Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MrAitch
New Contributor

Fortinet and additional router

Hello,

About 18 months ago we upgraded the school network. I insisted that we had Fortinet in to run our web filtering and firewall, but our IT guy (long gone) had to have a Mikrotik router to manage the network and wireless AP. I don't know why, but it was a must-have. I agreed as long as it worked with the Fortinet and I didn't have to worry about it. Having used Fortinet before, I know that it just works well, particularly in school environments.

Roll on 12 months: IT guy has exited stage left (can't even begin to list the chaos that was uncovered), new IT guy comes in, and lots of things unravel, the main one being that the Fortinet 200E was never set up. It has just sat there unused for a year or more.

The suppliers have been in trying to make it play nice with the Mikrotik router, but so far they have failed, my blood pressure has risen and that is about it.

My understanding at the moment is that we have several VLANs set up in school: students, teachers, admin staff, wifi. The Mikrotik runs all this, including the wifi AP.

The supplier and my IT guy cannot get the FortiGate and the Mikrotik to play nicely together.

My first question: is it possible to have the Mikrotik running all the network login details etc. and the FortiGate just managing the filtering/firewall side of things? That is all I really care about.

If it is possible, any suggestions as to how it should be set up? So far everything they have done has blocked traffic on the network.

At one point it looked hopeful, as they said it was communicating out the way, but nothing at all was coming back in.

I am not living in the most proactive part of the world when it comes to problem solving; often the solution is "it can't be done" rather than losing face and saying "we don't know".

Any thoughts would be appreciated so that I can go armed to the next shrugging-shoulders meeting later this week.

lobstercreed
Valued Contributor

Hey David,

I share your frustration with that attitude towards problem-solving, but there may not be a lot I can tell you without more of an idea of the logical topology (public IP addresses available, etc. -- you mentioned traffic not coming in), or even more importantly how they aren't "playing nice" together. I have no experience with Mikrotik but can't imagine anything not being possible with a FortiGate.

I would also recommend eliminating the Mikrotik and bringing the VLANs up to the FortiGate, either as a goal in and of itself or at least as a test scenario to see why things "aren't playing nice" and which device is really at fault.

Other than a routing error (again, not sure what your public IP space is like), I can't see any reason you wouldn't be able to put it in line and start with a basic any/any on all services in both directions and start tightening it up from there.

- Daniel

MrAitch

Thanks for the response,

We have one fixed IP address on a leased line (100M) and a 1 Gigabit line with a non-fixed IP.

The Mikrotik is currently load balancing using these two lines.

LigoWave APs throughout the school - 26 or so in total.

Topography-wise, what would need to be known? Physically, we installed a fiber optic backbone through the site, with three nodes off it; it's meant to be a star network.

1x Cisco SG250X-24 24-Port Gigabit Smart Switch with 10G Uplinks
9x Cisco SG220-26-K9-EU Gigabit Smart Switch 10/100/1000
26x LigoWave NFT 3AC-TH Access Point AC1750 Dual-Band 3x3 MIMO

I have a map somewhere, but it has IP and MAC details on it so would need blurring out.

VLAN below

Thanks in advance if this gives you any further insight.

The suggestion a couple of weeks ago was to create a website black list; I had to check my watch to make sure I hadn't gone back in time to 1995.


lobstercreed

I still think your best bet is to plan a migration away from the Mikrotik.  The FortiGate's SD-WAN capabilities can fully handle the load balancing you mentioned, but with only the one IP address for each Internet connection it sounds like you'd have to change a lot of IP addressing/routing on the Mikrotik or do transparent mode on the FortiGate -- unless you eliminate the Mikrotik.  I don't have any experience with transparent mode, but I'm sure there's others on here that might.

If you do the migration, you'll also gain extra visibility into your network (MAC addresses) and be able to log all inter-VLAN routing even if you don't "firewall" any of it.  Maybe the Mikrotik is already doing this for you, but it sounds like it's clearly not doing everything you want, so...

MrAitch

I think one issue we may have is that we have a 200E but have more than 200 users. I shall speak with my IT guy tomorrow and see how they are progressing. Mikrotik is managing the network and WiFi fine, just not filtering or monitoring sites. The cost of the Mikrotik would have probably allowed me to have upgraded to a 300 FortiGate. Must not think about it too much or I just get cross.

rwpatterson
Valued Contributor III

I would:

1) Create a transit network between the Mikrotik and the FortiGate, and place the FortiGate on the outside edge.
2) Create an all-all policy allowing all traffic through the FortiGate. That will get it into the fold.
3) Create another trunk between the FortiGate and the switch inside the Mikrotik.
4) Duplicate the policies from the Mikrotik onto the FortiGate one VLAN at a time.
5) When you think you're good, swap the default gateway IP between the two, making the FGT the default.
6) Monitor, correct and when happy move onto the next VLAN.

If you don't have that many policies, that part shouldn't take long. Getting the filtering correct will bring along some headaches, but once done, you'll be happy.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
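Bob's steps 1 to 5 as a FortiOS CLI sketch, added here as an illustration (this is not from the thread or from Bob's scripts): the first policy is the logged any/any from step 2 that gets the box into the path, the second is the per-VLAN policy with the web-filter profile that replaces it once that VLAN's gateway has moved to the FortiGate. It assumes port1 is already the WAN interface with its default route, port2 is the transit link to the Mikrotik, port3 is the 802.1Q trunk to the Cisco switch, the inside VLANs live in 10.10.0.0/16 (constructed addresses), and FortiOS 6.x/7.x syntax.

```fortios
# Assumed names/addresses (not from the thread): port1 = WAN with default route already set, port2 = transit to the Mikrotik, port3 = trunk
config system interface
    edit "port2"
        set ip 10.255.0.1 255.255.255.252
    next
    edit "vlan10-students"
        set vdom "root"
        set interface "port3"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
    next
end
config router static
    # step 1: return route for VLANs still behind the Mikrotik; the connected /24 above is more specific, so it wins once a VLAN moves (step 5)
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set gateway 10.255.0.2
        set device "port2"
    next
end
config firewall policy
    # step 2: deliberately broad, but logged, so the traffic is visible before it is tightened
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    # steps 4-6: the per-VLAN policy that replaces it, with web filtering attached
    edit 2
        set name "vlan10-students-filtered"
        set srcintf "vlan10-students"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end
```

The transit policy only exists for the cut-over; its logs show what each VLAN actually sends, which is what the tighter per-VLAN policies get written from, and it should be removed once the last VLAN has moved.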
