
Author
CollabraIT
New Member
2017/03/17 09:46:50 (permalink)

Limited transparency

We have 1 FortiGate that handles the routing of our internal networks as well as the outside world. I'm looking for a way to allow server A on network A to know who server B on network B is when they communicate. With NAT on, when this communication happens, server A sees the communication as coming from the FortiGate instead of from server B. I need to be able to set something like an X-Forwarded-For header on the traffic, or be able to NAT just the external traffic and set the inside networks to transparency. My understanding is that since we just have the single device which handles inside and outside, I have to have NAT, but the FortiGate seems to only allow yes or no when it comes to NAT.
Can anyone shed some light on this issue? 
#1
ede_pfau
Expert Member
Re: Limited transparency 2017/03/17 11:53:37 (permalink) Helpful by CollabraIT 2017/03/20 10:01:54
Maybe you can post a small diagram of where the subnets are attached to the FGT. Until then, I can only guess.
 
NAT is done on a per-policy base. If you can split the traffic so that source net A and source net B go across different policies you can omit the NAT setting in one.
Again, to decide if you need NAT I'll have to have more info.
 

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
CollabraIT
New Member
Re: Limited transparency 2017/03/17 11:56:27 (permalink)
Internal networks are going to individual physical interfaces, with external access on a WAN interface.
#3
Kenundrum
Silver Member
Re: Limited transparency 2017/03/17 13:07:44 (permalink) Best Answer by CollabraIT 2017/03/20 10:01:46
Ede is correct; just disable NAT on the appropriate rules.
 
Consider the following setup:
internet     public IP        wan1
network 1    10.10.10.0/24    port1    FGT address 10.10.10.1
network 2    10.10.20.0/24    port2    FGT address 10.10.20.1
 
What you want is something like: network 2 -> network 1 no NAT (original source addresses appear); network 1 or network 2 -> internet NAT.
All you need to do is disable NAT on the policies that go from port1 -> port2 and vice versa. The FGT will be able to handle routing between the subnets because it is attached to both. Traffic destined for 10.10.10.12 from 10.10.20.22 will hit the FortiGate and go to port1; the source address will remain 10.10.20.22 when it arrives. This also assumes your devices have their default gateway as the FortiGate.

NSE4 (at Accelerate2017!)
Some FGT500Ds, 60Ds at work
FWF60E, FWF80CM, FGT60C, and FWF60B at home
#4
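The policy split described in the answer above, written out as FortiOS CLI. This is an added illustration, not configuration posted in the thread; the interfaces and subnets are the ones from the example setup, while the policy IDs, policy names and address-object names are assumptions. Addresses are scoped to the two subnets rather than "all" so each policy only matches the traffic it is meant for, and the inter-subnet policies log so the original source address shows up in the traffic log.

```fortios
# Added example; policy IDs and object names are assumed, not from the thread.
config firewall address
    edit "net1"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "net2"
        set subnet 10.10.20.0 255.255.255.0
    next
end
config firewall policy
    # Inter-subnet traffic: routed with no source NAT, so 10.10.20.22
    # arrives at 10.10.10.12 with its own address, not the FGT's.
    edit 10
        set name "net2-to-net1"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "net2"
        set dstaddr "net1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
    edit 11
        set name "net1-to-net2"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "net1"
        set dstaddr "net2"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
    # Internet-bound traffic keeps source NAT to the wan1 address.
    edit 20
        set name "net1-to-internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "net1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

A matching port2 -> wan1 policy with `set nat enable` covers network 2's internet access; in the GUI the same setting is the NAT toggle on each policy, not on the interface.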
CollabraIT
New Member
Re: Limited transparency 2017/03/20 10:01:33 (permalink)
Thanks! That worked. I knew I'd seen a NAT check box somewhere, but I'd thought it was on the interface and never went back to look at the policy rules.
#5