ben
New Member
April 20, 2015
Question

Combine PoE and internal interfaces on Fortigate60D POE

I am new to Fortigate firewall management.

There is a lot to like about the 60DPoE, but one thing I don't like is joining the 2 PoE interfaces to the internal switch.

What's the best way to combine the 2 PoE ports (InternalA, InternalB) and Internal (5 port switch)?

I bought the 60D PoE because it had not only a configurable firewall but 2 PoE ports which would allow me to remove a Linksys PoE switch needed for 2 IP cameras.

The NVR is of course on the 5 port internal switch interface but the 2 PoE ports are required to be on different subnets.

The system works fine as long as I continue to run the IP cameras on a separate PoE switch using the internal 5 ports (all on the same subnet), but I need to get the 2 internalA internalB PoE ports mapped into the same subnet as the NVR. It seems like Fortinet would have an easy way to merge these interfaces. The 60D is basically configured to the factory default settings.

Ben

    Dave_Hall
    New Member
    April 21, 2015

    Not familiar with the 60D POE, but I assume you could still create a soft switch. Just make sure there are no references to the ports you want to create the soft switch from. If the fgt has a clean/factory install (e.g. exec factoryreset from CLI) you only need to delete the firewall policy for internal to "WAN" and disable the DHCP on the internal. Then you should be able to create the soft switch from that point.

    Alternately, if a soft switch is not doable, you may need to resort to setting up one or two VIPs then create a firewall policy (or two) between the internal and POE ports with NAT enabled. [strike](Kinda ugly imho.)[/strike]

    Edit: Actually just creating two firewall policies between internal and the two PoE ports with NAT enabled would also work.

    ben (Author)
    New Member
    April 21, 2015

    Reading the Fortinet VIP documentation it sounds like they discourage VIP use in this way:

    http://docs-legacy.fortin...lp/objects.067.08.html

    ----------------------------------------

      Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between 2 internal Interfaces made up of Private IP addresses is possible but there is rarely a reason to do so as the 2 networks can just use the IP addresses of the networks.

    Dave_Hall
    New Member
    April 21, 2015

    ben wrote:

    Reading the Fortinet VIP documentation it sounds like they discourage VIP use in this way:

    http://docs-legacy.fortin...lp/objects.067.08.html

    ----------------------------------------

      Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between 2 internal Interfaces made up of Private IP addresses is possible but there is rarely a reason to do so as the 2 networks can just use the IP addresses of the networks.

    Which is why I edited my post to just using "natted" firewall policies if you can't use a soft switch.

    dwdino
    New Member
    January 18, 2017

    Still looking for a solution to this. Any updates?

    Toshi_Esumi
    SuperUser
    December 11, 2017

    I checked with the latest 5.4.7. They can be configured only in a software switch. "sw0" doesn't seem to control those A and B PoE ports.
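    The software-switch approach Dave_Hall suggests and Toshi_Esumi confirms, written out as FortiOS CLI. This is an added example, not from any poster or from Fortinet's docs; the switch name "lan", the 192.168.1.0/24 subnet, and the policy/DHCP object IDs are assumptions for a factory-default 60D-POE.

```fortios
# Added example (not from the thread). Assumed: factory-default 60D-POE on FortiOS 5.x,
# where firewall policy 1 is the default internal->wan1 rule and DHCP server 1 is bound
# to "internal". Confirm with "show firewall policy" and "show system dhcp server" first.

# 1. A soft-switch member may not be referenced by any object, so remove the default
#    policy and the DHCP server that point at "internal" before touching the ports.
config firewall policy
    delete 1
end
config system dhcp server
    delete 1
end

# 2. Members may not carry an IP address: clear the PoE ports and the internal switch.
config system interface
    edit "internal"
        set ip 0.0.0.0 0.0.0.0
    next
    edit "internalA"
        set ip 0.0.0.0 0.0.0.0
    next
    edit "internalB"
        set ip 0.0.0.0 0.0.0.0
    next
end

# 3. Create the software switch. "internal" is the 5-port hardware switch (sw0);
#    internalA/B are separate PoE NICs that sw0 does not control, hence a soft switch.
config system switch-interface
    edit "lan"
        set vdom "root"
        set type switch
        set member "internal" "internalA" "internalB"
    next
end

# 4. Address the new "lan" interface so the NVR and both cameras share one subnet.
#    Re-create DHCP and the lan->wan1 policy against "lan", not the member ports.
config system interface
    edit "lan"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
```

    Traffic between members of a software switch is switched without a firewall policy, so the cameras and NVR talk directly once they sit on "lan".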