AnsweredHot!I can't connect HP vlan to Fortigate

rwpatterson
Re: I can't connect HP vlan to Fortigate 2019/07/11 08:06:02 (permalink)
0
Agreed, if you are not aggregating ports 1 & 2 on the Fortigate, then port 2 being connected will cause issues.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#21
azwanarif
Re: I can't connect HP vlan to Fortigate 2019/07/11 17:20:39 (permalink)
0
@dennisv
 
Current setup is an HA environment whereby HP port 23 = FortiGate (Master) port 1 and HP port 24 = FortiGate (Slave) port 1.
 
@rwpatterson
I have tried only tagged VLAN for trunk ports 23 & 24 and untagged for the remaining based on VLAN assignment, e.g. 1-18 VLAN 10. I plugged in my notebook and set the IP and gateway the same as the VLAN 10 subnet and encountered the same issue: unable to reach the FortiGate unless the port is configured as tagged. Do I need to check anything on the FortiGate, since inter-VLAN policy communication is handled by the zone?
#22
dennisv
Re: I can't connect HP vlan to Fortigate 2019/07/12 02:54:49 (permalink)
0
@azwanarif
You should not put port 23+24 into an HP Trunk.
HP Trunking is only for load balancing multiple connections from one HP switch to one Fortigate.
In Fortigate this is called an aggregated interface.
This is used to increase bandwidth between switches and Fortigates.
Fortigate supports using aggregated LACP on specific models, but yours does not.
 
You are using an HA setup, which splits the connections over two (or more) single fortigates.
This is a redundant interface, not an aggregated interface, huge difference.
In a Fortigate HA setup the units are not stacked, they operate as separate nodes being controlled by the master.
All redundant interfaces within a Fortigate HA setup operate individually and do not require usage of HP trunking.
In all HA setups control information is sent over the HA link between the nodes using FGCP.
If you are using an active-active setup, actual traffic between the nodes can be sent over the HA link(s).
Your setup will actually drop traffic initiated to the second fortigate as initiated traffic always goes to the primary fortigate. In active-passive or vdom clustering mode traffic will be fully processed by the primary unit, in active-active mode the primary might send the request over to the secondary unit to process the traffic.
But there are several caveats in that.
For further details I will refer to the Fortigate 6.0.5 handbook regarding HA:
https://docs.fortinet.com/document/fortigate/6.0.5/handbook/643919/high-availability
 
You did not mention where the other ports are connected to.
Fortigate A port1 is connected to port23 on the HP switch, which is part of the Trk interface.
In your HP switch configuration you now have placed all vlans on this Trk interface.
VLAN1 is untagged, VLAN 10 and VLAN102 are tagged.
Looking from the Fortigate perspective this is good. Keep it like this on the Fortigate side.
Hardware switch "lan" will receive and send traffic untagged and the HP switch places this traffic in VLAN1.
Hardware switch "lan" sub/vlan interface X will receive and send traffic tagged with vlan X and the HP switch places this traffic in vlan X.
You should put the other vlans you have on the HP switch with tagged port 23 and tagged port 24 (remember no Trunk)
Fortigate port 2 should NOT be connected to the same switch or the same network. You can connect this port to an endpoint (client or server), but it should not make a loop in the network.
 
For the HP switch perspective you should remove the Trk interface and put the vlans on both port 23 and port 24.
On port 23 and port 24 vlan1 untagged, the rest tagged.
For your client ports it depends if that traffic is processed untagged or tagged.
If your clients, like iDRAC, are set up to use a vlan then this is tagged.
If your clients, like your laptop without additional configuration, are set up without a vlan this is untagged.
Try this, place a client port on the HP switch (1-18) of vlan 10 in untagged mode, connect your laptop without specifying a vlan and you will get connection to the Fortigate interface in vlan 10.
 
Regarding zones:
If you place multiple interfaces (aka members) into a zone, this can simplify policy rules.
A policy rule can only be created from/to the zone, not the individual members.
For a zone it is possible to allow intra-zone communication with a setting in the zone configuration.
This is the same as making a policy from source interface zone, destination zone, source all, destination all, service all, no nat. Basically an ANY-ANY rule for all members in the zone.
The checkmark you can setup in the zone configuration BLOCKS the intrazone communication.
All traffic between the members will now be denied except for traffic specifically mentioned in a firewall policy.
 
This is how you mentioned your current setup:
" Hp switch is connected directly to Fortigate port 1 (Hardware switch) and using Zone to combine all VLAN with "Block intra-zone traffic" disable to reduce multi policy between Vlan."
 
Yes, this will block all traffic between the members in the zone.
Remember the default behaviour in a fortigate for interfaces that are not in the same zone is block.
For example traffic between the zone and "lan" is blocked by default.
If you would remove all the vlan interfaces from the zone, all will still be blocked by default and you would need to create policies to allow traffic between these interfaces.
This allows for more control on the traffic between the members, but of course increases the amount of policies in the policy view.
Tip, you can change the system>features to allow for a policy from and to multiple interfaces, reducing the amount of policies that do the same.
Note, this will change the interface view to section view only.
You could make a policy from all the vlan interfaces to all the vlan interfaces allowing all without NAT, which does the same thing as the zone with the allow of intra-zone traffic, your choice.
 
TLDR :
Remove HP Trunk
Put vlan1 untagged on port 23 and port 24, other vlans tagged on port 23 and port 24
Don't connect Fortigate port2 to the same network
Check HA setup and behaviour
Check zone setup and behaviour
 
((wow this was a long one, usually I get paid for this ;p , but for you it's completely free ))
 

Consultant @ Exclusive Networks BV
Datacenter Networking and Security
NSE4 6.0
Fortinet, HPe/Aruba, Arista, Juniper and many more
#23
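The tagging behaviour dennisv describes above, as an added Python model that is not part of this thread or of any HP or Fortinet tool. It assumes the port semantics stated in the reply: a frame that arrives untagged lands in the port's untagged VLAN (and is dropped on a port that is a member of tagged VLANs only, which is what the original poster observed), a tagged frame is accepted only if the port is tagged for that VLAN, and on the uplink to FortiGate port1 untagged traffic reaches hardware switch "lan" while traffic tagged X reaches sub-interface "vlanX". The port settings are constructed from the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    """802.1Q membership of one HP switch port: at most one untagged VLAN
    (the port's PVID) plus any number of tagged VLANs. untagged=None models
    a port that is a member of tagged VLANs only (the poster's 'tagged 10')."""
    untagged: Optional[int] = None
    tagged: Set[int] = field(default_factory=set)


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN the switch assigns to a frame arriving on `port`, or None if dropped.
    `tag` is the 802.1Q VID on the wire; None means the frame is untagged."""
    if tag is None:
        return port.untagged            # untagged frames land in the PVID, if the port has one
    return tag if tag in port.tagged else None


def fortigate_interface(uplink: Port, client_port: Port, tag: Optional[int]) -> Optional[str]:
    """Which FortiGate interface behind `uplink` (HP port 23 -> FortiGate port1)
    receives a client's frame. Untagged on the uplink -> hardware switch 'lan';
    tagged with VLAN X -> sub-interface 'vlanX'. None means dropped somewhere."""
    vlan = ingress(client_port, tag)
    if vlan is None:
        return None
    if vlan == uplink.untagged:
        return "lan"
    if vlan in uplink.tagged:
        return f"vlan{vlan}"
    return None                         # uplink is not a member of that VLAN


# HP port 23 as recommended in the reply: VLAN 1 untagged, 10 and 102 tagged, no Trk.
UPLINK_23 = Port(untagged=1, tagged={10, 102})


def thread_scenarios() -> Dict[str, Optional[str]]:
    """The cases discussed in the thread, with constructed client port settings."""
    tagged_only_10 = Port(untagged=None, tagged={10})   # original 'tagged' client port
    untagged_10 = Port(untagged=10)                     # the recommended client port setting
    return {
        # a laptop with no VLAN configured sends untagged frames
        "laptop on tagged-only port": fortigate_interface(UPLINK_23, tagged_only_10, None),
        "laptop on untagged-10 port": fortigate_interface(UPLINK_23, untagged_10, None),
        # an iDRAC configured with VLAN 10 tags its own frames
        "idrac(vlan10) on tagged-only port": fortigate_interface(UPLINK_23, tagged_only_10, 10),
        # a host on a VLAN 1 untagged port ends up on hardware switch 'lan'
        "host on untagged-1 port": fortigate_interface(UPLINK_23, Port(untagged=1), None),
    }
```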
azwanarif
Re: I can't connect HP vlan to Fortigate 2019/07/14 18:07:31 (permalink)
0
[Quoting dennisv's reply #23 above in full]
 
Hi @dennisv
 
Appreciate the advice,
 
I have followed your guide in the above post, except for removing port 24 on the HP switch to the secondary (Slave) FGT; currently I'm only able to do troubleshooting remotely due to the site location requiring travel.
 
Based on the screenshot below, I'm not sure whether because of the iDRAC 9 configuration all ports at the switch are required to be tagged (probably only the HP switch); we already spoke with the server vendor and verified that only IP and gateway without VLAN are configured.
 
We have 4 Dell EMC server units which have been assigned IP 10.101.10.1-4. In my previous post ports 1-18 were tagged with VLAN 10 and only the iDRAC with IP 10.101.10.3 was accessible with trunk enabled. However, once the trunk is removed with all ports 1-18 tagged, all servers are accessible except iDRAC IP 10.101.10.4, which possibly has an issue with its configuration.
 
Attached Image(s)

#24
dennisv
Re: I can't connect HP vlan to Fortigate 2019/07/15 01:29:12 (permalink)
0
Yes this seems like a configuration issue on the iDRAC side.
You mentioned :
"we already spoke with the server vendor and verified that only IP and gateway without vlan is configured."
This implies the traffic from iDRAC to be untagged and HP port 1-18 should be set to untagged vlan 10.
But in a previous post you mentioned that iDRAC was setup with vlan 10 inside iDRAC, which implies HP port 1-18 should be set to tagged vlan 10.
Make sure you contact the server administrator and have them verify (screenshots) the proper iDRAC settings.
 
Anyway, you are on the right path now and it seems the connection between the HP switch and Fortigate is ok.
If you need any additional help with this connection, just reply to this thread and I'll get a notification.

Consultant @ Exclusive Networks BV
Datacenter Networking and Security
NSE4 6.0
Fortinet, HPe/Aruba, Arista, Juniper and many more
#25