- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How does Fortigate Handle Multiple Internal Netwo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How does Fortigate Handle Multiple Internal Networks
Hi,
I have a network with 192.168.1.0/24 subnet with an inside LAN physical interface 192.168.1.7 connected to Fortigate 200B firewall. There is a requirement to break the internal network into 2 subnets. This means the internal network will contain 192.168.1.0/24 network range and 10.0.0.0/16 network range once the solution is implemented.
Does this mean I have to create a virtual sub interface or a physical interface within the firewall to serve the traffic for the new network of 10.0.0.0/16? Meaning should the firewall have a zone (interface) representing each internal network to support policies for both networks? Or isn' t possible to create a completely isolated 10.0.0.0/16 network connected to 192.168.1.0 network internally and route the 10.0.0.0/16 traffic via 192.168.1.0 network to the firewall gateway of 192.168.1.7? Will the firewall drop traffic if it receives packets sourced from 10.0.0.0/16 subnet from 192.168.1.7 physical interface even if the policy is created to allow traffic?
Please advise :)
Thank you in advance.
Thilina
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi THilina, welcome to the forums!
Both subnets can be directly attached to the Fortinet.
Give the Internal interface of the Fortinet a secondary IP address from the 10.0.0.0 range.
Give both subnets a firewall address name (e.g. 192.168.1.0/24=Range1 and 10.0.0.0/16 =Range2, etc.)
In the firewall rules, be specific when creating the rules, to use the address names above, don' t use the generic ANY or ALL (on the LAN side).
Example firewall policies:
Internal - Range1 -> WAN - ALL
Internal - Range2 -> WAN - ALL
You can then create rules to filter and send traffic between those two subnets, by using;
Internal - Range1 -> Internal - Range2
Internal - Range2 -> Internal - Range1
Don' t NAT the rules.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your swift response ShrewLWD. Really appreciated.
I would also like to know the following.
1) If we don' t create a firewall interface for 10.0.0.0/16 network, and keep the network internal behind a router, and create a policy to allow traffic to/from 10.0.0.0 from 192.167.1.7 interface, will it work? Is it a must that all internal networks have an interface on the firewall in order the firewall to allow traffic?
2) If we create 2 interfaces in the firewall for both internal networks, can both networks be NAT to the same external public IP address on the WAN interface?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) In order to differentiate between legitimate and rogue network (addresses) the Fortigate requires that each legititmate network is present in the routing table. If you want to just use addresses from the 10.0.0.0 range on your internal network then you have to create a static route for 10.0.0.0/24 pointing to the ' internal' port. Otherwise, this traffic will be dropped by the FGT which means that it cannot go across the firewall, e.g. to the internet.
Assigning an address to a physical or virtual interface automatically creates a ' directly connected' route in the FGT' s routing table. Thats why a secondary address or a VLAN interface ' works' .
2)
Yes, no problem. You can NAT outgoing traffic from any or all ports to the WAN interface' s IP address or any other (public) IP address that you choose.
If you have 2 ports for your 2 networks then connect both ports to the same LAN switch. This doesn' t really sound like a good idea though. You will have broadcasts, DHCP discovery requests etc. for both address ranges on the same wire and in the same broadcast domain. Running one network over a newly created VLAN is much better, for clarity, bandwidth consumption and functionality. This would mean that your switch(es) will have to support VLANs, preferably tagged VLANs or if needs be, port based VLANs.
If that is not an option you should go with the ' secondary address' approach as proposed earlier.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Ede for the reply.
1) This means it can keep internal networks not visible to the firewall. We just need to create a static route and allow traffic from the firewall policy. Creating a Vlan will remove the need of creating a static route.
2) This one is clear.
Thanks all :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, creating a VLAN or assigning a secondary address to a physical port will both create static routes in the routing table. Try it out for yourself.
Don' t forget that without a policy traffic cannot traverse the firewall, from one port to another.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have an internal network 10.10.20.0/24 connected to the internal port1 on a Fortinet 90E and I have another network 10.10.99.0/24 connected to port11 zone "MGT" on the same firewall (this network is to be used to connect all management IPs to it and to be accessed from s specific internal IP address), now I have created policies from internal to MGT allowing all sources and traffic to pass and a policy from MGT to internal also allowing all sources and destinations (i'm not limiting the source IP for testing purposes)
Now I can not reach any of the IP's inside the MGT network also I can not ping port11 IP address which is 10.10.99.1
Note: I did not create a static route because it is done automatically be the firewall
What could be the problem?
Thanks in advance
Related Posts
- Internal DNS Server issue 91 Views
- resolving Internal DNS internally 116 Views
- Help setting up internet access for... 147 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 185 Views
- Automatically Ban Malicious Inbound IPs using... 184 Views
Labels
-
FortiGate
6,491 -
FortiClient
1,295 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.