Design for ISFW (Internal Segmentation Firewall) Nat or Transparent?

Question

Hello Guys,

i am about to do a Concept and a Network Security Design for a customer who needs an ISFW for His Core Network.

it will be my first time, implementing an ISFW and so i have a couple of questions that someone who has more experience with that propably could answer.

I want to do it with a 2 x FG15000D because the customer want to have at leaset 40Gig of Stateful Firewall Perfomance and some IPS Policies on Top for some VLANs and Ports.

So it would be easier to use it in Transparent mode, but all the Access Switches (25 Switches / Stacks) have 10Gig Uplinks to the Core Cluster of Cisco6500 . So we have then 50 10Gig Uplinks that i would have to handle in Transparent mode and with 1500D it cannot work.

So i though of aggregating 4x 10Gig Interfaces on FortiGate Cluster and have build so a Trunk between Core - Switch and Fortigate with all the VLANs beeing proceed to Fortigate. So the FortiGate will be a defaul Gateway for each VLAN.

See the Picture Attached.

Howeve here are my doubts.

Will the FortiGate Handle it to be a Default Gateway for all of the VLANs? If a broadcast storm will happen, then the FortiGate will Fail completly? or is there some kind of Storm Control Protection?

What do you think about design? will it work that way?

if i use an Active - Active Cluster will the Desing still the Same or do i have then to do Differet Aggregation Trunks on Master and Slave?

maybe i didn´t understand it right with Transparent mode and ISFW but which FortiGate would Handle 50x 10Gig Uplinks to be implemented in Transparent Mode without a need for redesign?

Thank you all.

FortiMcPorty · Answer

VLANs break up broadcast domains. A broadcast storm shouldn't be a problem because of this.

I think it may work, but if the links saturate, I think you'll suffer contention of the system bus. I did a quick search for hardware docs for that model but could not find anything. So, my hunch is the top four 10g ports should be assigned to one agg and the bottom 4 assigned to another. This will ensure that the traffic flows into and out of the system bus without contention... but I could be wrong about this. Without a hardware doc, is hard to say. The system bus (or 'backplane') is always the weakest link, so understanding how the traffic flows through the firewalls is key to extracting top performance.

I don't think any statefull firewall can keep up with 50 10gb links running at full saturation. I would suggest further network analysis to determine actual needs.

Your use of the term "default gateway" implies routing which the fortigate can not do in transp. mode. I'm guessing you dont mean default gateway so I'm ignoring that statement. I encourage you to avoid routing if you can. I worked in an environment that used two large fortigates in AA mode, fully-meshed, fully redundant with monitored ports and round robin load balancing. We used nat/route mode and it was the most complicated monster that I have ever seen. Because of the routing, a packet would traverse the firewall several times before going where it needed to go. It was a nightmare to support. Analyzing a packet sniff was simply painful. Mere mortals would swear the network was broken after seeing a raw packet capture (looks like tons of retrans). Stick with transp mode if you can.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded