Fortinet Forum
New Contributor

Not all can reach the Internet when we backed the VLANs to a layer 3 switch


We are at present utilizing a FortiGate 100F (in NAT mode running on a single IP address on the WAN) that is connected to a Cisco Nexus 9000 series switch via a VLAN trunk, with the default gateways for all the VLANs being located on the 100F. I have been asked if we could move the VLAN gateways back to the Cisco 9000 series switch, as the firewall is causing bottlenecks on the network when large file transfers are in use. It doesn't sound like a difficult task, but when it was last tried, about half of the clients on the network could not reach the Internet, although they could reach the default gateway, as they could reach the other internal subnets. Some clients on the same VLAN could reach the Internet and others could not. I was wondering if anyone has some pointers on how to best go about this a second time. Unfortunately static routing is used rather than a routing protocol, as the network is comprised of 5 switches, but I was wondering if we missed something, as there was no rhyme or reason about who was able to connect and who couldn't.

Esteemed Contributor III

Moving the VLAN gateway can be done by exchanging the port IP address, from FGT to Nexus. That should be all, apart from moving the routes as well - the FGT doesn't need routes when one of its ports carries a VLAN IP address, but the switch will need routes.

As a sidenote, I wonder how the FGT is ill-configured if it appears to be a bottleneck. The VLANs will no doubt use the 10G ports, so that potentially each VLAN can use 10Gbps. The firewalling figure in the FGT datasheet states that this model is capable of fully servicing the 10G ports. Is your network really as busy as that, or do you have UTM active on the 10G ports? In this case, you're more limited to 1-3 Gbps.

Putting the VLAN gateways will not help in this case, except for the case where you bypass the FGT for backups. But, you could do that as well with a 'naked' policy just for the backup (filtered by hosts, service, or time).


"Kernel panic: Aiee, killing interrupt handler!"
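The move described in the answer above (VLAN gateways as SVIs on the Nexus, a routed transit link to the FGT, and the routes plus the Internet policy re-pointed), written out as an added illustrative configuration that is not from the original posts. Interface names (Vlan10, Ethernet1/1, port10, wan1), the 10.255.0.0/30 transit addressing and the 10.10.0.0/16 summary of the client VLANs are assumptions.

```text
# --- Cisco Nexus 9000 side (NX-OS): VLAN gateways now on SVIs ---
feature interface-vlan
interface Vlan10
  no shutdown
  ip address 10.10.10.1/24
# Routed transit link to the FortiGate (assumed addressing)
interface Ethernet1/1
  no switchport
  ip address 10.255.0.2/30
# Anything not known locally goes to the FortiGate
ip route 0.0.0.0/0 10.255.0.1

# --- FortiGate 100F side (FortiOS CLI) ---
# Delete the old VLAN sub-interfaces first so the FGT no longer answers
# for the gateway addresses, then give the transit port its own IP.
config system interface
    edit "port10"
        set ip 10.255.0.1 255.255.255.252
        set allowaccess ping
    next
end
config firewall address
    edit "lan-summary"
        set subnet 10.10.0.0 255.255.0.0
    next
end
# The FGT now needs a return route to the client subnets via the Nexus
config router static
    edit 10
        set dst 10.10.0.0 255.255.0.0
        set gateway 10.255.0.2
        set device "port10"
    next
end
# The Internet policy must match the new ingress interface and every moved
# subnet; a policy still bound to an old VLAN interface, or whose srcaddr
# lists only some of the old per-VLAN addresses, will not match traffic
# arriving on port10.
config firewall policy
    edit 20
        set name "lan-to-internet"
        set srcintf "port10"
        set dstintf "wan1"
        set srcaddr "lan-summary"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After the change, `get router info routing-table all` on the FGT and `show ip route` on the Nexus should show the summary route and the default route respectively, and every client (DHCP scope or static setting) must point at the new SVI address as its gateway.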

Thanks for the feedback. I was curious if we had missed something. Just to be sure, I did recheck the UTM installation on the policies. It appears to be correctly configured. Will plan this out and see how it does in the lab.