[c-nsp] Router / Switch in front of Firewall

Jimmy Stewpot squid at oranged.to
Mon May 12 08:55:26 EDT 2008


Hi,

I believe you can get the Fortinet device to query the Fortiguard 
distribution network with a different source address (e.g. an internal 
interface rather than the default route external interface). Check the 
options under

config system fortiguard

In version 3.0 build 660 you should have the following

*hostname                   hostname or IP of the FortiGuard server
srv-ovrd                   enable or disable the server override list.
port                       port used to communicate with the FortiGuard servers
client-override-status     enable or disable the client override IP.
service-account-id         service account id
central-mgmt-status        enable/disable central management
antispam-status            enable/disable the service
antispam-cache             enable/disable the cache
antispam-cache-ttl         The time-to-live for cache entries in seconds (300-86400)
antispam-cache-mpercent    The maximum percent of memory the cache is allowed to use (1-15%)
*antispam-timeout           query time out (1-30 seconds)
avquery-status             enable/disable the service
avquery-cache              enable/disable the cache
avquery-cache-ttl          The time-to-live for cache entries in seconds (300-86400)
avquery-cache-mpercent     The maximum percent of memory the cache is allowed to use (1-15%)
*avquery-timeout            query time out (1-30 seconds)
webfilter-status           enable/disable the service
webfilter-cache            enable/disable the cache
webfilter-cache-ttl        The time-to-live for cache entries in seconds (300-86400)
*webfilter-timeout          query time out (1-30 seconds)

I've just played around with it in our lab with a 500A and it works well. 
If you're using features like antispam or NAT it may not work so well 
with a non-public address on the "external" interface.

Regards,

Jimmy.

p.s. sorry for posting non-Cisco-related stuff on the Cisco list :()


Tor-Ivar Kristoffersen wrote:
> Hi all
> 
> This is my first post here, so I hope this gets in the right way :)
> 
> We have a 100 Mbit Internet connection that we are building (this is a new line). We are setting in new eq. and we plan to move over one service at a time.
> We have a Fortigate 500A firewall in front here, but we need to set up a router or switch or some other nice box in front of the firewall.
> The reason for this is that we have a /21 net routed to this fw, but our supplier runs their eq. on 10.x.x.x IPs and they will not let their eq. be exposed by real IPs. So the issue for us comes when the FG500A is to communicate with the world: it sees that the default gw is on a 10.x.x.x net and therefore uses its own assigned 10.x.x.x IP address for transmitting this. This naturally gets dropped by the ISP.
> 
> Solution is to set a Cisco switch / router in front with 2 interfaces. One with our legal IP and one with the 10.x address. This way this unit will become the default gw for our FG500A and will transmit with its real IP address.
> 
> But that leaves the question as to which unit to use in front.
> 
> We have a couple of 2801s in stock, but they can't handle the traffic. We need something that can withstand an attack and at the same time deliver enough performance for the 100 Mbit link.
> 
> All suggestions are welcome, also if anyone has a similar setup and therefore has any hands-on experience with such a front end that would also be great.
> 
> Thanks
> 
> Best regards
> Tor-Ivar Kristoffersen
> IT Consultant
> Lufttransport AS
> 
> "Horsepower is how hard you hit the wall, torque is how long you take the wall with you"
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
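As an added illustration of the front-end router Tor-Ivar describes (this is not configuration from either poster, and nothing on the page confirms it was deployed), the fragment below shows one way such a box could be set up on a Cisco IOS router: a 10.x address on the supplier side, a public /30 carved out of the /21 on the FortiGate side so the firewall's external interface and default gateway are both routable, the router's own management traffic pinned to the public interface, and a coarse anti-spoofing filter on the uplink. The /21 (198.51.96.0/21), the link nets, the interface names and the hostname are all assumed placeholders.

```cisco
! Added example, not from the thread. Hypothetical front-end router between the
! supplier's 10.x link (which will not carry packets sourced from 10.x beyond it)
! and the FortiGate 500A. All addresses are placeholders:
!   assumed public /21 routed to the site : 198.51.96.0/21
!   assumed router<->FortiGate link       : 198.51.96.0/30 (router .1, FortiGate .2)
!   assumed supplier link                 : 10.200.0.0/30  (ISP gateway .1, router .2)
hostname fe-router
!
ip cef
no ip source-route
!
! ISP-facing side: 10.x address, as the supplier requires.
interface GigabitEthernet0/0
 description ISP uplink (supplier 10.x link net)
 ip address 10.200.0.2 255.255.255.252
 ip access-group FROM-ISP in
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no cdp enable
!
! FortiGate-facing side: a public /30 out of the /21, so the FortiGate's external
! interface and its default gateway are public and its own traffic (FortiGuard
! queries, NAT, management) leaves with a routable source address.
interface GigabitEthernet0/1
 description To FortiGate 500A external interface
 ip address 198.51.96.1 255.255.255.252
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip proxy-arp
!
! Default route toward the ISP; the whole /21 is handed to the FortiGate, which
! routes the remainder of the block behind it.
ip route 0.0.0.0 0.0.0.0 10.200.0.1
ip route 198.51.96.0 255.255.248.0 198.51.96.2
!
! The router's own traffic must not leave sourced from 10.200.0.2 either, or the
! ISP drops it for the same reason: pin management protocols to the public side.
ntp source GigabitEthernet0/1
logging source-interface GigabitEthernet0/1
!
! Coarse ingress filter on the uplink. The FortiGate does the real policy; this
! only drops spoofed sources and keeps junk off the link. The supplier gateway
! itself must stay reachable (link peer, ICMP unreachables) although it is RFC1918.
ip access-list extended FROM-ISP
 permit ip host 10.200.0.1 any
 deny   ip 198.51.96.0 0.0.7.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any 198.51.96.0 0.0.7.255
 deny   ip any any
```

Two points worth checking before copying this pattern: strict uRPF (`ip verify unicast source reachable-via rx`) on the FortiGate-facing interface only works because the static route for the /21 points at that interface, so any asymmetric return path would have to be excluded; and because the FortiGate's external address becomes public in this layout, the caveat in Jimmy's reply about antispam and NAT with a non-public "external" address no longer applies, which is the main reason to terminate the 10.x link on the router rather than on the firewall.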

