rajkamath
New Member
September 20, 2022
Question

Multiple VLANs on FortiGate firewall 81F

  • September 20, 2022
  • 1 reply
  • 1488 views

Good day all, 

 

New to FortiGate. Looking to configure three VLANs on the physical interface.

 

data - 192.168.30.x ( configured dhcp pool )

guest - 192.168.50.x

voice - 192.168.10.x

 

The firewall will be connected to a D-Link DGS 1210 switch. I wanted to know how to proceed with assigning IP addresses from the different VLANs to their respective devices. Will this be the job of the switch, based on how it tags each VLAN and passes it over the trunk? How will the FortiGate do the segregation?

 

The DHCP pools will be configured on the firewall only.

1 reply

gfleming
Staff
September 20, 2022

You will most likely want to create a trunk port on the DGS1210 which tags all of your VLANs and connect this to the FGT-81F. On the FGT, you create VLAN interfaces for each VLAN and connect them to the 'internal' interface. Each VLAN interface will have the IP address used for default gateway and DHCP server configuration to hand out IP addresses.

 

Each VLAN interface will by default not have any allowed connectivity to other interfaces so you will need to explicitly allow traffic on the FortiGate between VLANs using Firewall Policies:

 

If you do not want to secure traffic between VLANs you can group them into a Zone and use the Zone interface to define security policies. You can also assign multiple interfaces to the same security policy if you want (i.e. for general internet access you can lump all three VLANs into one policy).

 

 

Here's some more info:

https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/402940/vlans

 

https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/783526/dhcp-server

 

https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/118003/policies

 

https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/116821/zone
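
The setup described in the reply above, sketched as FortiOS CLI. This is an added example, not part of the original thread or Fortinet's documentation. The VLAN IDs (30, 50), the .1 gateway addresses, the DHCP range and the `wan1` uplink name are assumptions; the voice VLAN follows the same pattern. The `#` lines are annotations to drop before pasting.

```fortios
# VLAN sub-interfaces tagged on the trunk-facing "internal" interface
config system interface
    edit "data"
        set vdom "root"
        set interface "internal"
        set vlanid 30
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
    next
    edit "guest"
        set vdom "root"
        set interface "internal"
        set vlanid 50
        set ip 192.168.50.1 255.255.255.0
    next
end
# DHCP scope bound to the data VLAN interface (edit 0 = next free ID)
config system dhcp server
    edit 0
        set interface "data"
        set default-gateway 192.168.30.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.30.100
                set end-ip 192.168.30.200
            next
        end
    next
end
# Internet access for both VLANs in one policy. No guest-to-data policy
# is defined, so that traffic stays blocked by the implicit deny.
config firewall policy
    edit 0
        set name "vlans-to-internet"
        set srcintf "data" "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

On the switch side, the port facing the FortiGate must carry the same VLAN IDs tagged, with access ports untagged in the VLAN of the device plugged into them.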