iSCSI Traffic on Internat Switch

No experiences, but i doubt, that the fortigate will inspect iSCSI Traffic, so no security won. Additionally the 60C may not be fast enough to handle loads of (iSCSI ) Traffic. I would not try that.

I agree wtih Jan, not a good idea at all. The spec on the 60C is 1Gbps (firewall throughput), you wont hit it.

As long as you only use the switch I dont see any problems... I am not sure if the switch of the FGT-60C will be capable of handling jumbo frames, but I think you won' t really need them in this scenario! br, Roman

Sounds like you should buy a core switch or 2 if I had to guess. Place the iSCSI traffic locally to the VMServers. Their' s no valid reason to run that traffic thru a firewall from what I can see in your diagram.

The reason im thinking of doing this is to avoid installing more NICs into the servers. currently both servers have 2 nics, which connect to each of my FGT60-C' s " internal ports - switch mode" directly in an A/A cluster. I circumvent any physical switches to reduce potential failure points. we are looking at implementing an iSCSI solution but to get proper redundancy I' ll need 2 more nics on each machine, then 2 more L3 switches (or VLAN my existing cisco switches) if I cant use the FGTs as the switches.

You don' t use more nic you use 802.1q trunking on your core switch. i.e vlan 100 = main-lan vlan 200 = iSCSI then you place the servers in vlan 100 along with the fortigate then you place the servers that needs iSCSI into vlan 200 and NOT the fortigate. Now iSCSI goes to all servers that need it and you don' t worry about any limitations on the FGT 60C ports. And this would also ensure that your iSCSI traffic doesn' t exhaust your 1gig thru-put or 380K sessions limits.

I have a similar issue; I want to define the two 1Gig-ports on a FG80C as software switch to connect a server and a iSCSI device. Would that work or must I go the hard way and set up an dedicated iSCSI-switch? Y