- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Internal routing
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Internal routing
100D's in HA:
The internal network is set for 10.4.1.x/24
We also have other internal networks from 10.1.1.x to 10.8.1.x that can all talk to our primary 10.4.1.x subnet
Our other networks are each on their own VLAN which is all handled by our core switch.
Currently, our Aruba 5406 does all the routing from the other subnets.
ip default-gateway 10.4.1.9 (FortiGate) ip route 0.0.0.0 0.0.0.0 10.4.1.9
In order for the firewall to be able to communicate to the other local subnet for AP discovery with FortiManager:
[ol]We just received two new 600E's that we'll be upgrading to soon as well.
TIA
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't speak to the problem you're trying to solve (I use no FortiAP) but I can tell you that changing the subnet on the internal interface will absolutely not work. The FortiGate will suddenly think all the devices in that range are directly connected and stop routing to the Aruba 5406 to get to them - instead it will ARP fruitlessly.
Instead I would recommend bring those VLANs up to the firewall and letting the FortiGate do all the inter-VLAN routing. You'll gain visibility from the FortiGate and be able to put in better security controls. Make sure you use zones to make your life easier. :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all you are trying to achieve is register APs to Fortigate over Layer 3 device, you can specify in APs config IP address of the Fortigate explicitly and it will register over the Aruba just as well:
Say Fortigate has IP of 10.4.1.254, on AP CLI set:
cfg -a AC_IPADDR_1=10.4.1.254
cfg -c
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't speak to the problem you're trying to solve (I use no FortiAP) but I can tell you that changing the subnet on the internal interface will absolutely not work. The FortiGate will suddenly think all the devices in that range are directly connected and stop routing to the Aruba 5406 to get to them - instead it will ARP fruitlessly.
Instead I would recommend bring those VLANs up to the firewall and letting the FortiGate do all the inter-VLAN routing. You'll gain visibility from the FortiGate and be able to put in better security controls. Make sure you use zones to make your life easier. :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all you are trying to achieve is register APs to Fortigate over Layer 3 device, you can specify in APs config IP address of the Fortigate explicitly and it will register over the Aruba just as well:
Say Fortigate has IP of 10.4.1.254, on AP CLI set:
cfg -a AC_IPADDR_1=10.4.1.254
cfg -c
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I thought I've read or heard that it was better to do your routing on the core switch instead of the firewall?
I'm thinking this was due to resource limits on the firewall.
I don't think this will be an issue once we replace our 100D's with the 600E's that we just got in through.
Currently, we have about 200-300 users locally and another 200-300 at remote sites. (Most of the remote sites have private fiber connection back to our network and the firewall handles routing for those)
Thoughts?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In general routers are better at routing than firewalls, of course, but it all depends on the goals. If backbone/core router does routing between branches/network segments then firewall becomes pure perimeter firewall, guarding Internet access for those segments but doing nothing to protect each one of them from another.
600E is a beast, nothing to compare with 100D but a lot depends on how you are gonna use it - services he is going to run vs traffic volume passing through it. Give each branch fiber of 100/100, enable URL filtering with SSL inspection, proxy mode, identity based rules, VPNs etc. and even 600e may strain. Look at the existing patterns and extrapolate to the new 600E capabilities. If 600E is gonna do the same load 100D does today + routing, then it will eat it without sweating.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently, the firewall handles all the routing for the remote offices, and we're not doing any interoffice security/filtering currently. It would probably kill the 100D's.
I do like the ability to add additional security/visibility for the remote sites, but we also just purchased a FortiAnalyzer and will send all logs from the remote sites to the Analyzers.
Most of our remote sites are 50/50 with some being 100/100
on avg we use between 50-100Mb of our 1gb Internet pipe.
We have about 15 SSL VPN users, and 13 active IPSec tunnels with a bunch of 4g failover tunnels.
We'll probably start off on the 600's without filtering the remote offices and focus on the internet filtering first, and then enable filtering for interoffice comms.
Also, setting the AC_IPADDR manually fixed being able to manage the FortiAP from the FortiGate.
thank you.
Related Posts
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 21 Views
- BGP modify the mask of a... 32 Views
- Automatically Ban Malicious Inbound IPs using... 62 Views
- Cisco Trunk port to Fortiswitch 157 Views
- Routing Issue on FortiGate 7.2.8 176 Views
Labels
-
FortiGate
6,453 -
FortiClient
1,289 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
67 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.