Hello, I need urgent support.
I am doing a ZTNA configuration with FortiEMS on-prem.
For off-net and on-net users, I created a record fortiems.xxx.com in both the local DNS and the global DNS.
I created fortiems.xxx.com for off-net users; the DNS record is in the same subnet as the WAN IP, but it is not the direct WAN IP. I need to announce this IP behind the WAN interface to get telemetry data, but I do not know how to do this. I entered it on the WAN interface as the second IP, but it did not seem like a correct configuration; I cannot see it in the ARP table.
Can you help me with this?
Hello
You can do so by adding a VIP listening on the WAN interface and using the secondary IP.
I created a VIP from the secondary IP to the local EMS IP on port 8013 and added the second IP to the WAN interface, but it did not work; the second IP does not appear in the ARP table.
Hello @inventohakkı ,
If I understand correctly, you want to reach out to EMS to get telemetry data from both inside and outside users.
If yes, first you need to create a VIP object on the FortiGate. This VIP should redirect packets to your internal EMS server. The configuration should look like this. After that, you need to use this VIP object in the firewall policy.
After that, your client can reach your EMS server from outside.
Hello.
You understood correctly. I created the VIP the way you showed and used it in the rule.
The external IP I use in the VIP is in the same subnet as the WAN IP address behind the WAN interface, but it is not the direct internet egress IP; I added it as a second IP later because I could not find a solution.
Hello @inventohakkı ,
Can you try to enable the arp-reply setting on the VIP configuration?
config firewall vip
    edit <name>
        set arp-reply enable
    next
end
Removing the IP pool fixed the rule, but is this the correct configuration?
Hello @inventohakkı ,
Yes, it is, because in your scenario we don't want to do SNAT.
For source NAT, we use IP-Pool objects. In your scenario, just doing destination NAT (VIP) is enough.
I got it. I have a last question: off-net, my telnet to port 8013 is working, but I cannot see it in the ARP table. What is the reason for this?
By the way, thanks for the solution.
Hello @inventohakkı ,
You can't see the ARP record in your client machine's ARP table because your connection is a Layer 3 (routed) connection, not Layer 2. If you look at the ARP table of the ISP router (or any device in front of your FortiGate), you can see your FortiGate's MAC address there, because your FortiGate is connected to your ISP router at Layer 2.
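Putting the thread's pieces together, here is an added FortiOS CLI example of the working setup (it is not any poster's configuration). Interface names wan1 and internal, the addresses 203.0.113.10/24, 203.0.113.20 and 10.10.10.5, the object names and the TCP-8013 service object are assumed placeholders; port 8013 is the EMS telemetry port from the thread.

```text
# Assumed placeholders (not from the thread): wan1 is the WAN interface on
# 203.0.113.0/24, 203.0.113.20 is the extra public address that
# fortiems.xxx.com resolves to, and the on-prem EMS is 10.10.10.5.

# 1. Add the FortiEMS public address as a secondary IP on the WAN interface,
#    so the FortiGate owns it at Layer 2 and will answer ARP for it.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.20 255.255.255.0
            next
        end
    next
end

# 2. Destination NAT (VIP): public 203.0.113.20:8013 -> EMS 10.10.10.5:8013.
#    arp-reply makes the FortiGate answer ARP requests for the VIP address
#    coming from the ISP router in front of it.
config firewall vip
    edit "vip_fortiems_8013"
        set extip 203.0.113.20
        set extintf "wan1"
        set mappedip "10.10.10.5"
        set portforward enable
        set protocol tcp
        set extport 8013
        set mappedport 8013
        set arp-reply enable
    next
end

# 3. Inbound policy using the VIP. No IP pool and NAT disabled: only the
#    destination NAT done by the VIP is needed, no source NAT.
config firewall policy
    edit 0
        set name "inbound_fortiems_telemetry"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip_fortiems_8013"
        set action accept
        set schedule "always"
        set service "TCP-8013"
        set nat disable
    next
end
```

Verify from the outside with a TCP connection to 203.0.113.20:8013 and check the ISP-side router's ARP table for the FortiGate's MAC; the client's own ARP table will never show it, as explained above.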