What's up all. Novice at networking here, bear with me. Trying to dump my cheap home firewalls and go with the real thing. Looking to purchase a Fortigate Firewall and Catalyst 1200 Series Switch. Pretty basic setup. I need to:Create VLANS and have them access the internetCompletely isolate the VLANS at Layer 3I have been looking at a few different ways to do this but need help. I can figure out most of the config but could use assistance with the design / have a few config questions. Would you:Go layer 2 VLANS at the switch and then tag them up to the firewall and create firewall policies to separate the VLANS? Would I even need to tag them on the firewall?Would inter-vlans need to be created on the firewall to deny all traffic or could I just create firewall polices for each lan and have the switch handle the tagging?orGo Inter-vlan on the switch and create ACLS on the switch as opposed to having the firewall do the work. It seems strange to me to have a firewall perform switching functions as I am trying to separate this all out.Performance is not a concern as this is a basic network, security is top of mind. Thanks to anyone that can help.

Explorer

Solved

Network Configuration Help

Forum|Forum|1 year ago
September 7, 2024
3 replies
4474 views

What's up all. Novice at networking here, bear with me. Trying to dump my cheap home firewalls and go with the real thing. Looking to purchase a Fortigate Firewall and Catalyst 1200 Series Switch. Pretty basic setup. I need to:

Create VLANS and have them access the internet
Completely isolate the VLANS at Layer 3

I have been looking at a few different ways to do this but need help. I can figure out most of the config but could use assistance with the design / have a few config questions.

Would you:

Go layer 2 VLANS at the switch and then tag them up to the firewall and create firewall policies to separate the VLANS? Would I even need to tag them on the firewall?
Would inter-vlans need to be created on the firewall to deny all traffic or could I just create firewall polices for each lan and have the switch handle the tagging?

or

Go Inter-vlan on the switch and create ACLS on the switch as opposed to having the firewall do the work. It seems strange to me to have a firewall perform switching functions as I am trying to separate this all out.

Performance is not a concern as this is a basic network, security is top of mind. Thanks to anyone that can help.

FortiGate

Best answer by Toshi_Esumi

And, for No.2, you just need to create different sets of protection profiles Webfilters/IPS sensors, then use them in different sets of policies per VLAN interface (source interface) to your wan interface(s) (destination interface).

Toshi

Toshi_Esumi

SuperUser

A novice user wouldn't go with FGT+C1200. You sounds very confident how to configure both.

The C1200 is basically a L2 switch although it would do some routing. Therefor you could do the second option if you want. But you wouldn't want to waste your investment on an expensive FW device (unless you're a super rich) which is designed to do all sorts of access control and sophisticated virus/intrusion/application controls at upper layers.
So it's better pulling all VLAN traffic on the switch up to the FGT over a trunked(VLAN/hardware switch) port (ports, in case you use an aggregate link) when inter-VLAN connections need to happen, and leave the L2 switch as an L2 switch. So you can manage it at one place, not have to juggle between two places.

Toshi

Technician-109Author

Explorer

Hey Toshi,

Thanks very much. I understand terminology and basic network config but am far from a Network Technician. Thanks for the vote of confidence, nonetheless. I am going to trunk from the switch to the firewall and let the firewall handle policy. I have a few additional questions if you don't mind. I am also going to pose the same question to @vbandha. Hopefully you don't mind.

1. Not too familiar with configuring zones. Would I have a separate zone for each VLAN, or would there be 1 zone for VLANS and another for WAN? The goal being to 100% keep traffic separate between all VLANS and also to create web / IPS policies for each, which brings me to my next question.

2. How do I create separate WEB/IPS/Firewall policies for each VLAN?

Thanks again

vbandha

Staff

Hi @Technician-109
You would need to create VLANs on the fortigate. Here is a guide for that:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-1q-on-a/ta-p/193893

You will also need appropriate firewall policies on fortigate for inter vlan routing and any other access

By default firewall will deny access so you don't need deny policy between vlans.

I agree that switch side you could leave as basic setup

Especially considering security aspect, you want firewall to be handling all this routing so you can apply security profiles if needed.

Regards,

Varun

Technician-109Author

Explorer

Hey Varun,

Thanks for your help. I answered @Toshi_Esumi as well, and wanted your thoughts on these questions.

1. Not too familiar with configuring zones. Would I have a separate zone for each VLAN, or would there be 1 zone for VLANS and another for WAN? The goal being to 100% keep traffic separate between all VLANS and also to create web / IPS policies for each, which brings me to my next question.

2. How do I create separate WEB/IPS/Firewall policies for each VLAN?

Thanks

vbandha

Staff

Hi,

Regarding your questions:

1. Are you talking about adding interfaces to a zone?

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/116821/zone

This is not a requirement for network setup, more like a feature to be used as per your need. Zones are used if there are certain interfaces which would need same firewall policies and settings. One drawback of using zones is that you cannot create separate policies for each interface which is part of the zone and have to create policies for the zone itself.

If you would like more flexibility, it would better to not use zones.

Whether you use zones or not, the traffic between vlans will be separate and one vlan traffic will not go to another vlan, unless you make a policy for it.

2. So this question, answers your first question. If you want separate policies for each VLAN, you cannot do that with zones. You have to use them individually.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/402940/vlans

If you have any further query on this, please let me know.

Regards,

Varun

SabtainSaleem

New Member

It sounds like you're dealing with quite the network configuration challenge! I’ve been through similar issues in the past, and sometimes just tweaking a few settings can make a huge difference. Have you tried adjusting the firewall rules or double-checking the routing settings? The Fortinet community is really helpful, so I'm sure you'll get some great advice here. Best of luck—hope you get it resolved soon!

Technician-109Author

Explorer

Thanks, @SabtainSaleem

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded