Silver (New Contributor)

Fortinet connect to core switch

Dear All, can someone guide me on the best way to set up a FortiGate in this scenario, please?

1) I have a FortiGate and a core switch.
2) Several VLANs are configured on the core switch, including a VLAN for voice.
3) Right now inter-VLAN routing is being done on the core switch.
4) If we need to install the FortiGate as a firewall, how can we simplify the config in the best way?
5) I have several servers on a specific VLAN, and some servers (web servers) will need to be accessed from outside, on the Internet.
6) I also have some VPN users who will need to access the internal resources from outside the network.
7) The important thing is also, if I want to block certain users from a specific VLAN from accessing other VLANs, whether that will be possible.

The way I want to set up the FortiGate: I want to configure two interfaces on the FortiGate, for example port 1 and port 2, as a link aggregation and connect the core switch on ports 1 and 2 as an aggregation using the LACP protocol. Then configure an IP address on the FortiGate link aggregation interface and configure an IP address on a VLAN on the core switch, and on the core switch configure a default route going to the FortiGate. Can anyone help me, please? Thanks a lot.
Silver (New Contributor)

Any feedback, please?
Silver (New Contributor)

Any feedback, please?
emnoc (Esteemed Contributor III)

Quoting the original post:
1) I have a FortiGate and a core switch.
2) Several VLANs are configured on the core switch, including a VLAN for voice.
3) Right now inter-VLAN routing is being done on the core switch.
4) If we need to install the FortiGate as a firewall, how can we simplify the config in the best way?
5) I have several servers on a specific VLAN, and some servers (web servers) will need to be accessed from outside, on the Internet.
6) I also have some VPN users who will need to access the internal resources from outside the network.
7) The important thing is also, if I want to block certain users from a specific VLAN from accessing other VLANs, whether that will be possible.

Item #1: what you're asking is all simple. For VPN access you probably want to use SSL VPN and define user groups. You could control somewhat the same thing with IPsec, to some degree. Do you want the firewall to have a downlink to the core and keep inter-VLAN routing on the core? Remember, with any RA access, once an end user gets access to that server, he/she has access to everything that server would have access to, as if a local user on the console. So police and organize the FW policies. For LACP that's no problem: just grab your 2 links, set them as a virtual interface, and apply the FW policies to that virtual link. Do a search here with me as author; numerous examples have been posted for virtual links that are LACP, and the cfg is simple.
PCNSE NSE StrongSwan
Silver (New Contributor)

Hello, thanks for your reply. But I think you did not get what I want to achieve exactly, and for question 7 there is no answer. Look, my mission: I want to do all the inter-VLAN routing on the core switch itself and create a point-to-point VLAN from the core switch to the FortiGate, for example with IP address 192.168.1.2/29 on the core switch and IP address 192.168.1.1/29 on the FortiGate, and a default route on the core switch toward the FortiGate, so 192.168.1.1 will be the default gateway. All users will use a gateway on the core switch, and the core switch will talk to the FortiGate for Internet etc. As inter-VLAN routing is done on the core switch, users will get access to every VLAN, but I do not want to allow users to access all VLANs, only certain VLANs. Also, some remote users will need to get access to internal resources via VPN. And will port forwarding from outside to inside be possible in this setup? Find attached the design. Can you guide me on how to achieve this, please?
Silver (New Contributor)

(attached: topology diagram)
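The point-to-point design described in the post above (LACP bundle on port 1 and port 2, a /29 between core and FortiGate, default route on the core), written out as an added FortiOS CLI example. This is not configuration from the thread or from Fortinet. It assumes FortiOS 5.2-style CLI syntax, interface names port1, port2 and wan1, the 192.168.1.0/29 link from the post, and constructed internal subnets 10.10.10.0/24 (users), 10.10.20.0/24 (servers, web server 10.10.20.10) and 10.10.99.0/24 (management); 203.0.113.10 and 203.0.113.1 stand in for the public address and the ISP next hop. The SSL-VPN portal and the user group "vpn-users" are assumed to be set up already and are not shown.

```text
# Added example, FortiOS 5.2-style CLI. Interface names, subnets and public
# addresses are assumptions, not values from the thread.

# The two links to the core, bundled with LACP, carrying the /29 from the post.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        set ip 192.168.1.1 255.255.255.248
        set allowaccess ping
    next
end

config firewall address
    edit "vlan10-users"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "vlan20-servers"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# Return routes: the core owns every internal VLAN, so the FortiGate must be
# told those subnets sit behind 192.168.1.2, or replies never get back.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set device "agg1"
        set gateway 192.168.1.2
    next
end

# Port forward for the published web server (question 5).
config firewall vip
    edit "vip-web-443"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set mappedip "10.10.20.10"
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 1
        set comments "internal VLANs to the Internet, via the core"
        set srcintf "agg1"
        set dstintf "wan1"
        set srcaddr "vlan10-users" "vlan20-servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
    edit 2
        set comments "inbound port forward to the web server"
        set srcintf "wan1"
        set dstintf "agg1"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 3
        set comments "SSL-VPN users reach the server VLAN only (question 6)"
        set srcintf "ssl.root"
        set dstintf "agg1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "vlan20-servers"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
    next
end
```

Two things worth checking in this design. Policy 1 lists explicit source subnets rather than "all", so a host on the core that is not in one of the internal VLANs (or a spoofed source) does not get a free ride out. More importantly, every VLAN arrives on agg1 from the same next hop, 192.168.1.2, so the FortiGate sees source addresses, not VLANs: it can police what leaves for the Internet and what comes back in, but traffic that stays on the core (user VLAN to management VLAN, question 7) never crosses it at all.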
RafalS (New Contributor)

Quoting the original post:
1) I have a FortiGate and a core switch.
2) Several VLANs are configured on the core switch, including a VLAN for voice.
3) Right now inter-VLAN routing is being done on the core switch.
4) If we need to install the FortiGate as a firewall, how can we simplify the config in the best way?
5) I have several servers on a specific VLAN, and some servers (web servers) will need to be accessed from outside, on the Internet.
6) I also have some VPN users who will need to access the internal resources from outside the network.
7) The important thing is also, if I want to block certain users from a specific VLAN from accessing other VLANs, whether that will be possible.

Re 4 & 7: You should be more specific about which internetwork segments need to be firewalled. If VLAN 10, VLAN 20, VLAN 30 represent intranet logical segments and they are to be separated with a firewall, then you have two distinct options:

1 - Core switch as an L3-L4 FW. In point 3) you specify that inter-VLAN routing is performed in the core switch. Keeping that fair design, just create access lists in that switch and bind them to the respective VLAN interfaces (SVIs). Your intranet traffic will then avoid the inefficiencies of router-on-a-stick. The downside may be poor manageability of multiple access lists with multiple access entries, and the lack of an L7 firewall, if you care.

2 - FortiGate as intranet firewall. This design basically reverses the pros and cons of option 1 but suffers some scalability issues due to router-on-a-stick. Consider that to divert local traffic away from the current inter-VLAN routing, you need to delete the SVIs on your core switch, effectively relocating them onto your FortiGate, set up an 802.1Q trunk between the core and the FortiGate, and use FortiGate VLAN interfaces as default gateways for your segments.

Best practice in scalable designs is to keep the UTM (FortiGate) for Internet/DMZ/LAN only and a separate FW for the intranet. What brand/model is your core switch device?
FCNSP 4.x running FortiOS 5.0.4 on FG621B A-A HA
emnoc (Esteemed Contributor III)

Quoting: "But I think you did not get what I want to achieve exactly, and for question 7 there is no answer."

I know exactly what you want. The topology diagram makes it even clearer. I think RafalS summed up your dilemma quite well. You're asking the wrong question in regards to using the firewall as a controlling device for inter-VLAN routing on the core switch. If you want to do it on the FGT, then that's fine: enable L3 interfaces for the VLANs and an 802.1Q trunk, or even better an LACP 802.1Q trunk, back to the core, and move the L3 SVIs from the core switch into the FGT. Keep in mind that packets that travel the wire twice are probably not good for performance. Managing L3 ACLs is probably not ideal either, and I'm not sure what switch you have, but a ZBFW (zone-based firewall) might not be doable. If you have, let's say, a 6500 with an FWSM (firewall service module), you could do your internal firewalling within the core, and the FGT would handle traffic destined outbound to the Internet. You have so many options and choices, but you would have to determine where and how you want to go about it. Another choice might be one of the Fortinet switches; I think they have a means for some type of firewall policy deployment, iirc. But to be quite frank, I have used enough of them and am not overly impressed with them to begin with.
Silver (New Contributor)

Hello, thanks to both of you, I really appreciate the replies. Let me be more simple.

Question 1: Right now inter-VLAN routing is being done on the core switch, okay.

Question 2: I want to keep all internal traffic on the core switch itself, as RafalS mentioned, and only filter traffic for Internet / DMZ & LAN. But my problem is only to limit certain VLANs from accessing other VLANs, for example the users VLAN should not be able to access the management VLAN. As inter-VLAN routing is performed on the core switch, obviously they will be able to access each VLAN.

I want to set it up like this: FortiGate ----> core switch --------> access switch --------> users VLAN / server VLAN / management VLAN & voice VLAN. On the core switch, a default gateway toward the FortiGate interface, and all users and servers will use as gateway the interface configured for each VLAN on the core switch. Got me? Is it okay like this, please? Is there anything better?
emnoc (Esteemed Contributor III)

You will need to manage that with L3 ACLs on the core-switch if you want or do not want inter-vlan access. The fortigate is useless in this manner.
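What "manage that with L3 ACLs on the core switch" looks like in practice, as an added example that is not from the thread. Nobody in the thread says what the core switch is, so the syntax below is assumed to be Cisco IOS; the addresses are constructed: users VLAN 10 = 10.10.10.0/24, servers VLAN 20 = 10.10.20.0/24 (web server 10.10.20.10), management VLAN 99 = 10.10.99.0/24, and VLAN 100 as the untagged point-to-point link to the FortiGate using the 192.168.1.0/29 from the original post. Physical port names are assumptions too.

```text
! Added example, assumed Cisco IOS syntax. VLAN numbers, subnets and port
! names are constructed for illustration, not taken from the thread.

! LACP bundle toward the FortiGate (matches an aggregate interface on the FGT).
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode access
 switchport access vlan 100
!
! Point-to-point /29 and the default route toward the FortiGate (.1).
interface Vlan100
 ip address 192.168.1.2 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Question 7: what the users VLAN may reach. Evaluated top down, first match wins,
! implicit deny at the end, so the final "permit any" is what keeps Internet working.
ip access-list extended USERS-VLAN10-IN
 remark users must never reach the management VLAN
 deny   ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255
 remark users may reach only the published web service on the server VLAN
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.20.10 eq 443
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 remark everything else (Internet via the default route) is allowed
 permit ip 10.10.10.0 0.0.0.255 any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group USERS-VLAN10-IN in
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan99
 ip address 10.10.99.1 255.255.255.0
```

The ACL is applied inbound on the users' own SVI, so it is checked once, before the packet is routed, and it filters only what VLAN 10 hosts originate; return traffic from the servers enters through Vlan20 and is not affected. Switch ACLs are stateless, so a rule like "permit tcp ... eq 443" is a destination-port filter, not a connection table. Note also that the last line permits users to reach any other address, which includes any VLAN not explicitly denied above it, so every protected segment needs its own deny before the catch-all permit.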