Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

2-stage firewall licensing



when I build up a 2-stage firewall (edge + internal) with complete FortiGate (I know you should use 2 manufacturer) and the internet connection will terminate on the edge firewall. Which services (and licencing) you are using on the internal firewall? Do you also do webfilter on the internal firewall or do you use the security profiles only on the edge firewall?




Hi markbo,


You can configured webfilter app control only in the edge firewall and you can take license only in edge firewall for webfilter and app control since double scanning for web traffic and application is not required.

But for AV, IPS it is recommended to take license on both the FW( edge & core). You can implement AV, IPS in both the FW since virus transmission can also happen internal to internal traffic

Please let me know if any further query is there to answer

Salon Raj Joshi

Hey Mark,

as Salon mentioned:


- it makes sense to have webfiltering on edge firewalls, as webfiltering deals with outbound user traffic

- other features such as AntiVirus, AntiSpam and IPS would also be suitable for internal firewalls

-> to isolate internal networks from each other

-> to prevent any malicious traffic/attack/whatever from spreading that somehow originated inside your network (like an infected USB drive for example)

For Application Control, you can consider if you also need to monitor/block application traffic in your internal network (for example VNC or TeamViewer or RDP) and whether it makes more sense to leverage this at the edge; you might want to apply Application Control both internally and at the edge.

We have a white paper on internal firewalls:
This might give you a good idea of what you want to set on your internal firewall to prevent any breach from spreading.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++