Skip to main content
Qwireca
Qwireca
New Member
November 6, 2023
Solved

ACL between ports on FortiManager 7.2.4

  • November 6, 2023
  • 3 replies
  • 2232 views

I have a setup with one FortiManager that today manages internal firewalls. It has an interface connected to a mgmt network where most of our internal networking equipment are connected to.

 

We want to use this FortiManager to also manage other Fortigates from different customers.  
My initial plan is to create a private VLAN and let a new interface on the FortiManager be behind a promiscious port,.It's only used for adding the units to the Fortimanager. 

 

My consern is that the FortiManager becomes a bridge between our internal mgmt network and customers mgmt network. Example someone makes a static route on the customer Firewall that points to our internal mgmt network with the FortiManager as next hop. 

I have not yet found any way to have an ACL directly on the FortiManager and would in this case be only dependent on the customer Fortigate ACL.

 

Another solution would be to route the traffic towards the FortiManager through a firewall, but I want to keep customer mgmt traffic outside of our internal mgmt network as much as possible. 

Best answer by asrour

Hello @Qwireca 

The Fortimanager will not act as a bridge and will not route the traffic between connected FGTs

each FMG <> FGT connection will be on a separate FGFM tunnel between the Fortigate and the Fortimanager

3 replies

Stephen_G
Moderator
Stephen_G
Moderator
November 8, 2023

Hello Qwireca,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen_G - Fortinet Community Team
Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
November 8, 2023

Although I didn't set up our FMG that way (everything is coming over the internet port), in your case, I would separate the customer FGT's connections on a different port, say port2, while your FGT is connected through port1. I don't think ACL is available on FMGs, so I would put a switch inbetween and set up ACLs there.
Or, if you don't have a switch that supports ACL and that has at least two ports available, I would sacrifice your own FGT's two ports for that purpose and control the FGFM traffic by a set of policies.
Just an idea without having any concrete design.

 

Toshi

Qwireca
QwirecaAuthor
New Member
November 13, 2023

Thanks for the idea. 

We ended up routing in the customer Fortigate LAN interface into our network management network. 

It was considered safe enough as it's going through two firewalls and the FortiManager do have trusted IP:s set.  

asrour
Staff
asrourAnswer
Staff
November 8, 2023

Hello @Qwireca 

The Fortimanager will not act as a bridge and will not route the traffic between connected FGTs

each FMG <> FGT connection will be on a separate FGFM tunnel between the Fortigate and the Fortimanager

    Qwireca
    QwirecaAuthor
    New Member
    November 13, 2023

    Thank you for checking up on my conserns. 

    Terms & ConditionsAccessibility statement