Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leoiaco
New Contributor

New IP Public Range on same WAN interface

Hi all,

We have a FortiGate-VM with only one interface dedicated to WAN and a public IP range (/28) configured with IP Pools.

Now we have a new, different public IP range (/28) belonging to a different public subnet (maybe same router?), and we want to configure this new public range on the same WAN interface.

Important: other interfaces are already configured.

Can I accomplish this task as fast as possible without reconfiguring the virtual appliance (it is not possible in a production environment)?

Thanks

Leo

1 Solution
Paul_S
Contributor

leoiaco, I have many subnets routed to my WAN interface. My ISP handles all the WAN routing. I just make sure all my policies, LAN routing, etc. are correct.

If I were you, I would proceed like this:

Phase 1 - talk with the ISP, run the "diag sniffer packet" command on the FortiGate. This will allow you to confirm when packets to the new range are hitting your firewall.

Phase 2 - now that the ISP is routing WAN traffic for both ranges and you have confirmed with the sniffer command, start setting up VIPs and policies, then test.

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
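The two phases described in the post above, written out as FortiOS CLI. This is an added example, not part of the original thread. The interface names (port1 as WAN, port2 as the internal side), the object names, the 203.0.113.18 documentation address standing in for one IP of the new /28, and the internal server 10.0.0.10 are all assumptions.

```fortios
# Phase 1: confirm the ISP is delivering the new /28 to the WAN port.
# 203.0.113.18 and port1 are placeholders. Verbosity 4 prints the
# ingress interface; 10 stops the capture after ten packets.
diagnose sniffer packet port1 'host 203.0.113.18' 4 10

# Phase 2: map one address from the new range to an internal server.
# Port forwarding limits the exposure to a single TCP port.
config firewall vip
    edit "vip-new-range-web"
        set extintf "port1"
        set extip 203.0.113.18
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Allow only the published service to the VIP and log the traffic,
# so the test in Phase 2 can be verified in the forward traffic log.
config firewall policy
    edit 0
        set name "wan-to-web-new-range"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-new-range-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

If the sniffer in Phase 1 shows no packets for the new address while an outside host is connecting to it, the range is not yet being routed to the firewall and the VIP will not work regardless of policy.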

13 REPLIES
pushpendra11
New Contributor

Hi Leo,

We can add a secondary IP address to an interface on the FortiGate. You can configure the new public ranges on the same WAN interface; these new subnets can be configured as part of secondary subnets.


oliverlag
New Contributor

Hi!

If the ISP is the same and they take care of routing the secondary /28, you can avoid configuring a secondary IP address on the WAN interface.

Simply configure VIPs and assign them to the ACL.

I tried twice and it works fine!

ciao


leoiaco
New Contributor

Hi Oliverlag,

Yes, it is the same ISP, but I don't know if it takes care of routing.

Anyhow, I've tried this configuration but I can only ping the gateway from the FGT Dashboard.

I will ask the ISP and I will let you know ASAP.

Regards.

Leo
