Limited transparency | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Cookbook, KB

Mark Thread UnreadFlat Reading Mode ❐

AnsweredHot!Limited transparency

Author Post Essentials Only Full Version
CollabraIT New Member Total Posts : 17 Scores: 0 Reward points: 0 Joined: 2016/07/07 11:13:38 Status: offline 2017/03/17 09:46:50 (permalink) 0 Limited transparency We have 1 FortiGate that handles the routing of our internal networks as well as the outside world. I'm looking for a way to allow server A on network A to know who server B on network B is when they communicate. With NAT on, when this communication happens, server A sees the communication as coming from the FortiGate instead of from server B. I need to be a to set something like an X-Forwarded-For header on the traffic, or be able to to NAT just the external traffic and set the inside networks to transparency. My understanding is that since we just have the single device which handles inside and outside, I have to have NAT but the FortiGate seems to only allow yes or no when it comes to NAT. Can anyone shed some light on this issue? #1 See best answerList Solutions Only 4 Replies Related Threads
ede_pfau Expert Member Total Posts : 5153 Scores: 320 Reward points: 0 Joined: 2004/03/09 01:20:18 Location: Heidelberg, Germany Status: offline Re: Limited transparency 2017/03/17 11:53:37 (permalink) ☄ Helpfulby CollabraIT 2017/03/20 10:01:54 0 Maybe you can post a small diagram of where the subnets are attached to the FGT. Until then, I can only guess. NAT is done on a per-policy base. If you can split the traffic so that source net A and source net B go across different policies you can omit the NAT setting in one. Again, to decide if you need NAT I'll have to have more infos. Ede " Kernel panic: Aiee, killing interrupt handler!" #2
CollabraIT New Member Total Posts : 17 Scores: 0 Reward points: 0 Joined: 2016/07/07 11:13:38 Status: offline Re: Limited transparency 2017/03/17 11:56:27 (permalink) 0 Internal networks are going to to individual physical interfaces with external access on a WAN interface. #3
Kenundrum Silver Member Total Posts : 90 Scores: 6 Reward points: 0 Joined: 2008/05/15 10:25:50 Location: Rhode Island, US Status: offline Re: Limited transparency 2017/03/17 13:07:44 (permalink) ☼ Best Answerby CollabraIT 2017/03/20 10:01:46 0 Ede is correct- just disable NAT on appropriate rules. Consider the following setup: internet public IP wan1 network 1 10.10.10.0/24 port1 FGT address 10.10.10.1 network 2 10.10.20.0/24 port2 FGT address 10.10.20.1 What you want is something like network 2 -> network 1 no NAT (original source addresses appear), network 1 or network 2-> internet NAT All you need to do is disable NAT on the policies that go from port1->port2 and vice versa. The FGT will be able to handle routing between the subnets because it is attached to both. Traffic destined for 10.10.10.12 from 10.10.20.22 will hit the Fortigate and go to port1, the source address will remain as 10.10.20.22 when it arrives. This also assumes your devices have their default gateway as the Fortigate. NSE4 (at Accelerate2017!) Some FGT500Ds, 60Ds at work FWF60E, FWF80CM, FGT60C, and FWF60B at home #4
CollabraIT New Member Total Posts : 17 Scores: 0 Reward points: 0 Joined: 2016/07/07 11:13:38 Status: offline Re: Limited transparency 2017/03/20 10:01:33 (permalink) 0 Thanks! That worked. I new I'd seen a NAT check box somewhere, but I'd thought it was on the interface and never went back to look at the policy rules. #5

Jump to:

© 2017 APG vNext Commercial Version 5.5