How does Fortigate Handle Multiple Internal Networks

Hi THilina, welcome to the forums! Both subnets can be directly attached to the Fortinet. Give the Internal interface of the Fortinet a secondary IP address from the 10.0.0.0 range. Give both subnets a firewall address name (e.g. 192.168.1.0/24=Range1 and 10.0.0.0/16 =Range2, etc.) In the firewall rules, be specific when creating the rules, to use the address names above, don' t use the generic ANY or ALL (on the LAN side). Example firewall policies: Internal - Range1 -> WAN - ALL Internal - Range2 -> WAN - ALL You can then create rules to filter and send traffic between those two subnets, by using; Internal - Range1 -> Internal - Range2 Internal - Range2 -> Internal - Range1 Don' t NAT the rules.

Thank you for your swift response ShrewLWD. Really appreciated. I would also like to know the following. 1) If we don' t create a firewall interface for 10.0.0.0/16 network, and keep the network internal behind a router, and create a policy to allow traffic to/from 10.0.0.0 from 192.167.1.7 interface, will it work? Is it a must that all internal networks have an interface on the firewall in order the firewall to allow traffic? 2) If we create 2 interfaces in the firewall for both internal networks, can both networks be NAT to the same external public IP address on the WAN interface? Thanks

1) In order to differentiate between legitimate and rogue network (addresses) the Fortigate requires that each legititmate network is present in the routing table. If you want to just use addresses from the 10.0.0.0 range on your internal network then you have to create a static route for 10.0.0.0/24 pointing to the ' internal' port. Otherwise, this traffic will be dropped by the FGT which means that it cannot go across the firewall, e.g. to the internet. Assigning an address to a physical or virtual interface automatically creates a ' directly connected' route in the FGT' s routing table. Thats why a secondary address or a VLAN interface ' works' . 2) Yes, no problem. You can NAT outgoing traffic from any or all ports to the WAN interface' s IP address or any other (public) IP address that you choose. If you have 2 ports for your 2 networks then connect both ports to the same LAN switch. This doesn' t really sound like a good idea though. You will have broadcasts, DHCP discovery requests etc. for both address ranges on the same wire and in the same broadcast domain. Running one network over a newly created VLAN is much better, for clarity, bandwidth consumption and functionality. This would mean that your switch(es) will have to support VLANs, preferably tagged VLANs or if needs be, port based VLANs. If that is not an option you should go with the ' secondary address' approach as proposed earlier.

Thanks Ede for the reply. 1) This means it can keep internal networks not visible to the firewall. We just need to create a static route and allow traffic from the firewall policy. Creating a Vlan will remove the need of creating a static route. 2) This one is clear. Thanks all :)

Yes, creating a VLAN or assigning a secondary address to a physical port will both create static routes in the routing table. Try it out for yourself. Don' t forget that without a policy traffic cannot traverse the firewall, from one port to another.