tony2019
New Member
January 30, 2019
Solved

Firewalling traffic between hosts located in the same VLAN


Hello.

We are trying to achieve the following: traffic between hosts (a bunch of VMs, actually) has to be protected by a firewall, but these hosts are located in the same L2 VLAN and use a matching L3 addressing subnet.

The problem is not that we simply need to isolate the hosts that belong to the same VLAN (Private VLANs could be used for this purpose); they still need to communicate with each other, and we need to firewall all of their communication.

Further segmentation of the VLAN (into smaller networks) is just not feasible.

Does anyone have an idea how to do this the best way in the FortiGate world? Would any features of the "new" Security Fabric be of any use here?

Thanks for your help!

    Best answer by lobstercreed

    1 reply

    lobstercreed
    New Member
    January 30, 2019

    I'm pretty sure what you're asking is impossible in the FortiGate world unless you could put the FortiGate physically between the two hosts and use transparent mode. However, I assume these hosts are VMs that live in the same farm. In that case intra-subnet traffic would not flow northbound, so there would be no way to accomplish this. This is basically what VMware NSX is for. The only way to get traffic to flow northbound is to further segment the network, which you have stated is not feasible, so...   :(
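For readers who can actually cable a FortiGate inline, the following shows what the reply's "physically between the two hosts and use transparent mode" looks like in FortiOS CLI. It is an added example, not code from the thread or from Fortinet's documentation. It assumes two hypothetical server groups in one VLAN, split across the FortiGate's port1 and port2, a placeholder management address of 192.0.2.10/24, and placeholder host addresses 192.0.2.20 and 192.0.2.30; the predefined "MYSQL" service stands in for whatever the real application uses.

```text
# Added example (not from the original thread). Assumed topology:
#   hosts on the port1 side  <-- port1 [FortiGate, transparent] port2 -->  hosts on the port2 side
# All hosts share one VLAN and one subnet; the FortiGate bridges the two sides
# and applies policy to every frame that crosses it.

# 1. Put the VDOM into transparent (bridge) mode with a management address.
#    Note: changing opmode wipes the interfaces' IP configuration; do this on
#    a lab unit or from console, not over an in-band session you need to keep.
config system settings
    set opmode transparent
    set manageip 192.0.2.10/24
end

# 2. Address objects for the two hosts (placeholder addresses).
config firewall address
    edit "srv-web"
        set subnet 192.0.2.20/32
    next
    edit "srv-db"
        set subnet 192.0.2.30/32
    next
end

# 3. Policies are written between the two bridged interfaces exactly as they
#    would be between two routed interfaces in NAT mode. Only the allowed
#    east-west flow is permitted; everything else crossing the bridge is
#    denied and logged (the implicit deny would drop it anyway, the explicit
#    rule is there so the drops are visible).
config firewall policy
    edit 1
        set name "web-to-db-sql"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "srv-web"
        set dstaddr "srv-db"
        set action accept
        set schedule "always"
        set service "MYSQL"
        set logtraffic all
    next
    edit 2
        set name "deny-other-east-west"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two caveats before relying on this. The policy set only covers sessions initiated from the port1 side; replies are handled statefully, but anything the port2 hosts initiate needs a matching port2-to-port1 policy (or it hits the implicit deny). And, as the reply says, this only helps when the FortiGate is genuinely in the forwarding path: two VMs on the same vSwitch portgroup exchange frames inside the hypervisor, so the bridge never sees them, which is why the reply points at NSX for that case.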

    tony2019 (Author)
    New Member
    January 30, 2019

    Hi, lobstercreed!

    Thanks for the idea, so the east-west segmentation should be done with VMware NSX. Does it even support any basic firewalling at all?

    There is also a product called Fortigate-VMX that supposedly enables you to write Fortigate-like policies on the FG-VMX. FG-VMX is supposed to seamlessly receive the IP addresses of the VMs from the NSX as firewall objects. There's some Fortinet sales info about FG-NSX available here (the video seems quite promising, I suppose): https://www.fortinet.com/...fabric-connectors.html

    What we are trying to achieve is to get as much of a Fortigate-like policy-writing feel for firewalling as possible. Would the FG-VMX (in combination with the NSX) be the right product for this job?

    Thanks!

    lobstercreed
    New Member
    January 31, 2019

    Full disclosure, I have not used VMware NSX, but from others and reading I believe it does include quite a bit of firewall features. I knew a guy who was using it exclusively for his datacenter firewall and loved it.

    I had not heard of FortiGate VMX, but I agree that it looks like the right product for what you're after. Right now we feel the FortiGate accomplishes what we need it to at the inter-subnet level and we can't afford NSX, but we have always said that if we outsize our current FortiGate for our datacenter needs (it also handles our edge traffic), we would buy NSX and do that part with it.

    Now that I know about VMX, I wonder if we can afford both if the time comes! I certainly don't blame you for wanting the FortiGate policy feel.  :)