itamez
New Member
March 2, 2020
Question

Fortigate 200E bridge mode in VDOM


Hello fellow Fortinet pals, this is itamez.


I own a Fortigate FG200E and I would like to make a bridge between different subnetworks (WAN and LAN). Is there any way to do that? Someone told me that I have to make a VDOM and then bridge the two different networks. Does someone know how to do that?


I have read Chapter 33 - Virtual Domains > Enabling and accessing Virtual domains from the Fortigate cookbook, but I don't see information about the bridge I intend to implement.


Are there any other options?


BR,

itamez


ShawnZA
New Member
March 3, 2020

I take it you mean Transparent mode, or do you mean you want to bridge the two networks? Perhaps more info on what you want to achieve?


https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-transparent/2-Installation/2-Installation.htm


itamez (Author)
New Member
March 4, 2020

Hello ShawnZA thanks for your prompt reply!


Here's the general overview of the objective I want to accomplish and the things I've already made:


Objective: Protect public DNS servers from attacks and unwanted queries, using IPv4 policy routing to only allow defined traffic inside my infrastructure to reach the mentioned servers via specific protocols/ports, using the Fortigate 200E appliance.

Current scenario: I have to replace an old PFSense server that acts as a firewall, but is now almost dead.

Expected scenario: I assume the Fortigate that was passed on to me can do the job, or a better job than this old, dying PFSense firewall server.

Firewall configuration/specs: I defined three physical connections: LAN, WAN and mgmt. Contained in the LAN are the DNS servers I want to prevent free entrance to from the internet using known methods, and also where I defined the policies (WAN->LAN). WAN is the connection I set facing the internet, the point of contact for the users from the cloud so they can reach the public DNS under the policies made, and also the way the DNS servers have to reach the internet. Regarding the mgmt interface, it is just as is, a management port that is working.

Restrictions: I cannot modify IP addressing, because it's a thing that is already operating (alas suboptimally), thus I was just told that I have to use this Fortigate FW and replace the old PFSense with this new one.

Things I think I've already done right: In User & Device > Device Inventory using the GUI, I see the MACs and IPs of the servers I want to protect. I used specific VLANs to discover all the servers and machines in this LAN, briefly illustrated by the schematic below.

Things I think I'm missing and don't know how to circumvent: In User & Device > Device Inventory using the GUI, I don't see the WAN interface online, maybe because the device has not been configured as transparent YET.

Specs:

Firmware v5.6.3 build1547 (GA)

Basic Network Schematic: FORTIGATE200E_new.png


Note:

So far, after at least 4 maintenance windows, I haven't been able to make this FG200E appliance my main perimeter protection tool.


Questions:

Am I right in my logic in this realm? I'm really new to these Fortinet appliances but I want to do the job as best I can.

What is the difference between Policy Routes, which is a suboption of Network (meaning Network > Policy Routes), and the ones contained in the option Policy & Objects > IPv4 Policy? Because I saw in the FortiOS Handbook (Transparent Mode for FortiOS 5.6.3) that transparent mode has a feature/capability restriction for Unicast Routing / Policy Based Routing. Is that a problem I would face, assuming transparent mode is the thing I need in order to bridge these networks?

ShawnZA
New Member
March 4, 2020

Ah so you need to rip and replace the PFSense with a Fortigate. Then transparent mode is not what you want at all.


You would need to configure the Fortigate with the same details as the PFSense: IPs, firewall policies, routers etc. The Fortigate can do everything the PFSense can do and more.


Policy Routing... https://kb.fortinet.com/kb/documentLink.do?externalID=FD46603


"In some FortiGate deployments, it may be necessary to have a certain type or source of traffic filtered through a different network connection. In other words, a specific protocol or IP will sometimes need to be sent to a destination other than the default gateway or route."


You don't need to use it unless you have a specific case for it. I moved all our Fortigates away from Policy Routing as we did not need it anymore; static routing, BGP and SD-WAN rules took over from what our Policy Routes did.


The IPv4 Policies are the actual rules to allow traffic. They are not routing rules, they are firewall rules, and that's where you would need to create all the rules that are on the PFSense.


Attached is a screenshot of some of my home firewall policies, rules to allow traffic out to the internet (LAN to WAN). So whatever policies are on the PF need to be created here on the Fortigate to allow the traffic. You would also specify WAN to LAN rules under IPv4 Policy.
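As an added example (not from either poster, nor from Fortinet's documentation), here is what the WAN-to-LAN and LAN-to-WAN IPv4 policies ShawnZA describes look like in FortiOS 5.6-style CLI for the DNS-server case in this thread: one address object per DNS server, an inbound policy that accepts only DNS to those servers and logs it, and an outbound policy so the servers themselves can reach the internet. The interface names "wan1" and "lan" and the 192.0.2.x addresses are assumptions; substitute the real ones.

```fortios
# Assumed: WAN interface is "wan1", LAN interface is "lan" (FG-200E port names vary),
# and the DNS servers sit at 192.0.2.10 and 192.0.2.11 (constructed sample addresses).
config firewall address
    edit "dns-srv-1"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "dns-srv-2"
        set subnet 192.0.2.11 255.255.255.255
    next
end
config firewall addrgrp
    edit "public-dns-servers"
        set member "dns-srv-1" "dns-srv-2"
    next
end
config firewall policy
    # Inbound: any internet host may query the DNS servers on port 53 (the predefined
    # "DNS" service covers TCP and UDP 53). Anything else from wan1 to lan is dropped
    # by the implicit deny policy at the bottom of the list, so no extra deny rule is needed.
    edit 1
        set name "wan-to-dns-53-only"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "public-dns-servers"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
    # Outbound: only the DNS servers may initiate traffic to the internet (e.g. recursion).
    # Assumption: the servers keep their existing public addresses, so source NAT stays off.
    edit 2
        set name "dns-to-internet"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "public-dns-servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

These policies belong to NAT/route mode, which is what the rip-and-replace ShawnZA describes implies, so the interface IPs and a default static route toward wan1 must be in place before they pass any traffic. With `logtraffic all` on both rules, the forward-traffic log shows every accepted query and every session the implicit deny drops, which is the first thing to check when the DNS servers become unreachable after the cutover.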