BWiebe
Contributor

Design Question - NAT/Route and Transparent Port

Building a firewall config for a client on a FortiGate 60E with 5.4.3.

The firewall is essentially set as NAT/Route mode with various internal interfaces acting as gateways for various VLANs. The VLANs are in place for various items and various 3rd parties with gear at the site where the firewall will land.

Site will initially have a single WAN but this will likely change. The single WAN will have 6 IPs available.

One of the 3rd party's requirements is that we give them a single port with one of the WAN IPs going through the firewall directly as passthrough. This way we can protect their internet traffic at some level in and out (and the client by extension). I was against this setup and wanted to just give them a VLAN switch port on an Internet VLAN and let them manage their internet protection, etc.

At any rate - I'm now at the point where I 'need' to make this work. Essentially have their port act as a switch port on the ISP.

I had thought about using a VDOM and putting a single port for them there, in transparent mode - but this seems to be a lot of trouble for this.

Maybe a virtual wire pair could work for this sort of thing as well?

Any thoughts on how best to implement this?

Thanks,

BWiebe
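One way to build the passthrough port the question describes, as an added FortiOS CLI example that is not from this thread or from Fortinet's documentation: a virtual wire pair leaves the 60E in NAT/Route mode for every other interface while bridging two physical ports at layer 2 for the third party, and the policies on the pair are where IPS and logging are applied. It assumes the ISP hands off a second cable into internal7, that internal6 and internal7 were already removed from the internal hardware switch, and that the interface, policy and profile names are placeholders.

```fortios
# Added example, not from the thread. Assumes FortiOS 5.4-era CLI on a 60E
# whose internal6/internal7 ports were first taken out of the "internal"
# hardware switch. internal7 faces the ISP handoff, internal6 faces the
# third party's device. Neither member port carries an IP, so the public
# address from the /29 that the third party sets on their own device
# passes through unchanged; the FortiGate only inspects the frames.
config system virtual-wire-pair
    edit "vwp-thirdparty"
        set member "internal7" "internal6"
    next
end

# Policies for a virtual wire pair are ordinary firewall policies whose
# srcintf/dstintf are the two members. There is no NAT on this path, but
# UTM profiles and logging apply, which is the "visibility" the client
# asked for. Nothing on the pair can reach the other VLAN interfaces
# because no policy names them.
config firewall policy
    # Inbound from the Internet toward the third party's device. The
    # service "ALL" is a placeholder: narrow it to what they actually need.
    edit 0
        set name "vwp-thirdparty-in"
        set srcintf "internal7"
        set dstintf "internal6"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
    # Outbound from the third party's device to the Internet.
    edit 0
        set name "vwp-thirdparty-out"
        set srcintf "internal6"
        set dstintf "internal7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Because the pair bridges the third party's device onto the ISP segment, the address they use must be one of the six public IPs that wan1 is not already using, and the "vwp-thirdparty-in" service list is the only thing limiting what reaches their device from the Internet.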

SCSIraidGURU
Contributor

You have a /29 registered subnet with 6 host addresses that will not be NAT. Do you have layer 3 switches, or will the 60E be your layer 3 device for routing? At my house, I have a 60E. WAN1 is bridged to my cable modem and gets the outside address. I had to connect up to DMZ with my workstation (it has a 10.x.x.x network) to take internal 1 to 7 out of internal mode so I can use them separately. So I have 9 available LAN ports and 1 WAN port. Each VLAN will need a VLAN firewall gateway address. If you are running layer 3 switches, each switch VLAN will need a VLAN switch gateway address. In my data center, I use policy-based routing on my HP 5800 layer 3 switches to do the next hop from the VLAN switch gateway to the VLAN firewall gateway on my 800C. At home, the 60E does my layer 3 routing in a simple routing table. You can assign multiple VLANs to each switch port. On my 800C 10 Gbps port, I have 5 VLANs, each with a VLAN firewall gateway address: the address to reach the firewall on that VLAN. The reason is so I don't violate Reverse Packet Spoofing rules. The registered subnet will not be NAT outbound.

BWiebe

Switches are all layer 2, the firewall will manage the routing.

The issue is we need to be transparent to the 3rd party but still protect their connection at some level.

Thanks,

SCSIraidGURU

Will the 60E be able to handle the job of being a firewall, IPS and router for their traffic? At my home, the 60E can do it. It is mainly for my Cisco VIRL virtual lab I am building. I need 5 subnets for it. Will you have UTM, IPS and all other features enabled? How many users, printers and servers will be on the 60E? In my data center, I separate layer 3 routing from my 800C. I have layer 3 switches to handle internal traffic on 13 VLANs. Only traffic that is Internet bound goes out the policy-based routes to the 800C VLAN gateways. Can they afford a layer 3 switch to do the routing and VLANs instead? In the past we tried using a Cisco ASA for layer 3 and firewall. It was too much. Depending on the amount of traffic routed between VLANs, will you need a 90E?

 

BWiebe

No servers, only 8 users and 3 printers.

The issue is the variety of 3rd party gear at this plant and the fact they are all on separate VLANs.

There will be some interaction between some of the gear, which should be no problem with firewall rules.

My biggest concern is this single 3rd party and giving them the link as described.

Thanks,

SCSIraidGURU

> One of the 3rd party's requirements is that we give them a single port with one of the WAN IPs going through the firewall directly as passthrough. This way we can protect their internet traffic at some level in and out (and the client by extension). I was against this setup and wanted to just give them a VLAN switch port on an Internet VLAN and let them manage their internet protection, etc.

That is called a client VPN or site-to-site VPN. They would need to install a VPN client or another Fortinet device on their end to connect for the most secure connection. What is connecting from their end to what on your end? You could isolate the VLAN to prevent it from connecting to other VLANs.

BWiebe

No - none of that is an option.

I'm familiar with site-to-site VPNs, etc.

Initially I had lobbied to give them a single port on the ISP gear and give them an IP and walk away from it and let them have the IP and not have any part of it.

This idea was modified to give them a single IP but have it going through the firewall so they can manage their devices, etc - essentially they want the firewall port to just act like the switch port I would have given them, but then they can have traffic visibility and protect the traffic.

My issue is how I can give them this connection without impacting the other ports.

SCSIraidGURU

> No - none of that is an option. I'm familiar with site-to-site VPNs, etc. Initially I had lobbied to give them a single port on the ISP gear and give them an IP and walk away from it and let them have the IP and not have any part of it. This idea was modified to give them a single IP but have it going through the firewall so they can manage their devices, etc - essentially they want the firewall port to just act like the switch port I would have given them, but then they can have traffic visibility and protect the traffic. My issue is how I can give them this connection without impacting the other ports.

So a 3rd party wants to access devices behind your firewall without using a VPN. They want to be able to come through your WAN port without any layers of security to protect it. That would not happen in my data center. I would provide them a site-to-site VPN firewall to access it through. I would put a site-to-site VPN in and use QinQ VLAN over an Ethernet connection. Both of my WAN pipes are pure Ethernet, not a circuit.

Why in hell would anyone on the receiving side consider this acceptable? The 60E is $1300 with 24x7 support. I would be putting one at their site. They would not have a choice. You would need an inbound policy from their WAN to those devices in a certain VLAN that is isolated from the other VLANs. I would isolate it down to the ports that they need in virtual IPs. It would be tricky to set up and secure. That is a lot of liability for doing such an unsecured connection that could be compromised. You need to use the DMZ port to isolate it completely.

 

BWiebe

Oh - I agree - this is all one large site, based in North America. Part of it, I guess, is this particular 3rd party is based in Europe and I guess their access mainly is to support their devices during hours that wouldn't necessarily be palatable to normal support (6 hours ahead of where the items are).

Essentially what they want is a single internet IP. I was OK with just giving them that on a switch VLAN and washing my hands of their setup - but one of our 'security' folks figured it would be a good idea to push this port through the firewall instead so we have 'visibility.'

In other builds I've done for the clients I support, it's been all NAT/Route or all Transparent. This is the first time where their requirement is different/mixed, hence my quandary.

Heck, this third party was initially going to bring their own ISP into this to secure their gear (which I would have been fine with :) ); somehow that got changed.

Thanks,

SCSIraidGURU
Contributor

A FortiGate can operate in one of two modes: NAT/Route or Transparent. In NAT/Route mode, the most common operating mode, a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT). NAT/Route mode is also used when two or more Internet service providers (ISPs) will provide the FortiGate with redundant Internet connections. A FortiGate in Transparent mode is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in Transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical. For more information about Transparent Mode, see the Transparent Mode handbook.

NAT/Route is what you want to control VLANs, DMZ, etc.
