
Author
rg2017
Bronze Member
  • Total Posts : 24
  • Scores: 2
  • Joined: 2017/08/02 07:28:21
2021/10/08 10:16:11 (permalink)

Question regarding using our Fortigate for internal segmentation

Hello. I'm working on using our 101E for internal network segmentation. I've set up a LAG port to increase the amount of bandwidth available for segment-to-segment communication. I would like to route Internet access through a separate interface from the LAG port. The reason is that I have a third-party IDS that I want to continue mirroring Internet traffic to, and the LAG port on the Cisco switch we use won't allow setting it up for port mirroring.
 
So I want to route internal traffic through the LAG and Internet traffic through a different port on the Fortigate.
 
When I add an IP address to the LAG port that is on our main subnet, the Fortigate automatically starts routing all traffic for that subnet to the LAG port. This takes things down as far as Internet access. The LAG port needs to be reachable by internal workstations, so it needs an IP that is reachable by the subnet.
 
Does someone have recommendations on how to set this up?
 
Thanks
#1
lobstercreed
Expert Member
  • Total Posts : 478
  • Scores: 61
  • Joined: 2018/11/28 14:57:58
  • Location: Sedalia, MO
Re: Question regarding using our Fortigate for internal segmentation 2021/10/08 13:14:03 (permalink) (marked helpful by rg2017, 2021/10/13 05:18:42)
It might help to draw out the topology you're after.  No duplicate IP addresses should exist for things to work properly (this is a router after all).
 
We use our FortiGate extensively as an internal segmentation firewall as well as for Internet traffic with no issues. I've got 2 LAGs to my core (one to carry a bunch of VLANs that connect directly to the firewall, where the L3 gateway is the FGT, and another for core-routed traffic, i.e. traffic whose GWs exist on the core). Then I've got my two Internet connections heading to my ISPs (where I presume you are using your 3rd party IDS).
#2
emnoc
Expert Member
  • Total Posts : 6225
  • Scores: 435
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
Re: Question regarding using our Fortigate for internal segmentation 2021/10/09 05:55:38 (permalink)
If you have a WAN interface on the FGT, why not have the IDS/IPS inspect at that point, to catch only "internet"-facing traffic? If the WAN port(s) are plumbed into the Cisco switch, just SPAN those to your port-mirror. The LAG you keep mentioning is not relevant.
 
e.g 
# assume VLAN 50 is where your ISP links terminate on the Cisco and the IDS tool port is gi0/10
 
  monitor session 10 source vlan 50
  monitor session 10 destination interface gi0/10
 
You can also apply a filter with a layer 3 access list if you are looking at specific traffic 
 
  # flow-based SPAN (FSPAN); ACL filtering on a SPAN session depends on the switch platform
  monitor session 10 filter ip access-group internet_traffic_tool_port
 
If you need to run IDS on internal traffic, get a 2nd tool port on the IDS or a 2nd IDS and create a session just for that traffic and the VLANs related to your internal LANs.
 
 
YMMV
 
Ken Felix
 
 
 

PCNSE 
NSE 
StrongSwan  
#3
rwpatterson
Expert Member
  • Total Posts : 8551
  • Scores: 207
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
Re: Question regarding using our Fortigate for internal segmentation 2021/10/09 13:50:07 (permalink) (marked helpful by rg2017, 2021/10/13 05:18:52)
rg2017 wrote: When I add an IP address to the LAG port that is on our main subnet, ...

Why? If you add that IP address to the VLAN, issue resolved. No IP addresses should have to reside on the LAG since it is a trunk.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
-5.6.13-b1714: FWF80CM
-5.2.13-b0762: FWF81CM, FWF80CM
-5.0.14-b0323: FWF81CM, FWF80CM(3)
-4.3.19-b0694: FWF81CM
#4
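As an added illustration of the layout lobstercreed and rwpatterson describe (the aggregate carries only tagged VLANs and has no address of its own, each VLAN subinterface holds the gateway IP, and a separate physical port faces the ISP), here is a FortiOS CLI sketch. It is not configuration from the original posts or from Fortinet; port names, VLAN IDs, addresses, policy names and the services allowed are all assumptions, and the `#` lines are annotations rather than CLI input.

```text
# --- FortiGate: LAG with no IP, gateways on VLAN subinterfaces, WAN on its own port ---
config system interface
    edit "lag-core"
        set vdom "root"
        set type aggregate
        set member "port5" "port6"        # assumed member ports of the LAG
        set lacp-mode active
        # no "set ip" here: the aggregate is a trunk and only carries tagged VLANs
    next
    edit "vlan10-users"
        set vdom "root"
        set interface "lag-core"
        set vlanid 10                     # assumed user VLAN
        set ip 10.10.0.1 255.255.255.0    # FGT is the L3 gateway for this segment
        set allowaccess ping
        set role lan
    next
    edit "vlan20-servers"
        set vdom "root"
        set interface "lag-core"
        set vlanid 20                     # assumed server VLAN
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.252   # assumed ISP-facing address
        set role wan
    next
end

# default route leaves via the dedicated WAN port, not via the LAG
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# segment-to-segment and segment-to-Internet traffic each get an explicit, logged policy
config firewall policy
    edit 1
        set name "users-to-servers"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"         # least privilege: only the services the segment needs
        set logtraffic all
    next
    edit 2
        set name "users-to-internet"
        set srcintf "vlan10-users"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

On the Cisco side the matching port-channel is a trunk that carries VLANs 10 and 20, while the link to `wan1` sits outside the LAG, so the switch can still mirror it to the IDS port the way emnoc describes. Because the LAG itself has no address in the main subnet, the FortiGate no longer installs a connected route for that subnet over the LAG, which is the behaviour rg2017 ran into; with no implicit `any` policy between the VLAN subinterfaces, inter-segment traffic only flows where a policy allows it.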
rg2017
Bronze Member
  • Total Posts : 24
  • Scores: 2
  • Joined: 2017/08/02 07:28:21
Re: Question regarding using our Fortigate for internal segmentation 2021/10/13 05:16:52 (permalink)
emnoc wrote:
If you have a WAN interface on the FGT, why not have the IDS/IPS inspect at that point, to catch only "internet"-facing traffic? If the WAN port(s) are plumbed into the Cisco switch, just SPAN those to your port-mirror. The LAG you keep mentioning is not relevant.
 
e.g 
# assume VLAN 50 is where your ISP links terminate on the Cisco and the IDS tool port is gi0/10
 
  monitor session 10 source vlan 50
  monitor session 10 destination interface gi0/10
 
You can also apply a filter with a layer 3 access list if you are looking at specific traffic 
 
  monitor session 10 filter ip access-group internet_traffic_tool_port
 
If you need to run IDS on internal traffic, get a 2nd tool port on the IDS or a 2nd IDS and create a session just for that traffic and the VLANs related to your internal LANs.
 
YMMV
 
Ken Felix
 


I don't understand.


#5