.
Probably my search was not correct, could you point me to the correct section?
Thanks
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See the doc ' fortigate-admin-40-mr2.pdf' (if you' re using v4.00MR2), chapter ' System Network' , subchapter ' Adding secondary IP addresses to an interface' .
That was not too hard to find, was it?
And even fearing that I repeat myself: secondary IP address is not the way to go. They should be avoided if possible as their use prevents the built-in anti-spoof protection. And in your case, you can only add 1 secondary IP address from the second range - how do you deploy the others then?
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ede, i' ve searched for " secondary ip" prior to open this topic, i was thinking it was the right way. Now, after your reply, it' s clear to me it was the wrong way.
I was asking in what section of the user guide i can found informations about how to manage a secondary subnet as you explained.
Tnx again
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the Admin Guide (v4.00 MR2), chapter " Firewall Virtual IP" , pg. 312:
Ede
"Kernel panic: Aiee, killing interrupt handler!"
In addition to specifying IP address and port mappings between interfaces, virtual IP configurations can optionally bind an additional IP address or IP address range to the receiving network interface. By binding an additional IP address, you can configure a separate set of mappings that the FortiGate unit can apply to packets whose destination matches that bound IP address, rather than the IP address already configured for the network interface.In other words, adding " bound" addresses is like having ' real' secondary addresses, except for that it includes a destination NAT which secondary IPs do not have.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect, this is what i' m looking for.
Thanks a lot
Bye
Gianf
Bye Gianf
Related Posts
- Azure Virtual FortiGate dropped SR-IOV Accelerated... 78 Views
- Virtual IP for npm breaks my... 515 Views
- FortiADC HA Virtual MAC Address 162 Views
- Novice Needing Help Setting Up FortiGate... 327 Views
- Accessing SSL VPN addresses from a... 464 Views
Labels
-
FortiGate
6,816 -
FortiClient
1,353 -
5.2
801 -
5.4
639 -
FortiManager
585 -
FortiAnalyzer
431 -
6.0
416 -
5.6
362 -
FortiAP
352 -
FortiSwitch
348 -
FortiClient EMS
277 -
FortiMail
266 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
114 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
90 -
IPsec
90 -
FortiCloud Products
85 -
FortiToken
74 -
SSL-VPN
73 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
35 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
LDAP
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.