Regards
Shaan
You set the default gateway on the Fortigate to your Internet provider (or use a Dynamic Gateway route). You would then create static routes for your internal subnets to point to your core router. It would not be a default route.
On policies, then you would create outbound rules with source addresses to include the subnets you want to be able to access the Internet.
Without that policy on the Fortigate you won't reach anything. It blocks everything by default.
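The routed-core design coolbreeze describes, as an added FortiOS CLI example (not from the original post); the interface names, next-hop addresses and the 10.10.0.0/16 internal range are assumptions:

```fortios
# Added example of the design described above (not from the original post).
# Assumptions: ISP-facing port is wan1 with next hop 203.0.113.1; the core
# switch's routed uplink to the FortiGate is reached via port1 at 10.0.0.2;
# internal user subnets live in 10.10.0.0/16 with their gateways on the core.

# Default route to the ISP, plus a static route for the internal range
# pointing back at the core switch (this is not a second default route).
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set device "port1"
        set gateway 10.0.0.2
    next
end

# Address object limiting the policy to the subnets allowed to reach the Internet.
config firewall address
    edit "LAN-subnets"
        set subnet 10.10.0.0 255.255.0.0
    next
end

# Outbound policy: only LAN-subnets may go out via wan1, with source NAT to
# the wan1 address. Anything not matched stays blocked by the implicit deny.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "LAN-subnets"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

With this layout the core switch keeps the per-subnet gateways and the FortiGate only needs the return routes for those subnets; `set logtraffic all` keeps a record of what the policy admits.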
In addition to coolbreeze:
You have to make sure that all VLAN traffic reaches the FortiGate on one port and that on the FortiGate this one port carries all the VLANs. Then every VLAN needs a policy for the internet. Clients in the VLAN should then have the VLAN IP of the FortiGate as default GW (or you would also need a policy for every VLAN that allows VLAN clients to reach the management IP and interface of the FortiGate).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you coolbreeze, sw2090, for your comments.
I did the same and the internet is working now, but with Juniper we did not use to do this. Instead we had an untagged port on the core switch connecting to the FW, and the subnets which had to reach the internet had their gateways defined on the core switch itself, with a default route pointing to the FW. On the firewall there were no interfaces either, just a default route pointing to the core switch, and the internet used to work for those subnets.
The way I have configured it, the only way the internet will work for subnets on the LAN is to have the gateway on the FortiGate instead of the core switch. Will it not work with the gateways being on the core switch?
Regards
Shaan
Yeah, that's a limitation in FortiOS. It can only handle VLAN traffic that is tagged. It would accept traffic from an untagged switch port but would then not be able to route the answer back to the correct VLAN.
If you have a Layer 2 core switch you might be able to do NAT on the uplink port with untagged traffic in one VLAN. This might then work too.
Thank you SW2090 for the prompt reply.
Regards
Shaan