If a FortiGate firewall interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools. For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:
- port1 IP address: 220.127.116.11/255.255.255.0 (range is 18.104.22.168-22.214.171.124) l port2 IP address: 126.96.36.199/255.255.255.0 (range is 188.8.131.52-184.108.40.206) And the following IP pools:
- IP_pool_1: 220.127.116.11-18.104.22.168 l IP_pool_2: 22.214.171.124-126.96.36.199 l IP_pool_3: 188.8.131.52-184.108.40.206
The port1 interface overlap IP range with IP_pool_1 is:
(220.127.116.11-18.104.22.168) and (22.214.171.124-126.96.36.199) = 188.8.131.52-184.108.40.206 The port2 interface overlap IP range with IP_pool_2 is:
(220.127.116.11-18.104.22.168) & (22.214.171.124-126.96.36.199) = 188.8.131.52-184.108.40.206 The port2 interface overlap IP range with IP_pool_3 is:
(220.127.116.11-18.104.22.168) & (22.214.171.124-126.96.36.199) = 188.8.131.52-184.108.40.206 And the result is:
- The port1 interface answers ARP requests for 220.127.116.11-18.104.22.168
- The port2 interface answers ARP requests for 22.214.171.124-126.96.36.199 and for 188.8.131.52-184.108.40.206
Select Enable NAT in a security policy and then select Dynamic IP Pool. Select an IP pool to translate the source address of packets leaving the FortiGate unit to an address randomly selected from the IP pool. Whether or not the external address of an IP Pool will respond to an ARP request can be disabled. You might want to disable the ability to responded to ARP requests so that these address cannot be used as a way into your network or show up on a port scan.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!