login as: rpatters
rpatters@192.168.200.1's password:
Fortigate-1 $ config router static
Fortigate-1 $ edit 12
Fortigate-1 (12) $ set priority ?
<integer>    please input integer value
Fortigate-1 (12) $

The default priority is 10. A lower number has a higher priority. Valid values are from 0 (zero) to 4294967295.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I changed the webserver to 192.168.10.5 and indeed it's using wan1 now. I'm confused though, why is this depending on the last number of the IP address being odd/even? Is that only for dmz?

answered by ede_pfau
> With this IP address x.10.5, does it switch to wan2 when wan1 is down?
Should: currently, when the port is physically down, it will switch. You have a CLI option "ping-server" that indicates a port "down" when a host behind that interface cannot be reached anymore.

> If it's switching automatically when wan1 is down, do I still need the priority setting?
Depends on your needs. You need the priority when you want to have all traffic over wan1 and only failover to wan2 when needed. Without priority it does balance the requests over the two ports. (Refer to ede_pfau's explanation.)

> Can I use the distance setting so that it acts as a priority setting?
No.

> Can you explain why I should get rid of the Policy Routes?
Because you override the static routes with it. For your setup proper static routes are sufficient.

> Is it possible to install a more recent firmware on these old firewalls?
Most recent seems to be OS3, MR7, patch 10 from 2 Nov 2010. But I have doubts that you have a valid support contract to download the firmware. A renewal of the support contract is not possible anymore. Your current firmware has been released in Dec 2007.
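The replies above describe three separate mechanisms: priority (lower wins, equal values balance), distance (decides which routes enter the routing table at all) and ping-server dead-gateway detection (marks an interface down when the probed host stops answering). The following is a toy model of that selection logic, added as an illustration for this thread; it is not FortiOS code, the gateway addresses and the ping-server rule are constructed assumptions, and the interface names match the thread's wan1/wan2 setup.

```python
"""Toy model of FortiGate static-route selection with distance, priority and
ping-server dead-gateway detection. Constructed example for this thread; it is
not FortiOS code and the gateway/host addresses below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    seq: int             # route sequence number, as in "edit 12"
    device: str          # egress interface, e.g. "wan1"
    gateway: str
    distance: int = 10   # FortiOS default administrative distance
    priority: int = 10   # default priority per the thread; lower wins


def interface_state(physical_up, ping_server, reachable):
    """An interface counts as up when its link is up and, if a ping-server host
    is configured for it, that host still answers (assumed dead-gateway rule)."""
    state = {}
    for ifname, link_up in physical_up.items():
        host = ping_server.get(ifname)
        state[ifname] = link_up and (host is None or reachable.get(host, False))
    return state


def installed_routes(routes, if_up):
    """Routes that make it into the routing table: only those on interfaces
    that are up, and among those only the ones sharing the lowest distance.
    A backup route with a worse distance is therefore absent from the table
    while the primary is up, which is why distance is not a priority."""
    candidates = [r for r in routes if if_up.get(r.device, False)]
    if not candidates:
        return []
    best_distance = min(r.distance for r in candidates)
    return [r for r in candidates if r.distance == best_distance]


def forwarding_routes(routes, if_up):
    """Routes actually used for new sessions: of the installed routes, those
    with the lowest priority. More than one result means traffic is balanced
    between them (what the thread calls 'without priority')."""
    table = installed_routes(routes, if_up)
    if not table:
        return []
    best_priority = min(r.priority for r in table)
    return [r for r in table if r.priority == best_priority]


def egress(routes, physical_up, ping_server=None, reachable=None):
    """Sorted names of the interfaces new sessions would leave through."""
    if_up = interface_state(physical_up, ping_server or {}, reachable or {})
    return sorted(r.device for r in forwarding_routes(routes, if_up))


# Constructed routes: wan1 preferred by priority, wan2 as failover.
PRIORITY_SETUP = [
    StaticRoute(seq=1, device="wan1", gateway="203.0.113.1", priority=0),
    StaticRoute(seq=2, device="wan2", gateway="198.51.100.1", priority=10),
]
# Same two routes, but trying to use distance as if it were priority.
DISTANCE_SETUP = [
    StaticRoute(seq=1, device="wan1", gateway="203.0.113.1", distance=10),
    StaticRoute(seq=2, device="wan2", gateway="198.51.100.1", distance=20),
]
# No preference at all: identical distance and priority.
BALANCED_SETUP = [
    StaticRoute(seq=1, device="wan1", gateway="203.0.113.1"),
    StaticRoute(seq=2, device="wan2", gateway="198.51.100.1"),
]
PING_SERVER = {"wan1": "203.0.113.1"}   # assumed ping-server host for wan1


if __name__ == "__main__":
    both_up = {"wan1": True, "wan2": True}
    print("priority, both up:    ", egress(PRIORITY_SETUP, both_up))
    print("priority, wan1 down:  ", egress(PRIORITY_SETUP, {"wan1": False, "wan2": True}))
    print("priority, wan1 link up but ping-server host silent:",
          egress(PRIORITY_SETUP, both_up, PING_SERVER, {"203.0.113.1": False}))
    print("balanced, both up:    ", egress(BALANCED_SETUP, both_up))
    print("distance setup, routes in table while wan1 is up:",
          [r.device for r in installed_routes(DISTANCE_SETUP, both_up)])
```

Running the script shows the difference the replies point at: with priorities, both routes sit in the table and wan1 carries traffic until it is down (physically or by the ping-server check); with equal priorities both interfaces are used; with distances, wan2 only appears in the table once wan1 has gone away.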
> ORIGINAL: ede_pfau
> BTW, delete policy internal->dmz, it defeats the whole reason for a DMZ!

I see no issue with this. The other way around does pose a huge security risk...

Upon further inspection, I see the policy is indeed DMZ->internal. Big difference. That one HAS GOT TO GO...

Think about it this way: Someone compromises your web server and gains access. They then have the ability to surf and destroy anything on your LAN. With this policy, you permit it. The purpose of a DMZ is to place anything out there that you are willing to lose. If those devices get hacked or compromised in any way, you rebuild them and move on. They should not be able to leave that zone at all...

My DMZ devices have limited Internet access as well. You don't want someone to hack your web server, place a mail server on it and spray SPAM all over the Internet with your IP space on it, do you? Things to think about.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com