If a FortiGate firewall interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools. For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:
- port1 IP address: 18.104.22.168/255.255.255.0 (range is 22.214.171.124-126.96.36.199) l port2 IP address: 188.8.131.52/255.255.255.0 (range is 184.108.40.206-220.127.116.11) And the following IP pools:
- IP_pool_1: 18.104.22.168-22.214.171.124 l IP_pool_2: 126.96.36.199-188.8.131.52 l IP_pool_3: 184.108.40.206-220.127.116.11
The port1 interface overlap IP range with IP_pool_1 is:
(18.104.22.168-22.214.171.124) and (126.96.36.199-188.8.131.52) = 184.108.40.206-220.127.116.11 The port2 interface overlap IP range with IP_pool_2 is:
(18.104.22.168-22.214.171.124) & (126.96.36.199-188.8.131.52) = 184.108.40.206-220.127.116.11 The port2 interface overlap IP range with IP_pool_3 is:
(18.104.22.168-22.214.171.124) & (126.96.36.199-188.8.131.52) = 184.108.40.206-220.127.116.11 And the result is:
- The port1 interface answers ARP requests for 18.104.22.168-22.214.171.124
- The port2 interface answers ARP requests for 126.96.36.199-188.8.131.52 and for 184.108.40.206-220.127.116.11
Select Enable NAT in a security policy and then select Dynamic IP Pool. Select an IP pool to translate the source address of packets leaving the FortiGate unit to an address randomly selected from the IP pool. Whether or not the external address of an IP Pool will respond to an ARP request can be disabled. You might want to disable the ability to responded to ARP requests so that these address cannot be used as a way into your network or show up on a port scan.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!