Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KPS
New Contributor III

Virtual Wire with NAT-Mode - How to access management port from both "sides" of the VWire

Hi!

 

I am trying to setup a VWire-firewall behind the perimeter routers.

Everything is working fine, except every connection that:

- traverses the VWire

- AND terminates at the firewall

 

In the attached picture:

--> PC 2+3 can access FG-Management-Port

--> PC 1 CANNOT access FG-Management-Port

--> PC 1 can access PC 2+3

 

Do you have any idea, how to avoid problems with packages, which are passing the VWire and terminating to the FG-Management-Interface?

 

Thank you

Regards

KPS

4 REPLIES 4
MikePruett
Valued Contributor

What does the policy look like for that v-wire?

Mike Pruett Fortinet GURU | Fortinet Training Videos
KPS
New Contributor III

Hi!

 

The VWire-Policy does allow everything in both directions.

If I move the VWire to another VDOM, the system is working, but that is a problem for the rest of my config.

 

There seems to be an issue, if the packet is traversing VWire on the way to the Layer3-interface on the same VDOM.

 

Regards,

KPS

dennisv
New Contributor III

Hi ,

this is a known issue , as designed.

Reason is the shared routing table within VWP. You want to access a subnet that is know in the routing table but is not allowed by means of the VWP (else VWP would kinda break as you escape from the VWP).

VWP works fine for traffic between the protected subnets.

Solution, dont use VWP if traffic need to route to the fortigate itself (within a single VDOM).

A second VDOM seperates the routing table and does not have this issue.

 

Regards

 

 

Consultant @ Exclusive Networks BV

Datacenter Networking and Security

FCSS EFW/SDWAN

Fortinet, HPe/Aruba, Arista, Juniper and many more

Consultant @ Exclusive Networks BV Datacenter Networking and Security FCSS EFW/SDWAN Fortinet, HPe/Aruba, Arista, Juniper and many more
KPS
New Contributor III

Hi!

 

The VWire-Policy does allow everything in both directions.

If I move the VWire to another VDOM, the system is working, but that is a problem for the rest of my config.

 

There seems to be an issue, if the packet is traversing VWire on the way to the Layer3-interface on the same VDOM.

 

Regards,

KPS

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors