ihaveabike
New Contributor

Fortigate as a core router

Hi There,

 

I'm wondering if anyone is using their FortiGate as a core router to manage inter-VLAN traffic. We're looking to build a simple network with basic server, client, and management VLANs. We could do routing on a layer 3 switch, but we have an 81E at the gateway and were wondering if that could also handle internal traffic. We really want to get some visibility into the inter-VLAN traffic for security. Basically we'd want to set up firewall rules to just allow the required ports between the client and server networks, and we'd also want everything logged and aggregated into our FortiAnalyzer. We'd also still want the device handling our WAN gateway traffic, which has all the scanning bells and whistles on those policies. It's not a huge network: about 150 users, about 100 devices, 1 site-to-site VPN connected to another FortiGate for a small office of about 20 users.

 

Any experts out there that can advise if this is a doable setup, and does anyone have the same setup? Would we be asking too much of the current FG in this scenario, and would a more powerful box do the trick? If so, any thoughts on how to appropriately choose an adequately powerful device? Is there a better way of handling this using our layer 3 switch and the FG, to at least still get the FG to be able to log traffic between our internal VLANs without impacting speeds? Any insight is appreciated.
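As an added illustration (not part of the original post, and not a Fortinet reference configuration), here is a FortiOS CLI sketch of the setup described above: the FortiGate owns the gateway address of each VLAN, a policy allows only the required services from the client VLAN to a named server, every accepted session is logged, the implicit deny is logged as well, and logs are shipped to FortiAnalyzer. The interface name "internal1", the VLAN IDs, the addresses, the server object and the FortiAnalyzer IP are all assumed placeholders.

```fortios
# Added example (not from the original thread): FortiOS CLI for routing and
# filtering two VLANs on a FortiGate. All names, VLAN IDs, addresses and the
# FortiAnalyzer IP below are assumed placeholders.

# VLAN sub-interfaces on the trunk port facing the switch. The FortiGate is the
# default gateway for both VLANs, so every inter-VLAN packet crosses a policy.
config system interface
    edit "vlan10-client"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "internal1"
        set vlanid 10
    next
    edit "vlan20-server"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set interface "internal1"
        set vlanid 20
    next
end

# Address object for one server, so the policy is not "all to all".
config firewall address
    edit "srv-file01"
        set subnet 10.10.20.10 255.255.255.255
    next
end

# Client -> server: only the required services, every session logged.
config firewall policy
    edit 10
        set name "client-to-server-required"
        set srcintf "vlan10-client"
        set dstintf "vlan20-server"
        set srcaddr "all"
        set dstaddr "srv-file01"
        set action accept
        set schedule "always"
        set service "SMB" "HTTPS" "DNS"
        set logtraffic all
    next
end

# Anything not matched above hits the implicit deny; log that too so the
# "everything logged" requirement also covers blocked traffic.
config log setting
    set fwpolicy-implicit-log enable
end

# Ship logs to FortiAnalyzer in real time.
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"
    set upload-option realtime
end
```

Two things to check on the switch side for this to work: the VLANs must be carried as a tagged trunk to the FortiGate port, and the switch must not have its own routed interfaces (SVIs) in those VLANs, otherwise hosts can be pointed at the switch as gateway and the traffic never reaches the FortiGate policy. Logging every accepted session plus the implicit deny is what gives the FortiAnalyzer visibility asked for, but it is also the main driver of log volume, so the FortiAnalyzer storage should be sized with that in mind.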

5 REPLIES
aagrafi
Contributor II

We have several deployments with FGs doing such things at even larger scale than yours. This is a fully supported configuration, but make sure to size the FortiGate properly.

emnoc
Esteemed Contributor III

Do you need security between VLANs? An L3+firewall is higher cost than a layer 3 switch or router. Price per port and bps is higher on an NGFW imho

PCNSE NSE StrongSwan
ihaveabike

Sizing is a question of mine aagrafi, do you have any guidance on how to properly size a FG for this purpose by chance? 

 

emnoc - I think these days that traffic between client and server VLANs should be separated and at least monitored and limited to the ports/services required (at least in smaller environments where this is feasible). So I guess I do think we should have some security between these VLANs. But I may be crazy for thinking this way and I'm open to being told different. We could probably do at least this much on a good layer 3 switch, but we are used to analyzing the FortiGate's traffic info from a security perspective between LAN and WAN, so we're thinking it would be good to consolidate inter-VLAN security and gateway security on the same box. I agree that doing this on the FG will be more expensive, but this is also part of why I'm querying the forum for sizing a FG for this purpose. Maybe doing this will be cost prohibitive compared to an L3 switch, but maybe the extra costs will be worth it.

 

I'm certainly open to more discussion on this from anyone willing to jump in 

 

emnoc
Esteemed Contributor III

Security is always good and inspection is also great. Since this is a core ENV, do you need HA? Again, cost will become an issue.

 

  • Next, what type of interfaces, and how many? (1 or 10 gig, LACP, etc.)
  • LACP? Etherchannel bonding?
  • What type of UTM features (AV? TLS inspection? proxy?)
  • So again, as you enable these services, your throughput will be greatly impacted and will require even bigger hardware, or possibly VM-based firewalls

So to size this all up, you need to have answers to the above at minimum, before anybody could even remotely give you numbers.

Define your requirement and business use case 1st, and then get the numbers ;)

PCNSE NSE StrongSwan
aagrafi
Contributor II

You have to answer this question first, before answering the sizing question: what is the anticipated aggregate inter-VLAN traffic, and what inspection do you need to apply (antivirus, IPS, etc.)? Your customer should probably be able to give you some figures here, based on the current traffic. But simply put, the number of users alone cannot give you the size of the firewall. In many networks, a few users may produce much more traffic than hundreds of users do in other networks.
