Cybersecurity Forum


Nik
New Contributor II

Connect meraki MX with fortigate (one-arm concentrator)

Hi,

We have some VLANs configured in our FortiGate and we want to connect this FortiGate with a Meraki MX to use it as a VPN concentrator (the MX is a VPN concentrator). Another Meraki Z3C will establish an IPsec connection to the MX and then we need to route the traffic to that specific VLAN behind the FortiGate.

Now my question is how I should configure the port which connects to the MX. I have a lot of ports on the FortiGate which are not used. I know that I have to create routes on the FortiGate to go through this port to the other side (to the resources behind the Z3C), but I need to know how the port on the FortiGate should be configured.
BillEfth
New Contributor

If the MX is connected directly to the FortiGate then I think the simplest setup would be for the FortiGate port to be a routed port on a single VLAN (non-trunk port).

Not sure if that's the information you're looking for, but I have an MX in HA connected in a DMZ behind a FortiGate and it works a treat. The DMZ interface off the FortiGate, however, is a trunk (multiple VLANs) connected to a switch which then has the MX connected.
Nik
New Contributor II

Hi Bill,

Behind the FortiGate there are different VLANs, and the users behind the Z3C need to access only one of these VLANs through the MX, which will be connected to the FortiGate. Can I configure the link between the MX and the FortiGate as an access link, since the traffic coming in on the FortiGate port is layer 3 traffic? Then, when the traffic reaches the FortiGate (its packets have a destination IP which corresponds to the target VLAN), it will go through the policies with which we will allow the traffic to pass toward that specific VLAN. Then of course we will create routes back through the MX's IP address on the link (next hop from the FortiGate perspective).
BillEfth
New Contributor

If I'm understanding your reply, that is correct. A basic topology I'm interpreting is as follows:

Logical Topo:
LAN------Z3C----------Auto_VPN_Tunnel---------MX_Concentrator(WAN_port)--------------(Access_port)FG_FW----VLAN_X

Physical Topo at HUB:
VLAN_X------FG_FW(WAN)------------{Internet}
              |
        (Access_port)
              |
              |
            (WAN)
       MX_Concentrator

You will need:
1. routing at the FG_FW for networks at the other side of all the MX Auto-VPN(s) pointing to the MX(WAN) IP address as the next hop.
2. A default route at the MX, with a next hop of the FG_FW(Access_port) interface IP.
3. FG_FW policies permitting traffic accordingly.

I hope this helps.

Cheers,
Bill.
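For reference, here is a FortiOS CLI configuration that implements the three items in Bill's list on the FortiGate side. This is an added example, not configuration from anyone in the thread; the port name port5, the 10.10.99.0/24 transit subnet (FG_FW .1, MX WAN .2), the VLAN interface name VLAN_X with 10.20.30.0/24, and the 192.168.50.0/24 Z3C LAN are all constructed placeholders. The MX default route (item 2) is set in the Meraki dashboard and is not shown.

```text
# Access port toward the MX WAN (constructed addresses, not from the thread)
config system interface
    edit "port5"
        set alias "to-MX-concentrator"
        set mode static
        set ip 10.10.99.1 255.255.255.0
        set allowaccess ping
    next
end

# Address objects so the policy is scoped to the two real networks, not "all"
config firewall address
    edit "Z3C_LAN"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "VLAN_X_NET"
        set subnet 10.20.30.0 255.255.255.0
    next
end

# Item 1: static route for the Z3C LAN with the MX WAN IP as next hop
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set gateway 10.10.99.2
        set device "port5"
    next
end

# Item 3: permit Z3C users into VLAN_X only, with logging.
# Replace "ALL" with the specific services required before production.
config firewall policy
    edit 0
        set name "Z3C-to-VLAN_X"
        set srcintf "port5"
        set dstintf "VLAN_X"
        set srcaddr "Z3C_LAN"
        set dstaddr "VLAN_X_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Check that the route is installed with gateway 10.10.99.2 on port5
get router info routing-table static
```

If hosts in VLAN_X must initiate sessions toward the Z3C LAN, add a mirrored policy from VLAN_X to port5; return traffic for sessions opened from the Z3C side is already handled by the stateful session table.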