
Fortigate with NAT device and dynamic IP

  • 1.  Fortigate with NAT device and dynamic IP

    Posted 04-05-2017 04:37

    Hello

    We have a POC with several FGTs, all behind NAT devices with dynamic IPs.
    The WAN IP on the FGT is static but the NAT device in front has a dynamic IP. They will connect to an externally hosted FMG.

    I did some tests and the FMG seems to be capable of handling the public IP changes.
    It takes between 5-6 minutes after an IP change for the FMG to see the change.

    Is there some more info on this?
    I would like to be able to explain how the "tunnel" between the FGT and FMG works.
    Currently I know it's using TCP 541 with SSL/TLS encryption: High

    Algorithms are: DHE-RSA-AES256-SHA:AES256-SHA: EDH-RSA-DES-CBC3-SHA: DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA

    Can we speed up the failover time? What is the interval it uses to connect or update the status?

    Any info/detail on the connection is welcome.

    Thank you!
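The cipher string quoted in the post is an OpenSSL-style list, so it can be audited mechanically. The following is an added example, not code from the original post or from Fortinet: it splits the list into suites and, using the OpenSSL naming convention as an assumption (a leading DHE/EDH/ECDHE means an ephemeral key exchange, DES-CBC3 means 3DES, the trailing token is the MAC, where SHA stands for SHA-1), reports which suites lack forward secrecy or still depend on 3DES or MD5. Only the names that appear in the thread are used as input.

```python
"""Audit an OpenSSL-style cipher list for well-known weaknesses.

Added example (not from the forum post or Fortinet documentation).
Assumptions: suite names follow the OpenSSL convention, where a leading
DHE/EDH/ECDHE denotes an ephemeral (forward-secret) key exchange, the
cipher token identifies the bulk cipher, and the last token is the MAC
hash (SHA meaning SHA-1 in these legacy names).
"""
import re

# The cipher list quoted in the thread, copied verbatim (whitespace removed).
CIPHER_LIST = ("DHE-RSA-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:"
               "DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA")

PFS_PREFIXES = ("DHE", "EDH", "ECDHE")


def classify_suite(name):
    """Return a dict describing one suite and a list of its weaknesses."""
    parts = name.split("-")
    pfs = parts[0] in PFS_PREFIXES          # ephemeral DH => forward secrecy
    mac = parts[-1]                          # SHA (=SHA-1), MD5, SHA256, ...
    if "DES-CBC3" in name or "3DES" in name:
        cipher = "3DES"
    else:
        m = re.search(r"AES(\d+)", name)
        cipher = f"AES{m.group(1)}" if m else "unknown"

    issues = []
    if not pfs:
        issues.append("no forward secrecy (static RSA key exchange)")
    if cipher == "3DES":
        issues.append("3DES: 64-bit block cipher (Sweet32-class risk)")
    if mac == "MD5":
        issues.append("MD5-based MAC")
    return {"name": name, "pfs": pfs, "cipher": cipher, "mac": mac,
            "issues": issues}


def audit_cipher_list(cipher_list):
    """Classify every non-empty suite in a colon-separated cipher string."""
    return [classify_suite(n) for n in cipher_list.split(":") if n]


def weak_suites(cipher_list):
    """Names of suites with at least one flagged weakness."""
    return [s["name"] for s in audit_cipher_list(cipher_list) if s["issues"]]


def preferred_suites(cipher_list):
    """Names of suites with no flagged weakness (PFS, AES, no MD5)."""
    return [s["name"] for s in audit_cipher_list(cipher_list)
            if not s["issues"]]


if __name__ == "__main__":
    for suite in audit_cipher_list(CIPHER_LIST):
        status = "ok" if not suite["issues"] else "; ".join(suite["issues"])
        print(f"{suite['name']:<24} {status}")
```

Run as a script it prints one line per suite; for the thread's list only the two DHE-RSA-AES suites come out clean, while the static-RSA and 3DES/MD5 entries are flagged. On a managed device the practical follow-up is to check whether the management side can be restricted to the forward-secret AES suites and to monitor which suite the FGFM session actually negotiates.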




  • 2.  RE: Fortigate with NAT device and dynamic IP

    Posted 04-05-2017 05:34

    Hi,

    You should have a look at the doc attached to Mantis #0282493.

    Could you also please let us know your method to measure those 5-6 minutes?

    Best Regards.



  • 3.  RE: Fortigate with NAT device and dynamic IP

    Posted 04-06-2017 02:42

    Thank you very much for this info.
    It looks very useful, I will check it in further detail.

    I measured the 5-6 minutes with a not so accurate method.
    I simulated the NAT with another FGT.

    1. I changed the IP on the NAT device and checked how long it took to change in the device manager on the FMG.
    2. I changed the IP on the NAT device and checked the session table to see when the managed FGT tried to connect again.

    Both were around 5 minutes.