evince
New Contributor

GRE tunnel, modify remote-gateway

Hi all,

 

I'm running several GRE tunnels and everything is working perfectly. However, I'd like to modify one remote-gateway. I've tried via the CLI but I get an error:

unexpected to change gateway address! attribute set operator error, -61, discard the setting

 

Here is the config :

FGVM-ITX (gre-vince-test) # show config system gre-tunnel
    edit "gre-vince-test"
        set interface "port10"
        set remote-gw xxx.xxx.xxx.xxx    ==> IP I need to change
        set local-gw zzz.zzz.zzz.zzz
    next
end

 

Do you have any idea?

 

Thank you in advance,

 

Best Regards,

emnoc
Esteemed Contributor III

I don't think you can modify the tunnel entries after they're configured. You can edit a saved cfg file and then do a restoral.

 

 

 

PCNSE NSE StrongSwan
norouzi
Contributor

or delete the tunnel and create it again.

evince
New Contributor

Dear all,

 

Thank you for your help. It's bad news, this firewall is in production and I cannot reboot it as I want. I have a lot of policies so it is impossible to delete and recreate the tunnel :(

norouzi
Contributor

In this case the best way is to change your configuration from a backup and restore it, as emnoc said.

 

evince
New Contributor

Ok thank you very much.

emnoc
Esteemed Contributor III

Keep in mind a configuration restoral is going to cause a reboot.

 

I think another trick would be to place the interface into a zone before you nail policies, and then you add the new GRE tunnel into the same zone and delete the old one. But that would also require you to "remove" all policies in your case.

 

e.g

 

config system zone
    edit "mytunnel"
        set interface "tun1" "tun2"
    next
end

 

and

config system gre-tunnel
    edit "tun1"
        set remote-gw 199.111.111.1
        set local-gw 10.10.80.1
    next
    edit "tun2"
        set remote-gw 199.111.111.2
        set local-gw 10.10.80.1
    next
end

 

But once you place these into a tunnel, you can nail a policy to just one tunnel, but it will allow you to add or remove tunnels if the need comes up. You don't have to have 1+ interfaces in a zone, so you could place one member (tun1) and then, if tun1 ever needs to change, you add tun2 and delete tun1.

 

Either way, it's not a simple 1-2-3, but with proper planning you can eliminate most of the hassle. And I wish Fortinet would remove this restriction and allow you to re-edit the gw ip_address.

 

YMMV

PCNSE NSE StrongSwan
evince
New Contributor

Hello emnoc,

 

Thank you for your great help. Your idea about creating a zone looks wonderful for my situation. I think I'll do that :)

 

As you said, Fortinet should remove this restriction; it is nonsense.

 

Best Regards,

 

Vincent.

 

 

netgeek1
New Contributor

I know this is an old post, but I searched everywhere and was unable to find an answer that didn't require rebooting a production device, so here is the solution (steps 12-14 are done on a FortiManager, so ignore them if you don't have one):

 

1. SSH to device (or connect to the console).

 

2. Find all references to tunnel name in configuration. For this example we will use "Zscaler_LON3" for the tunnel. We are changing the remote-gw IP from 145.8.20.36 to 145.8.21.246.

 

 FG-FW01 # sh full-configuration | grep -f Zscaler_LON3
 config system interface
      edit "Zscaler_LON3" <---
           set vdom "root"
           set distance 5
           ...
      next
 end
 config system gre-tunnel
      edit "Zscaler_LON3" <---
           set interface "wan1"
           set remote-gw 145.8.20.36
           set local-gw 25.125.46.4
           set dscp-copying disable
           set keepalive-interval 0
      next
 end
 config firewall policy
      edit 418
           set name ''
           set srcintf "port3"
           set dstintf "Zscaler_LON3" <---
           set srcaddr "all"
           set dstaddr "ext.grp.denyall.malicious"

 

3. Take a full copy of ALL the returned output.

 

4. Create a new GRE tunnel with "-bk" at the end and garbage IPs.

 

 config system gre-tunnel
      edit "Zscaler_LON3-bk"
           set interface "wan1"
           set remote-gw 1.1.1.254
           set local-gw 1.1.1.211
           set dscp-copying disable
           set keepalive-interval 0
      next
 end

    

5. Modify all references from the original tunnel "Zscaler_LON3" to the new tunnel "Zscaler_LON3-bk".

 

 config firewall policy
      edit 418
           set dstintf "Zscaler_LON3-bk"
      next
 end
 config router static
      edit 36
           set device "Zscaler_LON3-bk"
      next
 end
 config router policy
      edit 4101
           set output-device "Zscaler_LON3-bk"
      next
 end
 config system link-monitor
      edit "Zscaler_LON3_Probe"
           set srcintf "Zscaler_LON3-bk"
      next
 end

    

6. Do another 'sh full-configuration | grep -f <tunnel-name>' and verify the only references to the original tunnel "Zscaler_LON3" are under 'config system interface' and 'config system gre-tunnel'.

 

7. Delete the original GRE tunnel, then recreate it with the new IP address.

 

 FG-FW01 (gre-tunnel) # delete Zscaler_LON3
 FG-FW01 (gre-tunnel) # end
 FG-FW01 # conf sys gre-tunnel
 FG-FW01 (gre-tunnel) #      edit "Zscaler_LON3"
 new entry 'Zscaler_LON3' added
 FG-FW01 (Zscaler_LON3) #         set interface "wan1"
 FG-FW01 (Zscaler_LON3) #         set remote-gw 145.8.21.246
 FG-FW01 (Zscaler_LON3) #         set local-gw 25.125.46.4
 FG-FW01 (Zscaler_LON3) #         set dscp-copying disable
 FG-FW01 (Zscaler_LON3) #         set keepalive-interval 0
 FG-FW01 (Zscaler_LON3) #     next
 FG-FW01 (gre-tunnel) # end

    

8. Deleting the GRE tunnel has also deleted all information from the system interface, so you need to add it all back in. Make sure to set 'set remote-ip' to the new remote-gw address "145.8.21.246".

 

 FG-FW01 (interface) # edit Zscaler_LON3

 FG-FW01 (Zscaler_LON3) # show
 config system interface
      edit "Zscaler_LON3"
           set vdom "root"
           set type tunnel
           set snmp-index 34
           set interface "wan1"
      next
 end

 FG-FW01 (Zscaler_LON3) #         set vdom "root"
 FG-FW01 (Zscaler_LON3) #         set distance 5
 FG-FW01 (Zscaler_LON3) #         set dhcp-relay-service disable
 FG-FW01 (Zscaler_LON3) #         set ip 172.18.100.89 255.255.255.255
 ...
 FG-FW01 (Zscaler_LON3) #         set status up
 ...
 FG-FW01 (Zscaler_LON3) #         set remote-ip 145.8.21.246
 ...
 FG-FW01 (Zscaler_LON3) #     next

 

9. Modify all references from the new tunnel "Zscaler_LON3-bk" back to the original tunnel "Zscaler_LON3".

 

 config firewall policy
      edit 418
           set dstintf "Zscaler_LON3"
      next
 end
 config router static
      edit 36
           set device "Zscaler_LON3"
      next
 end
 config router policy
      edit 4101
           set output-device "Zscaler_LON3"
      next
 end
 config system link-monitor
      edit "Zscaler_LON3_Probe"
           set srcintf "Zscaler_LON3"
      next
 end

    

10. Do another 'sh full-configuration | grep -f <tunnel-name>' and verify the only references to the new tunnel "Zscaler_LON3-bk" are under 'config system interface' and 'config system gre-tunnel'.

 

11. Delete the new tunnel "Zscaler_LON3-bk", then do another check to make sure all references to it are removed.

 

12. Do a 'Retrieve Config' from inside Device Manager -> Configuration Revision History and save the configuration.

 

13. Do a 'Revision Diff' and validate your change.

 

14. The policy package will probably show RED for out-of-sync. If so, do a policy push even though it shows no changes.
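The riskiest part of the procedure above is the bookkeeping in steps 2, 5, 6, 9 and 10: every reference to the tunnel has to be found, moved to the "-bk" tunnel, and confirmed gone before the delete, and `grep -f` on a substring will also match unrelated objects such as "Zscaler_LON3_Probe". The script below is an added example, not code from this thread or from Fortinet: it parses a saved `show full-configuration` dump (the `SAMPLE_CONFIG` text is a constructed, shortened dump shaped like the one in the post), lists exact-name references with their section and edit key, reports the ones that are not the tunnel's own `system interface` / `system gre-tunnel` entry, and prints the CLI blocks needed to re-point them. It assumes a single-VDOM dump (no `config vdom` wrapper) and values without embedded spaces; the generated commands are meant to be reviewed and pasted, not applied automatically.

```python
"""Find and re-point references to a GRE tunnel interface in a FortiOS config dump.

Added example (not from the forum thread or from Fortinet). Works on the text of
`show full-configuration` saved to a file. Assumes a single-VDOM dump.
"""
from collections import namedtuple

# One hit: section path, the `edit` key it sits under, the attribute name,
# the raw tokens of the line, and the 1-based line number in the dump.
Ref = namedtuple("Ref", "section entry attr tokens lineno")

# Constructed sample dump: shape follows the post, every value is made up.
SAMPLE_CONFIG = """\
config system interface
    edit "Zscaler_LON3"
        set vdom "root"
        set type tunnel
    next
end
config system gre-tunnel
    edit "Zscaler_LON3"
        set interface "wan1"
        set remote-gw 145.8.20.36
        set local-gw 25.125.46.4
    next
end
config system zone
    edit "zscaler"
        set interface "Zscaler_LON3" "Zscaler_SEA2"
    next
end
config firewall policy
    edit 418
        set srcintf "port3"
        set dstintf "Zscaler_LON3"
    next
end
config router static
    edit 36
        set device "Zscaler_LON3"
    next
end
"""

# Sections where an entry named after the tunnel IS the tunnel, not a
# reference to it (the exclusion steps 6 and 10 of the post describe).
OWN_SECTIONS = ("system interface", "system gre-tunnel")


def find_references(config_text, name):
    """Return every `edit <name>` and every `set` whose values contain `name`.

    Tracks config/edit/next/end nesting so each hit carries its section path
    and edit key. Matching is on the whole (unquoted) value, so a name that
    merely contains the tunnel name, like a probe called <name>_Probe, is not
    reported the way `grep -f` would report it."""
    refs, sections, entry = [], [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[7:])
        elif line == "end" and sections:
            sections.pop()
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            if entry == name:
                refs.append(Ref(" ".join(sections), entry, "edit", ["edit", line[5:]], lineno))
        elif line == "next":
            entry = None
        elif line.startswith("set "):
            tokens = line.split()[1:]          # attribute followed by its values
            if name in (t.strip('"') for t in tokens[1:]):
                refs.append(Ref(" ".join(sections), entry, tokens[0], tokens, lineno))
    return refs


def dangling_references(config_text, name):
    """References to `name` other than its own interface / gre-tunnel entry.

    An empty list is exactly the condition steps 6 and 10 ask you to verify
    before deleting a tunnel."""
    return [r for r in find_references(config_text, name)
            if not (r.section in OWN_SECTIONS and r.entry == name)]


def repoint_commands(config_text, old, new):
    """CLI blocks that move every dangling reference from `old` to `new`.

    Multi-value attributes (a zone's interface list, for example) keep their
    other members; only the matching value is swapped. Same-named objects in
    other tables (attr == "edit") are skipped: they are not `set` references."""
    blocks = []
    for r in dangling_references(config_text, old):
        if r.attr == "edit":
            continue
        values = ['"%s"' % new if t.strip('"') == old else t for t in r.tokens[1:]]
        entry = r.entry if r.entry.isdigit() else '"%s"' % r.entry
        blocks.append("config %s\n    edit %s\n        set %s %s\n    next\nend"
                      % (r.section, entry, r.attr, " ".join(values)))
    return blocks


if __name__ == "__main__":
    for r in dangling_references(SAMPLE_CONFIG, "Zscaler_LON3"):
        print("line %d: config %s / edit %s / set %s" % (r.lineno, r.section, r.entry, r.attr))
    print("\n".join(repoint_commands(SAMPLE_CONFIG, "Zscaler_LON3", "Zscaler_LON3-bk")))
```

Run it once against the dump before step 5 to get the re-point blocks, then run `dangling_references` against a fresh dump before step 7 (and again, with the "-bk" name, before step 11); the delete is only safe when that list is empty.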

 
