Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I wish to provide access from guest network1 to a service in network2 via a VIP on the ISP2 interface. Why do I want it this way? Guest network1 is using the ISP's DNS servers, and I don't want to allow access to network2's internal DNS servers, or to lose the Fortigate's protection capabilities.

To me, your design seems not the simplest possible with your objectives stated above. Remember that by default Fortigate discards packets on interfaces where their src IPs are not supposed to appear. Even though you use VIPs on the outside, I suppose it won't work without changing this RPF from strict (default) to loose, and this possibility seems reserved for different purposes anyway. But then again, I don't like the idea of externalizing the inner traffic. The routing between interfaces is already there, so why don't you just allow the desirable communication from NET1 to NET2 with regular FW policies and rely on implicit deny for the rest, including internal DNS? IMHO, this case should involve internal interfaces only, unless I'm missing something from your description; if so, please let me know. Cheers! Rafal
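What Rafal's suggestion looks like in FortiOS CLI terms, as an added example that is not part of either post above. Interface names (port1 for the guest network, port2 for network2, wan1 for ISP1), the address objects, the subnets and the policy IDs are all assumptions; the service is assumed to be HTTPS. The point is that the only NET1-to-NET2 policy names one destination host and one service, so guest hosts can reach the application but not network2's internal DNS servers (or anything else in NET2), and that denial comes from the implicit deny at the bottom of the policy table rather than from pushing the traffic out through a VIP on the ISP2 interface. Guest DNS still goes out to the ISP through the separate guest-to-WAN policy.

```text
# Address objects (assumed names and subnets)
config firewall address
    edit "NET1_guest"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "NET2_app_server"
        set subnet 192.168.2.10 255.255.255.255
    next
end

config firewall policy
    # Guest -> network2: only the application host, only HTTPS.
    # Security profiles stay attached, so inspection is not lost.
    edit 10
        set name "guest-to-net2-app"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "NET1_guest"
        set dstaddr "NET2_app_server"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
    # Guest -> Internet: web plus DNS to the ISP's resolvers.
    # Internal DNS servers in NET2 are never reachable from port1
    # because no policy above allows port1 -> port2 on port 53.
    edit 11
        set name "guest-to-internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "NET1_guest"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set logtraffic all
    next
end
# Everything not matched above, including port1 -> port2 DNS, hits the
# implicit deny; no VIP, NAT or RPF change is needed for this design.
```

Before relying on it, confirm the behaviour with a session test from a guest host: the application port should connect, a DNS query to a NET2 server should time out, and the deny should show up in the forward traffic log against policy ID 0 (the implicit deny) once logging of denied traffic is enabled on that policy.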
Copyright 2024 Fortinet, Inc. All Rights Reserved.