I have a working fortigate v7.2.2 with:
wan1 = Internet
interface 5 = proxy clients
interface 6 = connection from lan on port 6 to internet wan1 through an allow all policy
Everything works great.
Now I created a virtual wire pair (port 3&4) and I put an "allow all policy" on it and enabled IPS with a default_pass_all policy.
I use this wire pair as a connection between the isp modem and the wan 1 interface.
so the flow is now isp -> lan3 ...... lan4>wan1
with this wire pair inserted before the wan1 connection, the web proxy still works, but there is no traffic from the lan connected to interface 6 to the internet.
So it looks like the virtual wire pair is blocking something, I tried both the VLAN Wildcard option on and off, but both gave the same result. I even removed the IPS inspection on the wire pair, but no luck.
What am I missing? Why does the insertion of the virtual wire pair before wan1 inhibit traffic from the lan connected to interface 6. I had expected the virtual wire pair to be fully transparent, but apparently it isn't.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Per the documentation, traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.
May I ask why you want to use a virtual wire pair here? You can accomplish the same functionality by putting the IPS profile on your FW policies.
Created on 11-07-2022 04:37 AM Edited on 11-07-2022 04:37 AM
I have an IPS policy enabled on the firewall policy, however in that case portscans etc on my wan1 internet interface are not detected.
With the virtual wire pair I do get a notification of these kind op attacks.
OK I see your reasoning. Unfortunately based on the documentation I don't think what you want to do is possible. This is not an intended use-case for virtual wire pair.
With that said, your FortiGate's WAN interface should be extremely locked down anyway—what is the concern about port scans on its IP Address?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1717 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.