Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jschenk
New Contributor II

Created on ‎11-04-2022 01:48 AM Edited on ‎11-04-2022 02:07 AM

Virtual wire pair before wan interface blocks firewall traffic, proxy traffic works fine

I have a working fortigate v7.2.2 with:
wan1 = Internet

interface 5 = proxy clients

interface 6 = connection from lan on port 6 to internet wan1  through an allow all policy

Everything works great.

 

Now I created a virtual wire pair (port 3&4) and I put an "allow all policy" on it and enabled IPS with a default_pass_all policy.
I use this wire pair as a connection between the isp modem and the wan 1 interface.
so the flow is now isp -> lan3 ...... lan4>wan1
with this wire pair inserted before the wan1 connection, the web proxy still works, but there is no traffic from the lan connected to interface 6 to the internet.

So it looks like the virtual wire pair is blocking something, I tried both the VLAN Wildcard option on and off, but both gave the same result. I even removed the IPS inspection on the wire pair, but no luck.

What am I missing? Why does the insertion of the virtual wire pair before wan1 inhibit traffic from the lan connected to interface 6. I had expected the virtual wire pair to be fully transparent, but apparently it isn't.

Labels:
270
0 Kudos
3 REPLIES 3
gfleming
Staff
Staff

Created on ‎11-04-2022 10:01 AM

Per the documentation, traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.

 

May I ask why you want to use a virtual wire pair here? You can accomplish the same functionality by putting the IPS profile on your FW policies.

Cheers,
Graham
250
0 Kudos
jschenk
New Contributor II
In response to gfleming

Created on ‎11-07-2022 04:37 AM Edited on ‎11-07-2022 04:37 AM

I have an IPS policy enabled on the firewall policy, however in that case portscans etc on my wan1 internet interface are not detected.
With the virtual wire pair I do get a notification of these kind op attacks.

240
0 Kudos
gfleming
Staff
Staff
In response to jschenk

Created on ‎11-07-2022 08:19 AM

OK I see your reasoning. Unfortunately based on the documentation I don't think what you want to do is possible. This is not an intended use-case for virtual wire pair.

 

With that said, your FortiGate's WAN interface should be extremely locked down anyway—what is the concern about port scans on its IP Address?

Cheers,
Graham
233
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.