[Question]Best way to setup Fortigate between Cisco Switch & Cisco Router.

Author
TheLordOfTheShells
New Member
2018/12/31 17:36:05 (permalink)
0

[Question]Best way to setup Fortigate between Cisco Switch & Cisco Router.

Dear All,
I just bought a new Fortigate firewall and want to integrate it with our old system, which is already running. I'm quite new to Fortigate, so I hope you guys will help with the best way to set it up. For a brief overview:
1) Cisco 4321 router connected to the ISP.
2) Cisco 3850 switch has several VLANs, and inter-VLAN routing also runs on it.
3) The 3850 switch's default route points to the Cisco 4321 router.
So now the question is: if we need to install the Fortigate as a firewall between the Cisco router and the core switch, how can we simplify the config in the best way? We can change the topology and IPs to meet the best configuration, so don't worry much about the current topology.
 

Attached Image(s)

#1
rohitchoudhary1978@gmail.com
New Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2018/12/31 21:48:56 (permalink)
0
Hi,
 
Connect the Cisco 4321 [the WAN router] to the Fortigate WAN port, and from the FGT LAN port connect the Cisco switch using a trunk port (switchport mode trunk). Configure the Fortigate LAN port with VLAN sub-interfaces and the gateway IPs: create an interface on that port, select VLAN as the type, enter the VLAN ID and the necessary gateway IP address. Create the necessary policies for LAN usage and the firewall is ready to work.
 
Thanks
Rohit
#2
zhunissov4
Gold Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/01 10:26:57 (permalink)
5 (1)
Hello, 
 
In addition to the previous reply: there won't be any problem with the router-to-FortiGate connection (just connect them to each other, specify IP addresses and configure a default route on the FortiGate). However, if you have many VLANs, I think it will be better to configure LACP between the FortiGate and the Cisco switch.
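Replies #1 and #2 together describe the design below: the FortiGate is the default gateway for every VLAN, reached from the 3850 over an LACP trunk, with the Cisco 4321 in front of it doing the NAT towards the ISP. This is an added example written for this page, not configuration posted by anyone in the thread. Port names (port2/port3 towards the switch, wan1 towards the router), VLAN IDs 10 and 20, the 10.10.x.0/24 VLAN subnets and the 192.0.2.0/30 router link are all assumed; lines beginning with ! or # are annotations, not commands.

```text
! --- Cisco 3850 (IOS-XE): LACP bundle, trunked to the FortiGate ---
! With the VLAN gateways on the FortiGate, the 3850 is layer 2 only here.
interface range GigabitEthernet1/0/1 - 2
 description Uplink to FortiGate
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- Cisco 4321: the FortiGate is the only next hop for the internal subnets ---
interface GigabitEthernet0/0/1
 description Link to FortiGate wan1
 ip address 192.0.2.1 255.255.255.252
 ip nat inside
!
ip route 10.10.0.0 255.255.0.0 192.0.2.2
!
# --- FortiGate (FortiOS CLI) ---
# Aggregate interface matching the 3850 port-channel
config system interface
    edit "lacp1"
        set vdom "root"
        set type aggregate
        set member "port2" "port3"
        set lacp-mode active
    next
    # One VLAN sub-interface per VLAN; its IP is that VLAN's default gateway
    edit "vlan10"
        set vdom "root"
        set interface "lacp1"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "vlan20"
        set vdom "root"
        set interface "lacp1"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "wan1"
        set ip 192.0.2.2 255.255.255.252
        set role wan
    next
end
# Default route towards the Cisco 4321
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "wan1"
    next
end
# Outbound policy. NAT stays disabled on the FortiGate because the 4321
# already translates to the ISP address (it is the 'ip nat inside' device).
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "vlan10" "vlan20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat disable
        set logtraffic all
    next
    # Inter-VLAN traffic also crosses the firewall in this design, so it can be policed
    edit 2
        set name "VLAN20-to-VLAN10"
        set srcintf "vlan20"
        set dstintf "vlan10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Because every VLAN's gateway lives on the FortiGate, traffic between VLANs has to match a policy like the second one above, which is what makes the firewall worth having between the segments; with the gateways on the 3850 instead, inter-VLAN traffic never reaches it.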
 
 
#3
TheLordOfTheShells
New Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/03 00:53:19 (permalink)
0
Thank you for all the advice.
After some research, some comments told me that VLANs should not be configured on the Fortigate, but on the layer 3 switch instead. After all, I have configured all VLANs on the layer 3 switch, with its default route pointing to the firewall, and configured static routes between the firewall and the router. It works fine now, but I wonder if there is any bad result here?
I really appreciate all your support.
post edited by TheLordOfTheShells - 2019/01/03 00:54:57

Attached Image(s)

#4
TheLordOfTheShells
New Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/04 01:35:33 (permalink)
0
Hi guys.
So now I have some problems with port forwarding. I have a server on VLAN 10 that needs to be public on the internet. After some configuration it has not succeeded at all; here are the steps that I have made:
1. Static NAT for the server on the router: ip nat inside source static tcp 10.10.10.100 80 interface Dialer 1 8080
2. Allow traffic from outside to the server on the Fortigate.
The port status is open (using ping.eu to check the port status), but I cannot access the server from the internet.
Do you guys have any idea about that problem?
Thanks
 
post edited by TheLordOfTheShells - 2019/01/04 01:43:37

Attached Image(s)

#5
Dickie
New Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/04 01:56:29 (permalink)
0
Do you need to keep the Cisco 4321? It would be a far simpler setup to connect the 200E to the ISP.
#6
TheLordOfTheShells
New Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/04 02:08:54 (permalink)
0
Hi Dickie
Thanks for your response.
Because of company policies I cannot remove the Cisco 4321 now. I think I have some misconfiguration on the Fortigate, but do not know exactly what it is =/.
#7
Dickie
New Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/04 02:20:42 (permalink)
0
OK, that is a shame. You should not have the firewall doing NAT in that case - check that; you will need a policy from WAN to LAN allowing traffic to your server, and all the routing in place.
#8
TheLordOfTheShells
New Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/04 03:28:46 (permalink)
0
Dickie
OK, that is a shame. You should not have the firewall doing NAT in that case - check that; you will need a policy from WAN to LAN allowing traffic to your server, and all the routing in place.


Yes, like you said, I'm not doing NAT on the firewall side, just allowing traffic from the router to the server through the firewall, but it feels like there is something wrong on the firewall.
On the firewall I do not have much configured now: just a static route, and policies allowing traffic from LAN to router and from router to LAN.
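Dickie's advice in #7 (no NAT on the firewall, a WAN-to-LAN policy for the server, routing in place) looks like this on the layout from #3, where the VLAN gateways sit on the 3850 and the FortiGate routes between the 4321 and the switch. This is an added example, not the poster's configuration: the transit link 10.0.0.0/30 (switch 10.0.0.2, FortiGate port2 10.0.0.1), wan1 at 192.0.2.2 facing the router at 192.0.2.1, and the summary 10.10.0.0/16 for the VLANs are assumed; the server 10.10.10.100 and the router's static NAT line are from post #4. Lines beginning with ! or # are annotations, not commands.

```text
! --- Cisco 4321: public :8080 maps to the server's :80 (post #4), so the
! --- FortiGate sees packets for 10.10.10.100:80 arriving on wan1
ip nat inside source static tcp 10.10.10.100 80 interface Dialer 1 8080
ip route 10.10.0.0 255.255.0.0 192.0.2.2
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.252
 ip nat inside
!
! --- Cisco 3850: VLAN gateways stay here, default route to the FortiGate ---
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
# --- FortiGate (FortiOS CLI) ---
config system interface
    edit "port2"
        set ip 10.0.0.1 255.255.255.252
        set allowaccess ping
        set role lan
    next
    edit "wan1"
        set ip 192.0.2.2 255.255.255.252
        set role wan
    next
end
config firewall address
    edit "srv-web-10.10.10.100"
        set subnet 10.10.10.100 255.255.255.255
    next
end
# Default route out wan1; the VLAN subnets are reached through the switch
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "wan1"
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set gateway 10.0.0.2
        set device "port2"
    next
end
# Inbound policy: only the translated port, only that host, NAT disabled so
# the server logs real client addresses and the 4321 holds the only mapping.
config firewall policy
    edit 10
        set name "Internet-to-WebServer"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "srv-web-10.10.10.100"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
        set logtraffic all
    next
end

# --- Verifying from the FortiGate CLI while a client connects from outside ---
# 1. Does the SYN arrive on wan1 and leave on port2? (verbosity 4 prints interface names)
diagnose sniffer packet any 'host 10.10.10.100 and tcp port 80' 4 0 l
# 2. Which policy matched, or why the packet was dropped
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter port 80
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the connection, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

Reading the output: a SYN seen on wan1 but never on port2 points at the policy or the route (the flow trace says which); a SYN that leaves port2 with no SYN-ACK coming back points at the switch's default route or the server's own gateway rather than the FortiGate. Keep in mind that in this layout traffic between VLANs is routed by the 3850 and never reaches the firewall, which is the point rwpatterson raises in #9.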
#9
rwpatterson
Expert Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/04 05:49:14 (permalink)
0
If you don't have the VLANs trunked between the switch and the Fortigate, how will the Fortigate police traffic? Is it in transparent mode?

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#10
TheLordOfTheShells
New Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/04 06:59:11 (permalink)
0
rwpatterson
If you don't have the VLANs trunked between the switch and the Fortigate, how will the Fortigate police traffic? Is it in transparent mode?


Hi rwpatterson
The Fortigate firewall acts like a router; on it I run static routes, see the picture attached below.
I cannot find anything wrong here with the static routes.
Regards
 

Attached Image(s)

#11
rwpatterson
Expert Member
Re: [Question]Best way to setup Fortigate between Cisco Switch & Cisco Router. 2019/01/04 09:02:19 (permalink)
0
Because management wants to leave the Cisco router in place, your job is going to be compounded. All traffic that needs to see your LAN will first have to be passed through the Cisco to the Fortigate, then the Fortigate will have to have policies in place as well. This is silly. The only thing the Cisco is adding is a layer of complexity (and possibly vulnerabilities if not patched as well). Every time you need to add a virtual IP for a server, you are going to have to place it on the Cisco, then map it to an IP on the Fortigate. Waste of time and resources. If you get paid by the hour, have a party. I'm salaried and have better ways to spend my work day.

 
#12