FortiGate Design Help: Edge & Internal VLAN Routing Topology

Question

Hi everyone,

I want to design a setup that uses two FortiGate firewalls for around 200 users.

One device will work as the edge & Fabric root firewall for VPN, DPI, etc.
The second device will act as an internal firewall for segmentation, VLAN routing, and inter-VLAN policies.

My questions are:

What is the recommended deployment mode for this setup? Am I going in the right direction with this topology?
Is there any official Fortinet documentation or example for this design?
In the next phase, I’m planning to use two devices in an HA setup. Does that make sense?
Finally, I’m considering the FG-121G (Edge) and FG-91G (Internal) models — are these suitable?

Toshi_Esumi · Answer

Not the answer so you might just ignore.

If I had a budget for two new FGTs, I would set them up in HA for redundancy and put everything on it without separating per features/functions as much as possible.
When traffic goes out from one FGT and need to go through another FGT before reaching the destination, physical packets need to go out from a physical port, hit the wire/fiber, come in another port on the next FGT, then need to be taken in by CPU..., which would be avoided if one FGT cluster handles it. That would maximize "hardware acceleration" by NPU those FGTs are built for.
If I really need to separate some processes/functions inside of the cluster, I could use VDOMs. However, I would avoid it unless it's absolutely necessary for performance and simplicity of design.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded